The Hunt for IoT: The Rise of Thingbots

Across all of our research, every indication is that today’s "thingbots" – botnets built exclusively from Internet of Things devices – will become the infrastructure for a future Darknet.

Sara Boddy, Principal Threat Research Evangelist

September 14, 2017

5 Min Read
Image Source: F5

Justin Shattuck also contributed to this article.

The Internet of Things (IoT) and, specifically, the hunt for exploitable IoT devices by attackers, has been a primary area of research for F5 Labs for over a year now—and with good reason. IoT devices are becoming the cyber weapon delivery system of choice by today’s botnet-building attackers. And, why not? There are literally billions of them in the world, most of which are readily accessible (via Telnet) and easily hacked (due to lack of security controls). Why would attackers rent expensive resources in hosting environments to build their botnets when so many devices are free for the taking?

Across all of our research, every indication is that today’s botnets, or "thingbots" (built exclusively from IoT devices) will become the infrastructure for a future Darknet.

In our third semi-annual report on this topic, we continue to track Telnet attack activity and, through a series of global maps showing infected systems, we track the progression of Mirai, as well as a new thingbot called Persirai. We also include a list of the administrative credentials attackers most frequently use when launching brute force attacks against IoT devices.


Here are the key findings based on analysis of data collected between January 1 through June 30, 2017:

  • Telnet attack activity grew 280% from the previous period, which included massive growth due largely to the Mirai malware and subsequent attacks.

  • The level of attacking activity at the time of publishing doesn’t equate to the current size of Mirai or Persirai, indicating there are other thingbots being built that we don’t yet know about. Since there haven’t been any massive attacks post Mirai, it is likely these thingbots are just ready and waiting to unleash their next round of attacks.

  • 93% of this period’s attacks occurred in January and February while activity significantly declined in March through June. This could mean that the attacker “recon” phase has ended and that the “build only” phase has begun. Or, it could just be that attackers were momentarily distracted (enticed) by the Shadow Brokers’ release of EternalBlue.

  • The top attacking country in this reporting period was Spain, launching 83% of all attacks, while activity from China, the top attacking country from the prior two periods, dropped off significantly, contributing less than 1% to the total attack volume. (Has China cleaned up compromised IoT systems?)

  • The top 10 attacking IP addresses all came from one hosting provider network in Spain: SoloGigabit. SoloGigabit was also the source of all attacks coming from Spain in this period. Given that SoloGigabit is a hosting provider with a "bullet proof" reputation, we assume this was direct threat actor traffic rather than compromised IoT devices being forced by their thingbot master to attack.

  • The top 50 attacking IP addresses resolve to ISP/telecom companies and hosting providers. While there were more ISPs and telecom IP addresses on the top 50 list, when looking at volume of attacks by industry, the overwhelming number came from hosting providers.

  • Although IoT devices are known for launching DDoS attacks, they’re also being used in vigilante thingbots to take out vulnerable IoT infrastructure before they are used in attacks and to host banking trojan infrastructure. IoT devices have also been subject to hacktivism attacks, and are the target of nation-state cyber warfare attacks.

  • As we see in this report with Persirai, attackers are now building thingbots based on specific disclosed vulnerabilities rather than having to launch a large recon scan followed by brute forcing credentials.

From a manufacturing and security perspective, the state of IoT devices hasn’t changed, nor did we expect it to. In the short term, IoT devices will continue to be one of the most highly exploitable tools in attackers’ cyber arsenals. We will continue to see massive thingbots being built until IoT manufacturers are forced to secure these devices, recall products, or bow to pressure from buyers who simply refuse to purchase vulnerable devices.

In the meantime, responsible organizations can do their best to protect themselves by having a DDoS strategy in place, ensuring redundancy for critical services, implementing credential stuffing solutions, and continually educating employees about the potential dangers of IoT devices and how to use them safely.

Gartner estimates 63% of in-use IoT devices in 2017 are consumer products, the “audience” that’s least capable of doing something about a device’s inherent vulnerabilities. Even with proper instruction, most devices weren’t designed to accept admin credential changes, so a responsible owner of a home-use IoT device couldn’t do the right thing even if they knew how. Nevertheless, this IoT problem needs proper attention, and most certainly will not be solved in the short term. Product fixes and recalls can be extremely costly for IoT manufacturers and developers, and global legislation would require coordinated efforts on a scale the world has never seen. So, now is the time to act on behalf of your business before another Death Star-sized attack is launched. Our recommendations are:

  • Have a DDoS strategy in place, whether it’s an on-premises, cloud-based, or hybrid solution.

  • Ensure critical services have redundancy. You aren’t always the direct target. Plan ahead for downstream impact if your service provider is attacked.

  • Purchase wisely; money talks! Don’t buy, deploy, or sell vulnerable IoT devices. They could become cyber weapons that turn around and attack businesses. Do your homework before you purchase. If you are conducting due diligence with your IoT manufacturers, use the checklist below when questioning their secure development practices.

Our full 'Rise of Thingbots IoT Threat Analysis' report is available here

About the Author(s)

Sara Boddy

Principal Threat Research Evangelist

Sara Boddy currently leads F5 Labs, F5 Networks' threat intelligence reporting division. She came to F5 from Demand Media where she was the Vice President of Information Security and Business Intelligence. Sara ran the security team at Demand Media for 6 years, covering all divisions of the company including web and ecommerce media properties, the domain registrar and registry platform (eNom, now Rightside) and domain parking. Prior to Demand Media, Sara spent 11 years at security consulting firms that focused on compliance (ISO 27001, PCI-DSS, SOX), incident response, and technical control implementations. Sara specializes in incident response, application security, compliance and audit, and has extensive experience with M&As, IPOs, and public company splits.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights