2020 H1 witnessed nine Internet of Things (IoT) security events that deserved close attention:
- Ripple20 0-day vulnerabilities were discovered and affected hundreds of millions of networked devices in various industries across the globe.
- A high-risk 0-day vulnerability was detected in dozens of Netgear router products.
- A group of Industrial Control System (ICS) honeypots attracted four 0-day attacks.
- A critical remote code execution (RCE) vulnerability affected millions of network devices based on OpenWrt.
- Hackers exploited 0-day vulnerabilities in DrayTek devices to launch attacks on enterprise networks.
- Hackers hijacked a smart building access system and could launch distributed denial-of-service (DDoS) attacks on devices accessible via networks.
- Millions of devices using LoRaWAN were vulnerable to hacker attacks, and nodes, gateways, and servers in the LoRaWAN network were prone to critical vulnerabilities, so their security protections still need improvement.
- Hackers divulged Telnet credentials of over 500,000 devices.
- Researchers discovered LiquorBot, a new botnet with cryptomining functionality.
In 2020 H1, Exploit-DB recorded a total of 84 new IoT-related exploits, which mainly involved vulnerabilities in network device vendors, Netgear in particular. In our opinion, this is because top network device vendors sell devices in large numbers and researchers pay more attention to their devices. Exploits were dominated by RCE and denial-of-service (DoS), with RCE the most common type, accounting for more than 35% of the total.
In 2020 H1, NSFOCUS’s threat hunting system captured 26,998,718 access request logs from 266,632 IP addresses. 12.98% of the access requests were malicious attacks that exploited IoT vulnerabilities. Most vulnerabilities exploited by attackers had exploit scripts available in Exploit-DB. The most exploited vulnerabilities included the D-Link device vulnerability (CVE-2015-2051) and the MVPower DVR vulnerability (EDB No.: 41471). Analysis of source IP addresses found that 159,679 IP addresses, which accounted for 59.89% of the total, performed exploits and other malicious actions.
IoT Security Trend
Analysis of Critical IoT Security Events
(1) Ripple20 0-day vulnerabilities were discovered and affected hundreds of millions of networked devices in various industries across the globe.
JSOF, an Israeli cybersecurity company, warned on Tuesday that critical vulnerabilities affected the Treck TCP/IP stack and hundreds of millions (or even more) of IoT devices across the globe might suffer remote attacks. The vulnerabilities affected various sectors, including consumer goods, health care, data centers, enterprises, telecommunications, oil, gas, nuclear power, transportation, and many other critical infrastructure sectors.
Treck TCP/IP is a high-performance TCP/IP suite that is designed for embedded systems. JSOF researchers detected that the product contained 19 0-day vulnerabilities affecting the proprietary implementation of Treck network protocols. These vulnerabilities were reported in 2020, so they were dubbed Ripple20.
(2) A high-risk 0-day vulnerability was detected in dozens of Netgear router products.
In June 2020, security researchers discovered an unfixed high-risk 0-day vulnerability in a large number of Netgear router firmware images. The vulnerability exposed 79 Netgear device models to the risk of root takeover. What’s worse, no patch was available for the vulnerability. According to a report from the Zero Day Initiative (ZDI), “The specific flaw exists within the httpd service, which listens on TCP Port 80 by default”. Netgear R6700 routers were prone to the vulnerability… “The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length, stack-based buffer.”
The ZDI report added that no authentication was required to exploit the vulnerability and attackers could exploit the vulnerability to obtain root privileges.
ZDI said that it had informed Netgear of the vulnerability but Netgear had not provided patches for affected devices. Netgear had asked to postpone disclosure until the end of June, but ZDI rejected the request.
Nichols, one of the vulnerability discoverers, said that he initially discovered the vulnerability in Netgear R7000 routers and eventually found 79 Netgear device models and 758 firmware images that included a vulnerable copy of the web server. The affected firmware dated back to 2007 (WGT624v4, version 2.0.6).
(3) A group of Industrial Control System (ICS) honeypots attracted four 0-day attacks.
Recently, to study the security threats facing current ICS environments, researchers built a fake industrial infrastructure network of 120 high-interaction honeypots deployed in 22 countries and regions, simulating programmable logic controllers (PLCs) and remote terminal units (RTUs).
Within 13 months, attackers had 80,000 interactions (mainly scans) with the honeypots, nine of which used an industrial protocol maliciously.
Though small in number, four of the nine malicious interactions used previously unknown attacks (0-day exploits), one of which was the first use of a proof-of-concept (PoC) attack in the wild.
Device manufacturers were informed of the attacks detected by the honeypots, including DoS attacks and command replay attacks.
(4) A critical remote code execution (RCE) vulnerability affected millions of network devices based on OpenWrt.
Earlier this year, Guido Vranken, a security expert at a software company called ForAllSecure, discovered a critical vulnerability in OpenWrt, a Linux-based operating system for network devices.
This critical RCE vulnerability (CVE-2020-7982) affects a wide range of network devices, including routers and residential gateways, which run Linux-based OpenWrt.
The vulnerability exists in the OPKG package manager of OpenWrt, in the way it checks the integrity of downloaded packages against the SHA-256 checksums embedded in the signed repository index.
(5) Hackers exploited 0-day vulnerabilities in DrayTek devices to launch attacks on enterprise networks.
According to a NetLab report, at least two independent hacker groups exploited two critical remote command injection vulnerabilities (CVE-2020-8515). These vulnerabilities affected DrayTek Vigor enterprise switches, load balancers, routers, and VPN gateway devices, allowing attackers to intercept network traffic and install backdoors.
The 0-day attacks began in late November or early December 2019 and could affect thousands of DrayTek switches as well as Vigor 2960, 3900, and 300B devices that had not been patched with the latest firmware updates released in February.
(6) Hackers hijacked a smart building access system and could launch DDoS attacks on Internet-accessible devices.
On February 2, 2020, ZDNet published a report disclosing that hackers had hijacked a smart building access system, the Linear eMerge E3, to launch DDoS attacks. The device was targeted because, in November 2019, Applied Risk had disclosed exploit scripts for RCE vulnerabilities in the device, but the vulnerabilities in the access control system were never fixed. On January 9, 2020, hackers attacked the device for the first time and used it for DDoS attacks.
As an important part of household and enterprise protection systems, building access control systems, if vulnerable, would pose huge threats to individual and enterprise security. Security device vendors must follow security standards in the process of device R&D, manufacturing, and maintenance, fix device vulnerabilities promptly, and work out real-time upgrade policies to avoid serious consequences.
(7) Millions of devices using LoRaWAN were vulnerable to hacker attacks, and nodes, gateways, and servers on the LoRaWAN network were prone to severe vulnerabilities, so their security protections still need improvement.
On January 28, 2020, IOActive, a cybersecurity company, released a report saying that millions of LoRaWAN devices could be attacked. The report analyzed the security of end devices and gateways on the LoRaWAN network and pointed out that node secret keys could be reused and that fake devices could be leveraged to send arbitrary messages. Many servers were found to use weak passwords.
As enterprises deploy more smart office and smart security systems, their demand for low-power networks that can be set up freely keeps growing, which exposes LoRaWAN nodes, gateways, and servers to cyber threats. Enterprises need to pay more attention to the security of LoRaWAN gateways and servers so as to prevent hackers from forging LoRaWAN nodes to attack them.
(8) Hackers divulged Telnet credentials of more than 500,000 devices.
On January 19, 2020, ZDNet reported that hackers had leaked weak Telnet passwords for more than 510,000 servers and IoT devices. Since the list of weak passwords dated from October to November 2019, we are not sure whether the passwords are still valid at present.
Telnet is an insecure service. Once attackers identify Internet-facing IoT devices and legacy servers with weak passwords through scanning, they can exploit them at will, and devices compromised at this scale pose a tremendous threat. Device management companies and staff need to ensure that passwords are strong enough. Where devices permit, use SSH instead of Telnet for remote access, and configure key-based authentication for login.
(9) Researchers discovered LiquorBot, a new botnet with the cryptomining function.
On January 7, 2020, Bitdefender, a cybersecurity company, announced the discovery of LiquorBot, a new cryptomining botnet spread via IoT devices. The botnet has builds for multiple processor architectures (ARM, ARM64, x86, x64, MIPS), spreads by exploiting weak SSH passwords and RCE vulnerabilities, and even uses Mirai-related C2 servers.
A large number of botnets certainly spread via weak passwords and RCE vulnerabilities. Enterprises should be prepared to defend against botnets, especially DDoS. Device management vendors need to keep device firmware up to date and use strong device passwords.
Information About Newly Added IoT Vulnerabilities
In 2020 H1, Exploit-DB recorded a total of 84 new IoT-related exploits. Netgear, TP-Link, Cisco, D-Link, and Edimax ranked top 5 by number of exploits and are all network device vendors. Besides, a large number of vendors had only one exploit. In our opinion, a large number of exploits does not necessarily mean that a vendor’s devices are of poor quality; rather, top network device vendors sell devices in large numbers and researchers pay more attention to their devices. Figure 2-1 shows the distribution of exploits by vendor.
Figure 2-1 Distribution of exploits by vendor in 2020 H1
Exploits were dominated by RCE and DoS, with RCE in first place, accounting for more than 35% of the total. RCE vulnerabilities have severe impact and exist in large numbers, which is why Exploit-DB describes them as a weapon favored by botnets. Figure 2-2 shows the distribution of exploits by type.
Figure 2-2 Distribution of exploits by type in 2020 H1
IoT Vulnerability Exploits
In 2020 H1, NSFOCUS’s threat hunting system captured 26,998,718 access request logs from 266,632 IP addresses. Of all these requests, 12.98% were malicious attacks launched by exploiting IoT vulnerabilities. In 49.62% of the access requests, we identified suspicious Linux command execution, WebShell scanning, HTTP proxy probing, and other behaviors.
As shown in the following figure, attacks on IoT vulnerabilities were on the rise as a whole.
Figure 2-3 Trend of the total count of attack source IP addresses
We analyzed IoT exploits and listed the most exploited vulnerabilities in the following table. Most vulnerabilities exploited by attackers had exploit scripts available in Exploit-DB. The most exploited vulnerabilities included the D-Link device vulnerability (CVE-2015-2051) and the MVPower DVR vulnerability (EDB No.: 41471).
Table 2-1 Top 10 Most exploited vulnerabilities
| Vulnerability | CVE or Exploit-DB ID | Quantity |
|---|---|---|
| D-Link Devices – HNAP SOAPAction-Header Command Execution (Metasploit) | cve-2015-2051 | 1,175,804 |
| MVPower DVR TV-7104HE 1.8.4 115215B9 – Shell Command Execution (Metasploit) | edb-41471 | 1,059,978 |
| Sony IP Camera Scan (possibly related to CVE-2018-3937/3938) | CVE-2018-3937 | 558,756 |
| AVTECH IP Camera / NVR / DVR Devices – Multiple Vulnerabilities | edb-40500 | 165,919 |
| Eir D1000 Wireless Router – WAN Side Remote Command Injection (CVE-2016-10372) | cve-2016-10372 | 74,845 |
| ZTE ZXV10 H108L Router with <= V1.0.01_WIND_A01 – RCE Root Exploit | | 42,034 |
| Realtek SDK – Miniigd UPnP SOAP Command Execution (Metasploit) CVE-2014-8361 | cve-2014-8361 | 25,071 |
| TVT NVMS 1000 – Directory Traversal | edb-48311 | 16,157 |
| Oracle WebLogic – wls-wsat Component Deserialization Remote Code Execution (Metasploit) | cve-2017-10271 | 9,167 |
Analysis of IoT Threat Attack Sources and Events
Analysis of the 266,632 source IP addresses in honeypot logs found that 159,679 IP addresses, which accounted for 59.89% of the total, performed exploits and other malicious actions. IP addresses associated with malicious actions were distributed across 201 countries and regions. China had the most malicious IP addresses, accounting for 23.6% of all malicious IP addresses.
Figure 2-4 Geographical distribution of source IP addresses in honeypot logs
We analyzed the attack events in the log data of NSFOCUS’s threat hunting system. Here, we counted all logs from one IP address in one day as one event and expressed event counts per active IP per day. Apart from a few attack spikes, the volume of IoT device scanning and probing was steady.
Figure 2-5 Trend of the quantity of all IP addresses accessing honeypots and those sending attack requests daily
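As an added example (not from the NSFOCUS report), the following Python shows how honeypot access logs can be classified against a few of the Table 2-1 vulnerabilities and then collapsed into the per-active-IP-per-day events described above; the log format, sample lines and signature rules are constructed assumptions, not the report's own detection logic.

```python
import re
from collections import Counter

# Constructed sample honeypot log lines (not NSFOCUS data); assumed format:
# date time source-IP "request line" [optional header or query text]
SAMPLE_LOGS = """\
2020-03-02 10:15:01 203.0.113.7 "POST /HNAP1/ HTTP/1.1" soapaction=http://purenetworks.com/HNAP1/GetDeviceSettings/`true`
2020-03-02 10:15:09 203.0.113.7 "GET /shell?cd+/tmp HTTP/1.1"
2020-03-02 11:40:22 198.51.100.23 "GET / HTTP/1.1"
2020-03-03 01:02:03 203.0.113.7 "GET /shell?cd+/tmp HTTP/1.1"
2020-03-03 04:00:00 192.0.2.9 "GET /../../../../windows/win.ini HTTP/1.1"
""".splitlines()
# Coarse, illustrative signatures for three Table 2-1 entries (assumption:
# production rules would be stricter); labels are the table's own IDs.
SIGNATURES = [
    ("cve-2015-2051", re.compile(r"soapaction=\S*GetDeviceSettings/\S*[`;|]", re.I)),  # D-Link HNAP header
    ("edb-41471", re.compile(r'^"GET /shell\?', re.I)),                              # MVPower DVR shell
    ("edb-48311", re.compile(r"\.\./|\.\.%2f", re.I)),                               # TVT NVMS traversal
]
LOG_RE = re.compile(r'^(\d{4}-\d{2}-\d{2}) \S+ (\S+) "([^"]*)"(?: (.*))?$')

def parse_line(line):
    # Returns None for malformed lines so one bad record does not abort a run.
    m = LOG_RE.match(line)
    if not m:
        return None
    day, ip, request, extra = m.groups()
    return {"day": day, "ip": ip, "request": request, "extra": extra or ""}

def classify(entry):
    # First matching signature wins; None means no known exploit pattern.
    text = f'"{entry["request"]}" {entry["extra"]}'
    for label, pattern in SIGNATURES:
        if pattern.search(text):
            return label
    return None

def summarize(lines):
    """Count hits per vulnerability and collapse logs into per-IP-per-day events."""
    per_vuln, events, all_ips, bad_ips = Counter(), set(), set(), set()
    for entry in filter(None, map(parse_line, lines)):
        all_ips.add(entry["ip"])
        events.add((entry["ip"], entry["day"]))  # one event per active IP per day
        label = classify(entry)
        if label:
            per_vuln[label] += 1
            bad_ips.add(entry["ip"])
    share = round(100 * len(bad_ips) / len(all_ips), 2) if all_ips else 0.0
    return {"per_vuln": dict(per_vuln), "events": len(events), "malicious_ips": len(bad_ips), "malicious_share": share}
```

Running `summarize(SAMPLE_LOGS)` on the constructed lines yields four events from three IPs, two of which (66.67%) sent requests matching a signature.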