Bryan Hamman, Territory Manager for Sub-Saharan Africa at NETSCOUT Arbor, warns that it’s not only obvious IoT devices like fitness wearables and watches that are at risk; so are commonly overlooked devices like IP cameras and cable modems. Here tells us more here…
New research from Arbor’s Security Engineering and Response Team (ASERT) reveals that while IoT device makers are starting to develop more secure devices, IoT botnet authors are turning their attention to exploiting the existing vulnerabilities in older devices.
The report noted that existing IoT vulnerabilities were being used to deliver malware, which is then often conscripted into a DDoS army. And as the 2016 DDoS Mirai attacks showed, a large IoT botnet can create havoc.
It seems that older vulnerabilities are effectively a gift that keeps on giving. As soon as a vulnerability is made public, botnet authors integrate it into their botnet and use this, along with their standard brute force tactic, to quickly build what could be the next potentially lethal DDoS army.
The research clearly indicated that the use of existing and known IoT-based vulnerabilities has made it far easier for botnet authors to increase the number of devices within their botnets.
Even if the device delivered by the manufacturer has been secured against all known vulnerabilities, the device is likely to sit on the resellers shelf for a while before it is sold, switched on and connected. By that time, a whole host of additional vulnerabilities, against which the device has not been secured, have emerged. The device is thus vulnerable to attack, until its software is updated.
A major problem is that the time taken for an attack to occur is frighteningly short. Previous research shows that it can take just a few minutes from the time a device is switched on and connected to the Internet, before it is being scanned and subjected to attempted brute-force logins.
One of the reasons this works for botnet authors is the glacial pace at which IoT devices – often referred to as ‘set and forget’ devices – receive security patches.
Many botnet authors make a point of seeking to exploit vulnerabilities that are specific to IoT devices. An example is the infamous Mirai malware which emerged in late 2016, but is still going strong, with numerous Mirai variants also having emerged since then. This is largely because of Mirai’s success in exploiting mundane factory-installed usernames and passwords.
In his recent NETSCOUR Arbor blog, Matthew Bing, who reverse-engineers malware and maintains NETSCOUT Arbor’s honeypot operations, listed the most popular username and password combos used by malware authors. These included such obvious ones as ‘admin/admin’ and ‘guest/12345’. NETSCOUT Arbor has identified 2,070 unique user name and password combos that are commonly used by botnet authors as part of their attack arsenal.
Arbor’s report notes that although Mirai-related attacks are no longer directly only at IoT devices, the onslaught against Hadoop YARN, described in in Miral: Not Just for IoT Anymore. While the Hadoop YARN attack is a relatively new phenomenon, NETSCOUT Arbor also identified the new, and extremely worrying trend, of attempted exploitation of older IoT vulnerabilities such as CVE-2014-8361M CVE-2015-2051, CVE-2017-17215 and CVE-2018-10561 arising from a variety of unique sources in order to deliver variants of Mirai.
One way in which this trend could be slowed and possibly reversed is for IoT device manufacturers seriously consider placing prominent warnings on all their devices advising customers to update the device’s software immediately, and to continue to do so on a regular basis. Without a concerted effort from all players in the IoT chain, the next major DDoS attack may make the 2016 Mirai exploit pale by comparison.”