Multi-purpose attack Thingbots "threaten internet stability and human life"

14 January 2019

Thingbots can be co-opted by hackers to become part of a botnet of networked things.

IoT devices are now the top attack target for cyber criminals, surpassing web and application services and email servers, according to new research by F5 Networks.

“IoT devices already outnumber people and are multiplying at a rate that far outpaces global population growth,” says David Warburton, senior EMEA threat research evangelist at F5.

“Increasingly, lax security control could endanger lives as, for example, cellular-connected IoT devices providing gateways to critical infrastructures are compromised.”

While DDoS remains the most utilised attack method, the application security specialist’s Hunt for IoT report notes that attackers in 2018 began adapting Thingbots under their control to encompass additional tactics.

These include installing proxy servers from which to launch further attacks, crypto-jacking, installing Tor nodes and packet sniffers, DNS hijacking, credential collection, credential stuffing and fraud trojans.

F5 uses the term Thingbot for a botnet built from ordinary networked things: IoT devices that hackers co-opt and control.

Its study says 13 ‘Thingbots’ were discovered in the first half of 2018. That’s compared to six that were discovered in 2017 and nine in 2016.

The 13 identified include the following:

VPNFilter collects credentials, installs a network sniffer to monitor ICS protocols, and installs Tor nodes.

Wicked targets small office/home office (SOHO) routers, CCTV and DVRs, and installs SORA and OWARI, both of which are rentable bots. At the time of its discovery, Wicked was the tenth Mirai spin-off bot.

Roaming Mantis preys on Wi-Fi routers as well as Android and iOS phones. It conducts DNS hijacks and mines cryptocurrency on compromised devices.

Omni compromises GPON home routers to use for crypto-jacking or DDoS attacks.

UPnProxy sweeps up SOHO routers and installs proxy servers on them that bypass censorship controls. Through those proxies it launches spam and phishing campaigns, conducts click fraud, account takeovers and credit card fraud, launches DDoS attacks, installs other bots, and distributes malware.

OWARI compromises SOHO routers and is available as a multi-purpose attack bot for hire.

SORA compromises SOHO routers and is available as a multi-purpose attack bot for hire.

DoubleDoor targets SOHO routers behind Juniper home firewalls, then installs proxy servers from which an attacker can launch any attack of choice.

OMG compromises SOHO routers, wireless IP cameras and DVRs, and then installs proxy servers from which the hacker can launch any attack of choice.

JenX compromises SOHO routers and wireless chipsets from which to launch DDoS attacks. JenX is a DDoS-for-Hire service offering 300Gbps attacks for $20.

Hide ’n’ Seek compromises IP cameras. F5 experts say that they don’t yet know what attacks it launches.

Pure Masuta compromises home routers. Once again, what attacks it launches is yet to be discovered.

Masuta compromises home routers and launches DDoS attacks.

According to the Hunt for IoT report, Spain was the top country under attack during the past 18 months. Between 1 January and 30 June 2018, F5 says, Spain endured a remarkable 80 per cent of all monitored IoT attack traffic.

Other countries under consistent pressure included Russia, Hungary, the US and Singapore.

F5 says most of the attacks during the first half of 2018 originated in Brazil, which was the source of 18 per cent of attacks.

China was the second biggest culprit (15 per cent), followed by Japan (nine per cent), Poland (seven per cent), the US (seven per cent) and Iran (six per cent).

The most infected IoT devices, as measured by their participation in bots, were SOHO routers, IP cameras, DVRs and CCTV systems.

F5’s report also says that the most common method attackers used to discover and eventually infect IoT devices was global internet scanning for open remote administration services.

Telnet and SSH were the most targeted protocols, followed by HNAP, UPnP, SOAP and various other TCP ports used by IoT devices.

Common vulnerabilities and exposures (CVEs) specific to IoT device manufacturers were also prominent routes to exploitation.

Worryingly, the report posits a significant and growing concern that the servers and databases to which IoT devices connect are just as vulnerable to authentication attacks via weak credentials as the IoT devices themselves.

As a case in point, the firm says research recently carried out by its labs division found that cellular IoT gateways are just as susceptible to attack as traditional wired and Wi-Fi-based IoT devices.

It says that as many as 62 per cent of tested devices were vulnerable to remote access attacks exploiting weak vendor default credentials. 

F5 adds that these devices act as out-of-band networks, creating network back doors, and are widely dispersed across the globe.
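The two findings above, mass scanning for open Telnet and SSH and devices that still answer to vendor default credentials, are exactly what a defender sees first in honeypot or gateway authentication logs. The following is an added example, not code from the page or from F5: a small Python detector that parses constructed honeypot-style login records (the log format, the hostnames, the source IPs and the short default-credential list are all assumptions made for the example) and flags source addresses that spray known default credentials, as well as any host that accepted one of them.

```python
"""Flag Mirai-style default-credential spraying in Telnet/SSH login logs.

Added example. The log format below is an assumed honeypot-style format that
records the attempted password (production sshd does not); the credential list
is a small illustrative subset of well-known IoT vendor defaults.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# Illustrative subset of vendor default credentials (assumption: a real
# deployment would load a much larger list, e.g. the pairs hard-coded in Mirai).
DEFAULT_CREDENTIALS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "default"),
    ("support", "support"), ("admin", "password"), ("root", "root"),
    ("user", "user"), ("admin", "1234"), ("root", ""),
}

# Assumed record layout:
#   <timestamp> <host> <telnetd|sshd>: <FAILED|ACCEPTED> user=<u> pass=<p> from <ip>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<service>telnetd|sshd): "
    r"(?P<result>FAILED|ACCEPTED) user=(?P<user>\S*) pass=(?P<pw>\S*) from (?P<ip>[\d.]+)$"
)

# Constructed sample log: one Telnet spray ending in a successful default login,
# two below-threshold SSH guesses, one ordinary operator login, one junk line.
SAMPLE_LOG = """\
2018-03-04T02:11:07Z cam-01 telnetd: FAILED user=root pass=vizxv from 198.51.100.7
2018-03-04T02:11:08Z cam-01 telnetd: FAILED user=root pass=888888 from 198.51.100.7
2018-03-04T02:11:09Z cam-01 telnetd: FAILED user=admin pass=admin from 198.51.100.7
2018-03-04T02:11:10Z cam-01 telnetd: FAILED user=support pass=support from 198.51.100.7
2018-03-04T02:11:11Z cam-01 telnetd: ACCEPTED user=root pass=xc3511 from 198.51.100.7
2018-03-04T02:13:40Z gw-07 sshd: FAILED user=admin pass=admin from 192.0.2.44
2018-03-04T02:13:41Z gw-07 sshd: FAILED user=root pass= from 192.0.2.44
2018-03-04T02:15:02Z gw-07 sshd: FAILED user=ops pass=Tr0ub4dor&3 from 203.0.113.9
2018-03-04T02:15:09Z gw-07 sshd: ACCEPTED user=ops pass=Tr0ub4dor&3! from 203.0.113.9
garbage line that does not parse
"""


def parse_line(line: str) -> Optional[dict]:
    """Return the parsed fields of one record, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def analyse(lines: Iterable[str], spray_threshold: int = 3) -> Dict[str, dict]:
    """Aggregate login attempts per source IP and mark default-credential sprayers.

    A source is 'spraying' once it has tried at least spray_threshold distinct
    records whose (user, password) pair is a known vendor default. Any ACCEPTED
    record using a default pair marks the target host as compromised.
    """
    findings: Dict[str, dict] = defaultdict(lambda: {
        "attempts": 0, "default_hits": 0, "services": set(),
        "users": set(), "accepted_defaults": [],
    })
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparsed lines are skipped, never treated as evidence
        f = findings[ev["ip"]]
        f["attempts"] += 1
        f["services"].add(ev["service"])
        f["users"].add(ev["user"])
        cred = (ev["user"], ev["pw"])
        if cred in DEFAULT_CREDENTIALS:
            f["default_hits"] += 1
            if ev["result"] == "ACCEPTED":
                f["accepted_defaults"].append((ev["host"], ev["service"], cred))
    for f in findings.values():
        f["spraying"] = f["default_hits"] >= spray_threshold
        f["compromised_host"] = bool(f["accepted_defaults"])
    return dict(findings)


def flagged_sources(findings: Dict[str, dict]) -> List[str]:
    """Source IPs that are spraying defaults or have already logged in with one."""
    return sorted(ip for ip, f in findings.items()
                  if f["spraying"] or f["compromised_host"])


if __name__ == "__main__":
    results = analyse(SAMPLE_LOG.splitlines())
    for ip in flagged_sources(results):
        f = results[ip]
        print(f"{ip}: {f['default_hits']}/{f['attempts']} default-credential attempts "
              f"over {sorted(f['services'])}; accepted={f['accepted_defaults']}")
```

The threshold keeps a single mistyped `admin/admin` from an operator out of the alert, while a source that walks a vendor default list is caught after three hits regardless of whether any login succeeded; an accepted default is reported on its own because it identifies the device that now needs its credentials changed and its exposed Telnet or SSH service closed.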

The study goes on to reveal a notably large spike in attack traffic in March 2018; measured against that inflated first-quarter baseline, total Telnet attack volume fell 94 per cent from Q1 to Q2 2018.

“This is important, as the frequency of Telnet attacks typically tails off when cyber criminals shift their focus from reconnaissance scanning to targeted attacks aimed at building deployable Thingbots,” states the report.

The report also notes that the top 50 logged attacking IP addresses are all new.

F5 says this represents a big change from its previous four reports where the same IP addresses consistently appeared. 

The researchers believe this means there are a range of new threat actors in play, or that existing disruptors are transitioning to new systems. 

Other new developments include attacking IP addresses hailing from Iran and Iraq for the first time.

Most attacks still originate in telecom and ISP networks. F5 says attackers typically rent systems in hosting centres to initiate the building of a botnet. These efforts are then taken over by the infected IoT devices in telecom networks. 

The firm says this trend has remained the same for 18 months and is expected to continue. 

Another key report observation is that there has been scant decrease in the global footprint of Mirai, the most powerful Thingbot to have launched an attack so far.

The number of Mirai scanner systems worldwide dwindled slightly from December 2017 to June 2018; Europe was the only region where Mirai scanner infections stayed relatively static over that period.

It warns that not only is the threat of the original bot still “powerfully” present, but there are also at least 10 Mirai offshoots to consider. 

As well as some of the 13 bots mentioned above, these include Annie, Satori/Okiru and Persirai.

Furthermore, F5 says Mirai’s offshoots are capable of much more than launching DDoS attacks: they can deploy proxy servers, mine cryptocurrencies and install other bots.

“We are stuck with over eight billion IoT devices around the world that, for the most part, prioritise access convenience over security,” says Warburton.

“Organisations need to brace themselves for impact because IoT attack opportunities are virtually endless and the process of building Thingbots is more widespread than ever. 

“Unfortunately, it is going to take material loss of revenue for IoT device manufacturers, or significant costs incurred by organisations implementing these devices, before any meaningful security advances are achieved.”