Over the past several months, the FortiGuard Labs team has been tracking a number of evolving trends related to the FortiGuard 2018 Threat Landscape Predictions article published just before the beginning of the year. This mid-year update provides new details concerning recent advances in some of the techniques and malware tied to those predictions. In particular, the accelerated development of several precursors of Swarmbots and Hivenets is especially worth revisiting. Others include the increased targeting of critical infrastructure, the development of automation in malware exploits, and the use of blockchain technology to anonymize the command and control of botnets.
Of course, these trends aren’t happening in isolation. These threat trends are beginning to overlap at the same time that digital transformation is driving the convergence of traditionally isolated networks, including the growing integration of IT and OT networks within a single enterprise, along with the convergence of large systems to support massive, hyperconnected environments such as smart cities. For example, as developers actively add automation and new SCADA-focused exploits to their malware, that malware can be used to target not only traditional networks but OT networks as well, enabling attackers to take out critical infrastructure. And to shield those attackers, we also see the emergence of blockchain-based command and control systems that protect the criminal organizations or nation-states that launch such attacks.
Hivenets and Swarmbots
I have written several times about the next step in the evolution of botnets being a scalable architecture based on integrated and autonomous swarm intelligence. Swarm-based attacks can significantly decrease the time needed to breach a system by leveraging things like stigmergy, which is a consensus-based social network mechanism of indirect coordination between agents. Swarm-based insect colonies such as ants and bees use this process to manage the collection and distribution of resources and workloads. Likewise, artificial swarms can quickly share collected intelligence, accelerate trial and error, and then apply specific attacks to a vulnerability by leveraging those specialized members of the swarm armed with specific exploits. Not only will this emerging development accelerate the time required to breach a system, but the sheer volume that can be applied by a swarm-based botnet targeting multiple devices and exploits simultaneously can quickly overwhelm traditional defense systems.
The Hide ‘N Seek IoT botnet, first detected this past spring, has moved the bar significantly closer to enabling a botnet to function as a swarm. It communicates in a complex and decentralized manner using custom-built peer-to-peer communication to implement a variety of malicious routines. It also leverages multiple anti-tampering techniques to prevent a third party from hijacking or poisoning it, and it is also the first IoT botnet malware strain that can survive device reboots and still remain on compromised devices.
Hide ‘N Seek also supports bidirectional commands, enabling a single node within a larger botnet to request and receive a response, thereby enabling it to execute a variety of exploits against a growing number of devices simultaneously rather than delivering a single, pre-programmed payload, such as was used by Mirai. This development is especially critical for achieving the sort of communication-feedback mechanisms required for a swarm to operate autonomously.
It is also the first in-the-wild malware to actively target home automation systems. FortiGuard Labs has been monitoring this botnet malware carefully since researchers first discovered it at the start of the year. And while it initially targeted routers, IP cameras, and DVRs, its latest iteration now also targets cross-platform database solutions and smart home devices.
Given that the number of connected IoT devices is predicted to reach 20.4 billion by 2020, and that end users are deploying a growing segment of these devices for home and business automation, it is easy to predict that this area will continue to be a high-priority focus for cybercriminal and nation-state actors for a long time to come.
Targeting Critical Infrastructure
As we have seen with Hide ‘N Seek, cybercriminals are maximizing the impact of botnets by loading them with multiple malicious attacks. WICKED, another Mirai-based botnet variant, recently added at least three new exploits to its toolkit, enabling it to target unpatched IoT devices better. And VPNFilter, the advanced nation-state-sponsored attack, is also able to target SCADA/ICS environments. VPNFilter represents a significant new threat because it not only performs data exfiltration but can also render devices, including industrial control systems, completely inoperable. It can shut off compromised devices individually, or shut them all off simultaneously using a centralized trigger.
VPNFilter was first documented and shared this past May with the Cyber Threat Alliance (CTA), an organization co-founded by Fortinet and made up of leading security research teams. It is part of another line of IoT-targeted threats that we have been tracking over the past few years. In addition to targeting a growing number of IoT devices, compromising hundreds of thousands of routers and switches, it also targets SCADA/ICS environments by monitoring Modbus SCADA traffic and then exfiltrating website credentials that can be used to infiltrate critical infrastructure environments. Modbus is an open serial communications protocol developed for use with Programmable Logic Controller (PLC) devices in OT environments, and OT operators widely use it to connect different types of industrial electronic devices across a variety of networks.
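Because Modbus carries no authentication or encryption, anything that can see the traffic (a compromised router running VPNFilter, or equally a defender's network sensor) can read every request in the clear. The following is an added example, not code from the article or from any VPNFilter sample: a minimal parser for Modbus/TCP framing (the 7-byte MBAP header followed by the function code and data) with a defender-side audit that flags frames writing to coils or registers. The sample frames are constructed by hand; the function-code tables and the MBAP layout are the standard Modbus/TCP definitions.

```python
"""Added example: parse Modbus/TCP frames and flag write operations.

Assumes standard Modbus/TCP framing on TCP/502: MBAP header
(transaction id, protocol id, length, unit id) followed by the PDU
(function code + data). Sample frames below are constructed for illustration.
"""
import struct
from dataclasses import dataclass

# Function codes that change PLC state. They are visible in cleartext to any
# passive observer on the path, which is why write traffic deserves monitoring.
WRITE_FUNCTION_CODES = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes

    @property
    def is_write(self) -> bool:
        return self.function_code in WRITE_FUNCTION_CODES

    @property
    def is_exception(self) -> bool:
        # A response sets the high bit of the function code to signal an exception.
        return bool(self.function_code & 0x80)


def parse_modbus_tcp(raw: bytes) -> ModbusFrame:
    """Parse one Modbus/TCP frame; raise ValueError on malformed input."""
    if len(raw) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", raw[:7])
    if protocol_id != 0:
        raise ValueError(f"unexpected protocol id {protocol_id} (Modbus is 0)")
    # The MBAP length field counts the unit id plus the PDU, so a well-formed
    # frame is exactly 6 + length bytes long.
    if len(raw) != 6 + length:
        raise ValueError(f"length field {length} does not match frame size {len(raw)}")
    return ModbusFrame(transaction_id, unit_id, raw[7], raw[8:])


def describe_write(frame: ModbusFrame) -> str:
    """Summarise a write request; decodes address/value for the single-write codes."""
    if frame.function_code in (0x05, 0x06) and len(frame.data) >= 4:
        address, value = struct.unpack(">HH", frame.data[:4])
        return f"{WRITE_FUNCTION_CODES[frame.function_code]} addr={address} value=0x{value:04X}"
    return WRITE_FUNCTION_CODES.get(frame.function_code, f"function 0x{frame.function_code:02X}")


def audit_frames(frames: list) -> list:
    """Return one alert string per write request or malformed frame."""
    alerts = []
    for raw in frames:
        try:
            frame = parse_modbus_tcp(raw)
        except ValueError as exc:
            alerts.append(f"malformed frame: {exc}")
            continue
        if frame.is_write:
            alerts.append(f"tx {frame.transaction_id}: {describe_write(frame)} to unit {frame.unit_id}")
    return alerts


# Constructed sample traffic (not a real capture):
SAMPLE_FRAMES = [
    # tx 1: Read Holding Registers, unit 1, start 0, quantity 10 -> benign read
    b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a",
    # tx 2: Write Single Register, unit 1, address 16, value 0xFFFF -> flagged
    b"\x00\x02\x00\x00\x00\x06\x01\x06\x00\x10\xff\xff",
    # tx 3: length field claims 9 bytes but frame carries 12 -> malformed
    b"\x00\x03\x00\x00\x00\x09\x01\x03\x00\x00\x00\x0a",
]

if __name__ == "__main__":
    for alert in audit_frames(SAMPLE_FRAMES):
        print(alert)
```

In a real deployment the source IP of the capture, not the unit id, is the key to allow-list: write requests from any host that is not the engineering workstation or HMI are the signal worth alerting on.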
Like Hide ‘N Seek, VPNFilter can also perform a wide variety of compromises, including data exfiltration, command execution, file collection, and device management, and as mentioned previously, it can also render infected devices inoperable, enabling it to take a network or network segment offline with a single command.
Enhancing the Dark Web Economy through Automation
Adding automation to malware is critical if cybercriminals want to outperform today's network security tools. Criminal developers are also adding automation to the advanced services they offer on dark web marketplaces. Automation is also a critical step along the path toward applying machine learning, and eventually AI, to cyber attacks.
AutoSploit is a mass exploiter that automates the exploitation of remote hosts. It collects specific targets through advanced online search engines such as Shodan or Zoomeye that are designed to locate specific connected devices and includes the option to customize targets and host lists. The program allows a criminal to enter a platform-specific search query and it then generates a list of candidates. Once a hacker has selected the devices to attack, AutoSploit then leverages the Metasploit library of penetration tools to automatically match the targets with all related exploits. It then systematically fires those exploits at those devices until one of them breaks through. A successful breach is then reported back using a proxy and custom user agent to prevent tracing the traffic back to the operator.
Because it is open source, even individuals with limited technical skills can now run their cybercriminal enterprises by targeting and launching attacks through a nearly entirely automated system, exponentially increasing the opportunity to steal data or deliver ransomware successfully. The increased use of automation will continue to have a powerful impact on the ROI of current or future cybercriminal enterprises and will help drive a continuing and growing interest in its potential earning power. ROI is also a key driver of the ongoing development of swarm technology, helping to optimize business functions for cybercriminals through such things as agile development, distributed resources, decentralized C2, and autonomous adaptability through a combination of machine learning and specialized swarmbots functioning as a part of an integrated swarm community.
Because cybercriminal groups function as businesses, they make decisions about their use of, and investment in, resources the same way any legitimate enterprise does. The decision to buy, build, or reuse an existing exploit depends upon a financial model that assesses their current assets (such as human skillsets, tools such as pre-written exploits, and available infrastructure) along with their cash flow, and then weighs risk against ROI.
If, for example, they don’t have any new zero-day exploits available for a planned spearphishing attack, they may research and develop a new one. But it might be more cost-effective to simply buy one on the darknet. Given the growing complexity of both the networks cybercriminals are targeting and the malware required to compromise them, it is difficult for one criminal enterprise to excel at all parts of the attack chain. This is why cybercriminals today tend to specialize in specific areas, such as writing their own tools or managing data (which they can also resell), and then combine that specialty with what is already available on the open source market, buying or commissioning what is not.
Creating Swarm Networks
Tools like AutoSploit are another critical building block in enabling people to build the new generation of swarm networks. By inserting this automated functionality into a botnet of compromised devices, attacks will be able to function as part of a cooperative, integrated system. Automation is a tremendous cost-reduction tool for an attacker because it removes the overhead associated with using a human monitor who has to decide every step in an attack. Automating swarm networks is a significant step forward because using people to control large networks is extraordinarily inefficient in terms of response times, especially when the attack surface is a heterogeneous mix of different OS and device types that require separate mechanisms for launching an exploit, delivering a payload, exfiltrating data, and reacting to detection.
Using Blockchain for Command and Control
As organizations like the FBI and Interpol work harder to track and arrest cyber attackers, criminals are being forced to look for new ways to avoid detection, attribution, and capture. Bitcoin taught us it was possible to build systems that are deployed between multiple entities to conduct transactions without compromising the privacy of individual participants. This ability makes blockchain a desirable candidate for creating anonymous C2 systems. Until recently, however, this was just a theory. But now, security researcher Omer Zohar has successfully used blockchain technology to create a takedown-resistant command-and-control infrastructure for botnets built on top of the Ethereum network.
The biggest challenge of any botnet is maintaining communication with its controller. C2 communications are the weakest link in any botnet environment, exposing a bot herder to detection and takedown. An interesting development, therefore, is the integration of several elements into a single solution: 1) using automation to build swarms, 2) leveraging swarm intelligence for resource utilization, and 3) using Blockchain for a secure last point of contact/communication with an autonomous swarm to replace more vulnerable C2 solutions such as Fast Flux networks (a technique used by botnets to hide malware delivery sites) or P2P communications.
While most people only consider blockchains in terms of digital currencies, they can also be used to provide a wide range of functionalities. For example, secure blockchain communications are immune to data modifications, eavesdropping, MITM attacks, and replay attacks. They also ensure high availability, as the node is always able to find the C2 server. A blockchain is also highly scalable; it can support any number of implants and any load of transactions and is limited only by the overhead required to run the blockchain. Because only valid implants can connect, it can also prevent things like replays and honeypotting. One of the most critical advantages of blockchain technology is anonymity. Since it hinders law enforcement from gathering information on network operators, it represents a dangerous new challenge. And because there is no single point of failure, and the lack of a logic path prevents an adversarial takeover of the network, it is also takedown resistant.
However, there are also cost implications of using a blockchain. For example, as of August 11, 2018, the maximum block gas limit is 6,700,000, which means a node can only write 10,720 bytes in a transaction. And that transaction will cost $8.60, with an average completion time of 1733 seconds (or about 28 minutes)! This price also depends on how many blocks accept the current gas price, which is now only about 60% of them, so you might need to pay more. ("Gas" is a term used in Ethereum that refers to the computational resources an action requires, and it is used to calculate an appropriate fee.) While writing temporary data as a transaction that can then be used by attackers as a communication channel may initially be many times cheaper, that number will multiply as the number of implants in a botnet increases. From an attacker's perspective, there are also other issues to consider besides the cost of communication: Ethereum Virtual Machine (EVM) code will be publicly available on the blockchain (as well as any transaction data), which means others can easily decompile it. And attackers also need to include Ether tokens on the implants, which means that if someone compromises one of them, the attackers lose all of their money.
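The 10,720-byte figure follows directly from how Ethereum prices contract storage: at the time of the article, each new 32-byte storage word cost 20,000 gas, so a block gas limit of 6,700,000 allows 335 words. The following is an added example, not from the article or from Omer Zohar's research, that makes this cost model explicit so a defender can reason about how the channel's price scales with botnet size. The gas price (4 gwei) and ETH price ($321) are assumptions chosen because they reproduce the article's roughly $8.60 per full-block transaction; the 20,000-gas SSTORE cost is the EVM rate of that period.

```python
"""Added example: cost model for using Ethereum contract storage as a message channel.

Assumed parameters: SSTORE at 20,000 gas per new 32-byte word (EVM cost in 2018),
gas price 4 gwei and ETH at $321 (both assumed; they reproduce the article's ~$8.60).
The block gas limit of 6,700,000 is the article's own figure.
"""
from dataclasses import dataclass

GAS_PER_SSTORE_WORD = 20_000  # assumed EVM cost per newly written 32-byte storage slot
WORD_BYTES = 32
GWEI_IN_ETH = 1e-9            # 1 gwei = 1e-9 ETH


@dataclass(frozen=True)
class ChainParams:
    block_gas_limit: int   # article: 6,700,000
    gas_price_gwei: float  # assumed
    eth_usd: float         # assumed


# Parameters matching the article's date (block limit) plus the assumed prices.
ARTICLE_PARAMS = ChainParams(block_gas_limit=6_700_000, gas_price_gwei=4.0, eth_usd=321.0)


def max_bytes_per_tx(params: ChainParams) -> int:
    """Largest payload one transaction can store if it may consume a whole block."""
    words = params.block_gas_limit // GAS_PER_SSTORE_WORD
    return words * WORD_BYTES


def gas_for_payload(payload_len: int) -> int:
    """Gas needed to store payload_len bytes, rounding up to whole 32-byte words."""
    words = -(-payload_len // WORD_BYTES)  # ceiling division
    return words * GAS_PER_SSTORE_WORD


def usd_cost(gas: int, params: ChainParams) -> float:
    """Convert a gas amount into USD at the assumed gas and ETH prices."""
    return gas * params.gas_price_gwei * GWEI_IN_ETH * params.eth_usd


def full_block_tx_cost(params: ChainParams) -> float:
    """USD cost of one transaction that uses the entire block gas limit."""
    return usd_cost(params.block_gas_limit, params)


def campaign_cost(params: ChainParams, implants: int, msgs_per_implant: int, payload_len: int) -> float:
    """Total USD to push msgs_per_implant messages of payload_len bytes to each implant.

    This is the scaling the article warns about: per-message cost is small, but it is
    multiplied by the implant count and the message rate.
    """
    per_msg = usd_cost(gas_for_payload(payload_len), params)
    return per_msg * implants * msgs_per_implant


if __name__ == "__main__":
    p = ARTICLE_PARAMS
    print(f"max payload per tx: {max_bytes_per_tx(p)} bytes")
    print(f"full-block tx cost: ${full_block_tx_cost(p):.2f}")
    for n in (100, 10_000, 1_000_000):
        print(f"{n:>9} implants x 1 msg/day of 100 bytes: ${campaign_cost(p, n, 1, 100):,.2f}/day")
```

Running the model shows why the article expects this channel only in well-funded, targeted operations: a single 100-byte tasking to ten thousand implants already costs on the order of a thousand dollars, and the cost is public on-chain alongside the payload itself.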
Because the economic cost of disrupting a centralized botnet is very low from the defender’s perspective, as opposed to the cost to an attacker of developing and deploying a new botnet, cybercriminals have two options. The first is to lower the cost of developing botnets so they will not be penalized by continuous takedowns (as long as those botnets make a profit between subsequent takedowns). The other is to invest more money upfront in developing a more robust botnet (which will last longer and guarantee better profitability). Although the first option may seem easier, and therefore more likely, one needs to consider the amount of specialization that exists in the darknet market, which means it is highly likely that some group has already begun developing a decentralized botnet as a service. In the long run, that approach makes more sense logistically and economically, which is why we expect to see criminals use even more automated and decentralized technologies in massive botnet-based campaigns in the future.
Conversely, while the usage of blockchains for C2 and other services may hold many advantages for an attacker, due to its transparency and cost, we don't see criminals widely adopting it for commodity ransomware or generic malware. However, it remains a potential option for high-value targeted attacks performed by well-funded groups. For example, a criminal group that conducts ransomware campaigns (paid in bitcoins or similar cryptocurrency) or that distributes cryptomining malware might be willing to spend part of its crypto profits on their implants to run smart contracts.
What is certain is that we have to keep our minds open as to what is coming next. Attackers have always found creative ways to proliferate and will continue to do so in the future. But with careful tracking and analysis, and by understanding the underlying economic models cyber attackers rely on, we can continue to make educated predictions about the directions they are headed. And by doing so, we can proactively defend ourselves and our increasingly interconnected digital world from their criminal plans.