IOT bots: as predicted, attacks continue

Botnet attacks via Internet of things devices are indeed on the rise this year, says Bryan Hamman, territory manager for sub-Saharan Africa at NETSCOUT Arbor.


Johannesburg, 25 Mar 2019

NETSCOUT Arbor, which specialises in advanced distributed denial of service (DDOS) protection solutions, has shared intelligence released by its security research and analysis team, Arbor's Security Engineering & Response Team (ASERT).

Bryan Hamman, territory manager for sub-Saharan Africa at NETSCOUT Arbor, says: "Earlier this year, we released news of the trends we foresaw happening in 2019 and one of our predictions was that botnet attacks via the Internet of things (IOT) devices are set to increase. As it turns out, we were spot on."

IOT round-up

Any embedded device that runs an operating system and has networking capabilities can be considered an IOT device, says Hamman. Most consumer IOT devices are vulnerable to hard-coded and default credential attacks and to buffer overflows, which basically turn the compromised device into a DDOS attack machine, and one that is already conveniently connected to thousands of other devices on the same network.

"Our challenge comes in when patches are released in that they are rarely applied," he says. "Consumers don't think of security when they plug their IOT devices in or switch them on, and with nearly 27 billion connected devices in 2017 rising to an anticipated 125 billion by 2030, IOT devices are increasingly attractive to malware designers*."

The team at ASERT has released an "around the world in 120 days" report, covering IOT exploits since December 2018, and the results were interesting to say the least, says Hamman.

"To effectively plot their 'journey'," he explains, "our team created a host of IOT honeypots, which are, basically, computers built with one purpose in mind and that is to mimic a likely target for attackers. Our ASERT team uses them to detect attacks and to gain information about how cyber criminals operate.

"In this case, telemetry from our honeypots showed that the number of exploit attempts originating from bots continues to increase. In fact, we witnessed a twofold increase in the number of exploit attempts from December 2018 to January 2019, a massive 218% increase, with more and more botnets attempting to exploit IOT device vulnerabilities."

Old foe evolves

The most common exploit, which targets the vulnerability tracked as CVE-2014-8361, dominated the list of IOT exploits to hit the ASERT honeypots over the two-month period. This exploit vector was publicly disclosed in April 2015 and has been tied to several high-profile IOT botnets like Satori and JenX, both of which can be traced back to an old 'friend', Mirai, proving that the shelf life of an IOT-based exploit can last for years.

"In fact, when reviewing the payloads for these attacks, we found that most of the malware being delivered is a Mirai variant, again proving that you can teach an old dog new tricks."

As the ASERT team stated in an article on "regifting exploits", IOT devices will get patched, sooner or later, but not at the same rate or priority we see when dealing with operating systems. This trend, also identified using Arbor honeypot data, shows that IOT-based vulnerabilities stay useful for much longer and so remain very attractive to botnet authors.

"Due to the sheer number of IOT devices connected to the Internet, finding vulnerable devices is easy and quick and it doesn't take a significant amount of effort to create a large IOT botnet and create havoc, as we saw with the DDOS attacks conducted by Mirai in 2016," says Hamman.

"ASERT research assures us that we will continue to see an uptick in the use of IOT-based vulnerabilities, with the ease of updating botnet source code like Mirai to take advantage of these vulnerabilities playing a significant role in this permeation."

As vendors try to address these issues, IOT botnet operators will evolve their approach too. So, as security practitioners, says Hamman, we must learn from these tactics and figure out how we can educate consumers to better defend their property.

"And, as always, it's critical that IOT security be part of an organisation's security programme, with continual and vigilant patching, testing, monitoring, and incident response protocols," he concludes.

For more information about NETSCOUT Arbor in Africa, please contact Bryan Hamman at bhamman@arbor.net.

* Source: https://www.netscout.com/blog/asert/omg-mirai-minions-are-wicked

NETSCOUT Arbor

NETSCOUT Arbor, the security division of NETSCOUT, helps secure the world's largest enterprise and service provider networks from DDOS attacks and advanced threats. NETSCOUT Arbor is the world's leading provider of DDOS protection in the enterprise, carrier and mobile market segments, according to Infonetics Research. NETSCOUT Arbor's advanced threat solutions deliver complete network visibility through a combination of packet capture and NetFlow technology, enabling the rapid detection and mitigation of malware and malicious insiders. NETSCOUT Arbor also delivers market-leading analytics for dynamic incident response, historical analysis, visualisation and forensics. NETSCOUT Arbor strives to be a "force multiplier", making network and security teams the experts. NETSCOUT Arbor's goal is to provide a richer picture into networks and more security context so customers can solve problems faster and reduce the risks to their business.

To learn more about NETSCOUT Arbor products and services, please follow us on Twitter: @ArborNetworks. Arbor's research, analysis and insight, together with data from the ATLAS global threat intelligence system, can be found at the ATLAS Threat Portal.
