The first thing anyone purchasing any device that connects to the Internet should do upon switching it on for the first time is to update it immediately. If you don’t, you risk having it hijacked by a botnet.
So says Bryan Hamman, territory manager for sub-Saharan Africa at NETSCOUT Arbor, which specialises in advanced distributed denial of service (DDoS) protection solutions. He warns that it’s not only obvious IoT devices like fitness wearables and watches that are at risk; so are commonly overlooked devices like IP cameras and cable modems.
According to Hamman, new research from Arbor’s Security Engineering & Response Team (ASERT) reveals that while IoT device makers are starting to develop more secure devices, so IoT botnet authors are turning their attention to exploiting the existing vulnerabilities in older devices.
The ASERT honeypot1 November 2018 report noted that existing IoT vulnerabilities were being used as a means to deliver malware, which is then often conscripted into a DDoS army. And as the 2016 DDoS Mirai attacks showed, a large IoT botnet can create havoc.
“As far as IoT botnet authors are concerned, it seems that older vulnerabilities are effectively a gift that keeps on giving. As soon as a vulnerability is made public, botnet authors integrate it into their botnet and use this, along with their standard brute force tactic, to quickly build what could be the next potentially lethal DDoS army,” Hamman says.
In fact, the ASERT research clearly indicated that the use of existing and known IoT-based vulnerabilities has made it far easier for botnet authors to increase the number of devices within their botnets.
“Even if the device delivered by the manufacturer has been secured against all known vulnerabilities, the device itself is likely to sit on the resellers shelf for a while before it is sold, switched on and connected. By that time, a whole host of additional vulnerabilities, against which the device has not been secured, have emerged. The device is thus vulnerable to attack, until its software is updated,” Hamman adds.
A major problem is that the time taken for an attack to occur is frighteningly short. Earlier ASERT research shows that it can take just a few minutes from the time a device is switched on and connected to the Internet, before it is being scanned and subjected to attempted brute-force logins.
One of the reasons this modus operandi works for botnet authors is the glacial pace at which IoT devices – often referred to as “set and forget” devices – receive security patches. As the authors of the new ASERT report ask: “When’s the last time you updated your IP camera?”
Many botnet authors make a point of seeking to exploit vulnerabilities that are specific to IoT devices. An example is the infamous Mirai malware which emerged in late 2016, but is still going strong, with numerous Mirai variants also having emerged since then. This is largely because of Mirai’s success in exploiting mundane factory-installed usernames and passwords.
In his recent NETSCOUT Arbor blog, Matthew Bing, who reverse-engineers malware and maintains NETSCOUT Arbor’s honeypot operations listed the most popular username and password combos used by malware authors. These included such obvious ones as “admin/admin” and “guest/12345”. You can read the list of some of the others, as revealed by NETSCOUT Arbor, here.
In all, however, NETSCOUT Arbor has identified some 2 070 unique user name and password combos that are commonly used by botnet authors as part of their attack arsenal.
Arbor’s November honeypot report notes that although Mirai-related attacks are no longer directed only at IoT devices, the onslaught against Hadoop YARN, described in “Mirai: Not Just For IoT Anymore” continued.
While the Hadoop YARN attack is a relatively new phenomenon, NETSCOUT Arbor also identified the new, and extremely worrying trend, of attempted exploitation of older IoT vulnerabilities such as CVE-2014-8361, CVE-2015-2051, CVE-2017-17215 and CVE-2018-10561 arising from a variety of unique sources in order to deliver variants of Mirai.
CVE-2014-8361, for example, was first publicly disclosed in April 2015 and has been used in a number of IoT botnets including the high profile Satori and JenX.
Hamman predicts that the emerging trend towards the exploitation of known, older IoT vulnerabilities will continue, and possibly accelerate, in 2019.
“One way in which this trend could be slowed and possibly reversed is for IoT device manufacturers seriously consider placing prominent warnings on all their devices advising customers to update the device’s software immediately, and to continue to do so on a regular basis thereafter. Without a concerted effort from all players in the IoT chain, the next major DDoS attack may make the 2016 Mirai exploit pale by comparison,” he concludes.