Botnets are a crucial element in the malicious concoctions of cyber adversaries. Multiple threat actors are using those to their advantage.
What’s going on?
Various threat actors are on the lookout for exposed Environment (ENV) files that have been accidentally uploaded, and it is suspected that botnets are scanning these files for stored credentials. No, this is not a recent trend; attackers have been on it for the past 2-3 years. ENV files are used to store database logins, API tokens, and passwords, among other environment variables. Thus, it is imperative to store them in protected folders.
What does this imply?
With access to private API keys, threat actors can exploit the software. Over the past 3 years, 2,800 different IP addresses have been scanned for ENV files and over the past month, more than 1,100 active scanners have been discovered. Attackers download these files, extract sensitive data, and breach an organization’s backend infrastructure. The ultimate goal ranges from intellectual property theft to ransomware attacks, from stealing business secrets to installing crypto-mining malware.
Other notable botnet mentions
- The fairly new Moobot has been discovered to exploit a zero-day vulnerability associated with UNIX CCTV DVR.
- A spear-phishing campaign was unveiled this month that aimed to deliver the Bazar and Buer payloads via TrickBot. The campaign leveraged fake employment termination claims, among other compelling tactics.
- The Gitpaste-12 botnet has been discovered to abuse 12 known vulnerabilities. Moreover, the botnet can mine for Monero cryptocurrency and propagate across various machines.
Some statistics your way
- As per the Q3 Threat Landscape Report by Nuspire, a total of 1,519,869 botnet incidents were detected, with 18,093 infections per day.
- Moreover, 46 unique botnets were discovered.
- Although Mirai fell down from the top 5 botnets in Q3, Andromeda and H-Worm have made their way to the top 5.
The bottom line
The botnet landscape is steadily evolving, with cybercriminals finding a new use for them on a regular basis. Botnet activity is dynamic and thus, there is no one-time solution for it. Hence, security teams are recommended to generate better defenses to stay ahead of this pernicious threat.