Old IoT vulnerabilities – a botnet gift that keeps on giving

Jan 10th, 2019

The first thing anyone purchasing any device that connects to the Internet should do upon switching it on for the first time, is immediately update it. If you don’t, you risk having it hijacked by a botnet.

So says Bryan Hamman, territory manager for sub-Saharan Africa at NETSCOUT Arbor, which specialises in advanced distributed denial of service (DDoS) protection solutions. He warns that it’s not only obvious IoT devices like fitness wearables and watches that are at risk; so are commonly overlooked devices like IP cameras and cable modems.

According to Hamman, new research from Arbor’s Security Engineering & Response Team (ASERT) reveals that while IoT device makers are starting to develop more secure devices, so IoT botnet authors are turning their attention to exploiting the existing vulnerabilities in older devices.

The ASERT honeypot1 November 2018 report noted that existing IoT vulnerabilities were being used as a means to deliver malware, which is then often conscripted into a DDoS army. And as the 2016 DDoS Mirai attacks showed, a large IoT botnet can create havoc.

“As far as IoT botnet authors are concerned, it seems that older vulnerabilities are effectively a gift that keeps on giving. As soon as a vulnerability is made public, botnet authors integrate it into their botnet and use this, along with their standard brute force tactic, to quickly build what could be the next potentially lethal DDoS army,” Hamman says.

In fact, the ASERT research clearly indicated that the use of existing and known IoT-based vulnerabilities has made it far easier for botnet authors to increase the number of devices within their botnets.

“Even if the device delivered by the manufacturer has been secured against all known vulnerabilities, the device itself is likely to sit on the resellers shelf for a while before it is sold, switched on and connected. By that time, a whole host of additional vulnerabilities, against which the device has not been secured, have emerged. The device is thus vulnerable to attack, until its software is updated,” Hamman adds.

A major problem is that the time taken for an attack to occur is frighteningly short. Earlier ASERT research shows that it can take just a few minutes from the time a device is switched on and connected to the Internet, before it is being scanned and subjected to attempted brute-force logins.

One of the reasons this modus operandi works for botnet authors is the glacial pace at which IoT devices – often referred to as “set and forget” devices – receive security patches. As the authors of the new ASERT report ask: “When’s the last time you updated your IP camera?”

Many botnet authors make a point of seeking to exploit vulnerabilities that are specific to IoT devices. An example is the infamous Mirai malware which emerged in late 2016, but is still going strong, with numerous Mirai variants also having emerged since then. This is largely because of Mirai’s success in exploiting mundane factory-installed usernames and passwords.

In his recent NETSCOUT Arbor blog, Matthew Bing, who reverse-engineers malware and maintains NETSCOUT Arbor’s honeypot operations[1] listed the most popular username and password combos used by malware authors. These included such obvious ones as “admin/admin” and “guest/12345”. You can read the list of some of the others, as revealed by NETSCOUT Arbor, here.

In all, however, NETSCOUT Arbor has identified some 2 070 unique user name and password combos that are commonly used by botnet authors as part of their attack arsenal.

Arbor’s November honeypot report notes that although Mirai-related attacks are no longer directly only at IoT devices, the onslaught against Hadoop YARN, described in in “Mirai: Not Just For IoT Anymore” continued.

While the Hadoop YARN attack is a relatively new phenomenon, NETSCOUT Arbor also identified the new, and extremely worrying trend, of attempted exploitation of older IoT vulnerabilities such as CVE-2014-8361, CVE-2015-2051, CVE-2017-17215 and  CVE-2018-10561  arising from a variety of unique sources in order to deliver variants of Mirai.

CVE-2014-8361, for example, was first publicly disclosed in April 2015 and has been used in a number of IoT botnets including the high profile Satori and JenX.

Hamman predicts that the emerging trend towards the exploitation of known, older IoT vulnerabilities will continue, and possibly accelerate, in 2019.

“One way in which this trend could be slowed and possibly reversed is for IoT device manufacturers seriously consider placing prominent warnings on all their devices advising customers to update the device’s software immediately, and to continue to do so on a regular basis thereafter. Without a concerted effort from all players in the IoT chain, the next major DDoS attack may make the 2016 Mirai exploit pale by comparison,” he concludes.

For more information about NETSCOUT Arbor in Africa, please contact Bryan Hamman at [email protected].

The terabit era: get ready for bigger DDoS attacks

Dec 7th, 2018


When it comes to mitigating distributed denial of service (DDoS) attacks, security professionals have long been concerned about the growing volume and frequency of such incidents. NETSCOUT Arbor, which specialises in advanced DDoS protection solutions, says that, with thousands of attacks reportedly underway across the world at any given time, large institutions have had to steel their defences against what is for many a daily event. This is according to Kevin Whalen, senior director: corporate and marketing communications at NETSCOUT Arbor.

Whalen reports that, in the recently released NETSCOUT Threat Landscape Report, researchers observed that the frequency of attacks had actually declined between 2017 and 2018. However, this is offset against another significant trend: attacks are multiplying in size, often far exceeding what many service providers consider a safe defensive capacity. According to NETSCOUT’s ATLAS Security Engineering and Response Team (ASERT), the maximum size of DDoS attacks increased 174 percent in the first half of 2018 over the same period in 2017.

In February this year, DDoS entered the terabit era.

Bryan Hamman, territory manager for sub-Saharan Africa at NETSCOUT Arbor, says, “As has been previously reported, the largest attack ever witnessed, at 1.7 Tbps, struck a large North American service provider, Github, in February 2018. Fortunately, the customer’s well-designed architecture and their incident response preparedness, combined with their multi-layered NETSCOUT Arbor DDoS solution, meant that they were able to successfully defend against the attack with no downtime. However, this act shows us that defences designed to counteract incident in the 300 Gbps range are no longer adequate. Even an infrastructure with a one terabit defensive capacity is at risk.”

According to Whalen, this record-breaking attack is an example of the Memcached-based strikes that have arisen over the last year, so identified because they exploit vulnerabilities in memory caching servers used to accelerate data access for websites. Well-known cache engine, Memcached is free, open source software frequently deployed in cloud service infrastructures and enterprise networks with the effect of increasing bandwidth. The actors behind the February attack uncovered a design flaw in the Memcached software package that enabled them to take advantage of large amounts of service-provider bandwidth to build and launch an attack of unprecedented scale.

NETSCOUT Arbor advised that, based on publicly available information on Memcached installations worldwide, at the end of February 2018, there were around 50,000 unsecured Memcached installations on the Internet that could be used as DDoS reflectors (whereby reflection denial of service attacks make use of potentially legitimate third party components to send the attack traffic to a victim, ultimately hiding the attacker’s own identity). In the weeks following the large attacks, this number dropped very quickly down to 20,000 and then gradually declined further to around 3,500 installations. Data from the ATLAS Intelligence Feed from NETSCOUT Arbor on Memcached attacks showed that, by and large, the attack frequency has remained flat since March this year.

“The trend toward larger incidents once again reinforces the case for a hybrid or layered defence posture that combines on-premise and cloud mitigation capabilities. Such a hybrid defence position is NETSCOUT Arbor’s consistent best-practice advice. Everyday compromises are still relatively small and can usually be detected and mitigated with an on-premise solution.

“However, the rise of the terabit attack means it’s essential to have a cloud-based component with the capacity to mitigate attacks of such size. Cloud-based defences can be instantly activated when the on-premise component detects an attack of significant magnitude. The terabit-sized DDoS outbreak has arrived, and it will re-surface again in the future. The threat is real, and we must be ready,” concludes Hamman.

For more information about NETSCOUT Arbor in Africa, please contact Bryan Hamman at [email protected].