Cybersecurity Insights-13

Cybersecurity Insights-13

January 16, 2020 | Adeline Zhang

Distribution of IoT-based Family Samples

We analyzed IoT-based malicious family samples captured by NSFOCUS threat hunting systems (see Figure 7-1), those captured by NSFOCUS Threat Intelligence (NTI) and those captured by VirusTotal (see Figure 7-2). The two figures, though presenting different data sources, both indicate that Gafgyt and Mirai take the first two places on the top list. We can see that IoT-based malware families tend to behave in a similar way. This is likely due to the source code of Gafgyt and Mirai families being published on the internet and can be modified at will. Their variants mainly change the C&C address and attack method, which is what tools-kids always do. Arguably, most attackers are tool users, with little technical expertise.

The analysis of captured data shows that IoT-based botnets function as centralized services in a managed way. Most attackers can now simply rent DDoS services to launch attacks, without the need of building botnets on their own. Furthermore, malware developers continue to update their infection code with new exploitation methods, in a bid to compromise more botnet hosts to launch larger bandwidth attacks.

IoT-based Cryptomining

In April 2018, 200,000 MikroTik routers were hit by malicious attacks and compromised into participating in bot activity.

By October 2018, Coinhive had controlled over 26,000 IoT devices, most of which were MikroTik routers distributed in Brazil. IoT devices are difficult to upgrade and fix, which is a greatest challenge to overcome in securing the IoT.

As listed in 0, , the number of these IoT devices decreased compared with April 2018, but they still remain dangerous.

Analysis of the distribution of controlled IoT devices by type and vendor.

We found that over 90% of the IoT devices controlled by the Coinhive family were routers, 96% of which were MikroTik routers. See Figure 7-3.

As of April 2018, Brazil is home to the most MikroTik routers controlled by the Coinhive family. The vulnerability was discovered in March 2018 and by April massive cryptomining activities were seen throughout the country. By October, Coinhive had controlled a great number of IoT devices, which indicated that the IoT devices were not patched. Typical users have both a lack of security awareness in general and little knowledge about IoT devices in particular. It is bad enough that IoT vendors fail to provide automatic or other update mechanisms to ensure proactive security.

To be continued.