While phishing attacks and unpatched vulnerabilities account for a large percentage of cyberattacks, they are not an organization’s only cyber risk. Distributed Denial of Service (DDoS) attacks are an increasingly common type of attack. Instead of requiring an attacker to identify and exploit a vulnerability in an application, a DDoS attack takes advantage of the fact that every system can handle only a finite volume of traffic and number of connections at any given time.
A DDoS attacker uses a large number of Internet-connected devices under their control (a botnet) to generate the traffic volume necessary to achieve the desired impact on the target, whether that is degrading or completely destroying its ability to handle legitimate traffic.
Cybercriminals build these botnets in a variety of ways. While some botnet herders use cloud-based botnets, traditionally botnets are made up of compromised Internet of Things (IoT) devices. The Dark Nexus botnet is an example of a rapidly evolving IoT botnet. Between December 2019 and March 2020, roughly 40 versions of the botnet code were released. This rapid evolution enables the botnet to take advantage of new vulnerabilities and deploy new DDoS attack techniques.
Dark Nexus Compromises a Range of Devices
Botnets spread by different means. Some of them take advantage of weak security configurations in a target device. For example, botnets such as Mirai used weak default credentials to log into devices over the Telnet protocol. This is made possible by the fact that many manufacturers use the same credentials for every device that they produce, and these credentials are leaked on the Internet. In some cases, these credentials are hardcoded into devices, making them difficult or impossible for users to change. These choices are what made it possible for the Mirai botnet to compromise hundreds of thousands of IoT devices using a list of only 61 pairs of usernames and passwords.
Other botnets are built by taking advantage of publicly disclosed vulnerabilities in certain devices. Once a vulnerability is discovered, it is either responsibly disclosed to the manufacturer or exploited publicly; either way, the manufacturer can then create and release a patch. However, few people consider the need to update their light bulbs, thermostats, routers, etc. As a result, these devices are left open to attack.
Dark Nexus combines both techniques to compromise IoT devices. Its creator and maintainer has built custom modules targeting a dozen different CPU architectures and includes a credential list for a variety of IoT devices. This has enabled users of the Dark Nexus malware to exploit a wide range of devices.
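The credential-list spreading described above leaves a distinctive trace on the device side: bursts of failed Telnet logins across several usernames from one source, sometimes followed by a success. The following detector is an added example (not code from the article, from Dark Nexus, or from any vendor); it runs over a constructed auth-log format, so the regex, the field names and the thresholds are all assumptions to adapt to the real log format of the device or syslog collector you monitor.

```python
"""Detect credential guessing against Telnet from constructed auth-log lines.

Added example, not code from the original article. The log format is a
constructed one for illustration, not the output of a specific telnetd;
adapt LINE_RE to the real format of your device or syslog collector.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: a list-driven guesser (198.51.100.7), a single-user
# guesser that eventually succeeds (203.0.113.9), and a normal operator typo.
SAMPLE_LOG = """\
2020-03-10T08:00:01 telnetd: login failed user=root from=198.51.100.7
2020-03-10T08:00:02 telnetd: login failed user=admin from=198.51.100.7
2020-03-10T08:00:03 telnetd: login failed user=support from=198.51.100.7
2020-03-10T08:00:04 telnetd: login failed user=user from=198.51.100.7
2020-03-10T08:00:05 telnetd: login failed user=guest from=198.51.100.7
2020-03-10T08:00:30 telnetd: login failed user=root from=203.0.113.9
2020-03-10T08:00:31 telnetd: login failed user=root from=203.0.113.9
2020-03-10T08:00:32 telnetd: login failed user=root from=203.0.113.9
2020-03-10T08:00:33 telnetd: login failed user=root from=203.0.113.9
2020-03-10T08:00:34 telnetd: login ok user=root from=203.0.113.9
2020-03-10T08:05:00 telnetd: login failed user=ops from=192.0.2.50
2020-03-10T08:05:20 telnetd: login ok user=ops from=192.0.2.50
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnetd: login (?P<result>ok|failed) "
    r"user=(?P<user>\S+) from=(?P<src>\S+)$"
)


def parse(log_text):
    """Turn matching log lines into event dicts; non-matching lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "ok": m["result"] == "ok",
                "user": m["user"],
                "src": m["src"],
            })
    return events


def detect_guessing(events, window=timedelta(seconds=60), max_failures=3, max_users=3):
    """Return {src: finding} for sources that look like credential guessing.

    Two signals, evaluated per source over a sliding window (assumed thresholds):
      - more than `max_failures` failed logins, or
      - failures spread over `max_users` or more distinct usernames, which is
        what a credential list produces.
    A success after a flagged burst is escalated to high severity: that is the
    point at which the device has actually been taken over.
    """
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        recent = []  # events of this source inside the current window
        for e in evs:
            recent.append(e)
            recent = [r for r in recent if e["ts"] - r["ts"] <= window]
            fails = [r for r in recent if not r["ok"]]
            users = {r["user"] for r in fails}
            if len(fails) > max_failures or len(users) >= max_users:
                f = findings.setdefault(src, {"severity": "medium"})
                f["failures"] = max(f.get("failures", 0), len(fails))
                f["users"] = sorted(users | set(f.get("users", [])))
            if e["ok"] and src in findings:
                findings[src]["severity"] = "high"
                findings[src]["compromised_user"] = e["user"]
    return findings


if __name__ == "__main__":
    for src, finding in detect_guessing(parse(SAMPLE_LOG)).items():
        print(src, finding)
```

The two thresholds are deliberately low because a legitimate user rarely cycles through several usernames in a minute; the "high" escalation is the alert worth paging on, since a device that accepted a guessed credential should be treated as compromised and its credentials rotated.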
Botnets Enable Large-Scale DDoS Attacks
The rise of the IoT has been a boon for botnet developers and DDoS attackers. In general, IoT devices have extremely poor security by default. This makes it easy for a cybercriminal to compromise a wide array of Internet-connected devices.
This collection of Internet-connected devices is all that is necessary to perform a DDoS attack. Instead of taking advantage of vulnerabilities in a web application, DDoS attacks degrade or destroy the application’s ability to handle legitimate requests by bombarding it with malicious traffic. While this might be possible with a single system, the use of many compromised devices, the “Distributed” in DDoS, makes it easier for an attacker to reach the volume of traffic required for an effective attack and harder for the defender to identify and block the malicious traffic, because it is much easier to identify and block a single machine sending massive amounts of traffic than many machines each sending much smaller volumes.
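The point that a flood spread across many sources slips under per-source controls is easy to see in code. The block below is an added example (not from the article or any product): it builds two constructed ten-second request windows, one from a single flooding client and one from 400 bots each staying well under any per-client limit, and scores both with a per-source threshold and with an aggregate threshold. The client addresses, request rates and both thresholds are assumptions.

```python
"""Per-source thresholds versus aggregate-rate detection for request floods.

Added example, not code from the original article. Each window is a
constructed list of (second, source_ip) requests; thresholds are assumed
values for a small service and should be tuned from a real traffic baseline.
"""
from collections import Counter

NORMAL_CLIENTS = [f"10.0.0.{c}" for c in range(1, 21)]  # constructed addresses


def gen_single_source_flood():
    """Constructed window: 20 normal clients at 1 req/s plus one client at 200 req/s."""
    events = []
    for t in range(10):
        events += [(t, src) for src in NORMAL_CLIENTS]
        events += [(t, "198.51.100.7")] * 200
    return events


def gen_distributed_flood():
    """Constructed window: the same 20 normal clients plus 400 bots at 0.5 req/s each.

    The total attack volume is identical to the single-source case (2000 requests),
    but every bot sends only 5 requests in the window.
    """
    events = []
    for t in range(10):
        events += [(t, src) for src in NORMAL_CLIENTS]
        for b in range(400):
            if (t + b) % 2 == 0:  # each bot sends on alternate seconds
                events.append((t, f"100.64.{b // 256}.{b % 256}"))  # constructed bot addresses
    return events


def detect_window(events, per_source_limit=50, aggregate_limit=600):
    """Score one window of requests.

    per_source_limit: requests per window above which a single client is flagged,
                      the classic per-IP rate limit.
    aggregate_limit:  total requests per window above which the service is
                      considered under flood, however the load is spread.
    """
    per_source = Counter(src for _, src in events)
    total = sum(per_source.values())
    flagged = sorted(src for src, n in per_source.items() if n > per_source_limit)
    return {
        "total": total,
        "sources": len(per_source),
        "per_source_flagged": flagged,
        "aggregate_alarm": total > aggregate_limit,
        # Share of the window produced by the busiest client: near 1.0 means a
        # per-IP block fixes it, near 0 means it will not.
        "top_source_share": (max(per_source.values()) / total) if total else 0.0,
    }


if __name__ == "__main__":
    for name, window in (("single", gen_single_source_flood()),
                         ("distributed", gen_distributed_flood())):
        print(name, detect_window(window))
```

Both windows carry the same 2200 requests, but only the single-source window names an offender: the distributed one trips the aggregate alarm with an empty block list. That combination (aggregate alarm, no per-source offender, low top-source share) is the signal that per-IP blocking will not help and that mitigation has to move to per-route rate limits, challenges, or upstream scrubbing.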
Dark Nexus enables a botnet herder to launch a classic DDoS attack. However, it also offers the ability to perform a much stealthier one. In this stealthy version, attack traffic is disguised as legitimate-looking web traffic. By making it difficult to differentiate benign and malicious requests, the attacker may be able to force the target to either allow some malicious traffic through or to block some legitimate traffic by mistake. Both options achieve the desired goal of decreasing the availability of the service to legitimate users.
Protecting Against the Threat of Dark Nexus
The Dark Nexus malware enables an attacker to compromise a wide range of end user devices and create an extremely versatile botnet. This botnet can be used for a number of purposes, including performing stealthy DDoS attacks.
The ability to perform DDoS attacks that closely resemble legitimate traffic poses a serious threat to businesses’ cybersecurity. While a variety of different DDoS protection solutions exist, many of them rely upon the features of a traditional DDoS attack for identification of DDoS traffic. This newer type of DDoS attack, using seemingly legitimate HTTP requests to perform the attack, is difficult or impossible for many DDoS protection solutions to properly identify. As a result, these solutions are either ineffective at blocking attack traffic or block legitimate traffic during an attack.
In order to protect against increasingly sophisticated DDoS attacks, organizations must deploy more sophisticated DDoS mitigation solutions. Instead of relying on simple indicators of attack traffic, such as extremely large packet sizes or the use of DDoS amplifier services, advanced tools use machine learning to profile an application’s normal traffic and to properly identify and block the malicious requests used as part of a stealthier DDoS attack.
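To make the profiling idea in the last three paragraphs concrete: requests that are individually well-formed can still be caught at the aggregate level, because a flood aimed at one costly endpoint changes the shape of the traffic. The block below is an added example (not the article's code and not any vendor's product) and is a minimal statistical stand-in for the machine-learning profiling the text describes: it learns how traffic is normally split across request paths from a baseline period and flags a live window whose split drifts far from that baseline. All log lines, paths, source addresses and the drift threshold are constructed assumptions.

```python
"""Profile normal HTTP traffic by request path and score a live window against it.

Added example, not code from the original article. This is a statistical
stand-in for the ML-based profiling the text mentions: the baseline is the
share of requests each path receives, and the score is the total variation
distance between that baseline and a live window. All traffic is constructed.
"""
from collections import Counter

# Constructed traffic mixes: path -> share of requests (query strings are stripped
# at parse time, so '/search?q=shoes' and '/search?q=random' are the same path).
BASELINE_MIX = {"/": 0.40, "/static/app.js": 0.20, "/static/app.css": 0.20,
                "/product/42": 0.15, "/search?q=shoes": 0.05}
LIVE_MIX = {"/": 0.38, "/static/app.js": 0.21, "/static/app.css": 0.21,
            "/product/42": 0.15, "/search?q=boots": 0.05}


def make_window(mix, n_sources, per_source, prefix):
    """Constructed log lines '<src_ip> GET <path>' following `mix` as closely as
    integer counts allow; `prefix` selects a constructed address range."""
    seq = []
    for path, share in mix.items():
        seq += [path] * round(share * 100)
    sources = [f"{prefix}.{i // 256}.{i % 256}" for i in range(n_sources)]
    lines, i = [], 0
    for src in sources:
        for _ in range(per_source):
            lines.append(f"{src} GET {seq[i % len(seq)]}")
            i += 1
    return lines


def parse_lines(lines):
    """Return (src, path) pairs with query strings removed."""
    reqs = []
    for line in lines:
        src, _method, path = line.split(maxsplit=2)
        reqs.append((src, path.split("?", 1)[0]))
    return reqs


def build_profile(requests):
    """Learn the share of traffic each path receives during the baseline period."""
    counts = Counter(path for _, path in requests)
    total = sum(counts.values())
    return {path: n / total for path, n in counts.items()}


def score_window(profile, requests):
    """Total variation distance between the baseline and a live window, plus the
    path that absorbs the largest surplus (the one to rate-limit or challenge)."""
    counts = Counter(path for _, path in requests)
    total = sum(counts.values())
    live = {path: n / total for path, n in counts.items()}
    paths = set(profile) | set(live)
    surplus = {p: live.get(p, 0.0) - profile.get(p, 0.0) for p in paths}
    tvd = 0.5 * sum(abs(v) for v in surplus.values())
    hot = max(surplus, key=surplus.get)
    return {"tvd": round(tvd, 3), "hot_path": hot, "hot_surplus": round(surplus[hot], 3)}


def is_anomalous(profile, requests, tvd_threshold=0.2):
    """Assumed threshold: a window that moves more than 20% of its traffic mass
    away from the baseline distribution is treated as a flood."""
    return score_window(profile, requests)["tvd"] > tvd_threshold


if __name__ == "__main__":
    profile = build_profile(parse_lines(make_window(BASELINE_MIX, 50, 20, "10.1")))
    normal = parse_lines(make_window(LIVE_MIX, 10, 20, "10.1"))
    # 300 constructed bot clients, 2 well-formed requests each, all to /search.
    attack = normal + parse_lines(make_window({"/search?q=random": 1.0}, 300, 2, "100.64"))
    print("normal:", score_window(profile, normal), is_anomalous(profile, normal))
    print("attack:", score_window(profile, attack), is_anomalous(profile, attack))
```

Every attack request here is a valid GET that a packet-size or amplification heuristic would pass, and each bot sends only two of them; the window is still caught because 76% of the traffic lands on a path that normally receives 5%. The same distance can be computed per source to decide which clients to challenge first, and a real deployment would profile more than paths (method, user agent, inter-request timing, response size) and refresh the baseline continuously so that legitimate shifts in traffic do not age into false positives.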