Largest Botnet Malware Highlights Need for Breach and Attack Simulation

There has been a significant increase in malicious attacks on company servers and networks this year. A report published by the Identify Theft Resource Center showed that data breaches reported in the United States from January to September 2021 have gone beyond the total number of reported breaches for the whole year of 2020. The increase has been pegged at 17 percent.

With three months left in 2021, the attacks have not slowed down. In fact, a recent incident reveals the extent of danger organizations face. Cybersecurity experts reported this month that the largest botnet that has been seen in the last six years has infected over 1.6 million different devices. The attack has been mostly concentrated in China. The ultimate goal of this particular botnet is to eventually mount distributed denial-of-service (DDoS) attacks. The secondary goal was to insert advertising into HTTP websites that will be visited by users.

The botnet, which was identified by the Qihoo 360 Netlab security team, was named “Pink” because many of the function names for the bot began with the word “pink.”

The Pink botnet is the kind of malicious code that can have potentially grave effects on an organization’s network. If left undetected it could wreak serious havoc on any business. The botnet and its potential for chaos highlight the fact that continuous monitoring of the system to ensure there are no vulnerabilities is extremely important.

This highlights the need for a security method like breach and attack simulation to help in mitigating the instances of a potential attack. A computer security testing method like BAS will simulate attacks on the system without compromising the integrity and security of the network. It will mimic the potential avenues of attack on the systems and use the same techniques used by malicious actors to attack networks.

The Pink botnet method

How does the Pink botnet potentially enter systems? Its main entry points of attack are primarily MIPS-based fiber routers. It uses a mix of third-party platforms like GitHub, P2P networks, and C2 servers to attempt to control the flow of communication. The nefarious part here is that it will also try to encrypt the transmission channels to thwart devices from being controlled.

An analysis was conducted after an unnamed vendor and the Computer Network Emergency Response Technical Team/Coordination Center or CNCERT/CC coordinated in detecting and fixing the botnet. The analysis showed that the botnet was quite devious.

Pink, in essence, would battle with the vendor in attempting to keep control of the infected devices. As the vendor attempts to solve the problem, the operator of the bot would know the actions taken by the vendor at the same time. The operator will then create various firmware updates on the infected routers. This method turns it into a race between vendors and the bot master – and for a situation like this, it would look like it is the bot master who has the upper hand.

The impact of Pink botnet

According to security companies, more than 96 percent of the zombie nodes were located within China. The botnet has been able to enter many devices and installed malicious programs that exploited zero-day vulnerabilities found on network gateway devices. While a large portion of infected equipment has been repaired, it is said that the Pink botnet still remains active and it is estimated that over 100,000 nodes are still infected. To date, over 100 DDoS attacks have been attributed to Pink and it shows how a botnet can be an extremely powerful tool in mounting cyber attacks on IT infrastructure.

The importance of BAS

The deployment of a botnet of Pink in the wild and how its own method of attack makes it hard to repair immediately highlights an age-old adage that can be applied to cybersecurity – prevention is always better than the cure.

A security method like Breach and Attack Simulation perfectly encapsulates this prevention-over-cure paradigm.

As mentioned above, BAS, as a security testing method, provides a continuous way of validating the security posture of any organization. By design, BAS will perform actions that will imitate the actual real threats that are found in the wild to ensure that the security controls within the organization are robust enough to catch and eliminate these actions. BAS uses the MITRE ATT&CK knowledgebase—a comprehensive compendium of all known cyberattack tactics and techniques being used by threat actors all over the world. Using this knowledge base means BAS will actually use the known actions of cybercriminals.

By implementing these controlled attack actions on the network, the cybersecurity team can determine any weaknesses present in the IT infrastructure, which they can then fix or repair depending on the severity of the weakness.

Cybersecurity teams benefit so much from implementing BAS because it is a more cost-effective and labor-efficient security solution. BAS actions are automated, which means there are fewer problems in terms of overhead costs. It can even be configured to run repeatedly or continuously, which ensures a level of security assessment that would be hard to do if it’s all done by humans. Automation also has another upside—less human intervention means the elimination of human error, which has been shown to be a major contributor to data breaches. In fact, a report showed that 90 percent of data breaches can be attributed to human mistakes and lapses.

Conclusion

The proliferation of cybersecurity attacks in the last year shows that cybercriminals are hard at work in trying to exploit organizations for their nefarious goals. The recently discovered Pink botnet that proliferated to hundreds of thousands of devices in China clearly illustrates this danger. While attacks and exploits are a very real problem, cybersecurity teams can mitigate, if not eliminate vulnerabilities within the organization by implementing strict security policies that are designed to prevent attacks before it happens. Breach and attack simulation is one of the most effective methods in ensuring that the organization’s security posture is strong and secure.