NETSCOUT Arbor, which specialises in advanced distributed denial of service (DDoS) protection solutions, has shared intelligence released by its security research and analysis team – Arbor’s Security Engineering & Response Team (ASERT).
The Territory Manager for sub-Saharan Africa at NETSCOUT Arbor, Bryan Hamman, says, “Earlier this year, we released news of the trends we foresaw happening in 2019 and one of our predictions was that botnet attacks via the Internet of Things (IoT) devices are set to increase. As it turns out, we were spot on.”
Any embedded device that runs an operating system and has networking capabilities can be considered an IoT device, says Hamman.
“Most consumer IoT devices are vulnerable to hard-coded or default-credential attacks and buffer overflows, which basically turn their linked device into a DDoS attacking machine – and one that is already conveniently connected to thousands of other devices on the same network.
“Our challenge comes in when patches are released in that they are rarely applied,” he says. “Consumers don’t think of security when they plug their IoT devices in or switch them on, and with nearly 27 billion connected devices in 2017 rising to an anticipated 125 billion by 2030, IoT devices are increasingly attractive to malware designers.”
The team at ASERT has released an “around the world in 120 days” report covering IoT exploits since December 2018, and the results were interesting to say the least, says Hamman.
“To effectively plot their ‘journey’,” he explains, “our team created a host of IoT honeypots, which are, basically, computers built with one purpose in mind and that is to mimic a likely target for attackers. Our ASERT team uses them to detect attacks and to gain information about how cybercriminals operate.
“In this case, telemetry from our honeypots showed that the number of exploit attempts originating from bots continues to increase. In fact, we witnessed a two-fold increase in the number of exploit attempts from December 2018 to January 2019 – a massive 218 percent increase with more and more botnets attempting to exploit IoT device vulnerabilities.”
An old foe evolves
The most common exploit, identified as CVE-2014-8361, dominated the list of IoT exploits to hit the ASERT honeypots over the two-month period. This exploit vector was publicly disclosed in April 2015 and traces back to several high-profile IoT botnets such as Satori and JenX, both of which in turn descend from an old ‘friend’, Mirai – proving that the shelf life of an IoT-based exploit can last for years.
“In fact, when reviewing the payloads for these attacks, we found that most of the malware being delivered is a Mirai variant, again proving that you can teach an old dog new tricks.”
As Team ASERT stated in an article on “regifting exploits”, IoT devices will get patched, sooner or later, but not at the same rate or priority we see when dealing with operating systems. This trend, also identified using Arbor honeypot data, shows that the longevity and usefulness of IoT-based vulnerabilities can last much longer, so they remain very attractive to botnet authors.
“Due to the sheer number of IoT devices connected to the internet, finding vulnerable devices is easy and quick and it doesn’t take a significant amount of effort to create a large IoT botnet and create havoc, as we saw with the DDoS attacks conducted by Mirai in 2016,” says Hamman.
“As we roll into 2019, ASERT research assures us that we will continue to see an uptick in the use of IoT-based vulnerabilities, with the ease of updating botnet source code like Mirai to take advantage of these vulnerabilities playing a significant role in this permeation.”
As vendors try to address these issues, IoT botnet operators will evolve their approach in turn. So, as security practitioners, says Hamman, we must learn from these tactics and work out how to educate consumers in better defending their property.
“And, as always, it’s critical that IoT security be part of an organisation’s security program – with continual and vigilant patching, testing, monitoring, and incident response protocols,” he concludes.