When the ISP Becomes the Weakest Link in the Cyberattack Kill Chain

  • People are not always the weakest link
  • Trickbot was hit, but it’s operators are trying to make a comeback
  • ISP’s devices are oftentimes unwilling participants in massive botnet networks

Cybercriminals will use any advantage to reach their goal. Most of the time, they’ll take advantage of the weakest link in the cyberattack kill chain: the people. But sometimes, that weak link is formed by ISPs. The reason is a simple one. They don’t strengthen the hardware they deploy inside people’s homes, putting their own infrastructure in jeopardy.

The cyberattack kill chain is a series of linked events that starts with criminals looking for vulnerabilities and ends with a compromised device. People are usually the weakest link as they tend to open emails and attachments they shouldn’t, they visit compromises websites, and simply ignore the need to keep devices and software up to date.

But one way cybercriminals compromise networks is through vast botnets they design to seek and exploit existing vulnerabilities. Such exploits are often found in the numerous IoT devices in people’s homes and in the routers governing the networks in smart houses.

Trickbot is just one example of many

The operation that shut down the command and control centers of the infamous Trickbot botnet was touted as a great success, which is at least partly true. But the whole truth is that the Trickbot operators and the botnet itself are still active. It will take a while to bounce back, but it will happen. In fact, the first signs of its return are already here.

Bitdefender’s security researchers discovered updated communication mechanisms, a new C2 infrastructure that uses MikroTik routers and packed modules. While the botnets’ targets are fully fledged endpoints (PCs, laptops etc), the command and controls use IoT devices such as routers for servers.

ISPs already use MikroTik routers, so there’s a good chance that some deployed routers inside an ISP’s network might end up as a C2 server for Trickbot, and that should never be an option.

Protecting the network from the inside

It’s easy to think of ISPs as just that — an Internet service provider. But that definition no longer fully applies. The pandemic and the paradigm shift that displaced workers from offices to homes put the security burden on ISPs’ shoulders. Fortunately, solutions exist to let ISPs protect their network and businesses.

Bitdefender’s IoT Security Platform fits like a glove in this situation, as it can help ISPs secure their routers and network and offer security and peace of mind to their customers at the same time. Because the platform integrates with existing hardware and has a low footprint, deployment is much easier.

Having Trickbot C2 servers running on your routers is bad for any ISP. A security solution that runs in the background 24/7 without affecting performance makes cybercriminals’ lives much more difficult and the lives of customers much safer.