The Evolving Botnet Threat Landscape: A 4-Year Comparison


Botnets continue to pose significant risks to businesses, organizations, and individuals. In this blog post, I will compare the data gathered from a honeypot set up in 2019 with my recent findings from 2023. This comparison will provide insights into how the botnet threat landscape has evolved over the past four years and offer recommendations on how to mitigate these threats. To better understand the context of this comparison, I recommend reading my previous blog post about the research conducted in 2019.

Comparison of Botnet Attack Sources: 2019 vs. 2023

Before we dive into the detailed analysis, let’s take a look at the geographical distribution of botnet attack sources in 2023, as illustrated in the table below:

In the 2019 research, the honeypot recorded attacks from a total of 565 unique IP addresses within six days. In the 2023 research, it recorded attacks from a total of 2,282 unique IP addresses within the same six-day window, a significant increase in the number of attack sources.

In 2019, the top five countries with the highest number of attack sources were:

  • United States – 91
  • China – 87
  • Brazil – 24
  • India – 23
  • Egypt – 22

In 2023, the top five countries with the highest number of attack sources were:

  • China – 386
  • United States – 393
  • India – 127
  • Russia – 84
  • Netherlands – 84

It is clear that the threat landscape has evolved, with China now leading the list of attack sources, and a significant increase in the number of attacks originating from Russia and the Netherlands.

Analysis of Attack Techniques

In our 2019 research, we observed that the attackers mainly targeted Telnet and SSH services. Most of the attacks were automated and executed by bots, trying default username and password combinations. In 2023, the attack techniques remain similar, but we have observed an increase in attacks targeting IoT devices and other services.
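The automated credential guessing described above leaves a very recognisable trace in an SSH server's authentication log: bursts of "Failed password" lines from one source, cycling through default usernames. The following is an added example, not code from the original post or its honeypot: it parses sshd-style log lines (the lines below are constructed, using documentation-only IP ranges), counts unique attacking sources the way the 2019/2023 comparison does, and flags sources that exceed an assumed threshold of failed logins inside a sliding time window.

```python
"""Count honeypot attack sources and flag automated SSH credential guessing.

Added example (not part of the original post). The log lines are constructed
to mimic OpenSSH sshd syslog output; THRESHOLD and WINDOW_SECONDS are
assumed tuning values, not figures from the research.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one source hammering default accounts, one slow source,
# and one legitimate key-based login (addresses from RFC 5737 test ranges).
SAMPLE_LOG = """\
Mar  3 10:00:01 honeypot sshd[2101]: Failed password for root from 203.0.113.5 port 40122 ssh2
Mar  3 10:00:02 honeypot sshd[2102]: Failed password for invalid user admin from 203.0.113.5 port 40123 ssh2
Mar  3 10:00:03 honeypot sshd[2103]: Failed password for invalid user pi from 203.0.113.5 port 40124 ssh2
Mar  3 10:00:04 honeypot sshd[2104]: Failed password for root from 203.0.113.5 port 40125 ssh2
Mar  3 10:00:05 honeypot sshd[2105]: Failed password for invalid user user from 203.0.113.5 port 40126 ssh2
Mar  3 10:00:40 honeypot sshd[2110]: Failed password for root from 198.51.100.7 port 51000 ssh2
Mar  3 10:15:00 honeypot sshd[2120]: Failed password for root from 198.51.100.7 port 51001 ssh2
Mar  3 10:20:00 honeypot sshd[2130]: Accepted publickey for ops from 192.0.2.9 port 60000 ssh2
"""

THRESHOLD = 5        # assumed: failed logins from one IP ...
WINDOW_SECONDS = 60  # assumed: ... within this many seconds => automated guessing

# Matches both failed-password and accepted-login lines from sshd.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed password|Accepted \w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_auth_log(text, year=2023):
    """Turn raw sshd log text into a list of event dicts (non-matching lines skipped).

    Syslog timestamps carry no year, so the caller supplies one.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m.group("result"),
                       "user": m.group("user"), "ip": m.group("ip")})
    return events


def unique_attack_sources(events):
    """Set of source IPs that produced at least one failed login (the '565 vs 2,282' metric)."""
    return {e["ip"] for e in events if e["result"] == "Failed password"}


def detect_bruteforce(events, threshold=THRESHOLD, window_seconds=WINDOW_SECONDS):
    """Flag IPs with >= threshold failed logins inside any window of window_seconds.

    Uses a two-pointer sliding window over each IP's sorted failure timestamps,
    so a slow, spread-out source is not flagged while a burst is.
    """
    failures_by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "Failed password":
            failures_by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in failures_by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans <= window_seconds.
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {
                    "attempts": len(evs),
                    "usernames": sorted({e["user"] for e in evs}),
                    "first_seen": evs[0]["ts"].isoformat(),
                }
                break
    return flagged


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_LOG)
    print("unique attack sources:", len(unique_attack_sources(evs)))
    for ip, info in detect_bruteforce(evs).items():
        print(f"{ip}: {info['attempts']} failures, usernames tried {info['usernames']}")
```

Run against a real honeypot's log, the `unique_attack_sources` count is the per-period figure the comparison above is built on; adding a GeoIP lookup on each flagged IP would give the per-country breakdown (not shown here). The sliding window matters: the second source in the sample fails twice fifteen minutes apart and is correctly left unflagged, whereas a plain per-IP count over the whole file would treat it like the burst.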

In our 2019 research, the most common attack vectors were default usernames and passwords, social engineering (phishing) attacks, and zero-day vulnerabilities. In 2023, we continue to see these attack vectors, but there has been an increase in the use of ransomware, advanced persistent threats (APTs), and supply chain attacks.

In 2019, the most common targets for botnets were IoT devices, Windows-based systems, and web servers. In 2023, the focus has shifted towards cloud infrastructure, critical infrastructure, and healthcare systems, reflecting the changing priorities and targets of cybercriminals.

Recommendations for the Blue Team and End-Users

As the botnet threat landscape evolves, it is crucial to stay ahead of the curve and adapt security measures accordingly. Here are some recommendations for the blue team and end-users:

Blue Team:

  • Implement in-depth security hardening.
  • Stay up-to-date with the latest security training.
  • Obtain consultancy services such as penetration tests and load tests.
  • Schedule backups with intervals of at least 8 hours.

End-Users:

  • Use an antivirus that can keep itself updated.
  • Keep firewalls active as a precaution.
  • Use software and services from trusted and licensed organizations.
  • Participate in cybersecurity awareness training.

The botnet threat landscape has undoubtedly evolved over the past four years, with a significant increase in the number of attack sources and the continued use of automated attacks. By staying informed and implementing the recommended security measures, both blue teams and end-users can mitigate the risks posed by botnets and protect their systems and data.