Researchers from Insikt Group, part of Recorded Future, have identified an IoT botnet that targeted the financial sector in January 2018. Details emerged in a blog by Priscilla Moriuchi and Sanil Chohan.
Interestingly, the underlying data comes from third-party metadata and open source threat intelligence rather than direct observation. It shows how the sharing of threat intelligence can help make attacks easier to identify.
Two possible IoT botnets in the frame
Insikt believe that the attack is yet another Mirai botnet variant. The finger has been pointed at two variants IoTroop or Reaper. Both of these are known about and IoTroop has previously been identified with attacks on the financial sector.
Check Point Research identified IoTroop in October last year. In its initial research it claimed over 1 million organisations had been scanned by IoTroop. This led to claims that it was larger and more dangerous than Mirai. One of the concerns over IoTroop is that it is known to exploit a number of vulnerabilities. It is also capable of being updated with new exploits as they become available.
Similar claims have also been made for Reaper. It was first discovered by researchers at Netlab 360. In the initial disclosure, they claimed that it was large and expanding rapidly. Researchers later claimed that they could only detect 28,000 devices enrolled into the botnet. However, they also said that over 2 million devices were at risk of being enrolled into Reaper.
Why is the IoTroop botnet is the preferred villain?
The Insikt team point to the arrest in February of an unnamed 18-year-old man in the Netherlands. The Dutch Team High Tech Crime (THTC) acted after receiving information about a DDoS attack on the Bunq Bank last September. The suspect, later identified as Jelle S, was also implicated in attacks on the Dutch Tax Office and other companies.
What is interesting is that Bunq Bank claims that it identified the person who attacked them. It seems that the suspect, worried he was going to be found out, walked into the Bunq Bank offices. After apologising, Bunq Bank decided not to press charges and give him another chance.
It now appears that Jelle S took no notice of that warning. Instead, Insikt claims that he continued to launch attacks using IoTroop. Those attacks were against banks, commercial companies and the Dutch Tax Office. Eventually, Bunq Bank handed their data over to the THTC who then made the arrest.
While Jesse S appears to be the current fall guy for IoTroop, there appears to be no evidence he is the owner. This raises questions over how quickly IoTroop will morph or whether the owner will shut it down temporarily.
How big were the attacks?
In terms of DDoS attacks, they were relatively small. The first attack topped out at around 30GB/s and involved just 13,000 devices. The second attack had a significant overlap in terms of the botnet infrastructure. Researchers believe this means it is part of the same botnet. There is very limited data on the third attack at the moment but the timing has researchers convinced this was all part of the same campaign.
The majority of the devices appear to come from poorly secured routers. The researchers said: “80 per cent comprised of compromised MikroTik routers, with the remaining 20 per cent composed of various IoT devices ranging from vulnerable Apache and IIS web servers, to routers from Ubiquity, Cisco, and ZyXEL.
“We also discovered webcams, TVs, and DVRs among the 20 percent of IoT devices, which included products from major vendors such as MikroTik, GoAhead, Ubiquity, Linksys, TP-Link, and Dahua.”
The breadth of devices appears to be down to the emergence of vulnerabilities. This implies that the owner of the IoTroop botnet is updating its attack vectors regularly. There is also a significant issue in terms of the geographical spread of the devices involved. The research shows that while there are 139 countries with infected devices, the majority are in Russia, Brazil and Ukraine.
What does this mean?
IoT-based botnets are easy to build. The complete lack of security in many IoT devices makes it easy for attackers to enrol them into botnets. Part of the excuse from vendors is that there is no money left to build cybersecurity into their products. This is put down to competitive pricing pressures in the market. To solve this there needs to be coordinated action by governments in how devices are tested and approved for sale in-country,
In February the French government in its REVUE STRATÉGIQUE DE CYBERDÉFENSE (Strategic Review of Cyberdefence (only available in French), suggesting it would introduce cyber-liability. This means that for as long as products (software and hardware) are commercially available, the manufacturer would be liable for their security. It is just a suggestion at the moment but one that appeals to other EU countries. It will be interesting to see if France can get an EU working party assembled to consider it.
Consumers are the most at risk of their products being enrolled in botnets. They generally lack the capability and experience to secure their latest technology toys and tools. This makes them easy prey for hackers and is why more must be done by vendors. The same problem exists with many SMEs across Europe. Even the dealers that support them often lack experienced cyber security staff.
For large enterprises there is a double warning here. It is important to locate those devices inside the enterprise before they are taken over. There is also a need to invest in DDoS remediation strategies. While these attacks were small, the industry is expecting to see more large-scale attacks such as the recent 1.35Tbps attack against GitHub.