An estimated one million organisations worldwide have been affected by a new Internet of things (IOT) botnet.
This is according to Israeli-based cyber security firm Check Point Software Technologies, which notes "new cyber storm clouds are gathering".
Check Point researchers discovered a new botnet evolving and recruiting IOT devices at a far greater pace and with more potential damage than the Mirai botnet of 2016.
IOT botnets are Internet-connected smart devices which have been infected by the same malware and are controlled by a threat actor from a remote location. They have been behind some of the most damaging cyber attacks against organisations worldwide, including hospitals, national transport links, communication companies and political movements.
Mirai attacks
The source code for Mirai has been published in hacker forums as open source. Since the source code was published, the techniques have been adapted in other malware projects. Mirai is a type of malware that automatically finds IOT devices to infect and conscripts them into a botnet - a group of computing devices that can be centrally controlled. From there, this IOT army can be used to mount distributed denial-of-service (DDOS) attacks.
A recent report by Juniper Research found the consumer IOT installed base will reach over 15 billion units by 2021, an increase of 120% over 2016. The report found the use of botnets to disrupt Internet services form part of the near-term threat landscape.
It predicts that botnets will be used for more malicious purposes in future, impacting consumer, industrial and public services markets.
"While some technical aspects lead us to suspect a possible connection to Mirai, this is an entirely new and far more sophisticated campaign that is rapidly spreading worldwide," says Check Point.
"It is too early to guess the intentions of the threat actors behind it, but with previous botnet DDOS attacks essentially taking down the Internet, it is vital that organisations make proper preparations, and defence mechanisms are put in place before an attack strikes."
Malware evolution
The security software vendor says ominous signs were first picked up via Check Point's intrusion prevention system in the last few days of September. An increasing number of attempts were being made by hackers to exploit a combination of vulnerabilities found in various IOT devices, it notes.
It adds that with each passing day, the malware was evolving to exploit an increasing number of vulnerabilities in wireless IP camera devices such as GoAhead, D-Link, TP-Link, AVTECH, NETGEAR, MikroTik, Linksys, Synology and others.
It soon became apparent that the attempted attacks were coming from many different sources and a variety of IOT devices, meaning the attack was being spread by the IOT devices themselves, Check Point explains.
"So far, we estimate over a million organisations have already been affected worldwide, including the US, Australia and everywhere in between, and the number is only increasing. Our research suggests we are now experiencing the calm before an even more powerful storm. The next cyber hurricane is about to come."
Upon further research, it was found that numerous devices were both being targeted and later sending out the infection, the firm notes. These attacks were coming from many different types of devices and many different countries, totalling approximately 60% of the corporate networks which are part of Check Point's ThreatCloud global network.
Versatile bots
Ayaz Saiyed, a cyber security expert at local information security company Wolfpack, says IOT botnets are generally used to distribute spam e-mails with malicious attachments or infect a device and use that device as part of a denial-of-service attack against other systems.
He explains that initially IOT devices were targeted due to weak passwords, but now they are targeted due to various vulnerabilities in them that are exploited to make them part of a botnet network.
"Bots are very versatile in their function and most of the time it is undetected by automated systems; it also automates the hacker task and can work 24/7/365 without stopping," says Louis Basson from Wolfpack.
Matthew Simon, head of managed services at Wolfpack, says users need to first equip themselves with the knowledge of the devices they have in their homes and understand where they are vulnerable. "From there, users need to employ a security stance so that when it comes to deploying these devices, they understand the risks and can lock down their networks or create a separate network where these devices connect."
Share