“A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data”.
- Oxford definition for the Internet of Things
It’s considered as the next step in the evolution of the Internet and offers many advantages and opportunities as well. The problem is the bad guys know it too. Using the fast emerging IoT, hackers can take control of vast amount of hardware to send out their malicious attacks.
The rush to connect everything and launch smart products has somehow brought people to almost completely neglect the security aspects of all those smart things. Security, if it’s considered at all, is often an afterthought for IoT devices. This big scale oversight has everyone more susceptible to cybercrime, regardless if they own IoT devices.
Unsecured IoT devices are easily recruited into malicious botnets to launch DDoS attacks. One such example was recently reported by Sucuri, where they mitigated a DDoS that leveraged over 25 000 CCTV devices which peaked at 50 000 HTTP requests per second.
Given that IoT device users often deploy them while keeping the generic passwords, usually the same for entire classes of devices, hackers use softwares armed with specific lists of usernames and passwords to brute-force crack into the devices and gain control over them. Due to the very nature of these devices, an infection in a long-forgotten CCTV for example, can take a long time before the owner of the infected device notices any anomalies.
That’s why developers of DDoS toolkits can potentially build up a botnet army comprising of a number of infected devices that dwarfs anything possible by traditional PC-based botnets.
The experts at Level 3 Threat Research Labs have been tracking a family of malware that targets IoT devices with the intent of creating DDoS botnets. They reported that hackers have been using LizardStresser variations, that go by many names such as Lizkebab, BASHLITE, Torlus and gafgyt, to recruit their IoT botnets. The source code for the malware was leaked in early 2015 and has since been spun off into many variants.
The botnets expand by scanning for vulnerable devices in order to install the malware. Two primary models for scanning exist:
- Instructing bots to port scan for telnet servers and attempting to brute force the username and password to gain access
- Using external scanners to find and harvest new bots
The latter model which is growing in popularity, adds a wide variety of infection methods, and often scans directly from the command-and-control (C2) servers.
Lately, researchers from MalwareMustDie have also reported a newly discovered and still poorly detected piece of Linux malware, called Mirai, being used to hijack IoT devices into DDoS botnets. Mirai is considered to be a direct descendant of an older, previously mentioned Trojan known as Gafgyt.
There has been a variety of malware implementations from different actors with infection vectors, scanning methods and overall sophistication expected to evolve.
IoT Bot Landscape
IoT devices are being increasingly targeted by hacking organisations like Lizard Squad and Poodle Corp with the intent of building botnets to launch DDoS attacks. These massive botnets are then used for their own malicious agendas or even rented to other individuals, which is also known as DDoS-as-a-Service.
So far, IoT bot herders are favoring security camera DVRs as targets mainly because they are often left configured with default credentials, making them easy prey for hijackers. This kind of devices come with enabled telnet and web interfaces, and when combined with bandwidth required to stream video they become a powerful class of DDoS bots.
Geographically, of the IoT bots observed by Level 3 and reaching more than 1 million devices, a large percentage are located in Taiwan, Brazil and Colombia. A vast majority were using white-labeled DVRs along with DVRs manufactured by Dahua Technology.
As for device types of the observed botnets, almost 96 % were IoT devices (mainly cameras and DVRs), 4 % were home routers and less than 1 % were compromised Linux servers. It’s a major change from traditional server and home router based DDoS botnets. It all points to the conclusion there’s a huge shift going on in the composition of botnets.
Command and Control Servers (C2s)
The C2 used in IoT based DDoS attacks have their IPs hard-coded into the malware, often specifying only a single IP address, in contrast to more sophisticated malware, which utilizes a variety of techniques to provide higher resiliency.
The overall lack of sophistication is not a concern for IoT bot herders because it’s quite easy for them to create a new C2 and re-compromise their bots. Many of these botnets are capable of producing powerful attacks as large as hundreds of gigabits per second.
Level 3 Threat Research Lab also reports a huge variation in terms of C2 controlled bots. With the median C2 controlling 74 bots but the largest C2 communicating with nearly 120,000 bots and we expect the number of bots to actually be higher.
IoT Based DDoS Anatomy
After the attacker manages to gain control over the device, they do not bother to identify the architecture of it as they immediately execute both the “busybox wget” and “wget” commands (small applets that run in the background of Linux systems) to retrieve DDoS bot payloads. It’s then they run multiple versions of the malware constructed for various architectures (up to 12), until one executes.
IoT DDoS attacks targets are mostly residential users, but also popular gaming platforms and sites. The majority of the attacks were simple UDP and TCP floods. High bandwidth attacks are more likely to run UDP floods which are also more common, while high packets-per-second attacks launched mostly TCP floods and are decreasing in popularity. Some variants also support HTTP attacks. Even if it’s supported, spoofing of source addresses was rarely used with these malwares.
It’s important to note how reflected attacks are absent from this type of attacks. That’s why perpetrators use multiple families of malware, it allows them to broaden their arsenal.
When talking about the duration of IoT DDos attacks they are fairly short-lived, with the median duration just over 2 minutes, and 75 % of attacks under 5 minutes.
How To Defend
The rise in the number of compromised IoT devices paired with an alarmingly low level of security standards within the IoT world has brought OWASP to react and launch yet another security project. As stated on their official page, the OWASP Internet of Things (IoT) Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies. The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.
Until a comprehensive guide is completed there are some security measures available to IoT administrators in order to secure their devices:
- Access Control List (ACL) - If permissions are not specified by the manufacturer, it should be done as soon as possible. Extreme caution is recommended when configuring read/write permissions.
- SNORT - Useful open source program for the layer-7 Get flood.
- YARA Rules - A tool that helps identify and classify classify files or running processes to determine what family the malwares belong to.
The abuse of IoT devices for botnet misuse is nothing new, but as they become more frequent, IoT based DDoS botnets are sure to increase in number and power. While hosts and home routers continue to be targeted, hackers will most likely follow the easier path. Instead of spending more energy on traditional bot hosts, they’ll take advantage of the abundance of insecure IoT devices. Even though IoT platforms as launching pads for DDoS attacks are reported in small numbers and only a few attacks have been launched and with relatively insignificant impact, as IoT becomes more present and more standardized - more and more opportunities and higher levels of sophistication are arising for cybercriminals.
Vendors of IoT devices should work to improve their security to control this growing threat. However, if you have one of these devices, standard security best practices advice applies. Some types of IoT devices don’t allow you to configure what services are exposed, and some use hardcoded credentials that can’t be changed, leaving owners with few options. It’s why researching the capabilities of these devices before purchase is just as important as their operation after they are deployed. Until IoT device manufacturers start improving their security standards and device owners stop connecting them insecurely to the internet, the trend is expected to continue to grow.
If you are suspecting a DDoS attack or bot abuse, contact our experts to find the quickest and most suitable solution.