Zachary Amos, Features Editor of ReHack Magazine tackles botnet attacks in this insight on cybersecurity, with recommendations on how to respond
While the Internet of Things (IoT) network of devices makes lives easier through automation and monitoring, it also leaves information vulnerable to attack.
A botnet attack infects many devices with malware, connects them to a server that the bot herder uses to control them, and attacks by accessing accounts, sending spam and more. Understanding recent attacks, how they spread and their tactics is key to knowing how to respond.
Recent IoT botnet attacks
Several recent botnet attacks have made headlines for their level of disruption.
- Mirai: Mirai performs large DDoS attacks and typically infects routers and cameras. Mirai has caused widespread outages affecting millions
- Muhstik: Muhstick is a variant of Mirai. It has adapted to include crypto jacking in its line of attacks
- EternalBot: EternalBot steals data by launching DDoS and cryptojacking attacks. It’s advanced and hard to detect, making it particularly dangerous
- Gh0st RAT: Gh0st RAT is a remote access trojan (RAT). Signs of a RAT infection include unfamiliar files or programs, website redirects or unresponsiveness, and unauthorised webcam use. Gh0st RAT is often used to attack organisations, making it standard for cyber espionage
- DarkNexus: DarkNexus has launched multiple large-scale attacks, most of which target online retailers and gaming servers. Its ability to adapt to security measures makes it a significant threat
- Gafgyt: Gafgyt is similar to Mirai. Bot herders often use it for cryptojacking and DDoS attacks
How IoT botnets spread
Studies have shown that 70% of IoT devices are vulnerable to attack. Bot herders take over these machines and gather them together as a botnet. There are three primary phases to botnet spread.
Firstly, bot herders search for vulnerabilities in an internet user’s behaviour. The vulnerability could be in an application, software or website — anywhere the attacker sees an opportunity to take over by infecting a device.
Secondly, the device is infected. The bot herder now controls it and can launch the attack. Passive attacks happen without any action on the part of the human user, and active attacks occur after someone has performed an action, like downloading an attachment or clicking a link.
Lastly, the attacker ensures they can control the botnet via the command-and-control server (C&C). The C&C server allows the attack to remotely manage the infected devices that make up the botnet.
Types of IoT botnet attacks
There are several types of botnet attacks.
- Account takeover: the botnet usually performs this attack via brute force by testing login credentials until it finds the right one, allowing it to access and take over an account. This means a botnet can gain sensitive data
- Distributed denial of service (DDoS): zombie devices overwhelm their target server with requests or excessive traffic, causing it to crash or slow down. DDoS attacks are common and can be long-lasting. They often take down websites or online services
- Spam and phishing: these techniques grow the botnet by allowing it to infect more devices. The botnet takes on the persona of individuals or organisations the victim trusts and then sends emails to get sensitive data — like login credentials — which usually leads to account takeover
- Deepfakes: today, botnets use counterfeit audio and video to impersonate individuals. These advanced attacks are expected to escalate in 2025, particularly on social media
- Device bricking: this attack aims to make a device useless. The botnet infects it with malware, deleting critical files or corrupting software. Once a machine is no longer functional, hackers often delete all evidence of infection
- Cryptojacking: this attack has grown as cryptocurrency becomes more popular. After zombifying devices, the bot herder uses the machines’ resources to mine cryptocurrency, giving the attacker free money while harming the health of the zombified devices and network
How to respond to IoT botnet spread
Many sophisticated botnets are rapidly learning how to circumvent security measures. Prevention is key to keeping systems safe from attack. Here are some key methods.
- Education: educating individuals or employees on botnet attacks and defensive tactics is critical since phishing is often carried out via human error. Botnets can amass thousands of bots to send massive amounts of emails. The National Cyber Security Centre is getting the word out about a botnet consisting of over 260,000 compromised devices worldwide
- Safe device onboarding: any new device should be evaluated before connecting to a network. Organisations should create security standards to ensure security
- Traffic monitoring: monitoring tools can look at network traffic and spot odd patterns. Catching threats before they become full attacks is critical for preventing botnet spread
- Advanced cybersecurity tools: cybersecurity solutions that provide network segmentation, intrusion alerts and DDoS security can prevent advanced attacks
- Regular software updates: applications, software and operating systems should be updated whenever updates are available. Regularly updating can limit vulnerabilities
- Strong login credentials: regularly changing login credentials and using strong, unique passwords can ward off botnet attacks. Multifactor authentication is a great tool for strengthening security
- Access management: limiting access to an organisation’s devices makes a system less open to attack. Ensuring only essential personnel can use vital systems and regularly monitoring them can prevent botnet attacks
Understanding reactionary measures helps victims respond to botnet attacks quickly.
Individuals or organisations should regain control quickly by identifying and recovering corrupted devices. Disabling access to the central server will cut off the botnet’s control and mitigate the damage.
The victim can use cybersecurity tools to scan for malware infection. Sometimes, reinstalling software can weaken or eliminate the threat. Full factory resets can help address persistent issues.
Protecting against IoT botnet spread
As botnets become increasingly advanced, it is essential to decrease vulnerabilities whenever possible. Individuals and businesses can benefit from being aware of how botnet spread works and how to respond to it. Protecting against attacks requires vigilance, but preventive measures lead to greater security for everyone.
Zac Amos is a freelance tech writer who specialises in IoT, cybersecurity, and automation. He is also the Features Editor at ReHack Magazine. Follow him on LinkedIn.
There’s plenty of other editorial on our sister site, Electronic Specifier! Or you can always join in the conversation by commenting below or visiting our LinkedIn page.