Last year, an IoT botnet called Mirai that enslaved roughly 100,000 devices managed to shut down a chunk of the internet by targeting DNS provider Dyn. Amazon, Twitter and Reddit were all overwhelmed by its traffic. Now, there is a quickly growing botnet, known as IoTroop or Reaper, that is growing to be much broader in scope.
What do you make of the scale of the botnet and its level of sophistication?
Ofer Amitai: According to reports, the IoTroop/Reaper botnet is still in the recruitment stage and continually infecting more devices, so it’s still hard to determine the scale, but Check Point posits that its impact could be far-reaching, maybe even more so than Mirai. Currently, Check Point and the Chinese cybersecurity firm Qihoo 360 estimate that millions of devices from the United States to Australia have been affected. Qihoo found that multiple botnets controlling computing servers are being used by the hackers to communicate with up to 10,000 compromised devices each day, recruiting new devices that have been identified to contain one of the nine vulnerabilities.
As for its level of sophistication, the IoTroop/Reaper thingbot attack seems to be more sophisticated than, or at least different from, the Mirai attack. Both Qihoo and Check Point suggest that IoTroop/Reaper is based partially on Mirai code, but the former has already proven to be better at the recruitment phase as well as disguising itself from IoT security solutions. However, at the moment, both organizations postulate that IoTroop/Reaper can live in harmony with Mirai, [whereas] Mirai itself … wiped out a prior malware strain known as Qbot. There are currently nine known vulnerabilities that are being exploited on up to 12 different IoT devices including IP cameras and DVRs.
Experts from both Check Point and Qihoo 360 suggest that this attack has the potential to bring down the internet, if it is able to recruit enough “zombie” thingbots to disseminate the malware on vulnerable IoT devices all over the world.
Is there a way to infer the intent of the authors of this attack at this point or is it still too early?
Amitai: At the moment, it’s still too early to know the intentions of the authors, or who they even are. None of this information has been published. However, if you look at the goals of hackers who created and distributed IoT malware leading to DDoS attacks in the past, it seems that one of the more obvious goals is to outsmart the previous attacker – in this case, the author of Mirai. Because IoTroop/Reaper’s code is partially based on Mirai, the same group of hackers could be responsible, although Mirai’s source code is freely available online. The attack is still in the recruitment phase, which means that there is no discrimination or clear behavior pattern that is evident. Once the hackers have recruited enough “zombie” devices to their arsenal, they may command these devices to carry out DDoS attacks, in which case the intents and targets of the attack should be revealed.
What does it mean that the attack focuses on IoT software vulnerabilities rather than exploiting default or weak login credentials?
Amitai: One of the vulnerabilities that allowed for Mirai to occur was that the compromised IoT devices either used no passwords or publicly available factory default settings for their telnet credentials. The Shodan IoT search engine is just one example of where these credentials are readily available, even for specific IP addresses. This time around, the hacker or group of hackers knew that they couldn’t use the same telnet credential scheme to infiltrate and commandeer vulnerable devices, as many of those default and factory settings have been changed (hopefully). Instead, IoTroop/Reaper looks for vulnerabilities in the IoT devices’ software, with the potential to wreak more havoc than imaginable following Mirai.
How big of a threat is Reaper for the enterprise? How can enterprise companies know if they have been hit?
Amitai: While the scope and potential risk arising from IoTroop/Reaper is still unknown, enterprises should absolutely take note. There is no need to panic at this point, but, on the other hand, all wireless IP security cameras, particularly the brands GoAhead, D-Link, TP-Link, Avtech, Netgear, MikroTik, Linksys and Synology, should be examined for vulnerabilities, or patched with firmware upgrades where available. Older versions of these devices should be discontinued in favor of more current and patchable devices.
Enterprise companies should use a threat detection solution to determine if their IoT devices are vulnerable (according to the published list of vulnerabilities). In addition, now is the time to deploy a network visibility solution that provides essential endpoint information on IoT devices and discovers them on the network. One of the pitfalls of IoT security is that the devices often aren’t registered as managed endpoints on the network, making it more difficult to manage their security status including firmware and version upgrades. Consult with a cybersecurity expert if you think that your IoT devices have been compromised and do not disconnect infected IoT devices because this action may help the thingbot infection spread.