Inside the hackers’ supermarket: Botnets for hire and DDoS-as-a-service

In this first in a series exploring the cybercrime tools for sale or hire on the Dark Web, we take a look at how easy it is to rent a botnet and launch a DDoS attack and the growing threat from botnets using compromised internet of things (IoT) devices.

By Andy McCue

Thu 20 Apr 2017 @ 16:12

When a distributed denial-of-service (DDoS) attack brought down huge parts of the internet last October it signalled something of a step-change in the cybersecurity arms race.

In that incident, the Mirai botnet was used to attack the domain name system (DNS) host Dyn, in turn crashing some of the web's biggest sites. The likes of Airbnb, Amazon, Netflix, Reddit, Spotify and Twitter all suffered outages as a result of the attack.

'Regular' botnets, hijacking the computing power of zombie networks of compromised PCs, have long been available for hire on the so-called Dark Web for those who know where to look. What was different with the Mirai botnet was that it harnessed the power of hacked Internet-of-Things (IoT) devices such as routers and webcams, the first time such a botnet exploited the weak security of the growing array of internet-connected devices to such devastating effect.

Welcome to cybercrime-as-a-service

Worryingly for businesses and cybersecurity staff, it is alarmingly easy to get access to a tool such as Mirai. Security researchers tracking forums on the Dark Web found a seller hawking it around for $7,500 for 100,000 bots, which could generate one terabit of traffic per second. The use of IoT devices in DDoS botnets that can be rented by attackers is particularly worrying because of the huge growth in these internet-connected devices.

Analyst Gartner predicts some 8.4 billion connected 'things' will be in use worldwide in 2017, a 31 per cent increase on the previous year. By 2020 that is forecast to be 20.4 billion internet-connected things.

The UK's National Cyber Security Centre (NCSC) and National Crime Agency claim Mirai was a pivotal, game-changing style of attack, highlighting the disproportionate impact individuals and groups can have relative to their technical skills because of such easy access to cybercrime tools such as DDoS botnets or ransomware.

In a joint report on the cyber threat to UK businesses the agencies warned: "The developer is less exposed to the risk of deploying the malware itself but will still generate income, while the user gains access to tools and techniques that they would not normally be able to develop or use. As such the cybercrime-as-a-service model will continue to expand in terms of users and the range of services offered, especially with the source code of some malware variants freely available."

The IoT botnet threat is, of course, in addition to the existing DDoS botnet underground cybercrime market. Experts at one security vendor composed a price list from searching the forums and found a botnet can be hired for as little as $60 per day, with sellers offering discounts for large orders.

This demonstrates how the economics of cybercrime are still clearly stacked in favour of the criminals. In its report, Arbor calculated that, while the average cost for a DDoS attack victim is $500 per minute, the cost for the criminal is just $66 per attack. It shows how there is no real barrier to running such potentially devastating DDoS attacks in terms of either technical skill or financial resources.

Fight back with common sense patching

What can businesses do to fight back? One of the simplest ways is patching and eliminating the low-level risks. Year-on-year, the most commonly exploited security vulnerabilities are well-known ones such as SQL injections that can be mitigated through patching. The use of IoT devices in botnets represents a new threat vector because of the inherently poor or often non-existent security in some of these internet-connected devices.

There is no single answer or silver security bullet, however. The combination of the variety and sophistication of today's advanced persistent threats (APTs) and a mature cybercrime economy and supply chain poses a real challenge to businesses.

In short, it requires a comprehensive security information and event management (SIEM) approach that includes identifying target assets, maintaining visibility of those assets, continuous monitoring, and behavioural profiling to detect deviations and anomalies.
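The "behavioural profiling to detect deviations" step is easiest to see in code. The following is an added example, not from the article or from any vendor it mentions: it learns a requests-per-minute baseline from a quiet window of web-server access logs, then raises alerts for later minutes whose total volume, or whose single-client volume, departs sharply from that baseline (the pattern a rented DDoS botnet produces). All log lines, addresses, thresholds and function names are constructed for the illustration; the addresses come from the RFC 5737 documentation ranges.

```python
"""
Behavioural profiling over web-server access logs: learn what a normal
minute looks like, then flag minutes (and clients) that deviate from it.
Constructed example; every log line and address below is invented.
"""
from collections import Counter
from datetime import datetime
import re
import statistics

# Apache/nginx combined-style line: client, identd, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "minute": ts.strftime("%H:%M"),
            "request": m.group("req"), "status": int(m.group("status"))}


def requests_per_minute(lines):
    """Count requests per minute overall and per (minute, client)."""
    total, per_client = Counter(), Counter()
    for rec in filter(None, map(parse_line, lines)):
        total[rec["minute"]] += 1
        per_client[(rec["minute"], rec["ip"])] += 1
    return total, per_client


def build_baseline(lines):
    """Learn 'normal' from a window believed to be attack-free."""
    total, per_client = requests_per_minute(lines)
    counts = list(total.values())
    return {
        "mean": statistics.mean(counts),
        "stdev": statistics.pstdev(counts),
        "max_per_client": max(per_client.values()),
    }


def detect_deviations(lines, baseline, sigma=3.0, client_factor=5):
    """Flag minutes well above the volume baseline, and clients far above the
    busiest single client seen in the baseline. Returns a list of alert dicts."""
    total, per_client = requests_per_minute(lines)
    # Floor the spread at 1 so a perfectly flat baseline still gives a usable threshold.
    volume_threshold = baseline["mean"] + sigma * max(baseline["stdev"], 1.0)
    client_threshold = client_factor * baseline["max_per_client"]
    alerts = []
    for minute, n in sorted(total.items()):
        if n > volume_threshold:
            # The top contributors help triage: a handful of addresses, or a whole subnet?
            top = Counter({ip: c for (m, ip), c in per_client.items() if m == minute}).most_common(3)
            alerts.append({"kind": "volume", "minute": minute, "requests": n,
                           "threshold": round(volume_threshold, 1), "top_clients": top})
    for (minute, ip), n in sorted(per_client.items()):
        if n > client_threshold:
            alerts.append({"kind": "client", "minute": minute, "ip": ip,
                           "requests": n, "threshold": client_threshold})
    return alerts


# --- constructed sample data ------------------------------------------------
def make_lines(hhmm, addresses):
    """Constructed log lines: one GET / per address, all inside the given minute."""
    return [f'{ip} - - [20/Apr/2017:{hhmm}:{i % 60:02d} +0000] "GET / HTTP/1.1" 200 512'
            for i, ip in enumerate(addresses)]


NORMAL_CLIENTS = [f"198.51.100.{i}" for i in range(1, 23)]       # 22 legitimate clients
BOT_REQUESTS = [f"203.0.113.{i % 10 + 1}" for i in range(200)]   # 10 bots, 20 requests each

# Baseline window: five quiet minutes with 20, 18, 22, 19 and 21 requests.
BASELINE_LINES = [line for hhmm, n in (("15:55", 20), ("15:56", 18), ("15:57", 22),
                                       ("15:58", 19), ("15:59", 21))
                  for line in make_lines(hhmm, NORMAL_CLIENTS[:n])]
# Observation window: one ordinary minute, then a minute carrying a 200-request burst.
OBSERVED_LINES = (make_lines("16:11", NORMAL_CLIENTS[:20])
                  + make_lines("16:12", NORMAL_CLIENTS[:20] + BOT_REQUESTS))


def run_example():
    """Build the baseline from the quiet window and score the observation window."""
    return detect_deviations(OBSERVED_LINES, build_baseline(BASELINE_LINES))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Two thresholds are deliberately kept separate: the volume check catches a surge no matter how it is spread across sources, while the per-client check still fires when a few addresses are hammering the site inside an otherwise normal minute. In a real SIEM the baseline would be rebuilt continuously and broken out per asset, which is exactly the asset-visibility point the paragraph makes.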