The Evolving Threat - IoT Botnets
A widely used definition of the Internet of Things (IoT) is that it is a network of physical devices, vehicles, structures and other objects, embedded with electronics, software, sensors, actuators and network connectivity (typically each has an IP address), that enables these objects to collect and exchange data. This covers a wide range of devices such as cameras, routers, DVRs and wearables like smart watches. IoT devices are found in many if not all industries, including aerospace, energy, finance, healthcare, manufacturing and retail. They are so widely incorporated into our daily lives that Gartner expects 20.4 billion IoT devices to be deployed on the Internet by 2020, more than twice the current world population.
A growing problem today is that many IoT device vendors are hyper-focused on increasing product functionality and reducing time-to-market, often at the expense of device and user security. Writing good, secure code is commonly put on the back burner in favor of ease of use and integration, which leaves many IoT devices vulnerable to attack. This, along with the sheer number of expected devices on the Internet, makes for a very big attack surface for the bad guys. A botnet (from the words robot and network) is a set of computers infected by, and controlled through, malicious software, usually without the owner's knowledge. A botnet made up of IoT devices is referred to as an IoT botnet.
In the beginning
IoT botnets have been around for a while, but it really wasn't until September 2016, when Mirai hit the scene, that the extent of this threat was exposed. Mirai launched one of the biggest DDoS attacks seen to that point against the Krebs on Security website, taking the site down for about four days, along with other targets. The botnet utilized roughly 600,000 infected IoT devices to deliver the attack, most of them DVRs, cameras and routers. As massive as we thought this attack was, it was the equivalent of a blunt object that foreshadowed what was to come. An attack that delivered its blow using hundreds of thousands of devices was not executed with much sophistication, but it got the job done, and it was just a taste of the full power of Mirai.
They say sharing is caring, and if that's the case the authors of the Mirai botnet must really care: the source code was posted publicly (on Hackforums) at the end of September 2016, barely ten days after the Krebs attack. It's still unclear why the code was released; it could have been to muddy the investigation, or to ensure that their creation lived on as the authorities closed in.
Since the release, there have been many enhanced variants of the Mirai IoT botnet as cybercriminals experiment with the technology to figure out how to monetize this powerful tool. Mirai recruited its victims by scanning the Internet for devices with Telnet exposed (TCP ports 23 and 2323) and trying a hard-coded list of a few dozen username and password pairs, many of them factory defaults such as root/xc3511 or admin/admin. Satori, JenX, OMG and Wicked are a few of the Mirai variants.
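Two checks a defender can run for this recruitment behaviour, as an added example (this is not code from the original post or from Mirai): a credential sweep detector over Telnet login logs, and Mirai's scanner fingerprint, where the TCP sequence number of each SYN probe is set equal to the destination IPv4 address. The log format, field names and sample lines are constructed for the example; the credential pairs are of the kind found in Mirai's published credential table.

```python
"""Detecting Mirai-style recruitment activity (added example, not from the
original post).

1. Telnet login log: one source trying many distinct username/password pairs
   against ports 23/2323 inside a short window (credential-list brute force).
2. Scanner fingerprint: Mirai's stateless scanner sets the TCP sequence number
   of its SYN probes equal to the destination IPv4 address.

Log format and field names are assumptions for the example."""
import ipaddress
import re
from collections import defaultdict

# Constructed honeypot lines (not real logs).
TELNET_LOG = """\
1474354800 203.0.113.7 10.0.0.5:23 login user=root pass=xc3511 result=fail
1474354801 203.0.113.7 10.0.0.5:23 login user=root pass=vizxv result=fail
1474354801 203.0.113.7 10.0.0.5:23 login user=admin pass=admin result=fail
1474354802 203.0.113.7 10.0.0.5:2323 login user=root pass=888888 result=fail
1474354803 203.0.113.7 10.0.0.5:23 login user=root pass=xmhdipc result=success
1474354810 198.51.100.9 10.0.0.5:23 login user=alice pass=******** result=success
1474354812 198.51.100.9 10.0.0.5:23 login user=alice pass=******** result=fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<src>[\d.]+) (?P<dst>[\d.]+):(?P<port>\d+) login "
    r"user=(?P<user>\S+) pass=(?P<pw>\S+) result=(?P<result>\w+)$"
)


def parse_telnet_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = int(ev["ts"])
            ev["port"] = int(ev["port"])
            events.append(ev)
    return events


def find_credential_sweeps(events, window=60, min_pairs=3, ports=(23, 2323)):
    """Return {src: set of (user, pass)} for sources that tried at least
    `min_pairs` distinct credential pairs against Telnet ports within `window`
    seconds. The distinct-pair count, not the failure count, is the signal: a
    scanner cycling through its table usually ends with one success."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["port"] in ports:
            by_src[ev["src"]].append(ev)
    hits = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            pairs = {(e["user"], e["pw"]) for e in evs[i:]
                     if e["ts"] - first["ts"] <= window}
            if len(pairs) >= min_pairs:
                hits[src] = pairs
                break
    return hits


def is_mirai_syn(dst_ip, tcp_seq):
    """Mirai scanner fingerprint: SYN sequence number == destination IP as a
    32-bit big-endian integer."""
    return int(ipaddress.IPv4Address(dst_ip)) == tcp_seq


if __name__ == "__main__":
    sweeps = find_credential_sweeps(parse_telnet_log(TELNET_LOG))
    for src, pairs in sweeps.items():
        print(f"{src}: {len(pairs)} distinct credential pairs, likely Mirai-style sweep")
    # Constructed SYN: destination 10.0.0.5 is 0x0A000005 == 167772165
    print(is_mirai_syn("10.0.0.5", 167772165))
```

The sweep detector keys on distinct credential pairs per source rather than on failures alone, because a device with a default password is compromised on the attempt that succeeds. The sequence-number check needs packet-level visibility (a sensor or pcap), and a single match is already a strong indicator because legitimate stacks randomize the initial sequence number.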
More Sophisticated – Resilient – Creative
That simple tactic of guessing passwords evolved into exploiting a vulnerability on an IoT device, and then into exploiting multiple vulnerabilities depending on the device type (cross-platform). A great example of this is Reaper (also known as IoTroop), which targeted known vulnerabilities in devices from Netgear, Linksys and AVTech, as well as the GoAhead embedded web server used by many IP cameras, among others. Reaper embedded a Lua engine and ran its exploits as Lua scripts, which made it very easy to swap exploits in and out. Nowadays it is common for an IoT botnet to have multiple exploits for many device types at its disposal.
In addition to the exploits, botnets have become more difficult to bring down as some have started to use a decentralized command and control infrastructure. Instead of every bot reporting to the same bot herder, the bots communicate with each other over a peer-to-peer protocol, forming a mesh network. Since there is no single server to seize or sinkhole, the botnet is much more resilient and harder to take down. Some IoT botnets ride on existing protocols such as BitTorrent's DHT or Tor, while others use custom-built protocols. Keep in mind that this style of communication also lets the bots spread and update much faster. Hajime (which uses the BitTorrent DHT to find peers and fetch updates) and Hide 'N Seek (which uses a custom P2P protocol) are examples. On a side note, Hajime closed the ports Mirai uses to infect devices, which looked like whitehat behavior, though whether its intent was benign is not known.
As I mentioned before, the bad guys continue to search for new ways to leverage bots to make money, and whenever money is involved things get creative. A great example of this is the OMG botnet. This Mirai variant turns the infected IoT device into a proxy server, using the open-source 3proxy software (it picks random ports and adds firewall rules so the proxy is reachable from the Internet). Access to the botnet can then be rented to malicious actors looking to hide behind multiple proxies to achieve anonymity. Fortinet has a great write-up if you want to read more about OMG.
CryptoJacking and IoT Botnets Combine
If you have not heard of cryptojacking before, it is simply malware that steals your CPU resources to mine for cryptocurrencies. It might not seem too malicious since it's only taking a few cycles, but it does a lot more than that; we will save that for another blog. In a Threat Landscape Report, Fortinet states that 23% of their customers were hit with some type of cryptojacking attack. Very soon after that, the security community started seeing cryptojacking malware show up as a payload on IoT devices. Mining cryptocurrency takes a lot of CPU power, so why IoT devices, which have very little? That is true, but most IoT devices sit idle, and in this case the strength is in the numbers: if you can infect enough devices, together they add a meaningful amount of hash rate to the mining pool.
When I say IoT devices, that includes home devices like smart TVs, and they are not excluded from crypto-mining malware either. If you're not careful, you might end up with cryptojacking malware in your home network. Remember that many of the apps on a smart TV are essentially web applications running in an embedded browser engine. So if you sideload cracked apps, say, to download bootlegged movies, you may end up not only with your movie but with malware as well, in this case crypto-mining malware.
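A miner on an IoT device still has to talk to its pool, and nearly all of them do so over Stratum, a newline-delimited JSON-RPC protocol. The following added example (not from the original post or from any miner or pool project) scans cleartext TCP payloads for Stratum method names and pulls out the worker or wallet identifier the bot is mining for, which is the pivot you want for hunting other infected devices. The flows, addresses and wallet strings are constructed for the example.

```python
"""Spotting cryptomining traffic from an IoT device (added example, not from
the original post). Stratum v1 clients send mining.subscribe / mining.authorize
/ mining.submit; the Monero (XMRig-style) variant sends "login" and "submit".
Payloads and addresses below are made up for the example."""
import json

STRATUM_METHODS = {
    "mining.subscribe", "mining.authorize", "mining.submit",
    "mining.notify", "mining.set_difficulty", "login", "submit",
}

# Constructed flows: (src, dst, dport, payload). Not real captures.
SAMPLE_FLOWS = [
    ("10.0.0.5", "198.51.100.20", 3333,
     '{"id":1,"method":"mining.subscribe","params":["cgminer/4.9"]}\n'
     '{"id":2,"method":"mining.authorize","params":["1FakeWallet.cam1","x"]}\n'),
    ("10.0.0.6", "198.51.100.21", 443,
     '{"id":1,"jsonrpc":"2.0","method":"login",'
     '"params":{"login":"4FakeMoneroAddr","pass":"x","agent":"XMRig/2.6"}}\n'),
    ("10.0.0.7", "203.0.113.50", 443,
     'GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n'),
    ("10.0.0.8", "203.0.113.51", 8080,
     '{"id":1,"method":"status","params":[]}\n'),
]


def stratum_messages(payload):
    """Yield the parsed JSON object of each newline-delimited record that
    carries a Stratum method; non-JSON and unrelated JSON lines are ignored."""
    for line in payload.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            msg = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(msg, dict) and msg.get("method") in STRATUM_METHODS:
            yield msg


def worker_from(msg):
    """Extract the worker/wallet identifier from an authorize or login message."""
    params = msg.get("params")
    if msg["method"] == "mining.authorize" and isinstance(params, list) and params:
        return str(params[0])
    if msg["method"] == "login" and isinstance(params, dict):
        return str(params.get("login", ""))
    return None


def detect_mining(flows):
    """Return one finding per flow carrying Stratum traffic:
    (src, dst, dport, methods seen in order, worker or None)."""
    findings = []
    for src, dst, dport, payload in flows:
        methods, worker = [], None
        for msg in stratum_messages(payload):
            methods.append(msg["method"])
            worker = worker or worker_from(msg)
        if methods:
            findings.append((src, dst, dport, methods, worker))
    return findings


if __name__ == "__main__":
    for src, dst, dport, methods, worker in detect_mining(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{dport} stratum {methods} worker={worker}")
```

Note the second flow: port 443 alone tells you nothing, the payload does. Conversely, a miner that wraps Stratum in TLS hides the method names, and you fall back to the other signals this post touches on: sustained CPU load on a device that should be idle, and long-lived connections from an IoT device to hosts it has no business talking to.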
More Destructive and Far-Reaching
As the security community watched the evolution of IoT threats, we knew this development was inevitable: the threats would become more destructive in nature. When I say destructive I mean turning the IoT device into a brick, rendering it useless. We saw a bit of this behavior with BrickerBot, which logged in over Telnet with default credentials and overwrote the device's storage. This might not sound too bad at first, but think about all the different types of IoT devices. It is bad enough when your Internet-connected coffee maker dies, but what if it was a medical device, or a device that is part of the larger infrastructure of a hospital, a power plant, or a country? Enter VPNFilter.
VPNFilter was discovered by Cisco Talos working with various intelligence partners. The malware shares code with BlackEnergy, which was used in attacks against targets in Ukraine, and VPNFilter's infections were likewise concentrated in Ukraine, though it hit devices in dozens of countries. It targeted a range of home and small-office routers and NAS devices. Once installed, it could sniff traffic for SCADA protocols (Modbus) and steal website credentials. It also had a kill switch that overwrote part of the device's flash and rebooted it, destroying the device. In addition, since the malware was already monitoring traffic passing through the router, it had the capability to inject malicious content into web sessions, allowing crossover infection of an endpoint behind the device. Yikes!
Continued innovation from the bad guys is pretty much guaranteed. The number of insecure IoT devices on the Internet is just too juicy for them not to keep finding unique ways to generate revenue or to weaponize them. One possible innovation is leveraging machine learning or data analytics within IoT botnets. Imagine a botnet on a P2P protocol whose bots exchange performance data: which exploits worked best, which device types were compromised most often, and in which IP ranges or geolocations. Each bot could consume that data to prioritize targets and exploits and increase its infection rate.
What do we do about this?
Well, the easiest answer to the above question would be to get the IoT vendors to secure their devices, but that is easier said than done. Regulations can help drive a more secure mindset for vendors, but this will take time. There are initiatives like SecuringtheIoT from DHS (its Strategic Principles for Securing the Internet of Things) and NIST's Cybersecurity for IoT program that help, but they are guidelines and recommendations, not regulations.
My personal take on this is that until the consumer demands better security from the IoT vendor nothing will really change. The vendor needs to see security as a “feature” or competitive advantage that can distinguish them from the rest. If they don’t, it will be tough to get them to implement it which leaves the other option of forcing them through regulations.
Knowing that you are likely to have unsecured IoT devices in your environment, and that they might end up attacking your traditional infrastructure, you need mitigating controls in place. There is a lot you can do, but at a high level you should be able to discover the IoT devices on your network, understand how they normally communicate, and then segment or isolate them as much as possible to reduce the avenues of approach. A device that can only reach the destinations it needs is harder to compromise and, when it is compromised, easier to spot: anything outside its expected traffic profile is an anomaly worth investigating.
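The "understand how they communicate, then watch for anomalies" step above, as an added example that is not part of the original post: learn a per-device profile of (destination, port) pairs from a clean window of flow records, then flag anything outside it, with extra weight on the behaviours the earlier sections describe (a camera opening Telnet to other internal hosts the way a Mirai bot does, a device reaching a Modbus port as VPNFilter's sniffer watched for, a DVR contacting a new external host on a mining port). The device inventory, address ranges and flow records are assumptions constructed for the example.

```python
"""Profiling IoT device traffic and flagging deviations (added example, not
from the original post). Field names, addresses and inventory are assumptions."""
import ipaddress
from collections import defaultdict

# Hypothetical inventory: these devices should only talk to their vendor cloud
# and the local DNS/NTP server. Everything else is suspect.
IOT_DEVICES = {"10.0.20.11": "camera", "10.0.20.12": "dvr", "10.0.20.13": "thermostat"}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed NetFlow-like records: (ts, src, dst, dport). Not real data.
BASELINE_FLOWS = [
    (1, "10.0.20.11", "10.0.1.2", 53), (2, "10.0.20.11", "198.51.100.10", 443),
    (3, "10.0.20.12", "10.0.1.2", 53), (4, "10.0.20.12", "198.51.100.11", 443),
    (5, "10.0.20.13", "10.0.1.2", 123), (6, "10.0.20.13", "198.51.100.12", 8883),
    (7, "10.0.20.11", "10.0.1.2", 123),
]
LIVE_FLOWS = [
    (100, "10.0.20.11", "198.51.100.10", 443),   # normal
    (101, "10.0.20.11", "10.0.20.12", 23),       # camera -> DVR telnet: lateral scan
    (102, "10.0.20.11", "10.0.20.13", 23),
    (103, "10.0.20.11", "10.0.20.14", 2323),
    (104, "10.0.20.13", "10.0.30.5", 502),       # thermostat -> PLC Modbus
    (105, "10.0.20.12", "203.0.113.77", 3333),   # DVR -> unknown host, mining port
    (106, "10.0.20.12", "198.51.100.11", 443),   # normal
]

# Ports that should never originate from an IoT device in this environment.
SENSITIVE_PORTS = {22: "ssh", 23: "telnet", 2323: "telnet-alt", 445: "smb",
                   502: "modbus", 3389: "rdp"}


def learn_profile(flows, devices=IOT_DEVICES):
    """Map each IoT device to the (dst, dport) pairs seen in the learning
    window. Assumes the window itself is clean, so review it first."""
    profile = defaultdict(set)
    for _ts, src, dst, dport in flows:
        if src in devices:
            profile[src].add((dst, dport))
    return profile


def classify(flow, profile, devices=IOT_DEVICES):
    """Return None for an in-profile flow, otherwise a short reason string."""
    _ts, src, dst, dport = flow
    if src not in devices or (dst, dport) in profile.get(src, set()):
        return None
    dst_ip = ipaddress.ip_address(dst)
    name = devices[src]
    if dport in SENSITIVE_PORTS:
        scope = "internal" if dst_ip in INTERNAL else "external"
        return f"{name} {src} -> {dst}:{dport} ({SENSITIVE_PORTS[dport]}, {scope})"
    if dst_ip in INTERNAL:
        return f"{name} {src} -> {dst}:{dport} (unexpected internal destination)"
    return f"{name} {src} -> {dst}:{dport} (new external destination)"


def find_anomalies(flows, profile, devices=IOT_DEVICES):
    """Flag every out-of-profile flow and, separately, devices that hit Telnet
    on three or more distinct internal hosts (lateral scanning)."""
    alerts = []
    telnet_targets = defaultdict(set)
    for flow in flows:
        reason = classify(flow, profile, devices)
        if reason:
            alerts.append(reason)
        _ts, src, dst, dport = flow
        if src in devices and dport in (23, 2323) and ipaddress.ip_address(dst) in INTERNAL:
            telnet_targets[src].add(dst)
    scanners = {src for src, targets in telnet_targets.items() if len(targets) >= 3}
    return alerts, scanners


if __name__ == "__main__":
    prof = learn_profile(BASELINE_FLOWS)
    alerts, scanners = find_anomalies(LIVE_FLOWS, prof)
    for a in alerts:
        print("ALERT", a)
    for s in scanners:
        print("SCANNER", s, "isolate this device")
```

The learned profile doubles as the allowlist for segmentation: the same (destination, port) pairs become the only rules permitted for that device's VLAN or firewall zone, so that a compromise of one camera cannot reach the DVR next to it, and a flow that would have been blocked is also the one that raises the alert.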