The Hunt for IoT: The Growth and Evolution of Thingbots Ensures Chaos
- by nlqip
We have already witnessed attackers evolving their methods and markets for making money with compromised IoT devices, just as legitimate businesses and financial markets do. IoT is a rich, trillion-dollar market based on IDC’s estimations for 2020,* ripe with vulnerable devices waiting to be exploited. We should fully expect attackers to continue targeting IoT devices.
Moving forward in the hunt for IoT, it will be a competition among attackers to find IoT vulnerabilities, compromise those devices, and build the strongest thingbot—much like we see today with traditional IT infrastructure.
Regardless of when the easy pickings end, the volume of telnet brute force attacks launched between July 1 and December 31, 2017, maintained levels equivalent to what we saw before and after Mirai. In context, the telnet attacks we have been reporting on have built Remaiten, Mirai, Hajime, and Brickerbot (vigilante thingbots created to take out devices that could have been infected by Mirai), IRCTelnet, Satori, Persirai, Reaper and Hide ‘N Seek.* The telnet attacks we publish do not cover the whole IoT attack spectrum, yet they are enough to create nine sizable thingbots capable of massive destruction or surveillance, with room to create more thingbots we don’t know about yet.
The thingbot discovery timeline shows the evolution of the hunt for IoT through the discovery of thingbots over the past decade, their protocol exploit methods, the devices they target, and the attacks they launch.
Our research shows that there are new threat actor networks and IP addresses continually joining the IoT hunt, and there are consistent top threat actors over time, perhaps using favored networks: networks that allow attackers to do whatever they want with little to no involvement (bulletproof hosting providers) or that have limited ability to detect and respond to abuse (residential IoT devices in telecom networks). What’s more interesting is the pattern created by the count of attacks by IP address and the count of IP addresses used inside networks. The pattern is too clean to be random. It appears calculated and automated. In the same way the networks being used are intentionally picked, the number of systems and IP addresses used within those networks (and the number of attacks they launch) are calculated to avoid detection, and it’s all automated with the same code. We haven’t pinpointed the threat actors, but we see their strategy in action.
Below is a summary of our key findings based on data collected from July through December 2017:
- Telnet brute force attacks against IoT devices rose 249% year over year (2016–2017).
- 44% of the attack traffic originated from China, and from IP addresses in Chinese networks that were top threat actor networks in prior reports. Behind China in total attack volume was the U.S., followed by Russia.
- We have consistently seen the same attacking IP addresses and networks over the span of our two-year research, proving that this abusive traffic is either not being detected, or it’s being allowed. Because of this, we have published the top 50 attacking IP addresses.
- The destinations of attack traffic span the globe, presumably without bias. Wherever vulnerable IoT infrastructure is deployed, attackers are finding it. The most attacked countries were the U.S., Singapore, Spain, and Hungary.
- Attackers have already begun to use other methods of finding and compromising IoT devices, which we will profile in future reports.
- Despite broad awareness of Mirai, it’s growing in size. From June to December 2017, it grew significantly in Latin America and moderately in Europe and Asia.
- Persirai has slightly declined in size over the last six months, most notably in India and Central Asia.
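The pattern described above, in which attack counts per IP address and IP counts per network look calculated to stay under detection limits, is something a defender can check for in their own telnet logs. The following is an added example, not code from the report: the sample counts are constructed, and the /24 grouping, the per-IP limit of 50, and the use of a low coefficient of variation as the measure of a "too clean" pattern are all assumptions.

```python
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: failed telnet logins per source IP in one day
# (RFC 5737 documentation addresses, not real attackers).
SAMPLE = {
    "192.0.2.10": 40, "192.0.2.11": 41, "192.0.2.12": 39,
    "192.0.2.13": 40, "192.0.2.14": 40,
    "198.51.100.7": 900,
    "203.0.113.5": 3, "203.0.113.6": 45, "203.0.113.7": 12, "203.0.113.8": 30,
}

def loud_ips(attempts, per_ip_limit=50):
    """Sources that a plain per-IP threshold already catches."""
    return sorted(ip for ip, n in attempts.items() if n > per_ip_limit)

def quiet_networks(attempts, per_ip_limit=50, min_ips=4, max_cv=0.2, prefix=24):
    """Networks whose sources each stay at or under the per-IP limit, yet
    together exceed it with near-identical counts (low coefficient of
    variation). Thresholds are assumed values to tune per environment."""
    by_net = defaultdict(list)
    for ip, n in attempts.items():
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        by_net[net].append(n)
    flagged = []
    for net, counts in by_net.items():
        # Skip small groups and groups a per-IP rule would already surface.
        if len(counts) < min_ips or max(counts) > per_ip_limit:
            continue
        cv = pstdev(counts) / mean(counts)
        if sum(counts) > per_ip_limit and cv <= max_cv:
            flagged.append((str(net), len(counts), sum(counts), round(cv, 3)))
    return sorted(flagged)

if __name__ == "__main__":
    print("over per-IP limit:", loud_ips(SAMPLE))
    for row in quiet_networks(SAMPLE):
        print("even, sub-threshold network:", row)
```

The single noisy source is caught by the per-IP rule, while the network with five evenly paced sources is only visible once counts are grouped by network; the third network also exceeds the limit in aggregate but its uneven counts keep it out of the flagged set.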