Maher Jadallah, Senior Director Middle East & North Africa at Tenable
Botnets first gained widespread notoriety in the early 2000s and continue to be a common and disruptive source of trouble around the globe. Since the start of the COVID-19 pandemic, cybercriminals have stepped up their attacks against individuals and institutions alike, spurred on by increasing digitalisation, according to the Global Cybersecurity Outlook 2022 published by the World Economic Forum.
Proof of this unfortunate trend reared its head in May this year, when research by AT&T Alien Labs™ found that EnemyBot operators were exploiting recently identified vulnerabilities across content management system servers, Android and other IoT devices. What this means in plain English is that the gap between a vulnerability being discovered and it being exploited is shrinking.
EnemyBot was first discovered in March 2022 and is actually the sum of code taken from other disruptive botnets including Mirai, Qbot and Zbot. Some experts describe it as an updated version of Gafgyt_tor, as it leverages a number of botnet functions sourced from the Gafgyt codebase. What makes EnemyBot a bigger concern is that its code can be easily found online, which makes it a do-it-yourself botnet that nefarious individuals can bend to their needs.
In today’s digital world, securing devices and networks has become challenging for several reasons. In the case of EnemyBot, threat actors are actively developing the botnet, meaning the criticality of a vulnerability can change from one moment to the next.
Since this botnet is modified regularly to take advantage of new vulnerabilities, it is difficult to protect against: each time threat actors hear of a vulnerability and realise they stand to benefit from exploiting it, it is a given that they will rapidly tweak the botnet to achieve their goals. In some cases, vulnerabilities don’t even have CVE numbers by the time they are exploited by EnemyBot or similar attacks.
Another unfortunate issue complicating the security landscape is that it is easier to launch a cyberattack today than in years gone by. The result is that cybercrime has become a thriving business across the globe, with a supporting ecosystem.
Ultimately, the majority of cyberattacks come down to vulnerabilities that are left unchecked. Each day vulnerabilities are discovered and security advisories are issued, but this deluge of information makes it challenging for professionals to discern a real threat from a theoretical one – an unlocked car with valuables inside only becomes a real threat once cybercriminals realise the valuables are sitting there.
Effective Security Basics
While the threat landscape is more potent than ever before, organisations can take simple but effective steps to protect themselves, starting with minimising their attack surface area.
Organisations must kick this process off by maintaining an up-to-date asset inventory that shows everything they have, so vulnerabilities relating to specific assets can be addressed before they are exploited. This time-consuming process is the cornerstone of any fully-fledged security programme, as it provides an organisation with critical insights it can act on.
An up-to-date inventory of assets means an organisation must identify all assets (known and previously unknown) in its environment, including software and firmware versions, each asset’s patch levels and its communication/connectivity paths. While network monitoring will provide a reasonable level of detail here, it is critical that organisations also perform active, device/system-specific querying to paint an accurate picture of an asset and its vulnerabilities.
Once an organisation’s asset inventory is up-to-date, the focus should shift to performing vulnerability assessments regularly, so vulnerabilities can be addressed before they can be exploited. It is vital to stay up-to-date on the latest threats, especially those that impact frequently targeted solutions such as Microsoft, VMware and F5.
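The inventory-then-assess process described above, as an added illustration (not code from Tenable or the author): passive network observations are merged with active per-device query results, assets seen only on the wire are flagged as previously unknown, and the merged inventory is matched against a constructed advisory list so that issues already exploited in the wild rank above theoretical ones. All hosts, software names, versions and advisories are constructed sample data.

```python
"""Merge passive and active asset discovery, then rank findings by real-world risk."""

# Constructed sample data (hypothetical hosts, not real addresses).
PASSIVE_OBSERVATIONS = [                      # what a network monitor saw
    {"ip": "10.0.0.5", "peers": ["10.0.0.9"]},
    {"ip": "10.0.0.9", "peers": ["10.0.0.5", "10.0.0.7"]},
    {"ip": "10.0.0.7", "peers": ["10.0.0.9"]},   # talks on the wire, never queried
]
ACTIVE_QUERIES = {                            # what authenticated device queries returned
    "10.0.0.5": {"software": "cms-server", "version": "4.2.1"},
    "10.0.0.9": {"software": "router-fw", "version": "1.8.0"},
}
ADVISORIES = [                                # constructed advisory feed
    {"software": "cms-server", "fixed_in": "4.2.3", "exploited_in_wild": True},
    {"software": "router-fw", "fixed_in": "1.9.0", "exploited_in_wild": False},
]
PRIORITY = {"exploited in the wild": 0, "unqueried asset": 1, "theoretical": 2}


def parse_version(text):
    """Turn '4.2.1' into (4, 2, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def build_inventory(passive, active):
    """Merge both sources; an asset seen only passively is marked unknown."""
    inventory = {}
    for obs in passive:
        inventory[obs["ip"]] = {"ip": obs["ip"], "peers": list(obs["peers"]),
                                "software": None, "version": None,
                                "unknown": obs["ip"] not in active}
    for ip, facts in active.items():          # active data wins and may add hosts
        entry = inventory.setdefault(ip, {"ip": ip, "peers": [], "unknown": False})
        entry.update(facts)
    return inventory


def assess(inventory, advisories):
    """Return (ip, software, reason) tuples, highest-priority findings first."""
    findings = []
    for asset in inventory.values():
        if asset["unknown"]:                  # cannot assess what was never queried
            findings.append((asset["ip"], None, "unqueried asset"))
            continue
        for adv in advisories:
            if (adv["software"] == asset["software"]
                    and parse_version(asset["version"]) < parse_version(adv["fixed_in"])):
                reason = "exploited in the wild" if adv["exploited_in_wild"] else "theoretical"
                findings.append((asset["ip"], asset["software"], reason))
    return sorted(findings, key=lambda f: PRIORITY[f[2]])


def run():
    return assess(build_inventory(PASSIVE_OBSERVATIONS, ACTIVE_QUERIES), ADVISORIES)
```

Running `run()` places the actively exploited CMS host first, the never-queried host second, and the router whose flaw is only theoretical last.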
Threat actors are acutely aware that the easiest way to take advantage of an organisation’s assets is to go after points of entry it is unaware of. Their agility, as demonstrated by EnemyBot, means that organisations must become even more vigilant with their defences. An organisation that makes the effort to fully catalogue its technology stack and supplements this with frequent threat assessments is far more secure than one that lacks these insights and this preparedness. As threat actors step up their game, the onus is on organisations to respond with equal or greater vigour.