Bondnet Botnet

A new botnet has emerged with 15,000 infected Windows hosts taking advantage of an array of weak security practices. The botnet is currently used for cryptocurrency mining, making the attacker over $1000 per day.

Threat ID:: CC-1404
Category:: Spyware, Trojan, Botnet
Threat Severity:: Medium
Threat Vector:: Exploit
Published:: 10 May 2017 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

Affected platforms

The following platforms are known to be affected:

Microsoft Windows

Windows

Threat details

The Bondnet botnet targets Windows based servers. The current aim is running mining software for a number of cryptocurrencies with a much smaller user base which suggests the botnet is being purposely kept small.

The attacks take advantage of a range of publically available vulnerabilities including phpMyAdmin, JBoss, MSSQL servers and other common services. A RAT (Remote Access Trojan) is then pushed to compromised devices and on initial infection, enables the operating system (OS) guest account and reset the password, allowing connections via various remote access protocols such as RDP (Remote Desktop Protocol). Once the malware has access to the guest account, further system information including system name, guest username, OS version and more to a remote server.

The infrastructure of the botnet is almost entirely made up of compromised servers being used as nodes within the botnet as well as C2 (Command and Control) servers, file servers, attack servers and scanning server with the role being decided by the C2 server on initial infection. The botnet has been observed dropping clients as regularly as it enrols new clients. This is another indicator that the botnet is being kept to a relatively small size.

Threat updates

Date	Update
23 Feb 2018	Bondnet now has the ability to mine cryptocurrency. A new version, known as Bond007.01, has been observed mining both Monero and Bitcoin.

Remediation steps

Type	Step
	Ensure all IOC’s are monitored for by intrusion detection systems to enable swift mitigation in the event of a detection. Ensure regular penetration tests are performed to allow vulnerable services that are available to remote attackers to be flagged and subsequently patched or removed from service. As part of penetration testing, ensure scans of the company address spaces are performed to identify undocumented servers that have been made available to the internet as these unknown/forgotten entities are often the reason for breaches due to their absence from patching schedules.

Type

Step

Ensure all IOC’s are monitored for by intrusion detection systems to enable swift mitigation in the event of a detection.
Ensure regular penetration tests are performed to allow vulnerable services that are available to remote attackers to be flagged and subsequently patched or removed from service.
As part of penetration testing, ensure scans of the company address spaces are performed to identify undocumented servers that have been made available to the internet as these unknown/forgotten entities are often the reason for breaches due to their absence from patching schedules.

Last edited: 17 February 2020 11:27 am