Here we BotenaGo Again!

Researchers have discovered the source code of BotenaGo, a highly productive IOT device botnet, on Github. This effectively puts the power of BotenaGo into the hands of any unscrupulous attacker.

Over the years, certain historic events have become part of security folklore. I’m sure you’ll all recall WannaCry, NotPetya, Colonial Pipeline, and SolarWinds amongst many. And who could forget Mirai?

OK, it was 2016, so maybe a quick recap.

MIRAI

Mirai was malware that exploited vulnerabilities in millions of IOT devices, infecting them and turning them into bots, to be unwittingly used as part of extremely large botnets. Ultimately, the resulting botnets were famously used in massive DDoS attacks. In one case, the Mirai Botnet took down a key DNS service provider, Dyn, causing outages across many popular internet sites and services.

Mirai wasn’t really an exploit or a hack. It was more a case of accessing publicly exposed IOT devices with inherently weak security controls, including fixed usernames and known passwords. Given the inherent insecurities traditionally built into many IOT devices, and the insane number of them out there, Mirai gave botnets a scale that had never been seen before.

One of the twists to this story is that the authors were co-founders of a DDoS mitigation solution, and so you could think of MIRAI as a key part of their business growth strategy. Another twist was that they released the code to public forums, and later to Github, in an attempt to cover their tracks. They figured they’d be safe, since they wouldn’t be the only ones to have the code on their machines. However, this widespread availability was key to the botnet’s overall impact, as the code was adapted to build multiple variants that targeted various architectures.

Here we go again

History has a habit of repeating itself, so step forward six years, and here we go again. In November 2021, AT&T Alien Labs™ first published research on their discovery and named the malware “BotenaGo”, with a subtle nod to it being written in Golang (Go). Threatpost brings us up to date in their latest article on BotenaGo.

Here’s what we know about BotenaGo so far:

• It’s likely to affect millions of routers & IOT devices
• The code is now posted on Github
• The malware is very difficult to detect.
• One of the command and control (C2) indicators of compromise (IOCs) is from the Apache Log4Shell IOCs.

It’s likely to affect Millions of Routers & IOT Devices

Best practice tells us not to expose IOT devices to the internet. Yet, given the vast range of IOT functionality, in many cases they’ve been designed with the expectation that they’d eventually be exposed. We also know many IOT devices have been designed with no focus on security, and in some cases utilize fixed credentials, so there really should be additional security measures deployed to protect them. Add to that the fact that BotenaGo exploits routers, and much of the concern about BotenaGo is justified. You only have to run some simple searches on Shodan to find many thousands of devices that could be targeted, and that’s just one search term.

Figure 1 - Shodan Search

The code is now on Github

Having the code publicly available is significant. Firstly, it means that threat actors can modify the code to target additional vectors, architectures, and more. Given that the language it is written in (Go) compiles easily for different architectures, it’s highly likely derivatives will occur. Having access to IOT devices isn’t necessarily the endgame though: we should expect this to be a pivot point for targeting other assets on the network, expansion of other exploits and architectures, and payloads. Either way, history tells us there will likely be an uptick in DDoS activity.

Figure 02 - Code on Github

It’s difficult to detect

Initially, according to VirusTotal, only 3 out of 60 security vendors detected BotenaGo. Today that has increased to 25, with still no sandboxes detecting it.

Figure 03 - VirusTotal AVs

The use of Google’s open-source Go language (Golang) is also significant, as it allows for ease of compilation for different architectures, so we should expect to see many variants as a result.

Mitigation Advice

The recommended mitigation actions haven’t changed significantly from the MIRAI outbreak:

• Reduce your attack surface by minimizing IOT devices’ internet exposure.
• Ensure your devices are behind correctly configured firewalls.
• Install the latest firmware and software updates.

Sage advice, for sure. However, the fact that we are seeing history repeat itself really highlights that we are not addressing the problem as well as we could.

We rely on security controls, yet only 3 out of 60 security vendors (and no sandboxes) have detected this malware.

And what about the payloads that will come from having the code on Github: will they be detected?

And how do we ensure firewalls are correctly configured?

So many questions!

How Can Keysight Help

When MIRAI first appeared back in 2016, breach and attack simulation hadn’t been defined. Now you can up your game. Deploying Keysight Threat Simulator enables you to continuously measure, manage, and improve your cybersecurity effectiveness. In short, Threat Simulator helps you address these issues and many more.

Recently, our Application Threat Intelligence Team (ATI) have developed a feature on Threat Simulator called Priority Risk Mitigation. This feature gives our customers access to the latest malware of concern seen in the wild in the last 24 hours, which you’ll not be surprised to hear contains BotenaGo samples.

How to know if you are vulnerable to the latest BotenaGo-based attacks

You are worried about yet another cyber threat. You hope you are protected, but you’ll have to wait 4 months for your next pen test engagement to be sure. That’s a long time for your network and devices to potentially be vulnerable.

Why wait? You can safely emulate a BotenaGo attack on your network right now. Just deploy a Threat Simulator agent on your network, emulate a vulnerable IOT device, and safely orchestrate an actual attack. Moreover, Threat Simulator will tell you if you were able to block the attack or not, as well as notifying you if your SIEM was alerted. Furthermore, if remediation is required, it will show you exactly how to fix the vulnerability for your specific security controls.

Figure 4 - PRM

How to know if you’re safe from lateral movement in the event of a successful attack

Lateral movement is a big concern. Having an IOT device compromised is one thing, but cybercriminals can cause more damage by pivoting their attack to more high-value assets, even in other network segments.

Threat Simulator enables you to run full kill-chain scenarios and lateral movement with just a few mouse clicks. Deploying Threat Simulator agents in all your network segments means you can continuously run those scenarios as often as you want. And because we only target our agents, there is no risk to your high-value assets.

Figure 05 - Lateral Movement

How to ensure you’ll be able to detect new variants of BotenaGo

With so many malware variants appearing (especially in this case), coupled with a very low detection rate, you’ll want to be sure you can detect any variants of BotenaGo. But how do you get the latest malware, run it through your network, and do all of that without accidentally detonating it?

LaunchPad

Threat Simulator has a feature we call Priority Risk Mitigation. This means we automatically notify you with the most prevalent malware we’ve seen in the previous 24 hours. You can then schedule assessments to test your defenses against these attacks on a daily basis. And in case you don’t detect something, we’ll flag that up to you so you can take immediate action. Of course, it’s totally safe for your network and security tools. Although it is real malware (it would have to be to allow detection) we only target our agents, and we don’t detonate it, so you are safe.

Figure 07 - PRM

Don’t go it alone

Keysight has played a leading role in security for 20 years, and Threat Simulator isn’t the only way we can help you.

Concerned about IOT security? Take a look at our IOT Security Assessment Solution

Want to test your DDoS mitigation solution? Take a look at our BreakingPoint Cloud Solution

Want to reduce your attack surface? Take a look at ThreatARMOR
