BIMP-BotNet
It all started back in December 2021, when I discovered password
attacks on mail systems. What I saw was 1 login attempt from 1 IP,
but with 3-5 different IPs within 1-2 minutes in between. So this
was / still is "low and slow" password attacks. And they continue to
this day against anything with an open service with a login prompt
exposed to the Internet, but with a "big love" for anything mail
related.
We know for a fact that many Danish companies have already been
"hacked" by this network.

The name BIMP-BotNet is an abbreviation for Bruteforce, IOT, Malware,
Phishing botnet.
The hunt.
I have been writing a lot about the BIMP-BotNet over the years. I can recommend
the publications from SektorCERT.
What is new
I believe that BIMP-BotNet is just a part of a large proxy network
built from OT/IOT devices that have been hacked, often with an
indication that the SSH keys were overwritten, which gives full access
to a device quite easily. And quite often we see BusyBox systems with
the Dropbear SSH server implementation being part of the proxy
network.
BIMP-BotNet is just using that big botnet to do the attacking. We
have monitored a hacked IOT network device, a "GR241AG Gateway
Router", for some time now, and the infected device gave us 130GB of
traffic per week to look at. That is a lot of traffic...
And a lot of the traffic is proxied SSH traffic from Vietnam.
From this giant proxy network we see a lot of attacks on many
systems. We even found infected devices from some "NATO special
forces military units" being part of this network. We see C2 backend
Russian infrastructure IPs for unknown malware. And funny enough, the
identified C2 IPs in the proxy network do not show up as listed for
any known bad stuff.
So the BIMP-BotNet is, we believe, part of a giant APT proxy network
running globally. We can say that 6.500+ IPs from the proxy network
are running the BIMP-BotNet, so how big this proxy network actually
is is hard to say.
And it is all based on OT/IOT devices on the Internet, and someone
is running this network....
Prevention
- Do NOT leave any system with BusyBox/Dropbear exposed to
the Internet
- Use 2FA on everything
- Do not expose login pages of any kind to the Internet at all if you don't
need to.
- Use GEO protection for exposed services
- Use "point to point"
- Use inline IDS (IPS systems) to drop attack traffic
- Only allow SSH traffic on your network to trusted sources
/ destinations. DO NOT LEAVE IT OPEN TO ANY.
- Always patch
IOC
With the IOCs here you will locate the BIMP-BotNet that is
part of the proxy network. And this is a good way to start looking at
the network itself if you want to dig deeper into this proxy network.
JA3
f17ca639ecdcaa65b4521c49e3515ef9
JA4
t12i860600_e18388e7f3a3_4446390ac224
IP block list with 6.500+ IP addresses for BIMP-BotNet attacks
Suricata IDS Drop Rule
drop tls ![35.190.72.88] 1024: -> $HOME_NET
[25,80,443,465,993,2000,3306,4100,4433,5060,5555,8001,8008,8443,8543,8843,8888,9443,10443,50100,11111]
(msg:"NF - BIMP botnet attacking. Password Attacks - JA3 match - 1";
ja3.hash; content:"f17ca639ecdcaa65b4521c49e3515ef9";
metadata:01072023; classtype:attempted-user; sid:7000001; rev:1;)
SNORT IDS Drop Rule
drop tcp $EXTERNAL_NET any -> $HOME_NET [25,465,993,8843] (msg:"NF -
BIMP-BotNet Attacking - Password Attacks - 1";
ssl_state:client_hello; content:"|00 33 00 32 00 31 00 30 00|";
reference:url,networkforensic.dk; metadata:06122021;
classtype:attempted-user; sid:7000002; rev:1;)
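As an added example that is not part of the original post, here is a small Python check that applies the JA3 and JA4 fingerprints listed above to Suricata eve.json TLS records, so the same IOCs can be hunted in existing logs rather than only inline. The sample records and all IP addresses in them are constructed, and the field names (tls.ja3.hash, tls.ja4) assume Suricata's eve TLS output with JA3/JA4 logging enabled.

```python
import json

# The two fingerprint IOCs quoted in the post above.
BIMP_JA3 = {"f17ca639ecdcaa65b4521c49e3515ef9"}
BIMP_JA4 = {"t12i860600_e18388e7f3a3_4446390ac224"}

# Constructed sample of Suricata eve.json lines (not real captures).
# Assumed layout: tls.ja3.hash and tls.ja4 as written by Suricata's eve TLS logger.
SAMPLE_EVE = """\
{"timestamp":"2026-01-19T10:00:01.000000+0100","event_type":"tls","src_ip":"198.51.100.23","dest_ip":"192.0.2.10","dest_port":993,"tls":{"sni":"mail.example.test","ja3":{"hash":"f17ca639ecdcaa65b4521c49e3515ef9"},"ja4":"t12i860600_e18388e7f3a3_4446390ac224"}}
{"timestamp":"2026-01-19T10:00:45.000000+0100","event_type":"tls","src_ip":"203.0.113.7","dest_ip":"192.0.2.10","dest_port":443,"tls":{"sni":"www.example.test","ja3":{"hash":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"},"ja4":"t13d1516h2_8daaf6152771_b0da82dd1658"}}
{"timestamp":"2026-01-19T10:01:30.000000+0100","event_type":"tls","src_ip":"198.51.100.77","dest_ip":"192.0.2.10","dest_port":465,"tls":{"sni":"mail.example.test","ja3":{"hash":"f17ca639ecdcaa65b4521c49e3515ef9"}}}
{"timestamp":"2026-01-19T10:02:00.000000+0100","event_type":"alert","src_ip":"198.51.100.23","dest_ip":"192.0.2.10"}
"""


def match_bimp(eve_lines):
    """Return (src_ip, dest_port, matched_on) for every TLS record whose
    client fingerprint equals one of the BIMP-BotNet IOCs.

    A record with only a JA3 hash (older Suricata, no JA4) is still
    matched on JA3 alone; non-TLS events are skipped."""
    hits = []
    for line in eve_lines.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "tls":
            continue
        tls = rec.get("tls", {})
        ja3 = (tls.get("ja3") or {}).get("hash")
        ja4 = tls.get("ja4")
        matched = tuple(
            name for name, value, iocs in (("ja3", ja3, BIMP_JA3), ("ja4", ja4, BIMP_JA4))
            if value in iocs
        )
        if matched:
            hits.append((rec["src_ip"], rec.get("dest_port"), matched))
    return hits


if __name__ == "__main__":
    for src_ip, port, on in match_bimp(SAMPLE_EVE):
        print(f"BIMP-BotNet fingerprint from {src_ip} to port {port} (matched on {', '.join(on)})")
```

Source IPs returned by match_bimp can be compared against the IP block list published with this post to confirm overlap with the proxy network.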
Happy Hunting...
IP Blocklist, latest update: 19-01-2026