December 7, 2021–the Google Threat Analysis Group (TAG) announced that it has identified and temporarily disrupted the Glupteba botnet responsible for infecting an estimated 1 million computers and IoT devices.
This temporary disruption seems to have slightly impacted the botnet’s operation, but currently, the network is still operational.
Many of us may hear about botnets in the news or our compliance meetings… but what is a botnet? Here, we will cover the topic briefly and discuss the implications of Google’s move against this particular threat actor.
What Is a Botnet?
When malicious software like malware infects a computer, it often does so without the user knowing. Instead of destabilizing the system or deleting files, the software burrows into the system and manipulates it over time so that a remote operator can use it for other nefarious means.
This kind of attack isn’t strange to us. The recent attack on the SolarWinds Orion software shows how Advanced Persistent Threats (APTs) can find their way into a given system for months or years, stealing data and accessing remote systems. However, in the case of a botnet, the software doesn’t hijack the system to steam information (or, at least, not necessarily so). Instead, the malware seeks to control the computer to be used in tandem with other infected computers as a large, distributed threat actor.
How does this bot network (botnet) work? Malware-infected computers, called “zombies,” are infected with malware that takes control of critical resources and sends data to a centralized operational server or set of servers or peer-to-peer (P2P) control structures, called a “bot herder.” The herder sends commands to the infected computers to drive what they do.
Since the controller manages hundreds of thousands, if not millions, of computers, that controller can accomplish impressive computational feats that aren’t normally within the range of a handful of devices. These purposes include:
- Sabotage: Botnets can be used to send overwhelming volumes of network traffic to servers in Distributed Denial-of-Service (DDoS) attacks that can shut down websites or other online services.
- Cryptocurrency Mining: Mining is a computationally-intensive process that miners use entire data centers to deploy. Hackers can install cryptocurrency mining tools on zombie computers and harness the collective processing power to mine currency.
- Rental and Sale of Botnet: More modern hacking groups have turned to models like Botnets-as-a-Service, where users can rent or buy access to botnets to steal information or launch their own attacks. These botnets can go for millions of dollars.
- Theft: While most botnet operators don’t destroy systems as they are infected, they can sit on these networks to steal financial information and, if possible, gain access to sensitive systems.
What’s important to note is that many devices can be infected. Windows machines, Mac devices, smartphones, IoT devices… each have potential vectors for infection. Additionally, these attacks can come from several different angles, including:
- Infected Attachments in Emails: This safety concern has been around almost as long as the Internet. Users who receive email attachments from unknown sources and then execute those attachments always run the risk of infection. Phishing attacks are almost always a threat and one of the primary attack vectors.
- Software Bundles: Many hackers will take well-known software and offer it, either legally or not, bundled with malware and other malicious programs. These honeypots may not signal any infection but will allow users to use whatever software they think they are getting, unknowingly placing their computer under remote control.
- Compromised Web Pages: Modern attacks through malicious websites are increasingly common. These websites can use malicious code to execute within a website browser, infecting a computer.
Once established in a device, these malware programs can propagate into connected devices and operate undetected.
What is the Glupteba Botnet?
According to Google, they had been tracing the operations of the Glupteba botnet for years before launching countermeasures. These included disabling associated Google accounts, taking down botnet servers, identifying the botnet’s alleged owner/operators, and filing lawsuits against them.
Russian in origin, the Glupteba botnet was unique in several ways, including the following demonstrated capabilities:
- Blockchain Failsafes: While there were central control servers in operation, Glupteba also had several failsafe command mechanisms embedded in the Bitcoin blockchain if those servers were ever to go offline.
- Sale of Google Accounts Through Don’t.farm: Instead of selling Google accounts directly, the Glupteba group would sell access to open account interfaces through a service called Don’t.farm. This allowed malicious users to access the accounts on a VM to launch ad campaigns without disclosing their location.
As of this writing, Google has announced that it has removed 1,183 Google accounts, 908 Google cloud projects, 870 Google Ad accounts and 63 million Google Docs associated with the botnet.
How Do Botnets Affect Compliance?
It goes without saying that botnets threaten organizations, especially those focusing on cybersecurity and compliance. Embedded malware is a huge problem, and the infection and continued control of a device will almost inevitably threaten the security of protected data. Furthermore, every framework has control requirements to protect data against malware attacks.
Beyond the immediate problems these botnets present, a larger issue is the continued presence of distributed control systems in these computers. As a malware attack continues unabated for years, and as sensitive systems become interconnected with a larger hacker network, the risk to other compliant systems increases.
Finally, modern infrastructure (often under the umbrella of industry-specific compliance regulations) is increasingly vulnerable to these attacks. Healthcare, for example, is under constant threat of attack due to the value of patient healthcare information and information systems. Furthermore, healthcare providers, particularly large hospitals, are increasingly turning to smart devices and IoT networks to power healthcare equipment, patient services and even simple logistical operations like maintenance.
Botnets call for organizations to maintain strict malware protections across their entire organization and IT system and buckle down on continuous monitoring and maintenance, vulnerability scanning, and extensive penetration testing.
Continuum GRC: Automating Security and Compliance
Organizations do not have to face down security threats on their own. Continuum GRC provides an automated platform to support streamlined, accurate and effective auditing tools that can reduce audits that can take weeks or months to complete to mere days.
By making audits and compliance assessments simpler, we can focus more concretely on supporting your security and assessment goals so that you can successfully address malware and botnet attacks in real-time.
Are You Ready to Streamline Compliance?
Call Continuum GRC at 1-888-896-6207 or complete the form below.