Experts have warned malicious botnets are on the rise as researchers observe “massive spikes” in the activity of distinct, potentially compromised devices.
A report from the NETSCOUT ASERT team claims that at one point, a million devices were engaged in malicious reconnaissance scanning, a hundred times the usual levels.
Usually, around 10,000 devices are engaged in the scanning daily, with the 20,000 figure being the high water mark. However, in early December 2023, the number spiked to 35,144. Two weeks later, on December 20, the figure rose even further, to 43,194. On other days, things returned to normal. Nine days later, however, the researchers observed the biggest spike yet seen, hitting 143,957 distinct devices.
Ports and servers
“This massive spike is evidence of increased botnet scanning activity, especially since levels have remained high since this time, with the high water marks of normally 20,000 now settling in the level of 50,000 - 100,000,” the researchers said. The trend continued into the new year, with spikes on January 5 and 6 exceeding a million devices.
The surge came from just five countries, the researchers further explained: The United States, China, Vietnam, Taiwan, and Russia. Threat actors were mostly using cheap, or free, cloud and hosting servers, to create botnet launch pads. “These servers are used via trials, free accounts, or low-cost accounts, which provide anonymity and minimal overhead to maintain,” they explained.
The botnets are used to scan the global internet via specific ports, in search of possible vulnerabilities. The ports are:
• 80
• 443
• 3389
• 5060
• 6881
• 8000
• 8080
• 8081
• 808
• 8888
• and others.
Threat actors could also be hunting for potential email server exploits, as they were also seen scanning ports 636, 993, and 6002, the researchers concluded.
More from TechRadar Pro
- Stealthy new botnet targets VPN devices and routers while staying disguised
- Here's a list of the best firewalls around today
- These are the best endpoint security tools right now
