Security researchers have discovered a significant increase in global botnet activity between December 2023 and the first week of January 2024, with spikes observed exceeding one million devices.
Writing in an advisory published on Friday, Netscout ASERT explained that, on a typical day, approximately 10,000 such devices engaged in malicious reconnaissance scanning last year, with a high watermark of 20,000 devices.
However, on December 8, 2023, this number surged to 35,144 devices, signaling a notable departure from the norm.
According to the technical write-up, the situation escalated on December 20, with another spike reaching 43,194 distinct devices. Subsequent spikes, occurring in shorter intervals, culminated in a record-breaking surge on December 29, involving a staggering 143,957 devices, nearly ten times the usual levels.
Disturbingly, this heightened activity persisted, with high watermarks fluctuating between 50,000 and 100,000 devices.
As the new year unfolded, the scale of the threat became even more pronounced, with January 5 and 6 witnessing spikes exceeding one million distinct devices each day – 1,294,416 and 1,134,999, respectively. A subsequent spike of 192,916 on January 8 affirmed the sustained intensity of this cyber onslaught.
Further analysis revealed that this surge emanated from five key countries: the United States, China, Vietnam, Taiwan and Russia.
“Analysis of the activity has uncovered a rise in the use of cheap or free cloud and hosting servers that attackers are using to create botnet launch pads,” Netscout wrote. “These servers are used via trials, free accounts or low-cost accounts, which provide anonymity and minimal overhead to maintain.”
Adversaries utilizing these new botnets focused on scanning global internet ports, particularly ports 80, 443, 3389, 5060, 6881, 8000, 8080, 8081, 808 and 8888. Additionally, signs of potential email server exploits surfaced through increased scanning of ports 636, 993 and 6002.
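A defender-side way to baseline the reconnaissance the advisory describes, added here as an example and not Netscout's code or tooling: count per day the distinct sources that sweep several of the ports listed above and compare the count against a high watermark. The flow-log format, the sample lines and the three-port scan threshold are constructed assumptions; the 20,000 figure is the advisory's stated normal-day high watermark, and a real deployment would derive its own from its telemetry.

```python
from collections import defaultdict

# Ports the advisory names as the botnets' reconnaissance targets, plus the
# mail-related ports whose scanning it also flagged.
RECON_PORTS = {80, 443, 3389, 5060, 6881, 8000, 8080, 8081, 808, 8888}
MAIL_PORTS = {636, 993, 6002}
WATCHED_PORTS = RECON_PORTS | MAIL_PORTS

# The advisory's stated high watermark for a normal day (~10,000 typical, 20,000 peak).
BASELINE_HIGH_WATERMARK = 20_000


def parse_flow(line):
    """Parse a constructed flow-log line: '<ISO timestamp> <src_ip> <dst_ip> <dst_port>'."""
    ts, src, _dst, port = line.split()
    return ts[:10], src, int(port)  # day as 'YYYY-MM-DD', source IP, destination port


def distinct_scanners_per_day(lines, min_ports=3):
    """Per day, count distinct source IPs that probed at least `min_ports`
    different watched ports (a simple horizontal-scan heuristic, assumed here)."""
    ports_seen = defaultdict(set)  # (day, src) -> watched ports touched
    for line in lines:
        day, src, port = parse_flow(line)
        if port in WATCHED_PORTS:
            ports_seen[(day, src)].add(port)
    per_day = defaultdict(int)
    for (day, _src), ports in ports_seen.items():
        if len(ports) >= min_ports:
            per_day[day] += 1
    return dict(per_day)


def flag_spikes(counts_per_day, watermark=BASELINE_HIGH_WATERMARK):
    """Return only the days whose distinct-scanner count exceeds the watermark."""
    return {day: n for day, n in counts_per_day.items() if n > watermark}


def constructed_sample():
    """Constructed flow lines (not real telemetry): a quiet day, then a surge."""
    lines = []
    for i, ports in enumerate([(80, 443, 8080), (3389, 5060, 8888), (22,), (80,)]):
        for p in ports:
            lines.append(f"2024-01-04T02:00:00 198.51.100.{i + 1} 203.0.113.10 {p}")
    for i in range(60):  # 60 hosts each sweep five watched ports
        for p in (80, 443, 3389, 8080, 993):
            lines.append(f"2024-01-05T03:00:00 192.0.2.{i + 1} 203.0.113.10 {p}")
    return lines


if __name__ == "__main__":
    counts = distinct_scanners_per_day(constructed_sample())
    print(counts, flag_spikes(counts, watermark=10))  # small watermark for the demo
```

On the constructed sample the quiet day yields 2 scanners (the port-22 probe and the single-port host are ignored) and the surge day 60; only the surge day is flagged once the watermark is lowered for the demo.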
“These consistently elevated levels indicate a new weaponization of the cloud against the global internet,” reads the advisory. “Powerful DDoS protection is a must-have for combatting these new botnet threats.”