Old IoT vulnerabilities - a botnet gift that keeps on giving

The first thing anyone purchasing any device that connects to the internet should do upon switching it on for the first time is immediately update it. If you don't, you risk having it hijacked by a botnet.
Bryan Hamman, territory manager for sub-Saharan Africa at Netscout Arbor

So says Bryan Hamman, territory manager for sub-Saharan Africa at Netscout Arbor, which specialises in advanced Distributed Denial of Service (DDoS) protection solutions. He warns that it’s not only obvious IoT devices like fitness wearables and watches that are at risk; so are commonly overlooked devices like IP cameras and cable modems.

According to Hamman, new research from Arbor’s Security Engineering & Response Team (ASERT) reveals that while IoT device makers are starting to develop more secure devices, IoT botnet authors are turning their attention to exploiting the existing vulnerabilities in older devices.

The ASERT honeypot* November 2018 report noted that existing IoT vulnerabilities were being used as a means to deliver malware, with the infected devices then often conscripted into a DDoS army. And as the 2016 Mirai DDoS attacks showed, a large IoT botnet can create havoc.

“As far as IoT botnet authors are concerned, it seems that older vulnerabilities are effectively a gift that keeps on giving. As soon as a vulnerability is made public, botnet authors integrate it into their botnet and use this, along with their standard brute force tactic, to quickly build what could be the next potentially lethal DDoS army,” Hamman says.

In fact, the ASERT research clearly indicated that the use of existing and known IoT-based vulnerabilities has made it far easier for botnet authors to increase the number of devices within their botnets.

“Even if the device delivered by the manufacturer has been secured against all known vulnerabilities, the device itself is likely to sit on the reseller's shelf for a while before it is sold, switched on and connected. By that time, a whole host of additional vulnerabilities, against which the device has not been secured, have emerged. The device is thus vulnerable to attack, until its software is updated,” Hamman adds.

A major problem is that the time taken for an attack to occur is frighteningly short. Earlier ASERT research shows that it can take just a few minutes from the time a device is switched on and connected to the internet before it is scanned and subjected to attempted brute-force logins.

One of the reasons this modus operandi works for botnet authors is the glacial pace at which IoT devices – often referred to as “set and forget” devices – receive security patches. As the authors of the new ASERT report ask: “When’s the last time you updated your IP camera?”

Many botnet authors make a point of seeking to exploit vulnerabilities that are specific to IoT devices. An example is the infamous Mirai malware, which emerged in late 2016 but is still going strong, with numerous Mirai variants also having emerged since then. This is largely because of Mirai’s success in exploiting mundane factory-installed usernames and passwords.

In his Netscout Arbor blog, Matthew Bing, who reverse-engineers malware and maintains Netscout Arbor’s honeypot operations, listed the most popular username and password combos used by malware authors. These included such obvious ones as “admin/admin” and “guest/12345”. You can read the list of some of the others on the blog.

In all, however, Netscout Arbor has identified some 2,070 unique username and password combos that are commonly used by botnet authors as part of their attack arsenal.

Arbor’s November honeypot report notes that Mirai-related attacks are no longer directed only at IoT devices: the onslaught against Hadoop YARN, described in “Mirai: Not Just For IoT Anymore”, continued.

While the Hadoop YARN attack is a relatively new phenomenon, Netscout Arbor also identified a new and extremely worrying trend: attempted exploitation of older IoT vulnerabilities such as CVE-2014-8361, CVE-2015-2051, CVE-2017-17215 and CVE-2018-10561, arising from a variety of unique sources, in order to deliver variants of Mirai.

*A honeypot is a system on a network that acts as a decoy and lures potential hackers (like bears get lured to honey). Honeypots do not contain any live data or information, but they can contain false information. A honeypot should also prevent an intruder from accessing protected areas of the network.
