Exploit attempts against IOT devices in SA skyrocket
There has been a 5 043% increase in exploit attempts targeting consumer-based Internet of things (IOT) devices in South Africa.
So says research conducted by Netscout’s ASERT cyber security team, whose honeypot network continuously monitors known exploit vectors. The honeypots monitor for connections attempting to exploit known vulnerabilities within IOT devices.
From the end of April 2019 until the first half of May 2019, researchers noted a spike in exploit attempts targeting the Realtek SDK miniigd SOAP vulnerability (CVE-2014-8361) in consumer-based routers. The vulnerability allows remote attackers to execute arbitrary code via a crafted NewInternalClient request.
The attacks originated from Egypt and, based on the volume of exploit attempts against South African routers, appear targeted.
The payload includes commands to download and execute a variant of the Hakai DDOS bot, which can be used to conduct HTTP, TCP, UDP-based DDOS attacks.
According to Netscout, IOT malware authors make use of exploits to try to propagate to as many devices as possible, and all devices using the Realtek SDK miniigd SOAP service are vulnerable to remote command execution attacks. If compromised, cyber criminals can download and execute malicious code on the devices.
The command and control (C2) delivering the malicious payload also contained an installer script which is frequently employed by a variety of IOT-based malware families. Within the download script, researchers found support for several other architectures used by IOT devices.
The installer script can be combined with other exploits to attack vulnerable IOT devices.
“After reverse-engineering the ‘mips’ binary captured by our honeypot, we believe it is a variant of the Hakai IOT DDOS bot compiled for the MIPS architecture and capable of communication with an attacker-controlled C2,” said the researchers.
Dubbed Hakai (Japanese for destruction), the botnet began targeting D-Link, Huawei and Realtek routers in June last year. It was first discovered by security researchers at NewSky Security, and is based on the infamous ‘DDOS for hire’ LizardStresser botnet.