IoT devices are becoming the “cyberweapon delivery system of choice” for today’s botnet-building attackers and are set to become the next dark web, says the latest report from US security firm F5.
The report tracks Telnet attack activity and, through a series of global maps showing infected systems, tracks the progression of Mirai, as well as a new thingbot called Persirai. The report also includes a list of the administrative credentials attackers most frequently use when launching brute force attacks against IoT devices.
Mirai systems in Europe — June 2017
Telnet attack activity grew nearly three times (280%) over the last six months, mainly because of the massive growth driven by the Mirai malware and subsequent attacks. However, the level of attacking activity at the moment doesn’t equate to the current size of Mirai or Persirai, indicating there are other thingbots being built that we don’t yet know about. Since there haven’t been any massive attacks post Mirai, it’s likely these thingbots are just ready and waiting to unleash their next round of attacks.
Almost all (93%) of the attacks occurred in January and February while activity significantly declined in March through June. This could mean that the attacker “recon” phase has ended and that the “build only” phase has begun.
The top attacking country in this reporting period was Spain, launching 83% of all attacks, while activity from China, the top attacking country from the prior two periods, dropped off significantly, contributing less than 1% to the total attack volume. The top 10 attacking IP addresses all came from one hosting provider network in Spain: SoloGigabit.
SoloGigabit was the source of all attacks coming from Spain in this period. Given that SoloGigabit is a hosting provider with a “bullet proof” reputation, F5 assumes this was direct threat actor traffic rather than compromised IoT devices being forced by their thingbot master to attack.
Although IoT devices are known for launching DDoS attacks, they’re also being used in vigilante thingbots that take out vulnerable IoT infrastructure before it is used in attacks, and to host banking trojan infrastructure. IoT devices have also been subject to hacktivism attacks, and are the target of nation-state cyber warfare attacks.
The Persirai development shows attackers are now building thingbots based on specific disclosed vulnerabilities rather than having to launch a large recon scan followed by brute forcing credentials.
From a manufacturing and security perspective, the state of IoT devices hasn’t changed. In the short term, IoT devices will continue to be one of the most highly exploitable tools in attackers’ cyber arsenals, and thingbots will continue to be built until IoT manufacturers are forced to secure these devices, recall products, or bow to pressure from buyers, says the company.