Botnets in 2019: current dangers and the harm they do to small and medium-sized businesses
Botnets have been written about on Habr many times, which is not surprising: they remain a significant threat that has not gone anywhere. In today's article we talk about which botnets are relevant in 2019 and what harm they can do to business, not to large corporations but to small and medium-sized companies.
Who is the threat aimed at?
According to Securelist, financial organizations and services are of greatest interest to botnet operators: they account for more than 70% of all attacks. These are online banking services, online stores, payment aggregators of various kinds, and so on.
Second place (only about 6% of all attacks) goes to social networks and large information sites, plus search engines and mail services. Here attackers try to capture as much of the user's personal data as possible for use in further attacks.
Third place, with approximately 5%, goes to sites offering various products and services that are not online stores; hosting providers and some other organizations fall into this category. Again, attackers are primarily interested in the victim's personal data.
Bot herders also point their systems at cryptocurrency services of all kinds, including exchanges, wallets, etc.
Attackers are, understandably, most interested in companies from wealthy countries, so it is mainly services and sites based in the USA, Great Britain, Canada, Europe and China that come under attack.
How does a botnet harm business?
Spam from company IP addresses
The IP addresses of a botnet's nodes need not be "tuned" for any complex attack; they can simply serve as a spam tool, and the more machines in the botnet, the more effective that tool is. If spam is sent from a company's infected devices, the company's public IP address automatically ends up on spam blocklists. Note that in a typical small office every workstation leaves through the same NAT address, so a single infected PC poisons the reputation of the whole company. After a while, all e-mail that employees send from local PCs will land in the spam folders of clients, partners and other contacts. Getting delisted is not simple, and the harm can be significant: imagine a deal falling through because important documents did not reach the right people on time.
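The practical first question after such an incident is "is our egress IP listed anywhere?". The check below is an added example for this article, not code from the original page: it builds the reversed-address query name that DNS-based blocklists (DNSBLs) use, asks the system resolver, and interprets the answer. The zones, the 127.0.0.x meanings for Spamhaus ZEN and the 127.255.255.0/24 error range reflect those lists' published conventions; the test IP 203.0.113.5 is a documentation address, and the resolver is injectable so the logic can be exercised offline.

```python
"""Is our public IP on a DNS-based blocklist (DNSBL)?

Added example, not code from the original article. Assumes the common DNSBL
convention: query <reversed-ip>.<zone>; an A record inside 127.0.0.0/8 means
"listed", NXDOMAIN means "not listed".
"""
import ipaddress
import socket
from typing import Callable, Dict, Optional, Sequence

DEFAULT_ZONES = ("zen.spamhaus.org", "bl.spamcop.net")

# Meaning of Spamhaus ZEN answers, per Spamhaus's published return-code table.
ZEN_CODES = {
    "127.0.0.2": "SBL (verified spam source)",
    "127.0.0.3": "SBL CSS (snowshoe spam / compromised host)",
    "127.0.0.4": "XBL (infected host, open proxy or bot)",
    "127.0.0.5": "XBL (infected host, open proxy or bot)",
    "127.0.0.6": "XBL (infected host, open proxy or bot)",
    "127.0.0.7": "XBL (infected host, open proxy or bot)",
    "127.0.0.9": "SBL (DROP/EDROP hijacked or cybercrime netblock)",
    "127.0.0.10": "PBL (ISP policy: dynamic / end-user range)",
    "127.0.0.11": "PBL (Spamhaus-maintained policy range)",
}

LISTED_NET = ipaddress.ip_network("127.0.0.0/8")
# Spamhaus answers in this range signal a query problem (open resolver,
# rate limit, typo), NOT a listing; treat them as errors.
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")

Resolver = Callable[[str], Optional[str]]


def dnsbl_name(ip: str, zone: str) -> str:
    """Build the lookup name: octets reversed for IPv4, nibbles reversed for IPv6."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        # IPv6 lists use the same nibble layout as ip6.arpa.
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


def dns_resolver(name: str) -> Optional[str]:
    """Real lookup via the system resolver. None when there is no A record.

    Caveat: gethostbyname cannot tell NXDOMAIN from a resolver failure; a
    production tool should use a DNS library and distinguish the two.
    """
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_ip(ip: str, zones: Sequence[str] = DEFAULT_ZONES,
             resolve: Resolver = dns_resolver) -> Dict[str, Optional[str]]:
    """Return {zone: None | 'listed: ...' | 'error: ...' | 'unexpected: ...'}."""
    results: Dict[str, Optional[str]] = {}
    for zone in zones:
        answer = resolve(dnsbl_name(ip, zone))
        if answer is None:
            results[zone] = None  # not listed in this zone
            continue
        a = ipaddress.ip_address(answer)
        if a in ERROR_NET:
            results[zone] = f"error: {answer} (query refused or rate-limited)"
        elif a in LISTED_NET:
            detail = ZEN_CODES.get(answer, answer) if zone == "zen.spamhaus.org" else answer
            results[zone] = f"listed: {detail}"
        else:
            results[zone] = f"unexpected: {answer}"  # e.g. a wildcard DNS hijack
    return results


def is_listed(results: Dict[str, Optional[str]]) -> bool:
    """True if any zone reported a genuine listing (errors do not count)."""
    return any(v is not None and v.startswith("listed") for v in results.values())


if __name__ == "__main__":
    # Replace with your real egress address; 203.0.113.5 is a documentation IP.
    res = check_ip("203.0.113.5")
    for zone, verdict in res.items():
        print(f"{zone}: {verdict or 'not listed'}")
    print("LISTED" if is_listed(res) else "clean")
```

Run it from a host whose DNS goes through your own resolver rather than a public one (Spamhaus in particular answers queries from large public resolvers with an error code instead of a listing). An XBL hit on your office address is strong evidence that something inside is sending spam directly, which is a reason to block outbound port 25 for everything except the mail server.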
DDoS from company IP addresses
Much the same as in the case above, except that this time the botnet uses the company's infected computers to conduct DDoS attacks. The IP addresses seen taking part in this "dark business" end up on blocklists at various providers and are blocked. Afterwards, employees of the affected company will have difficulty reaching certain resources: their requests are dropped by providers of various sizes.
In serious cases the connectivity provider may cut the company's network access off altogether. And the lack of Internet, even for a few hours, is a serious problem for a business.
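Both of the scenarios above (spam from company addresses, and DDoS participation from company addresses) leave the same trace on the company's own firewall: one internal host opening far more outbound connections than its role justifies. The detector below is an added example for this article, not code from the original page. It assumes a simple key=value connection-log export (the format and the sample lines are constructed here; adapt the regular expression to your firewall's real export) and thresholds you would tune to your own network. It also handles the edge case the spam rule must respect: the company's legitimate mail relay talks SMTP to many remote hosts and must be allowlisted rather than flagged.

```python
"""Spot corporate hosts behaving like botnet nodes in outbound connection logs.

Added example, not code from the original article. Log format, sample data
and thresholds are constructed assumptions for illustration.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, Iterator, List, Set, Tuple

# Assumed export format: "<ts> action=allow src=<ip> dst=<ip> dport=<port>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) action=allow src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+)$"
)


def make_sample_log() -> List[str]:
    """Constructed sample: one hour of outbound traffic from a small office."""
    lines: List[str] = []
    # Normal workstation: a handful of HTTPS sessions to a few sites.
    for i in range(30):
        lines.append(f"2019-04-02T10:{i:02d}:00Z action=allow src=10.0.0.5 "
                     f"dst=198.51.100.{i % 4 + 1} dport=443")
    # Legitimate mail relay: SMTP to many remote MX hosts is its job.
    for i in range(30):
        lines.append(f"2019-04-02T10:{i:02d}:10Z action=allow src=10.0.0.2 "
                     f"dst=192.0.2.{i + 1} dport=25")
    # Spam bot on a workstation: direct-to-MX delivery to many distinct hosts.
    for i in range(25):
        lines.append(f"2019-04-02T10:{i:02d}:20Z action=allow src=10.0.0.23 "
                     f"dst=192.0.2.{i + 100} dport=25")
    # DDoS bot: hammering a single target.
    for i in range(300):
        lines.append(f"2019-04-02T10:{i // 5:02d}:{i % 5 * 10:02d}Z action=allow "
                     f"src=10.0.0.42 dst=203.0.113.80 dport=80")
    # A denied / malformed line that the parser must skip, not crash on.
    lines.append("2019-04-02T10:59:59Z action=deny src=10.0.0.9 dst=- dport=-")
    return lines


def parse(lines: Iterable[str]) -> Iterator[Tuple[str, str, int]]:
    """Yield (src, dst, dport) for each allowed connection; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.group("src"), m.group("dst"), int(m.group("dport"))


def find_bot_like_hosts(lines: Iterable[str],
                        mail_relays: Set[str] = frozenset(),
                        smtp_peer_threshold: int = 20,
                        flood_threshold: int = 200) -> Dict[str, List[str]]:
    """Return {internal host: [reasons]} for hosts that look like bots.

    Rule 1 (spam): a non-relay host talking SMTP to >= smtp_peer_threshold
    distinct destinations; workstations should never do direct-to-MX delivery.
    Rule 2 (flood): >= flood_threshold connections from one host to one
    (dst, port) inside the analysed window, typical of DDoS participation.
    """
    smtp_peers: Dict[str, Set[str]] = defaultdict(set)
    per_target: Counter = Counter()
    for src, dst, dport in parse(lines):
        if dport == 25 and src not in mail_relays:
            smtp_peers[src].add(dst)
        per_target[(src, dst, dport)] += 1

    findings: Dict[str, List[str]] = defaultdict(list)
    for src, peers in smtp_peers.items():
        if len(peers) >= smtp_peer_threshold:
            findings[src].append(f"spam-like: SMTP to {len(peers)} distinct hosts")
    for (src, dst, dport), n in per_target.items():
        if n >= flood_threshold:
            findings[src].append(f"flood-like: {n} connections to {dst}:{dport}")
    return dict(findings)


if __name__ == "__main__":
    hits = find_bot_like_hosts(make_sample_log(), mail_relays={"10.0.0.2"})
    for host, reasons in hits.items():
        print(f"{host}: " + "; ".join(reasons))
```

The window matters: run this over fixed slices (an hour of logs, as in the sample) so that a day of normal browsing does not accumulate into a false "flood". A host that trips the spam rule is worth isolating immediately, because every minute it keeps sending pushes the company's shared egress address further into the blocklists described above.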
Direct DDoS attack on a company
A large number of botnets are built specifically for DDoS attacks. Their capacity is now very high, so an average botnet can completely take down the services and sites of an ordinary company, and that is a very expensive pleasure. According to experts, such a direct attack can cost a business from $20,000 to $100,000 per hour.
Even if the attacked company's services keep working, they work much more slowly than usual, which brings both direct and indirect losses. And even a weak DDoS attack that did not affect the company's operations can leave "dirty logs": analysing traffic to the company's services becomes impossible because of the huge number of third-party IP addresses, and Google Analytics becomes useless in such cases.
Theft of important information
Today's botnets are multifunctional and consist of a large number of modules. At the click of a finger, a botnet operator can turn a "sleeping" botnet into a corporate data thief (customer data, access to internal resources, access to the online banking system, etc.). This is a far more sensitive threat to a business than spam or DDoS.
A botnet can steal data in many ways, including one as common as keylogging. A keylogger can be "tuned", for example, for PayPal and activated only when the user tries to log in to their account.
Proxies for attacks
A botnet can turn corporate machines into proxies that serve as a "transit point" for attacks. Here things are much worse than with spam or DDoS: if the attack was serious and caused someone harm, the company may find itself under close attention from law enforcement agencies.
Consumption of computing resources
An active botnet may require significant computing resources. That is, corporate machines are used by cybercriminals, with the corresponding consumption of energy and processor time. If a company whose computers are infected runs resource-intensive workloads, this can affect the efficiency of its work processes. One example is mining: a botnet can be activated as a miner, and the infected PCs then give a significant part of their computing power to the attackers' coin mining.
All of this can ultimately affect the company's reputation, because an organization whose IP addresses have been seen in "dark dealings" is in a difficult situation, and bringing everything back to square one may not be so simple.
How to calculate losses?
It is better, of course, if there are no losses at all. But if a botnet problem has occurred, the current and future costs required to eliminate it can be estimated using the approach below: sum all the cost items and you get the total amount.
According to the Ponemon Institute, in difficult situations when a company stops operating, the losses can be huge, amounting to thousands of dollars per minute, and for large companies hundreds of thousands. For small and medium-sized businesses the total loss is not as large as for corporations, but for the company itself even a couple of thousand dollars can be an unaffordable luxury if we are talking about a small organization.
There are a great many botnets, both small and large-scale, with millions of nodes in their networks. As an example, here are those that were most active in 2018 (and they have not gone anywhere today).
The number of attacks committed by this botnet is more than 13% of all unique attacks in 2018. The malware was active in 42 countries; its creators were most interested in financial services, social networks and large portals.
Almost as active a botnet as the previous one: 12.85% of all unique attacks were committed with its help. It was active in 65 countries and attacked financial and cryptocurrency services.
This botnet accounted for 9.84% of all unique attacks. It was active in 33 countries and attacked financial and cryptocurrency services.
Among successful botnets, SpyEye and Ramnit are also worth mentioning.
Standing apart is the giant Mirai botnet, which at one time caused damage in the hundreds of millions of US dollars. A new version of the botnet is already active and working, gradually infecting new devices around the world.
How to protect yourself from a botnet?
In principle, the protection methods are no different from those used to keep any malware off computers. First of all this is personal "IT hygiene": users need to be aware that clicking links in e-mail messages, opening files sent by known and unknown contacts, and clicking banners like "your PC is infected and needs to be cleaned" can all infect not only personal but also corporate equipment.
Companies need to run regular information security training for employees, with demonstrations of real cases. People should understand that following a link with funny cats that a personal contact sent can threaten the business. The weakest link in the business information security chain is a person, not software or hardware.
But hardware and software protection must be in place too: software antivirus, firewalls, or "iron" firewalls like the ZyWALL ATP500, which provide Multi-Layer Protection. Such systems help block not only known but also unknown (zero-day) threats, and mitigate mid-level DDoS. One caveat applies to any on-premises appliance: it cannot absorb a volumetric attack that saturates the company's uplink, and for that class of attack you need filtering further upstream at the provider or a scrubbing service. Depending on the size of the enterprise network and its budget, you can use the Zyxel ATP200, ATP500 or ATP800 models.
Any company whose work depends heavily on computers and software, including cloud services, should have a detailed information security strategy. And this is not just a piece of paper that hangs next to the evacuation plan. Developing the strategy means that the proposed measures are tested "in the field", and that training sessions and workshops are held with employees. All of this will not eliminate, but will significantly reduce, the information threats that are dangerous to the company's business.