Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
9/14/2017
09:00 AM
Sara Boddy
Sara Boddy
Partner Perspectives
Connect Directly
Twitter
LinkedIn
RSS
100%
0%

The Hunt for IoT: The Rise of Thingbots

Across all of our research, every indication is that today's "thingbots" - botnets built exclusively from Internet of Things devices - will become the infrastructure for a future Darknet.

Justin Shattuck also contributed to this article.

Image Source: F5
Image Source: F5

The Internet of Things (IoT) and, specifically, the hunt for exploitable IoT devices by attackers, has been a primary area of research for F5 Labs for over a year now—and with good reason. IoT devices are becoming the cyber weapon delivery system of choice by today’s botnet-building attackers. And, why not? There are literally billions of them in the world, most of which are readily accessible (via Telnet) and easily hacked (due to lack of security controls). Why would attackers rent expensive resources in hosting environments to build their botnets when so many devices are free for the taking?

Across all of our research, every indication is that today’s botnets, or "thingbots" (built exclusively from IoT devices) will become the infrastructure for a future Darknet.

In our third semi-annual report on this topic, we continue to track Telnet attack activity and, through a series of global maps showing infected systems, we track the progression of Mirai, as well as a new thingbot called Persirai. We also include a list of the administrative credentials attackers most frequently use when launching brute force attacks against IoT devices.

Mirai systems in Europe - June 2017 (Source: F5)
Mirai systems in Europe June 2017 (Source: F5)

Here are the key findings based on analysis of data collected between January 1 through June 30, 2017:

  • Telnet attack activity grew 280% from the previous period, which included massive growth due largely to the Mirai malware and subsequent attacks.
  • The level of attacking activity at the time of publishing doesn’t equate to the current size of Mirai or Persirai, indicating there are other thingbots being built that we don’t yet know about. Since there haven’t been any massive attacks post Mirai, it is likely these thingbots are just ready and waiting to unleash their next round of attacks.
  • 93% of this period’s attacks occurred in January and February while activity significantly declined in March through June. This could mean that the attacker “recon” phase has ended and that the “build only” phase has begun. Or, it could just be that attackers were momentarily distracted (enticed) by the Shadow Brokers’ release of EternalBlue.
  • The top attacking country in this reporting period was Spain, launching 83% of all attacks, while activity from China, the top attacking country from the prior two periods, dropped off significantly, contributing less than 1% to the total attack volume. (Has China cleaned up compromised IoT systems?)
  • The top 10 attacking IP addresses all came from one hosting provider network in Spain: SoloGigabit. SoloGigabit was also the source of all attacks coming from Spain in this period. Given that SoloGigabit is a hosting provider with a "bullet proof" reputation, we assume this was direct threat actor traffic rather than compromised IoT devices being forced by their thingbot master to attack.
  • The top 50 attacking IP addresses resolve to ISP/telecom companies and hosting providers. While there were more ISPs and telecom IP addresses on the top 50 list, when looking at volume of attacks by industry, the overwhelming number came from hosting providers.
  • Although IoT devices are known for launching DDoS attacks, they’re also being used in vigilante thingbots to take out vulnerable IoT infrastructure before they are used in attacks and to host banking trojan infrastructure. IoT devices have also been subject to hacktivism attacks, and are the target of nation-state cyber warfare attacks.
  • As we see in this report with Persirai, attackers are now building thingbots based on specific disclosed vulnerabilities rather than having to launch a large recon scan followed by brute forcing credentials.

From a manufacturing and security perspective, the state of IoT devices hasn’t changed, nor did we expect it to. In the short term, IoT devices will continue to be one of the most highly exploitable tools in attackers’ cyber arsenals. We will continue to see massive thingbots being built until IoT manufacturers are forced to secure these devices, recall products, or bow to pressure from buyers who simply refuse to purchase vulnerable devices.

In the meantime, responsible organizations can do their best to protect themselves by having a DDoS strategy in place, ensuring redundancy for critical services, implementing credential stuffing solutions, and continually educating employees about the potential dangers of IoT devices and how to use them safely.

Gartner estimates 63% of in-use IoT devices in 2017 are consumer products, the “audience” that’s least capable of doing something about a device’s inherent vulnerabilities. Even with proper instruction, most devices weren’t designed to accept admin credential changes, so a responsible owner of a home-use IoT device couldn’t do the right thing even if they knew how. Nevertheless, this IoT problem needs proper attention, and most certainly will not be solved in the short term. Product fixes and recalls can be extremely costly for IoT manufacturers and developers, and global legislation would require coordinated efforts on a scale the world has never seen. So, now is the time to act on behalf of your business before another Death Star-sized attack is launched. Our recommendations are:

  • Have a DDoS strategy in place, whether it’s an on-premises, cloud-based, or hybrid solution.
  • Ensure critical services have redundancy. You aren’t always the direct target. Plan ahead for downstream impact if your service provider is attacked.
  • Purchase wisely; money talks! Don’t buy, deploy, or sell vulnerable IoT devices. They could become cyber weapons that turn around and attack businesses. Do your homework before you purchase. If you are conducting due diligence with your IoT manufacturers, use the checklist below when questioning their secure development practices.

Our full 'Rise of Thingbots IoT Threat Analysis' report is available here

Sara Boddy currently leads F5 Labs, F5 Networks' threat intelligence reporting division. She came to F5 from Demand Media where she was the Vice President of Information Security and Business Intelligence. Sara ran the security team at Demand Media for 6 years, covering all ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
BlueBorne Attack Highlights Flaws in Linux, IoT Security
Kelly Sheridan, Associate Editor, Dark Reading,  12/14/2017
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
F5 makes apps go-faster, smarter, and safer. With solutions for the cloud and the data center, F5 technology provides unparalleled visibility and control, allowing customers to secure their users, applications, and data. For more information, visit www.f5.com.
Featured Writers
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security: 2017
A look at the biggest news stories (so far) of 2017 that shaped the cybersecurity landscape -- from Russian hacking, ransomware's coming-out party, and voting machine vulnerabilities to the massive data breach of credit-monitoring firm Equifax.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.