Open source and botnets: we're not in Kansas anymore, Toto

Johannesburg, 24 Apr 2019
Read time 4min 20sec
Photo by Madeleine Ragsdale.

When it comes to the global threat landscape, the second half of 2018 revealed the equivalent of cyber attacks on steroids.

The NETSCOUT Threat Intelligence Report 2018 reported that attackers had bulked up existing tactics, rapidly evolved new performance enhancements, and applied smart business techniques to vastly accelerate the attack growth rate.

This is according to Bryan Hamman, territory manager for sub-Saharan Africa at NETSCOUT Arbor, which is distributed in sub-Saharan Africa by Networks Unlimited Africa. Hamman goes on to say it was interesting to note that Internet of things (IOT) devices were attacked, on average, within five minutes of being plugged into the Internet.

"Also interesting to learn was that malware authors are not only building more advanced devices, but are applying lessons learnt from IOT botnet manipulation efforts to target new areas, like commodity Linux servers, using malware like Mirai," he says. "As a result, an ongoing battle is being waged to leverage insecure Linux-based IOT devices."

In a recently released blog article, Tom Bienkowski says that, without question, open source software has been a boon to developers everywhere.

"Once viewed as a kind of anarchy in the commercial software world, its early proponents have long since been vindicated, as open source gained mainstream respectability on the strength of popular platforms like Linux, Apache and Firefox. Commercial developers have widely embraced open source components for their flexibility, cost savings and the support of the vast open source community.

"As with so many technology success stories, however, there's a dark side to open source as well. The core principle of open source is that it is made freely available to anyone for any purpose, in most cases with wholly benign intentions. But, not always."

Hamman says by the end of 2017, around 27 billion IOT devices had been connected, and it is this rush to connect everything and unlock the power of collected data that has seen security become a bit of an afterthought.

"This means our IOT devices have become incredibly vulnerable and, naturally, cyber criminals are taking advantage," he says.

According to Bienkowski, hackers use automated, worm-like malware built around the open source Mirai code, which can quickly commandeer hundreds of devices into IOT botnets and use them to launch attacks both within and outside the hosting organisation.

He says leveraging and modifying open source malware is not new, nor is it limited to Mirai.

"One cited example is when the VPNFilter IOT malware (borrowed from the Black Energy malware, also attributed to Russian hackers) took things to a new level by infecting 500 000 routers across 54 countries in September last year," says Hamman. "The goal of the VPNFilter malware is not to simply use the compromised IOT device to launch a DDOS attack, but also to deploy multiple third stage operations after the initial infection.

"One of the ways it does this is by conducting a 'man-in-the-middle' attack, sniffing network data on a network connected to the infected device and gathering credentials, supervisory control and data.

"The data is then encrypted and exfiltrated via the Tor network, which can also serve as a relay point to hide the origin of the attacks."

Bienkowski says that as IOT devices continue to multiply, we should expect IOT botnets to flourish, becoming weaponised and spreading like a gruesome mould. Ultimately, they'll be used not only by run-of-the-mill hacktivists, but also by well-organised nation-state APT groups.

He advises the following:

1. At a minimum, it is critical for operators of IOT networks to establish policies and follow best practices around patches and updates to seal off the most basic device vulnerabilities.

2. Beyond that, security professionals need to have pervasive visibility into all corners of their networks and deploy multi-layered DDOS defences capable of detecting and thwarting both stealthy and brute-force attacks.

3. Teams should also have a global threat intelligence resource to better understand the IOT botnet phenomenon and recognise the characteristics of a campaign taking shape.
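As an added illustration of point 3 (recognising a campaign taking shape), and not code from the article or from NETSCOUT: the script below scans a telnet honeypot log for the pattern that Mirai-derived scanners produce, a burst of login attempts with factory-default credentials from one source, and reports each source that fits, including whether one of the defaults actually succeeded. The log format, the sample lines, the IP addresses and the thresholds are assumptions constructed for the example; the credential pairs are a few of the defaults hard-coded in the leaked Mirai scanner source.

```python
"""Flag Mirai-style default-credential scanning in a telnet honeypot log.

Added example, not code from the article or from NETSCOUT. The log format,
the sample lines and the thresholds are constructed for this illustration;
the credential pairs are a subset of the defaults in the leaked Mirai source.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# A few of the default user/password pairs Mirai's scanner tries over telnet.
MIRAI_DEFAULTS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "default"),
    ("support", "support"), ("user", "user"),
}

# Constructed sample log. Assumed line format (one event per line):
#   <ISO time> telnetd: login <ok|failed> user=<u> pass=<p> from=<ip>
# 198.51.100.7 behaves like a Mirai scanner, 203.0.113.9 like an operator
# who mistyped once, and 192.0.2.44 like a slow scanner outside the window.
SAMPLE_LOG = """\
2019-04-24T10:00:03 telnetd: login failed user=root pass=xc3511 from=198.51.100.7
2019-04-24T10:00:09 telnetd: login failed user=root pass=vizxv from=198.51.100.7
2019-04-24T10:00:15 telnetd: login failed user=admin pass=admin from=198.51.100.7
2019-04-24T10:00:21 telnetd: login failed user=root pass=admin from=198.51.100.7
2019-04-24T10:00:27 telnetd: login failed user=support pass=support from=198.51.100.7
2019-04-24T10:00:33 telnetd: login ok user=root pass=default from=198.51.100.7
2019-04-24T10:01:10 telnetd: login failed user=operator pass=Sp1ngP4ss! from=203.0.113.9
2019-04-24T10:09:42 telnetd: login ok user=operator pass=Spr1ngP4ss! from=203.0.113.9
2019-04-24T10:00:00 telnetd: login failed user=root pass=xc3511 from=192.0.2.44
2019-04-24T10:04:00 telnetd: login failed user=root pass=vizxv from=192.0.2.44
2019-04-24T10:08:00 telnetd: login failed user=admin pass=admin from=192.0.2.44
2019-04-24T10:12:00 telnetd: login failed user=root pass=admin from=192.0.2.44
2019-04-24T10:16:00 telnetd: login failed user=user pass=user from=192.0.2.44
"""


def parse_line(line):
    """Parse one log line into an event dict; return None for lines that do not match."""
    parts = line.split()
    if len(parts) != 7 or parts[1] != "telnetd:" or parts[2] != "login":
        return None
    try:
        fields = dict(p.split("=", 1) for p in parts[4:])
    except ValueError:  # a field without '=' is not ours
        return None
    if not {"user", "pass", "from"} <= fields.keys():
        return None
    return {
        "time": datetime.fromisoformat(parts[0]),
        "ok": parts[3] == "ok",
        "cred": (fields["user"], fields["pass"]),
        "src": fields["from"],
    }


def detect_campaigns(log_text, window_minutes=5, min_attempts=5, min_default_hits=3):
    """Return one finding per source that made at least `min_attempts` login
    attempts inside any `window_minutes` span, with at least `min_default_hits`
    of them using a known Mirai default pair. Thresholds are illustrative."""
    window = timedelta(minutes=window_minutes)
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event:
            by_src[event["src"]].append(event)

    findings = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["time"])
        for i, start in enumerate(events):  # slide a window over each source's attempts
            burst = [e for e in events[i:] if e["time"] - start["time"] <= window]
            defaults = [e for e in burst if e["cred"] in MIRAI_DEFAULTS]
            if len(burst) >= min_attempts and len(defaults) >= min_default_hits:
                findings.append({
                    "src": src,
                    "attempts": len(burst),
                    "default_hits": len(defaults),
                    "first": burst[0]["time"],
                    "last": burst[-1]["time"],
                    # defaults that produced a successful login: the device is owned
                    "compromised_with": sorted(e["cred"] for e in defaults if e["ok"]),
                })
                break  # one alert per source is enough
    return findings


if __name__ == "__main__":
    for f in detect_campaigns(SAMPLE_LOG):
        print(f"{f['src']}: {f['attempts']} attempts, {f['default_hits']} default pairs "
              f"between {f['first'].time()} and {f['last'].time()}; "
              f"successful defaults: {f['compromised_with'] or 'none'}")
```

Run as-is it reports only 198.51.100.7, which logged in with root/default after five failures in thirty seconds; the slow scanner at 192.0.2.44 only trips the rule if the window is widened to cover its sixteen-minute spread, which is the trade-off between catching patient scanners and paging on ordinary mistyped passwords.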

"We all remember the good old days when open source and Apple were seemingly safe, secure from almost all hacking attempts," says Hamman. "Back then, we didn't have billions of connected devices, nor were we exposed to as many smart, adaptable and evolutionary hackers. As with most things security related, vigilance, a constant monitoring of our own adaptability and agility, and a steadfast approach to defending our systems are essential to protecting against the growing IOT botnet threat."

For more information about NETSCOUT Arbor in Africa, please contact Bryan Hamman at


NETSCOUT Arbor, the security division of NETSCOUT, helps secure the world's largest enterprise and service provider networks from DDOS attacks and advanced threats. NETSCOUT Arbor is the world's leading provider of DDOS protection in the enterprise, carrier and mobile market segments, according to Infonetics Research. NETSCOUT Arbor's advanced threat solutions deliver complete network visibility through a combination of packet capture and NetFlow technology, enabling the rapid detection and mitigation of malware and malicious insiders. NETSCOUT Arbor also delivers market-leading analytics for dynamic incident response, historical analysis, visualisation and forensics. NETSCOUT Arbor strives to be a "force multiplier", making network and security teams the experts. NETSCOUT Arbor's goal is to provide a richer picture into networks and more security context so customers can solve problems faster and reduce the risks to their business.

To learn more about NETSCOUT Arbor products and services, please follow the company on Twitter @ArborNetworks. Arbor's research, analysis and insight, together with data from the ATLAS global threat intelligence system, can be found at the ATLAS Threat Portal.

Editorial contacts
icomm Vivienne Fouche (+27) 082 602 1635
Networks Unlimited Shonisani Mudau (+27) 011 202 8400