Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT/Embedded Security

10/24/2017
04:00 PM
Curtis Franklin
Curtis Franklin
Curt Franklin
50%
50%

A New BotNet Is Growing: Are You Already Part of Its Army?

The IoT_Reaper botnet is new and growing. Are your IoT devices already part of a criminal system that will cripple the Internet?

Botnets. The name sounds evil and the reality can be worse -- just ask Dyn, Brian Krebs or any of the other victims of Mirai or other botnets.

Now there's a new botnet in town -- named IoT_Reaper by the researchers who found it -- that is building its resources and biding its time until the next shoe inevitably drops.

This new botnet seems to have learned a number of lessons from Mirai and is using those lessons to remain less visible to defenses that have learned the ways of the older botnet. According to yegenshen, the researcher from Network Security Research Lab at 360 who first reported IoT_Reaper, the newer botnet software doesn't try to crack passwords. Instead, it simply looks to expoloit vulnerabilities that already exist on IoT devices.

IoT_Reaper is probing the same sort of devices enlisted by Mirai -- the sort of IoT devices owned in the hundreds by most enterprises -- but is doing so in a low-key fashion less likely to raise red flags in a Tripwire or other IDS infrastructure. It is scanning in a fashing described as "low-key," indicating that staying out of red-flag log files is a key aim of the software.

Once the malware is in place, it takes advantage of an integrated Lua execution environment which will allow hackers to transmit, interpret and execute complex malware scripts for many different purposes. Including Lua means that the basic botnet malware could be used by a wide variety of individuals who might or might not have prvious malware experience -- Lua is the leading scripting language used in games and has been the subject of many different books and articles.

As for what the original purpose of IoT_Reaper might be, the presence of approximately 100 open DNS servers means that a DNS-amplification DDoS attack would be quick to execute. yegenshen was quick to point out that there have been, as of this report, no IoT_Reaper-based DDoS attacks in the wild; right now, the botnet is being assembled for purposes no one outside the launching organization knows.

Checkpoint's Research Team also picked up the IoT_Reaper activity and have said that they have found more than a million organizations currently infected. They point out that the botnet malware seems to so far be focused on wireless IP cameras from a wide variety of vendors.

What's the proper course of action for IT managers and security team members? The first step is to read the research papers describing IoT_Reaper and see whether any of your internal devices are communicating with the command and control (C2) or other nodes of the growing botnet. Next make sure that your current network protection is looking for and protecting again traffic related to IoT_Reaper. Finally, start a scan of your IoT devices -- especially IP security cameras -- to make sure that the only code resident on the devices is code from the factory. If updates are available, now's a good time to deploy them.

While no one knows precisely why the IoT_Reaper botnet is being assembled, the odds are good that the purpose is going to be something that you won't like. You have the opportunity to get in front of this one before a terabit-per-second DDoS attack is launched using your systems. Seize the opportunity while it exists.

Related posts:

— Curtis Franklin is the editor of SecurityNow.com. Follow him on Twitter @kg4gwa.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Considerations for Seamless CCPA Compliance
Anurag Kahol, CTO, Bitglass,  7/2/2020
Introducing 'Secure Access Service Edge'
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  7/3/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-12421
PUBLISHED: 2020-07-09
When performing add-on updates, certificate chains terminating in non-built-in-roots were rejected (even if they were legitimately added by an administrator.) This could have caused add-ons to become out-of-date silently without notification to the user. This vulnerability affects Firefox ESR < 6...
CVE-2020-12422
PUBLISHED: 2020-07-09
In non-standard configurations, a JPEG image created by JavaScript could have caused an internal variable to overflow, resulting in an out of bounds write, memory corruption, and a potentially exploitable crash. This vulnerability affects Firefox < 78.
CVE-2020-12423
PUBLISHED: 2020-07-09
When the Windows DLL "webauthn.dll" was missing from the Operating System, and a malicious one was placed in a folder in the user's %PATH%, Firefox may have loaded the DLL, leading to arbitrary code execution. *Note: This issue only affects the Windows operating system; other operating sys...
CVE-2020-12425
PUBLISHED: 2020-07-09
Due to confusion processing a hyphen character in Date.parse(), a one-byte out of bounds read could have occurred, leading to potential information disclosure. This vulnerability affects Firefox < 78.
CVE-2020-12426
PUBLISHED: 2020-07-09
Mozilla developers and community members reported memory safety bugs present in Firefox 77. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 78.