The Hunt for IoT: Multi-Purpose Attack Thingbots Threaten Internet Stability and Human Life
The number of Mirai scanner systems across the world decreased slightly from December 2017 to June 2018. There is less concentration of scanner systems in North America, South America, and Asia in June 2018 versus December 2017. Europe is the only region where Mirai scanner infections remained relatively the same from December 2017 to June 2018.
There was a noticeable growth of Mirai malware systems (yellow dots) across the world since our last report covering Mirai growth through December 30, 2017. In December 2017, there were no Mirai malware systems in South America; now there are many. Several new malware systems have popped up across North America and Europe. There were only three Mirai malware systems in southeast Asia in December 2017; now there are at least two dozen. This growth in Mirai malware systems makes sense given the number of Mirai variants in the wild now.
Top 50 Attacked SSH Admin Credentials
We know IoT devices are exploited remotely through weak administrative credentials—typically, vendor defaults. These systems are also susceptible to brute force attacks. Because of this, we started publishing the list of top 50 attacked admin credentials in The Hunt for IoT: The Rise of Thingbots (volume 3) so everyone could ensure these credentials do not exist in their environments. For this report, we are expanding the list to top 100 attacked admin username and password combinations.
Not changing vendor default credentials is a critical mistake when deploying any system. Perhaps just as bad is vendors implementing simple default credentials in the first place. We are making attackers’ jobs too easy. “root:root”, “admin:admin”, “user:user”, “test:test” and “ubuntu:ubutu”—the top 5 most attacked admin credentials—should never be default credentials to begin with. Vendors should expect customers to deploy their products without changing these defaults and start off with something more complex. At a minimum, usernames and passwords should not be identical. Eighty-eight percent of the credentials in the top 50 most attacked list from January 1, 2018 through June 30, 2018 have the same username as the password as compared to 87% in the prior six-month period, and 96% in the six-month period before that.
| 1 – 50 | User Name | Password | 51 – 100 | User Name | Password |
| 1 | root | root | 51 | manager | manager123 |
| 2 | admin | admin | 52 | teamspeak3 | teamspeak3 |
| 3 | user | user | 53 | nobody | nobody |
| 4 | test | test | 54 | csgoserver | csgoserver |
| 5 | ubuntu | ubuntu | 55 | test2 | test2 |
| 6 | ubnt | ubnt | 56 | demo | demo |
| 7 | support | support | 57 | 0 | |
| 8 | oracle | oracle | 58 | a | a |
| 9 | pi | raspberry | 59 | minecraft | minecraft |
| 10 | Guest | guest | 60 | alex | q1w2e3r4t5 |
| 11 | postgres | postgres | 61 | postfix | postfix |
| 12 | ftpuser | asteriskftp | 62 | glassfish | glassfish |
| 13 | usuario | usuario | 63 | jboss | jboss |
| 14 | nagios | nagios | 64 | master | master |
| 15 | 1234 | 1234 | 65 | ghost | ghost |
| 16 | ftp | ftp | 66 | vnc | vnc |
| 17 | operator | operator | 67 | info | info |
| 18 | git | git | 68 | 111111 | 856149100 |
| 19 | hadoop | hadoop | 69 | debian | debian |
| 20 | ts3 | ts3 | 70 | centos | centos |
| 21 | teamspeak | teamspeak | 71 | testuser | testuser |
| 22 | mysql | mysql | 72 | system | sytem |
| 23 | tomcat | tomcat | 73 | www-data | www-data |
| 24 | service | service | 74 | test1 | test1 |
| 25 | butter | xuelp123 | 75 | upload | upload |
| 26 | ts | ts | 76 | plcmspip | plcmspip |
| 27 | bot | bot | 77 | weblogic | weblogic |
| 28 | deploy | deploy | 78 | redhat | redhat123456 |
| 29 | monitor | monitor | 79 | developer | developer |
| 30 | administrator | administrator | 80 | public | public |
| 31 | bin | bin | 81 | student | student |
| 32 | default | nopass | 82 | webmaster | webmaster |
| 33 | adm | adm | 83 | osmc | osmc |
| 34 | vagrant | vagrant | 84 | c | c |
| 35 | anonymous | any@ | 85 | server | server |
| 36 | uucp | uucp | 86 | supervisor | supervisor |
| 37 | www | www | 87 | 22 | backup |
| 38 | jenkins | jenkins | 88 | hdfs | hdfs |
| 39 | apache | apache | 89 | linux | linux |
| 40 | sshd | sshd | 90 | postmaster | postmaster |
| 41 | PlcmSpIp | PlcmSpIp | 91 | csserver | csserver |
| 42 | cisco | cisco | 92 | prueba | prueba |
| 43 | sinusbot | sinusbot | 93 | matt | matt |
| 44 | user1 | user1 | 94 | vyatta | vyatta |
| 45 | backup | backup | 95 | hduser | hduser |
| 46 | Management | TestingR2 | 96 | nexus | nexus |
| 47 | steam | steam | 97 | ethos | live |
| 48 | mother | f0cker | 98 | Admin | Admin |
| 49 | dev | dev | 99 | mc | mc |
| 50 | zabbix | zabbix | 100 | telnet | telnet |
Figure 18: Top 100 attacked admin credentials
Just for Fun: Keurig Attacks!
To prove that IoT security is abysmal and that attackers will find a way to use any “thing” (and because there is a Hyper Text Coffee Pot Control Protocol RFC232437—yes, really!), here are some attack logs from a Keurig coffee maker.
{ "_id" : { "protocol" : "http", "timestamp" : { "$date" : "2018-07-19T20:31:04.000-0700" }, "source_ip" : "185.112.249.24", "session_http" : { "request" : { "body" : "", "header" : [ [ "accept", "*/*" ], [ "user-agent", "Keurig K575 Coffee Maker" ] ], "verb" : "GET", "path" : "/" } }, "source_port" : 56946, "destination_port" : 80, }
{ "_id" : { "protocol" : "http", "timestamp" : { "$date" : "2018-07-23T12:16:41.000-0700" }, "source_ip" : "185.112.249.24", "session_http" : { "request" : { "body" : "", "header" : [ [ "accept", "*/*" ], [ "user-agent", "Keurig K575 Coffee Maker" ] ], "verb" : "GET", "path" : "/" } }, "source_port" : 49180, "destination_port" : 80, }
{ "_id" : { "protocol" : "http", "timestamp" : { "$date" : "2018-07-25T10:04:52.000-0700" }, "source_ip" : "185.112.249.24", "session_http" : { "request" : { "body" : "", "header" : [ [ "accept", "*/*" ], [ "user-agent", "Keurig K575 Coffee Maker" ] ], "verb" : "GET", "path" : "/" } }, "source_port" : 40755, "destination_port" : 80, }
{ "_id" : { "protocol" : "http", "timestamp" : { "$date" : "2018-07-25T10:14:46.000-0700" }, "source_ip" : "185.112.249.24", "session_http" : { "request" : { "body" : "", "header" : [ [ "accept", "*/*" ], [ "user-agent", "Keurig K575 Coffee Maker" ] ], "verb" : "GET", "path" : "/" } }, "source_port" : 40755, "destination_port" : 80, }
{ "_id" : {"protocol" : "http", "timestamp" : { "$date" : "2018-07-28T06:29:53.000-0700" }, "source_ip" : "185.112.249.28", "session_http" : { "request" : { "body" : "", "header" : [ [ "accept", "*/*" ], [ "user-agent", "Keurig K575 Coffee Maker" ] ], "verb" : "GET", "path" : "/" } }, "source_port" : 50225, "destination_port" : 80, }
Conclusion
We have reached a point of no return when it comes to deployed IoT devices, their existing security standards (or lack thereof), and the inability to do anything about their security worldwide. We are stuck with the over 8 billion deployed devices around the world that, for the most part, prioritize access convenience over security. We don’t know what percentage of the 8+ billion IoT devices are vulnerable, but the percentage of vulnerable of cellular gateways—62%—“protecting” critical systems like police cars, firetrucks, and airport operations is a good metric to start with. Theoretically, security increases with the criticality of the system, and you could assume that more attention would have been paid to securing critical cellular gateways than home routers, IP cameras, and TVs. But 62% of the total IoT population is 5 billion devices. The additional 12 billion IoT devices that will be going live by 2020 were likely developed over the past few years with the same absence of security standards:
- Remote administration is open to the entire Internet (IP tables, ACLs, firewall rules not in place).
- Whether it’s SSH or Telnet, the administrator username and password is typically left as vendor default, which all attackers know (see Figure 18).
- Account lockouts after a certain number of failed login attempts is not set, so admin accounts can be brute-forced.
- Rate limiting, which could prevent DDoS attacks, is not in place.
Twelve billion new devices can’t go live on IPv4; there just simply isn’t enough IPv4 space left. Implementors will be forced to use NAT (which is a good thing), move to cellular and the further adoption of 5G, and move to IPv6, which will introduce additional complexity and security issues.
Organizations need to brace themselves for impact, because the attacker opportunity with IoT is virtually endless, and building thingbots is now popular. We expect the IoT attacks we are watching to be building new thingbots and growing the size of thingbots already discovered. Organizations need to be prepared for thingbot attacks by having security controls in place that can detect the bot and scale to the rate at which thingbots can attack. Having bot defense at your application perimeter is crucial, as well as having a scalable DDoS solution.
Attackers will eventually figure out what systems they are infecting, and then build purposeful bots. It’s important to keep in mind that, for the most part, attackers looking to build sizeable bots to launch attacks don’t know what types of systems they have taken over, or who owns them. It’s a numbers game—“who” and “what” is irrelevant to them. They are casting the widest net possible, to catch as many systems as possible, to make the most powerful bot possible. Sierra Wireless, the largest manufacturer of cellular IoT devices issued a Mirai alert, warned customers to reset their default admin credentials. One would assume they issued that alert because their devices were getting infected. Imagine attackers (operating any one of the 10 Mirai spinoff bots that we are aware of) purposely and consciously using their access to a police car to launch physically disruptive attacks instead of unknowingly using equipment in police cars to launch DDoS attacks? Attackers are smart, and the good ones love to automate. We expect them to fingerprint device types and customize their reconnaissance missions and scans to build purpose-built attack bots optimized by the types of devices they infect and what attacks those devices are best at. In the future, we expect:
- Crypto-jacking to rise on IoT systems that are good at processing data like SOHO routers, gaming consoles, and others.
- Ransomware attacks to grow against IoT systems controlling a critical function where the owner is more likely to pay the ransom (industrial control systems, airports, hospitals, casinos, ATMs, etc.).
- More targeting of IoT systems that are network back doors like cellular gateways (especially in fleet vehicles), HVAC systems, thermostats, IP cameras, vending machines, coffee makers—all the “things” you never think might have Internet access. Compromised devices are then used to spy and steal data and intellectual property (IP).
- Spyware targeting industrial control systems (could be foreign adversarial or friendly data gathering).
- Targeted warfare attacks against critical industrial control systems by nation-states, including physical attacks and spying.
It’s going to take material loss of revenue for IoT device manufacturers, or significant costs incurred by organizations who implement these devices before any meaningful IoT security is achieved. If and when the world wakes up and starts to demand stringent security for IoT devices, the availability of IoT systems to infect will decrease and make the attacker market more competitive. At that point, the attack-bot-for-hire cybercrime economy will mature where bots are valued based on the IoT device types in the bot and what attacks they are good for, similar to the way the stolen PII market matured when certain card types or IDs in certain countries were worth more than others.
For now, every company needs to prepare themselves for thingbot attacks, every business and government entity with IoT devices deployed should be securing them, and every person should be securing their home. The recommendations on what to do have been the same since we started this report series. Refer to the checklist in the conclusion of The Hunt for IoT: The Growth and Evolution of Thingbots (volume 4) for a comprehensive list.
Source link
lol
The number of Mirai scanner systems across the world decreased slightly from December 2017 to June 2018. There is less concentration of scanner systems in North America, South America, and Asia in June 2018 versus December 2017. Europe is the only region where Mirai scanner infections remained relatively the same from December 2017 to June…