Be careful! Attacks on home devices are on the rise

  • Attacks on home networks seek to control not only traditional devices such as computers, but also mobile phones and Internet of Things (IoT) devices.
  • Monerodownloader, a cryptocurrency mining botnet, tops the list of botnets most affecting Latin America, followed by Necurs and Tempedreve.

By 2025, it is estimated that Latin America will reach 1.2 billion IoT connections, of which around 64% will be consumer connections, including smart-home devices, wearables and autonomous vehicles, among others. This growth explains why cybercrime is taking advantage of home networks to remotely control not only traditional devices such as computers, but also mobile phones and Internet of Things (IoT) devices, and use them to carry out malicious activities. It is therefore necessary to be prepared before the attacks occur.

Helder Ferrão, Akamai’s director of industry strategy for Latin America, noted that home users represent a demographic that is often not as well secured as a corporate environment. Attackers know this and look for ways to monetize their ability to infect home devices more easily: the devices become part of a massive botnet, allowing attackers to mobilize these zombie devices to perform countless cybercriminal activities without the user’s knowledge, such as sending spam and launching DDoS attacks against organizations.

For botnets to be successful, or for cybercriminals to rent them out, they need to infect as many devices as possible. Data from attacks carried out in 2022 show a single DDoS attack drawing on more than 1,800 distinct points of origin, a worrying figure given that until 2021 such numbers did not exceed a few dozen or a few hundred. A significant share of attack traffic can be correlated with mobile malware and IoT botnets. Another way for attackers to profit from home users is to use the computing resources of infected devices for cryptocurrency mining, the executive added.

Bot traffic continues to rise steadily. According to the most recent Statista research on fraudulent traffic generated by malicious bots, that traffic also comes at various levels of sophistication. Overall, 34.4% of malicious bots in 2021 were classified as simple, connecting from a single Internet Service Provider (ISP)-assigned IP address. However, 25.9% of malicious bots operated at a sophisticated level, successfully mimicking human behavior and evading higher-level detection methods.

The three botnets that are affecting Latin America the most

According to the Akamai report Attack Superhighway: An Analysis of Malicious DNS Traffic, malicious DNS traffic from home networks in Latin America between July 2022 and January 2023 showed that the main threats belong to botnets, which might explain how attackers are taking advantage of IoT devices for different purposes.

In the region, Monerodownloader, a cryptocurrency mining botnet, tops the list of active botnet groups with 42 million flagged queries, followed by Necurs (34 million) and Tempedreve (20 million). The high rate of cryptocurrency adoption in Latam, fueled by high inflation and remittances, might explain why botnets like Monerodownloader top the list. Without the user’s knowledge, cybercriminals might be using the resources of users’ devices for mining and for their own financial gain.
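The report’s ranking of botnet families by flagged DNS queries can be reproduced on a small scale with a script like the one below. This is an added example, not code from Akamai or from the article: the log layout, the domain-to-family blocklist and the sample query lines are all constructed placeholders for illustration.

```python
import re
from collections import Counter

# Constructed mapping of blocklisted domains to the botnet family that uses
# them. Placeholders only: no real indicators are taken from the article.
BLOCKLIST = {
    "miner-c2.example": "Monerodownloader",
    "pool-update.example": "Monerodownloader",
    "spam-relay.example": "Necurs",
    "usb-worm-drop.example": "Tempedreve",
}

# Constructed resolver log lines: "<timestamp> <client-ip> <qtype> <qname>".
SAMPLE_LOG = """\
2023-01-10T08:00:01Z 192.0.2.10 A miner-c2.example
2023-01-10T08:00:02Z 192.0.2.10 A www.example.org
2023-01-10T08:00:05Z 192.0.2.11 A pool-update.example.
2023-01-10T08:00:07Z 192.0.2.12 AAAA SPAM-RELAY.example
2023-01-10T08:00:09Z 192.0.2.12 A spam-relay.example
2023-01-10T08:00:11Z 192.0.2.13 A cdn.usb-worm-drop.example
malformed line that should be skipped
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def family_for(qname):
    """Return the botnet family if qname or any parent domain is listed."""
    # Normalize case and the trailing dot of a fully-qualified name.
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in BLOCKLIST:
            return BLOCKLIST[candidate]
    return None

def rank_families(log_text):
    """Count flagged queries per family and return them highest first."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected layout
        family = family_for(m.group(4))
        if family:
            counts[family] += 1
    return counts.most_common()

if __name__ == "__main__":
    for family, n in rank_families(SAMPLE_LOG):
        print(f"{family}: {n} flagged queries")
```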

Although very little is known about Monerodownloader, some of the tactics it performs include gathering information and connecting to C2 servers for the actual upload. Other similar Monero miners take advantage of vulnerabilities, masquerade as freeware to lure users into downloading the miner, and are able to move laterally through the network and infect other devices in order to earn as much revenue as possible.

Necurs, for its part, poses a serious risk to both home users and organizations because of its ability to deliver other malware payloads such as Dridex, Trickbot and Locky, among others. Notably, this botnet also sells access to infected computers to other groups as part of its botnet-for-hire offering, a business model that has been growing significantly on the Dark Web: the sale of packaged, ready-to-use attack services (as-a-Service). Apart from distributing ransomware and banking Trojans, Necurs is also used to run various spam campaigns, such as dating scams and pharmaceutical scams.

Tempedreve is a worm that spreads through infected USB drives and shared network folders and may appear as ‘temp.exe’. If a computer is compromised by this worm, it can add a new service that can be used by attackers to gather information, steal passwords, and take screen snapshots. In addition, the Tempedreve worm can corrupt installation packages with an .msi extension, PDF documents, and .exe files.

In order to prevent cybercrime from taking over home devices and turning them into a massive botnet, Akamai expert Helder Ferrão made the following recommendations:

  • Change the passwords of all computing devices frequently and make them strong. If necessary, use a password manager so that you can use a different password for each network and application.
  • Use secure remote-access products, including multi-factor authentication (MFA), to reach private organization networks, whether from desktop or laptop computers, phones or tablets.
  • Set up a separate Wi-Fi network for IoT devices, known as a VLAN (virtual local area network).
  • Avoid suspicious files and websites, as they may carry malware. Keep the operating system, programs and applications updated.
  • Enable multi-factor authentication (MFA): even if malware manages to crack a password, a second step will be required to verify the user’s identity, and the attacker will not be able to reach the information they are after.

Lastly, Helder Ferrão highlighted that a superior anti-bot solution allows good bot activity while blocking malicious activity and botnet attacks. It is important to note that even good bots need to be managed: such a solution also allows specific techniques, such as slowing down good bots at times when the site has significant human traffic.
