More than 1.6 million devices, mostly in China, have been infected by a recently discovered botnet named “Pink”, according to security experts. The botnet’s purpose is to perform distributed denial of service attacks and inject advertisements into HTTP websites accessed by users.
According to a blog post from NetLab 360, the Pink botnet uses both peer-to-peer networking and central command-and-control (C2) servers to operate, and targets mostly MIPS-based fiber routers. The botnet also encrypts its transmission channels to keep the infected devices from being taken over.
Pink has also been found to use DNS-over-HTTPS (DoH) to connect to a controller specified in a configuration file delivered either via GitHub or Baidu Tieba, or via a built-in domain name hard-coded into some of the samples. DoH performs remote Domain Name System resolution over the HTTPS protocol.
Researchers also found that Pink has fought to retain control over the infected devices: it monitored the vendor's repeated attempts to fix the problem in real time and pushed multiple firmware updates to the fiber routers in response.
Another report by Beijing-based cybersecurity company NSFOCUS reveals that more than 96% of the zombie nodes in the “super-large-scale bot network” were located in China. The threat actor exploited zero-day vulnerabilities in network gateway devices to break into the devices and install malicious programs that turned them into zombie machines.
Fortunately, as of July 2020, most of the infected devices had been fixed and returned to normal operation. However, according to the available information, the botnet is still operational and consists of around 100,000 nodes.
With approximately 100 DDoS attacks conducted to date, Pink is presently the biggest botnet ever detected; however, researchers warn that it won't be the last. These revelations are yet another example of how botnets can provide formidable infrastructure for malicious actors to mount various intrusion attempts.