The NETSCOUT ASERT team has unmatched visibility into the world’s internet traffic around the clock. This visibility resulted in the identification of massive spikes in distinct, potentially compromised devices via daily scans. These spikes indicate a rise in malicious botnets performing reconnaissance scanning.
On a normal day, these scans originate from around 10,000 devices, with 20,000 device high water marks. However, on December 8, 2023, ASERT observed increases, reaching 35,144 devices. After this spike, things returned to normal for a time. But December 20, 2023, brought another spike, this time reaching 43,194 distinct devices. Again, things returned to normal for a short time after this spike.
As December progressed, the time gaps between spikes continued to decrease. Just 8 days later, on December 28, ASERT observed another spike, this time to 31,458 devices. The very next day, on December 29, the biggest spike yet was seen, with levels reaching 143,957 distinct devices, nearly ten times normal levels. This massive spike is evidence of increased botnet scanning activity, especially since levels have remained high since this time, with the high water marks of normally 20,000 now settling in the level of 50,000 - 100,000.
The trend continued into the new year, with the largest spikes occurring on January 5 and 6, eclipsing one million distinct devices. The levels reached an unprecedented 1,294,416 on the 5th and 1,134,999 on the 6th. But the storm was not over yet, as we saw another spike of 192,916 on January 8 as well.
Where is This Activity Coming From?
This increased device activity has been isolated to five key countries: The United States, China, Vietnam, Taiwan, and Russia. Analysis of the activity has uncovered a rise in the use of cheap or free cloud and hosting servers that attackers are using to create botnet launch pads. These servers are used via trials, free accounts, or low-cost accounts, which provide anonymity and minimal overhead to maintain.
What Are Adversaries Doing?
These adversaries appear to be using these new botnets to scan the global internet. They are hitting key ports, likely to uncover vulnerabilities and attack lanes. These ports include:
• 80
• 443
• 3389
• 5060
• 6881
• 8000
• 8080
• 8081
• 808
• 8888
These are just examples of the most common scanned ports by attackers, as there are even more being hit.
There are also indications of potential email server exploits on the horizon, evidenced by an increase in the scanning of ports 636, 993, and 6002.
The Bottom Line
These consistently elevated levels indicate a new weaponization of the cloud against the global internet. The unprecedented growth of malicious botnets in the cloud confirms that a dangerous new wave of cybercrime is underway. This battle is just beginning and the adversary is performing reconnaissance to uncover areas to exploit. Powerful DDoS protection is a must-have for combatting these new botnet threats. NETSCOUT harnesses the most complete view of global internet traffic in the industry to discover and mitigate the latest DDoS attack vectors and methodologies.