Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
9/14/2017
09:00 AM
Sara Boddy
Sara Boddy
Partner Perspectives
Connect Directly
Twitter
LinkedIn
RSS
100%
0%

The Hunt for IoT: The Rise of Thingbots

Across all of our research, every indication is that today's "thingbots" - botnets built exclusively from Internet of Things devices - will become the infrastructure for a future Darknet.

Justin Shattuck also contributed to this article.

Image Source: F5
Image Source: F5

The Internet of Things (IoT) and, specifically, the hunt for exploitable IoT devices by attackers, has been a primary area of research for F5 Labs for over a year now—and with good reason. IoT devices are becoming the cyber weapon delivery system of choice by today’s botnet-building attackers. And, why not? There are literally billions of them in the world, most of which are readily accessible (via Telnet) and easily hacked (due to lack of security controls). Why would attackers rent expensive resources in hosting environments to build their botnets when so many devices are free for the taking?

Across all of our research, every indication is that today’s botnets, or "thingbots" (built exclusively from IoT devices) will become the infrastructure for a future Darknet.

In our third semi-annual report on this topic, we continue to track Telnet attack activity and, through a series of global maps showing infected systems, we track the progression of Mirai, as well as a new thingbot called Persirai. We also include a list of the administrative credentials attackers most frequently use when launching brute force attacks against IoT devices.

Mirai systems in Europe - June 2017 (Source: F5)
Mirai systems in Europe June 2017 (Source: F5)

Here are the key findings based on analysis of data collected between January 1 through June 30, 2017:

  • Telnet attack activity grew 280% from the previous period, which included massive growth due largely to the Mirai malware and subsequent attacks.
  • The level of attacking activity at the time of publishing doesn’t equate to the current size of Mirai or Persirai, indicating there are other thingbots being built that we don’t yet know about. Since there haven’t been any massive attacks post Mirai, it is likely these thingbots are just ready and waiting to unleash their next round of attacks.
  • 93% of this period’s attacks occurred in January and February while activity significantly declined in March through June. This could mean that the attacker “recon” phase has ended and that the “build only” phase has begun. Or, it could just be that attackers were momentarily distracted (enticed) by the Shadow Brokers’ release of EternalBlue.
  • The top attacking country in this reporting period was Spain, launching 83% of all attacks, while activity from China, the top attacking country from the prior two periods, dropped off significantly, contributing less than 1% to the total attack volume. (Has China cleaned up compromised IoT systems?)
  • The top 10 attacking IP addresses all came from one hosting provider network in Spain: SoloGigabit. SoloGigabit was also the source of all attacks coming from Spain in this period. Given that SoloGigabit is a hosting provider with a "bullet proof" reputation, we assume this was direct threat actor traffic rather than compromised IoT devices being forced by their thingbot master to attack.
  • The top 50 attacking IP addresses resolve to ISP/telecom companies and hosting providers. While there were more ISPs and telecom IP addresses on the top 50 list, when looking at volume of attacks by industry, the overwhelming number came from hosting providers.
  • Although IoT devices are known for launching DDoS attacks, they’re also being used in vigilante thingbots to take out vulnerable IoT infrastructure before they are used in attacks and to host banking trojan infrastructure. IoT devices have also been subject to hacktivism attacks, and are the target of nation-state cyber warfare attacks.
  • As we see in this report with Persirai, attackers are now building thingbots based on specific disclosed vulnerabilities rather than having to launch a large recon scan followed by brute forcing credentials.

From a manufacturing and security perspective, the state of IoT devices hasn’t changed, nor did we expect it to. In the short term, IoT devices will continue to be one of the most highly exploitable tools in attackers’ cyber arsenals. We will continue to see massive thingbots being built until IoT manufacturers are forced to secure these devices, recall products, or bow to pressure from buyers who simply refuse to purchase vulnerable devices.

In the meantime, responsible organizations can do their best to protect themselves by having a DDoS strategy in place, ensuring redundancy for critical services, implementing credential stuffing solutions, and continually educating employees about the potential dangers of IoT devices and how to use them safely.

Gartner estimates 63% of in-use IoT devices in 2017 are consumer products, the “audience” that’s least capable of doing something about a device’s inherent vulnerabilities. Even with proper instruction, most devices weren’t designed to accept admin credential changes, so a responsible owner of a home-use IoT device couldn’t do the right thing even if they knew how. Nevertheless, this IoT problem needs proper attention, and most certainly will not be solved in the short term. Product fixes and recalls can be extremely costly for IoT manufacturers and developers, and global legislation would require coordinated efforts on a scale the world has never seen. So, now is the time to act on behalf of your business before another Death Star-sized attack is launched. Our recommendations are:

  • Have a DDoS strategy in place, whether it’s an on-premises, cloud-based, or hybrid solution.
  • Ensure critical services have redundancy. You aren’t always the direct target. Plan ahead for downstream impact if your service provider is attacked.
  • Purchase wisely; money talks! Don’t buy, deploy, or sell vulnerable IoT devices. They could become cyber weapons that turn around and attack businesses. Do your homework before you purchase. If you are conducting due diligence with your IoT manufacturers, use the checklist below when questioning their secure development practices.

Our full 'Rise of Thingbots IoT Threat Analysis' report is available here

Sara Boddy currently leads F5 Labs, F5 Networks' threat intelligence reporting division. She came to F5 from Demand Media where she was the Vice President of Information Security and Business Intelligence. Sara ran the security team at Demand Media for 6 years, covering all ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
12 Free, Ready-to-Use Security Tools
Steve Zurier, Freelance Writer,  10/12/2018
Most IT Security Pros Want to Change Jobs
Dark Reading Staff 10/12/2018
6 Security Trends for 2018/2019
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/15/2018
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
F5 makes apps go-faster, smarter, and safer. With solutions for the cloud and the data center, F5 technology provides unparalleled visibility and control, allowing customers to secure their users, applications, and data. For more information, visit www.f5.com.
Featured Writers
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399
PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.