Microsoft’s Digital Crimes Unit (DCU) analysts have spotted and helped to shut down a botnet of 400,000 compromised devices whose command-and-control server turned out to be an LED light control console. The botnet was discovered when the team noticed an unusual spike in botnet signals: a hundredfold increase within a single month.
The cybercriminals behind it used the botnet for a wide range of activities, including malware distribution, phishing emails, ransomware, and DDoS attacks.
“The DCU team delved deeper by mapping more than 400,000 publicly available IPs and narrowed that information down to 90 suspicious IPs. An open data search of those 90 IPs further refined the analysis and revealed something alarming: One particular IP was associated with dozens of activities related to the distribution of malware, phishing emails, ransomware, and DDoS attacks,” Microsoft said.
“To the team’s surprise, these activities correlated to as much as one terabyte (TB) of malicious content being sent out a week.”
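As an added illustration (this is not Microsoft's or the MJIB's code, and it does not claim to reproduce how the DCU actually ran its analysis), the following Python script shows the shape of the triage the quote describes: first confirm a month-over-month spike in outbound malicious traffic, then collapse per-event records by source IP and rank IPs by how many distinct malicious activity types they are tied to and how much data they push out per active week. Every record, IP address (RFC 5737 documentation ranges), date and byte count is constructed sample data, and the thresholds are assumptions chosen for the demonstration.

```python
"""Illustrative triage of per-IP telemetry (added example, not DCU code).

Step 1: measure a month-over-month spike in total malicious bytes.
Step 2: rank source IPs by breadth of malicious activity and volume,
        so a single IP tied to many activity types floats to the top.
"""
from collections import defaultdict
from datetime import date

# Constructed sample records: (week_start, src_ip, activity, bytes_out).
# Dates, IPs and byte counts are placeholders, not real measurements.
SAMPLE = [
    (date(2019, 8, 5),  "203.0.113.7",  "malware",      5_000),
    (date(2019, 8, 12), "203.0.113.7",  "phishing",     4_000),
    (date(2019, 9, 2),  "203.0.113.7",  "malware",    300_000),
    (date(2019, 9, 2),  "203.0.113.7",  "ransomware", 250_000),
    (date(2019, 9, 9),  "203.0.113.7",  "ddos",       400_000),
    (date(2019, 9, 9),  "203.0.113.7",  "phishing",   200_000),
    (date(2019, 9, 2),  "198.51.100.9", "phishing",    50_000),
    (date(2019, 9, 9),  "198.51.100.9", "phishing",    60_000),
    (date(2019, 9, 2),  "192.0.2.44",   "malware",     20_000),
]


def monthly_totals(records):
    """Sum outbound bytes per (year, month) across all sources."""
    totals = defaultdict(int)
    for week, _ip, _activity, nbytes in records:
        totals[(week.year, week.month)] += nbytes
    return dict(totals)


def spike_ratio(records, prev_month, cur_month):
    """Ratio of this month's malicious bytes to the previous month's.

    Returns 0.0 when both months are empty and infinity when traffic
    appears from nothing, so callers can apply a single threshold.
    """
    totals = monthly_totals(records)
    prev = totals.get(prev_month, 0)
    cur = totals.get(cur_month, 0)
    if prev == 0:
        return float("inf") if cur else 0.0
    return cur / prev


def rank_sources(records, min_activities=2):
    """Collapse records per source IP, keep IPs tied to at least
    `min_activities` distinct malicious activity types, and order them by
    breadth of activity first and average bytes per active week second."""
    activities = defaultdict(set)
    active_weeks = defaultdict(set)
    total_bytes = defaultdict(int)
    for week, ip, activity, nbytes in records:
        activities[ip].add(activity)
        active_weeks[ip].add(week)
        total_bytes[ip] += nbytes

    ranked = []
    for ip, acts in activities.items():
        if len(acts) < min_activities:
            continue
        ranked.append({
            "ip": ip,
            "activities": sorted(acts),
            "bytes_per_week": total_bytes[ip] / len(active_weeks[ip]),
        })
    ranked.sort(key=lambda r: (len(r["activities"]), r["bytes_per_week"]),
                reverse=True)
    return ranked


if __name__ == "__main__":
    ratio = spike_ratio(SAMPLE, (2019, 8), (2019, 9))
    print(f"month-over-month spike: {ratio:.1f}x")   # assumed alert threshold: 100x
    if ratio >= 100:
        for entry in rank_sources(SAMPLE):
            print(entry["ip"], entry["activities"],
                  f"{entry['bytes_per_week']:.0f} bytes/week")
```

The ranking deliberately puts breadth of activity ahead of raw volume: a host that only sends a lot of phishing mail is a lead, but one IP tied to malware, phishing, ransomware and DDoS at once is the kind of shared infrastructure worth escalating, which is what the quoted analysis turned up.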
The researchers notified Taiwan’s Ministry of Justice Investigation Bureau (MJIB) of their findings, and, using that intelligence, MJIB agents traced the illegal VPN IP behind the malware attacks to a source “from inside an office building in rural northern Taiwan.”
Threat actors typically launch such attacks from compromised computers, but in this case “the source was identified as an LED light control console, a seemingly insignificant IoT device.” Devices of this kind tend to sit outside normal patching and asset-inventory processes, which is exactly what makes them attractive as quiet infrastructure.
The MJIB took the device, which the attackers had been using as the botnet’s command-and-control server, offline, cutting off further malware distribution.