On the heels of severe Distributed Denial of Service (DDoS) attacks, new Internet-of-Things (IoT) powered botnets are emerging. There are already hundreds of such botnets in the underground hacking ecosystem, where services, code, and specific attacks can be purchased or acquired. New botnets are being developed to meet the growing demand and to circumvent anticipated security controls.
The latest IoT botnet
Researchers have spotted a new IoT botnet called Linux/IRCTelnet. In just five days it infected 3,500 devices, and it features an old-school adaptation: using Internet Relay Chat (IRC) as the command-and-control (C2) channel. IRC is a very old protocol, a plaintext chat system that predates the World Wide Web. Many of the original botnets used IRC a decade ago. IRC-based C2 is not particularly difficult for security software to spot and disrupt, so it is an interesting choice by the attackers, who I assume are not top-tier (i.e., not nation-state level).
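To show why IRC is a weak choice for C2 in this kind of bot, here is an added example, not code from the original post or from any botnet, that flags IRC sessions in reassembled TCP flows by the protocol's own registration commands (NICK, USER, JOIN and the server's numeric replies, from RFC 1459/2812) rather than by port number. The flow records and the nicknames and channel in them are constructed placeholders; the function names, the `MIN_IRC_LINES` threshold and the flow-record layout are assumptions, and a real deployment would feed it streams from a tool such as Zeek or a pcap parser.

```python
"""Flag IRC-style command-and-control traffic in reassembled TCP flows.

Added example, not code from the original post or from any botnet. It
assumes flows have already been reassembled into (src, dst, dport, payload)
records; the records at the bottom are constructed, not captured.
"""
import re
from typing import Dict, Iterable, List

# Client commands a bot must send to register and join its C2 channel, and
# the server messages it gets back. These come from the IRC protocol itself
# (RFC 1459 / RFC 2812), not from any particular botnet family.
CLIENT_CMD = re.compile(rb"^(NICK|USER|JOIN|PRIVMSG|PONG|MODE)\b", re.IGNORECASE)
SERVER_MSG = re.compile(rb"^(PING\b|:\S+ (\d{3}|PRIVMSG|NOTICE|JOIN)\b)", re.IGNORECASE)

# Assumed threshold: a single stray "NICK" or "PING" in some other protocol
# should not fire, while a real session yields NICK, USER, JOIN and a numeric
# reply within its first few lines.
MIN_IRC_LINES = 3


def irc_line_count(payload: bytes) -> int:
    """Count lines that parse as IRC client commands or server messages."""
    count = 0
    for line in re.split(rb"\r?\n", payload):  # servers accept bare LF too
        if CLIENT_CMD.match(line) or SERVER_MSG.match(line):
            count += 1
    return count


def is_irc(payload: bytes) -> bool:
    """True when enough of the stream parses as IRC to call it a session."""
    return irc_line_count(payload) >= MIN_IRC_LINES


def find_irc_c2(flows: Iterable[Dict]) -> List[Dict]:
    """Return flows that speak IRC, regardless of destination port.

    The port is deliberately ignored: a bot-herder can run the IRC daemon
    on 443 or 8080, and matching only on 6667 would miss it. Each hit
    records why it fired so an analyst can review it.
    """
    hits = []
    for f in flows:
        n = irc_line_count(f["payload"])
        if n >= MIN_IRC_LINES:
            hits.append({
                "src": f["src"],
                "dst": f["dst"],
                "dport": f["dport"],
                "irc_lines": n,
                # 6667 is the conventional IRC port, 6697 the IRC-over-TLS port
                "nonstandard_port": f["dport"] not in (6667, 6697),
            })
    return hits


# Constructed sample flows (not captured traffic). Nicknames and the channel
# name are placeholders; real bots use their own naming schemes.
SAMPLE_FLOWS = [
    {   # bot registering and joining a channel on the conventional IRC port
        "src": "192.0.2.10", "dst": "198.51.100.5", "dport": 6667,
        "payload": b"NICK dev-a1b2c3\r\nUSER dev 8 * :dev\r\nJOIN #ctrl\r\n"
                   b":irc.example 001 dev-a1b2c3 :Welcome\r\n",
    },
    {   # same handshake, but the C2 daemon listens on 443 to blend in
        "src": "192.0.2.11", "dst": "198.51.100.5", "dport": 443,
        "payload": b"NICK dev-d4e5f6\nUSER dev 8 * :dev\nJOIN #ctrl\n",
    },
    {   # plain HTTP whose path happens to contain the word "join"
        "src": "192.0.2.12", "dst": "203.0.113.7", "dport": 80,
        "payload": b"GET /join HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    },
    {   # one IRC-looking line alone stays below the threshold
        "src": "192.0.2.13", "dst": "203.0.113.8", "dport": 8080,
        "payload": b"PING :keepalive\r\nsome other protocol data\r\n",
    },
]

if __name__ == "__main__":
    for hit in find_irc_c2(SAMPLE_FLOWS):
        print(hit)
```

On a network segment of cameras, DVRs and routers, any IRC session at all is worth an alert, since none of those devices has a legitimate reason to speak it; the `nonstandard_port` flag is there because the port-hopping case is the one a port-based rule misses. Once the C2 server is identified, the same plaintext visibility lets a defender read the channel commands and sinkhole or block the server, which is what makes IRC C2 easy to undermine.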
Linux/IRCTelnet is not based on the popular Mirai IoT DDoS botnet code but rather on the older Aidra code. It does, however, leverage default passwords on IoT devices to gain control, which is simply the easiest path at the moment. Attackers will evolve as that door closes, so don’t get too excited and think we can ‘solve’ IoT security by eliminating default passwords. It is just one chess move in a long game we are begrudgingly forced to play. Although this Linux bot is still new and small, it could hold potential for more directed attacks, and it highlights how malware writers are working to differentiate their attack code.
More targets will be explored.
We are already seeing a broad diversity of telecommunications, political, business, Internet-infrastructure, and social sites being targeted. The latest is an attack against Internet access for the country of Liberia. Access to the web has been spotty for customers, with attackers at times pushing over 600 Gb/s of traffic to choke the network. Most of the country’s access is provided by the African Coast to Europe (ACE) undersea cable, so these attacks could affect many other nations in West Africa that rely on the same data pipeline.
What comes next?
Expect many more entry-level botnets, which will eventually be supplanted by more professional malware. Thus far, most IoT botnets have been basic. This will change as more professional and well-funded players emerge.
Look for the pros to do the following when they come into this space:
- Patch or change the passwords of victim IoT devices after infection, so others can’t take over their prey
- Set up more sophisticated and concealed Command and Control (C2) structures, to make it more difficult to track bot-herders or interfere with their control
- Implement encrypted communications to the end nodes, to conceal instructions, updates, and new targeting information
- Begin exploiting OS/RTOS vulnerabilities on higher-end devices to gain more functionality and persistence
- Begin siphoning data from IoT devices, which can be valuable for many different purposes, including extending attacks further into homes, businesses, and governments
I predict the next phase of availability attacks will begin right around the time the industry reaches the tipping point in addressing the ‘default’ password weakness. Then confidentiality attacks will come, followed by integrity compromises. Brace for a long fight, as IoT devices are highly coveted by attackers. This matchup should be exciting as it unfolds!