Annual IoT Security Report 2019-17

January 22, 2021 | Adeline Zhang
IoT botnets

Malicious Behaviors Targeting UPnP Vulnerabilities

We captured four kinds of UPnP exploits, as shown in Table 4-7. Apparently, all the exploits targeted remote command execution vulnerabilities. We also found that when a vulnerability is found on a specific port, attackers usually hit that port directly, skipping the UPnP discovery phase.

After deduplicating the source IP addresses recorded in the UPnP logs, we found that about 29.6% of IP addresses exploited UPnP vulnerabilities. We also analyzed the global distribution of source IP addresses and discovered that China was home to the most attack sources, as shown in Figure 4-16. Our further analysis revealed that 90% of attacks in China were sourced from Taiwan, and that the Chinese Mainland had attack sources of the same order of magnitude as Russia and the USA. According to the distribution of IPv4 assets in China in 2019 shown in Figure 2-2, we infer that Taiwan had the most IoT assets exposed on the Internet and that malware spread widely among these devices, further expanding the botnet consisting of compromised devices. Because devices were exposed in such large quantities, we could naturally capture a greater number of attack sources.
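The two measurements described above (the share of deduplicated sources that sent exploits, and sources that hit a port directly without a discovery request) can be computed from sensor logs as follows. This is an added example, not code from the report: the event format, the `exploit_match` label, the TCP ports and the addresses are constructed assumptions.

```python
from collections import Counter

SSDP_PORT = 1900  # UDP port used for UPnP discovery (SSDP M-SEARCH)

# Constructed sensor events in chronological order; field names, ports and
# the "exploit_match" label (sensor signature hit) are assumptions.
EVENTS = [
    {"src": "192.0.2.10", "proto": "udp", "dport": 1900, "kind": "ssdp_msearch"},
    {"src": "192.0.2.10", "proto": "tcp", "dport": 49152, "kind": "http_get"},
    {"src": "192.0.2.10", "proto": "tcp", "dport": 49152, "kind": "exploit_match"},
    {"src": "198.51.100.7", "proto": "tcp", "dport": 49152, "kind": "exploit_match"},
    {"src": "198.51.100.7", "proto": "tcp", "dport": 49152, "kind": "exploit_match"},
    {"src": "203.0.113.5", "proto": "udp", "dport": 1900, "kind": "ssdp_msearch"},
    {"src": "203.0.113.9", "proto": "tcp", "dport": 5431, "kind": "exploit_match"},
    {"src": "203.0.113.9", "proto": "udp", "dport": 1900, "kind": "ssdp_msearch"},
    {"src": "203.0.113.20", "proto": "udp", "dport": 1900, "kind": "ssdp_msearch"},
]


def summarize(events):
    """Deduplicate sources and flag exploit attempts made without prior discovery."""
    all_sources, discovered, exploiters = set(), set(), set()
    direct_hits = set()  # (source, port) pairs hit before any discovery request
    for ev in events:
        src = ev["src"]
        all_sources.add(src)
        is_discovery = (ev["kind"] == "ssdp_msearch" and ev["proto"] == "udp"
                        and ev["dport"] == SSDP_PORT)
        if is_discovery:
            discovered.add(src)
        elif ev["kind"] == "exploit_match":
            exploiters.add(src)
            if src not in discovered:
                direct_hits.add((src, ev["dport"]))
    share = len(exploiters) / len(all_sources) if all_sources else 0.0
    return {
        "unique_sources": len(all_sources),
        "exploit_sources": len(exploiters),
        "exploit_share": round(share, 3),
        "skipped_discovery": sorted({s for s, _ in direct_hits}),
        "direct_ports": dict(Counter(port for _, port in direct_hits)),
    }


if __name__ == "__main__":
    print(summarize(EVENTS))
```

A source that sends a discovery request only after its first exploit attempt (203.0.113.9 in the sample) is still counted as having skipped discovery, which is why event order matters.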

We analyzed the distribution of source IP addresses in China in terms of the asset type. Consulting NSFOCUS NTI for open ports and device type markings of these IP assets, we could classify devices of known types. Besides cameras, network video recorders (NVRs), and routers identified through their models, IP assets that meet either of the following conditions were also categorized as IoT devices:

  • Opening UPnP or WS-Discovery service
  • Found to run Dropbear, lighttpd, or mini_httpd service

Figure 4-17 shows the distribution of IoT devices that were classified according to the above conditions. In China, 76.6% of source IP addresses were used by IoT devices, of which 21.3% were cameras and NVRs and 7.3% were routers. Arguably, IoT devices serve as both attack sources and targets, which corroborates our speculation that attackers, while targeting these IoT devices, use them as springboards for attacks against other devices as well as for malware propagation.
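The classification rule above, written out as an added example (not code from the report, and not the NSFOCUS NTI data format): the asset record fields, banner strings and addresses are constructed assumptions.

```python
from collections import Counter

IOT_SERVICES = {"upnp", "ws-discovery"}                # open-service condition
IOT_SOFTWARE = ("dropbear", "lighttpd", "mini_httpd")  # running-service condition

# Constructed asset records: a device type marking (None if unknown), the
# services seen on open ports, and raw banners.
ASSETS = [
    {"ip": "192.0.2.1", "device_type": "camera", "services": ["rtsp"], "banners": []},
    {"ip": "192.0.2.2", "device_type": None, "services": ["upnp"], "banners": []},
    {"ip": "192.0.2.3", "device_type": None, "services": ["ssh"],
     "banners": ["SSH-2.0-dropbear_2017.75"]},
    {"ip": "192.0.2.4", "device_type": None, "services": ["http"],
     "banners": ["Server: nginx"]},
    {"ip": "192.0.2.5", "device_type": "router", "services": ["http"],
     "banners": ["Server: mini_httpd/1.19"]},
    {"ip": "192.0.2.6", "device_type": "NVR", "services": ["http"], "banners": []},
    {"ip": "192.0.2.7", "device_type": None, "services": ["WS-Discovery"], "banners": []},
    {"ip": "192.0.2.8", "device_type": None, "services": ["http"],
     "banners": ["Server: Apache"]},
]


def classify(asset):
    """Return camera_nvr, router, other_iot or unclassified for one asset."""
    dtype = (asset.get("device_type") or "").lower()
    if dtype in ("camera", "nvr"):      # identified through the device model
        return "camera_nvr"
    if dtype == "router":
        return "router"
    services = {s.lower() for s in asset.get("services", [])}
    banners = " ".join(asset.get("banners", [])).lower()
    if services & IOT_SERVICES or any(name in banners for name in IOT_SOFTWARE):
        return "other_iot"              # meets either listed condition
    return "unclassified"


def distribution(assets):
    """Percentage of assets per category, rounded to one decimal place."""
    counts = Counter(classify(a) for a in assets)
    return {cat: round(100 * n / len(assets), 1) for cat, n in counts.items()}


def iot_share(assets):
    """Percentage of assets that fall into any IoT category."""
    dist = distribution(assets)
    return round(sum(v for cat, v in dist.items() if cat != "unclassified"), 1)
```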

By reference to captured attack logs, related vulnerabilities, and asset data, we analyzed the global distribution of potentially affected UPnP devices. By associating asset data with the vendor information, SDK information, and target ports that are involved in UPnP exploits, we conclude that UPnP exploits potentially target the following types of device:

  • Huawei devices of certain models that use specific UPnP SDKs
  • Devices using Realtek UPnP SDK
  • D-Link devices of certain models that use specific UPnP SDKs


This chapter first anatomizes threats against Telnet. Overall, the number of attackers exploiting Telnet increased month by month in the first half of 2019, peaking in August and declining in the remaining months.

Attackers were widely distributed around the globe and mostly found in China and the USA. Our analysis of the weak passwords used by attackers reveals that attackers built botnets with routers and video surveillance devices compromised via Telnet brute-forcing. This attack method is the same as that of Mirai's original malicious code. In view of this, we conclude that attackers still mainly target IoT devices with the Telnet service publicly available.

Since being disclosed by Baidu security researchers in February 2019, WS-Discovery reflection attacks have steadily grown in number, especially in the latter half of the year. Since mid-August, WS-Discovery reflection attacks captured by our threat hunting system have been on the rise.

Worse still, a sharp increase in such attacks was observed in September. All parties concerned, including security vendors, service providers, and telecom operators, should pay due attention to this type of threat. WS-Discovery attacks and other new kinds of attacks that achieve malicious purposes by relying on IoT devices will emerge constantly as the number of IoT devices increases. Therefore, we should attach great importance to those IoT assets that are not given enough emphasis even though they are exposed in large quantities.

The number of UPnP services exposed was 22% less than last year, but remained at around 2 million. Geographically, the biggest drop in UPnP exposure was observed in Russia, which saw a decrease of 84% over the previous year. Therefore, we guess that related Russian authorities have stepped up UPnP governance. To some extent, this also demonstrates that IoT threat handling is moving from just monitoring towards governance.

However, governance at this level cannot address the root causes of security issues. Ideally, related authorities and vendors should join hands to promote the security hardening of UPnP-related SDKs, urge related vendors to release patches that fix security issues in their products, and add UPnP-related security assessment as an IoT security assessment indicator so as to eliminate known security risks in new products. Besides, security protection can be implemented by introducing the security protection mechanism for IoT devices described in Chapter 5, "Security Protection Mechanism for IoT Devices".

To be continued.