BASHLITE Botnet

Summary

Originally observed in 2014, BASHLITE is a botnet that exploits vulnerabilities found in Linux-based systems and IoT devices to launch distributed denial-of-service attacks.


Affected platforms

The following platforms are known to be affected:

  • Internet-of-Things (IoT) devices

Threat details

Introduction

BASHLITE is a botnet that launches distributed denial-of-service (DDoS) attacks. Written in C and primarily infecting Linux systems, the botnet is made up mostly of Internet-of-Things (IoT) devices such as cameras, DVRs and home routers. It has a history of evolving to exploit new IoT vulnerabilities, but it also employs common botnet strategies such as using Tor to cloak its activities.

BASHLITE is also known as:

  • Gafgyt
  • Gayfgt
  • Lizkebab
  • Qbot
  • Torlus
  • LizardStresser

Delivery & Activities

BASHLITE infects new devices in several ways, but the most common method is to use Metasploit modules or other exploits against vulnerable devices. Other attack vectors include scanning for open Telnet ports and brute-forcing logins on random IP addresses using a built-in dictionary of common or default usernames and passwords. Details of any successful connections are reported back to the command and control (C2) server.

Early BASHLITE variants used a single hardcoded IP address to connect to a C2 server, but new variants have been observed using Tor-based communications that allow them to change C2 servers as attacker-owned download servers are identified and blocked.

Communicating via Internet Relay Chat (IRC), the botnet can generate several kinds of DDoS attack: TCP flooding that abuses TCP packet flags, holding TCP connections open, and bombarding a specific TCP or UDP port with strings of junk characters. The latest variants also include some Mirai-based modules and exploits, including HTTP flooding and UDP flooding.
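As an added illustration (not part of the NHS Digital advisory), the Python below flags the two behaviours described above in constructed connection records: one source sweeping Telnet (port 23) across many hosts in a short window, and an internal IoT device opening an outbound connection to an IRC port. The IoT subnet, the IRC port list and the thresholds are assumptions chosen for the sample.

```python
# Flag BASHLITE-style behaviour in constructed records: Telnet sweeps and IoT-to-IRC calls.
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

IOT_NET = ip_network("192.168.10.0/24")   # assumed IoT VLAN
IRC_PORTS = {6667, 6668, 6669, 6697}      # common IRC ports (assumption)
SWEEP_THRESHOLD = 5                       # distinct Telnet targets per window
WINDOW = timedelta(minutes=5)

# Constructed sample records: "<ISO timestamp> <src> <dst> <dport>"
SAMPLE_LOG = """\
2021-04-29T10:00:01 203.0.113.7 192.168.10.11 23
2021-04-29T10:00:02 203.0.113.7 192.168.10.12 23
2021-04-29T10:00:02 203.0.113.7 192.168.10.13 23
2021-04-29T10:00:03 203.0.113.7 192.168.10.14 23
2021-04-29T10:00:04 203.0.113.7 192.168.10.15 23
2021-04-29T10:01:00 192.168.10.2 192.168.10.11 23
2021-04-29T10:05:00 192.168.10.11 198.51.100.9 6667
"""

def parse(log):
    """Turn the text records into (timestamp, src, dst, dport) tuples."""
    records = []
    for line in log.splitlines():
        ts, src, dst, dport = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return records

def telnet_sweeps(records):
    """Return {src: distinct targets} for sources hitting >= SWEEP_THRESHOLD Telnet hosts in a WINDOW."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in records:
        if dport == 23:
            by_src[src].append((ts, dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):       # slide a window over each start time
            targets = {dst for ts, dst in events[i:] if ts - start <= WINDOW}
            if len(targets) >= SWEEP_THRESHOLD:
                hits[src] = len(targets)
                break
    return hits

def irc_beacons(records):
    """Internal IoT hosts talking to an external address on an IRC port."""
    return sorted({(src, dst, dport) for _, src, dst, dport in records
                   if dport in IRC_PORTS and ip_address(src) in IOT_NET
                   and ip_address(dst) not in IOT_NET})
```

The single administrative Telnet login from 192.168.10.2 stays below the sweep threshold, so only the external scanner and the IRC call-out are reported.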


Remediation advice

To prevent and detect an infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that the NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.


Last edited: 29 April 2021 10:59 am