Annual IoT Security Report 2019-10

Annual IoT Security Report 2019-10

December 15, 2020 | Adeline Zhang

IoT Exploits

Viewpoint 3: Over 30 types of IoT exploits were captured, most of which targeted remote command execution vulnerabilities. Though hundreds of to thousands of IoT vulnerabilities were unveiled each year, only a few can exert an extensive impact. Attackers were keen on targeting devices (routers and video surveillance devices) exposed in large quantities, so as to broaden their influence.

Based on the logs generated by NSFOCUS’s threat hunting system from May 6 to November 6, 2019, we made an analysis of global IoT exploits.

Over 30 types of IoT exploits were captured, most of which targeted remote command execution vulnerabilities. Obviously, from the perspective of global IoT threats, though hundreds of to thousands of IoT vulnerabilities were unveiled each year, only a few can exert an extensive impact. We counted all logs generated one day for the same source IP address as one attack event. Upon deduplication of attack IP addresses, we got top 10 most frequently exploited IoT vulnerabilities listed in descending order of the number of exploitations in Table 3-1. It can be seen that attackers’ exploits mainly targeted routers and video surveillance devices, which fits in with the fact that routers and video surveillance devices were major IoT devices exposed on the Internet. Evidently, attackers hit devices exposed in large quantity to expand the scope of impact. The PoC of most of these vulnerabilities can be found in the Exploit-DB and those beyond this database existed in GitHub. These publicly available PoCs have substantially reduced attackers’ cost of crafting attack payloads.

Upon deduplication of source IP addresses indicated in logs, we found that about 35% of these IP addresses exploited vulnerabilities. From daily changes in the number of deduplicated source IP addresses shown in Figure 3-3, attackers were relatively active in late May, early June, and July.

After data deduplication, we analyzed the global distribution of source IP addresses. As shown in Figure 3-4, China was home to most malicious IP addresses, about one order of magnitude higher than other countries following it such as Brazil, the USA, and Russia. In China, up to 20,000 IP addresses initiated exploits, 85% of which resided in Taiwan. Of these exploits, nearly 90% targeted the same UPnP vulnerability (CVE-2017-17215). Section 4.4.3 provides an analysis of malicious behaviors based on UPnP-related vulnerabilities.

Most exploit payloads we captured contain a snippet of code used to call system commands (such as the wget and tftp commands) to download and execute malicious programs. We can obtain sample download addresses from the payloads delivered by attackers. Most servers on which such samples resided were located in the USA (15.9%), as shown in Figure 3-5.

To be continued.