IoT Botnets by the Numbers
IoT devices are a botherder's dream attack vector.
January 31, 2018
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/bltff7759e26be2bd93/64f0d6f2d70b2e69e6830f1b/01-iotbot.jpeg?width=700&auto=webp&quality=80&disable=upscale)
Even before Mirai burst onto the scene a year-and-a-half ago, security experts had been warning anyone who listened about how juicy Internet of things (IoT) devices were looking to criminal botnet herders. Proliferating faster than black t-shirts at a security conference, IoT sensors have spread throughout our personal and business lives inside cameras, automobiles, TVs, refrigerators, wearable technology, and more.
They offer the perfect combination of variables for attackers seeking an ideal botnet node: ubiquity, connectivity, poor default settings, rampant software vulnerability - and utter forgettability. Once these devices are deployed, they're rarely patched or even monitored. So it was only a matter of time before cybercriminals started harvesting them for botnet operations.
Mirai offered one of the first large-scale implementations of IoT botnets, and since its inception in late 2016 the attacks have been relentless.
Here is a rundown of some of the most relevant stats around IoT botnet attacks.
A report from Spamhaus Project showed that among all botnet activity gains, IoT botnet growth took the cake. The Spamhaus Botnet Threat Report found that while the number of botnet controllers jumped by a sizable 32% in 2017, the number of IoT botnet controllers more than doubled in the same time period.
First discovered by security researchers in August 2016, the Mirai IoT botnet was the speartip of this newest evolution in botnet threats. Mirai started to really make waves in the early fall of that year, taking down the KrebsOnSecurity.com website and breaking records by barraging French web host OVH with the first-ever DDoS attack to break through the traffic data ceiling of 1.5 Tbps, an attack that still holds the traffic flood record today. All of that early traction came from malware designed to target IoT devices with one of 60 popular default passwords.
The crescendo to Mirai's early traction came on October 21, 2016, when the botnet managed to orchestrate a series of DDoS attacks that took down services at managed DNS provider Dyn, taking with it in the process some of the biggest names on the internet in North America, including Amazon, Spotify, Netflix, Twitter, GitHub, and Yelp. Dyn's team first reported the attack was coming from millions of compromised devices, but later investigation found the attack was carried out by just 100,000 IoT zombies.
Last year saw an incredible run-up in the size of botnets grown using the Mirai malware, which soon after initial attacks had its code released open source for any scammer to use. Researchers with Netlab 360 tracked cumulative growth of compromised devices from Mirai's inception until about last summer. In a little less than a year, it managed to pick up 2.7 million compromised IoT devices.
Last month saw the three creators of Mirai come to justice in a fairly swift manner through a plea deal with the US Department of Justice. Paras Jha, 21, Josiah White, 20, and Dalton Norman, 21, who developed Mirai in their dorm room, all pled guilty and now face 5 years in prison and $250,000 in fines for their creation of and renting out of Mirai for click fraud and other cybercriminal activities.
Sentencing of Mirai's creators or not, the genie is out of the bottle now. Last year saw the splintering of code as new variants and families based on Mirai cropped up with more effective attack vectors than ever. One of the most successful new families, Satori, started popping up late last year and truly turned on the afterburners when attackers used it to go after a zero day in Huawei's HG532e home gateway router in December 2017. According to researchers with Netlab 360, around the time Satori targeted that vulnerability, it was able to pull in over 280,000 new infected devices within a 12-hour period.
One of the newest examples of IoT botnet advances is Hide N Seek (HNS), a bot first detected by researchers with Bitdefender this month. From January 10th until now, HNS has managed to build itself up to 24,000 bots with a fairly wide geographic distribution. The unique trait of this one is its advanced peer-to-peer communication system.
Just how much does an IoT botnet rental go for? According to one report, one Dark Web advertisement had a 50,000-device botnet for rent for a two-week duration to conduct one-hour attacks with five- to 10-minute cooldowns in between at a rate of $3000-$4000.
According to the AT&T Global State of Cybersecurity report, 35% of organizations report that IoT devices were the primary source of data breaches in the past 12 months and 68% of them expect IoT threats to increase in the coming year. While 90% of organizations have conducted enterprise-wide cyber risk assessments in the past year, just 50% have conducted risk assessments specific to IoT threats.