Researchers discover sharp increase in global botnet activity


Security researchers discovered a significant increase in global botnet activity between December 2023 and the first week of January 2024, with observed peaks exceeding one million devices.

In an advisory published Friday, Netscout ASERT explained that on a typical day, approximately 10,000 such devices performed malicious reconnaissance scans last year, with a high watermark of 20,000 devices.

However, on December 8, 2023, this number jumped to 35,144 devices, signaling a notable deviation from the norm.

According to the technical report, the situation worsened on December 20, with a new peak reaching 43,194 distinct devices. Subsequent peaks, occurring at shorter intervals, culminated in a record increase on December 29, involving a staggering 143,957 devices, almost ten times usual levels.

Worryingly, this increased activity has persisted, with high watermarks hovering between 50,000 and 100,000 devices.

As the new year progressed, the scale of the threat became even more pronounced, with January 5 and 6 seeing peaks exceeding one million distinct devices each day – 1,294,416 and 1,134,999, respectively. A subsequent peak of 192,916 on January 8 confirmed the sustained intensity of this cyberattack.


Further analysis revealed that this push came from five key countries: the United States, China, Vietnam, Taiwan and Russia.

“Analysis of the activity revealed an increase in the use of cheap or free cloud servers and hosting that attackers are using to create botnet launch pads,” Netscout wrote. “These servers are used through trials, free accounts, or low-cost accounts, which offer anonymity and minimal maintenance.”

Adversaries using these new botnets have focused on scanning Internet-facing ports worldwide, particularly ports 80, 443, 3389, 5060, 6881, 8000, 8080, 8081, 808, and 8888. Additionally, signs of potential mail-server exploitation emerged through increased scanning of ports 636, 993, and 6002.
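As an added illustration of how a defender might baseline the reconnaissance the advisory describes (example code written for this page, not Netscout's tooling), the snippet below counts distinct source addresses per day that probe the listed ports in constructed flow-log lines and flags days whose count exceeds a multiple of a baseline median, mirroring the "typical day versus high watermark" comparison above. The log format, the baseline days and the 1.75x factor are assumptions.

```python
import re
from collections import defaultdict
from statistics import median

# Ports named in the advisory as the focus of the scanning, plus the
# mail-related ports where increased scanning was observed.
WEB_AND_RDP_PORTS = {80, 443, 3389, 5060, 6881, 8000, 8080, 8081, 808, 8888}
MAIL_PORTS = {636, 993, 6002}
WATCHED_PORTS = WEB_AND_RDP_PORTS | MAIL_PORTS

# Constructed flow-log lines (not real data): date, source IP, destination port.
SAMPLE_FLOWS = """\
2023-12-07 198.51.100.10 80
2023-12-07 198.51.100.11 443
2023-12-07 198.51.100.12 22
2023-12-08 198.51.100.10 8080
2023-12-08 198.51.100.13 3389
2023-12-08 198.51.100.14 993
2023-12-08 198.51.100.15 8888
2023-12-08 198.51.100.15 636
2023-12-09 198.51.100.10 80
2023-12-09 198.51.100.16 443
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\S+) (\d+)$")


def distinct_scanners_per_day(log_text, ports=WATCHED_PORTS):
    """Count distinct source addresses per day that touched a watched port."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        day, src, port = m.group(1), m.group(2), int(m.group(3))
        if port in ports:
            seen[day].add(src)
    return {day: len(srcs) for day, srcs in seen.items()}


def flag_anomalous_days(counts, baseline_days, factor=1.75):
    """Return non-baseline days whose count exceeds factor x the baseline median.
    A multiplicative threshold (assumed here) reflects the advisory's framing of
    a roughly 10,000-device norm against peaks several times that size."""
    baseline = median(counts[d] for d in baseline_days if d in counts)
    return sorted(d for d, n in counts.items()
                  if d not in baseline_days and n > baseline * factor)
```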

“These persistently high levels indicate a further weaponization of the cloud against the global Internet,” the advisory reads. “Powerful protection against DDoS attacks is essential to combat these new botnet threats.”
