Security Intelligence
Loading table of contents...
Cybersecurity researchers have advised that the BadBox botnet has grown to 192,000 affected devices despite German authorities recently disrupting one of the botnet’s main command and control servers.
The BadBox botnet originally consisted of Android devices such as TVs, digital picture frames, and media streaming boxes built by no-name manufacturers located in China. Researchers are now warning that the botnet has appeared to expand to include devices manufactured by more trusted brands such as Hisense and Yandex.
It’s still unclear how exactly the BadBox malware is deployed to the affected devices. Researchers believe it’s likely via an insider threat, a supply chain attack on the device’s firmware during the manufacturing process, or manipulation of the device’s firmware shortly before it is purchased by the customer.
Stay on top of emerging threats.
Sign up to receive a weekly roundup of our security intelligence feed. You'll be the first to know of emerging attack vectors, threats, and vulnerabilities.
Once a customer connects a BadBox-infected device to the internet, it becomes a residential proxy that is rented out to other threat actors to facilitate malicious cyber activity. BadBox is also capable of installing additional malicious Android payloads which could enable the breach of other devices on the local network.
Currently, BadBox bots are primarily located in China, India, Russia, Belarus, Brazil and Ukraine. However, the number of countries affected is likely to increase if BadBox malware continues to find its way into more popular brands sold in Western nations.
Source: Bleeping Computer
Analysis
Internet of Things (IoT) devices, like TVs, webcams, digital picture frames, etc., provide a vast, low-risk, and high-reward opportunity for threat actors to build and maintain botnets. Most IoT devices have weak or default credentials, insecure configurations, or lack regular security updates. Their limited processing power and basic firmware often make them unable to support advanced security measures like antivirus or firewalls.
These inherent vulnerabilities and proliferation make them an attractive target for malicious activities, including DDoS attacks, cryptojacking, and cyber espionage. Addressing these risks requires stronger device security measures, user education, and improved IoT regulations.
Law enforcement agencies, particularly the U.S.’s Federal Bureau of Investigation (FBI), have recently spent a great deal of resources combatting botnets.
In September 2024, the FBI and cybersecurity researchers dismantled a massive China-linked botnet, dubbed ‘Raptor Train’. This botnet was used to support attacks on critical infrastructure, military, government, higher education, telecommunications, defense industrial base (DIB), and IT sector targets mainly in the U.S. and Taiwan. Raptor Train consisted of over 260,000 compromised small office/home office (SOHO) and consumer devices, such as routers, DVRs, and IP cameras which were susceptible to more than 20 different vulnerabilities.
Mitigation
Field Effect’s Security Intelligence team constantly monitors the cyber threat landscape for threats from advanced cyber actors engaging in malicious activities, including groups sponsored by China. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate the risk these groups pose.
Field Effect MDR users are automatically notified when various types of malicious activities are detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
While it’s difficult for the average user to detect if their newly purchased TV or digital picture frame has been infected with a botnet, there are some signs to look for. For example, a botnet-infected device will typically run hot to the touch and will operate slower due to the added processor usage. Additionally, internet speeds may be noticeably lower due to the infected device’s strain on the network’s total bandwidth.
Field Effect strongly encourages users to enable automatic updates for IoT devices to ensure they are running the latest firmware version. Additionally, users are reminded to make sure these devices are configured properly (e.g., restricting external access to management interfaces, disabling unnecessary services) and use strong passwords. Devices that have reached end-of-life status should be replaced as soon as possible.
