Chinese botnet contains thousands of Dutch devices

Daphne Frik

19 September 2024

Cyber actors linked to China have compromised over 260,000 devices with the goal of creating a botnet, the FBI reported this week together with the U.S. Cyber National Mission Force and National Security Agency. Of those devices, thousands are located in the Netherlands, the Dutch NCSC and the Digital Trust Center announced.

What are botnets?

A botnet is a network of devices connected to the internet that have been infected with malware and are controlled remotely by a cybercriminal, often without the owners’ knowledge. These devices, which can include computers, smartphones, routers, and Internet of Things (IoT) gadgets, are used collectively to perform various malicious activities. The devices in a botnet are often referred to as “bots” or “zombies.”

The actors may use the botnet as a proxy to conceal their identities while deploying distributed denial of service (DDoS) attacks or compromising targeted networks. Other attacks through botnets include large-scale spam campaigns, data theft, cryptojacking, and spreading malware to infect further devices.

One of the most notable examples of a botnet attack was the Mirai botnet, the first major botnet to infect insecure IoT devices. It was first discovered in 2016 and became infamous for being behind some of the largest DDoS attacks ever recorded, leaving much of the internet inaccessible on the U.S. east coast. At its peak, the worm infected over 600,000 devices. And what’s more, the malware wasn’t the work of a nation-state: the botnet was created by college students looking to gain an edge in Minecraft.

What to do next?

In this case, the FBI found that the infected internet-connected devices included small office/home office routers, firewalls, network-attached storage and IoT devices.

Where possible, owners of the affected devices will be notified, the Digital Trust Center said. However, given the fact that the devices are hard to link to owners, this will only cover a small percentage of the total number of affected devices in the Netherlands.

The DTC therefore also refers to Appendix B (p. 11) of the FBI report, which lists the (former) vulnerabilities that have been used to add suppliers' devices to the botnet. The DTC and National Cyber Security Center also recommend checking SOHO devices for updates and installing them when an update is available.

Protecting your IoT environment

Devices that are directly connected to the internet are vulnerable. It is especially important to maintain good basic hygiene with these types of devices, the DTC highlights, referring to resources on the protection of your IoT environment.

Given that most infected devices were small office and home office (SOHO) devices, the botnet discovery is a good reminder to implement and reinforce security strategies around working-from-home policies.

Basic cyber hygiene practices should include, among others, using strong passwords, enabling multi-factor authentication, updating software and devices in a timely manner, limiting access and permissions, using antivirus software, securing WiFi networks, creating backups, and encrypting sensitive data.