IoT fueled-botnets are a bit like the hacking equivalent of a homemade bomb. They are relatively simple to make yet can cause immense damage when leveraged for distributed denial-of-service attacks (DDoS), as last year’s Mirai botnet illustrated. “DDoS is probably the absolute simplest thing you could possibly do with such power in your hands,” said Nadir Izrael, CTO of the IoT security startup Armis.
But while Mirai was able to overwhelm networks owned by internet giants such as Amazon, Twitter, Netflix and others, a new IoT botnet, known alternately as Reaper or IoTroop, could be many times stronger. Early reports suggest that the botnet has already hit more than 1 million organizations and that more than 2 million IoT devices are waiting in the queue of the botnet's command and control servers.
“In any case, 2 million is a staggering number,” said Izrael. “Reaper is not the only botnet around, but, probably, it is the biggest that has been detected so far.”
It’s not yet clear, however, how the botnet might be used — whether it will be used to fuel a DDoS attack, corporate network surveillance or as an anonymity network to help hackers hide their tracks.
The sheer scale of the botnet is evidence that the hackers behind the attack are likely a coordinated bunch, said Peter Tran, general manager and senior director at RSA Security. While the botnet leverages code from Mirai and other malware sources in a crowd-sourced-like fashion, its method of recruiting IoT devices by leveraging common vulnerabilities such as CVE-2017–8225 is efficient and nimble.
While attribution is notoriously difficult for cyberattacks, the Reaper botnet represents an evolution of sorts over Mirai. Its modus operandi is more sophisticated. Rather than simply looking for weak or default telnet passwords, it seeks to exploit an evolving list of vulnerabilities in IP cameras, digital video recorders and network video recorders.
While the botnet may work differently than Mirai, the range of device types that Reaper targets is similar. “The reason that DVRs and IP cameras keep coming up in botnets is that they have a need for direct network access and they are usually running a very old operating system. It could be an old version of Android, but it is mostly [an outdated] version of Linux,” Izrael said. “You would be amazed at how many devices from prominent manufacturers are running ancient operating systems, and they rarely, if ever, get patched. If this happens with mainstay devices, you can imagine what happens with DVR and IP cameras from second-tier companies.”
It just so happens that many of the affected devices are used in commercial settings. “It is sort of a misconception that this is a consumer problem,” Izrael noted.
Ultimately, the two most worrisome aspects of Reaper are that it suggests that the state of IoT security has barely budged since a year ago when Mirai struck and the fact that such botnets are difficult to detect. “The Mirai spurred board-level discussions around [whether] organizations would even know if one of their networked devices had been recruited into the botnet,” Izrael said. “If I were to tell you that a smart thermostat in an organization is transferring 1 GB of data outbound to a cloud environment, would you know if that is normal or not? Most people have no idea if that would be a normal operation or not. Even companies with entire security teams that are very capable are still struggling with questions like that.”