Cybersecurity Insights-13



Distribution of IoT-based Family Samples

We analyzed IoT-based malicious family samples captured by NSFOCUS threat hunting systems (see Figure 7-1), those captured by NSFOCUS Threat Intelligence (NTI) and those captured by VirusTotal (see Figure 7-2). Although the two figures draw on different data sources, both show Gafgyt and Mirai in the first two places on the top list. IoT-based malware families therefore tend to behave in a similar way. This is likely because the source code of the Gafgyt and Mirai families has been published on the internet and can be modified at will. Their variants mainly change the C&C address and the attack method, which is what script kiddies always do. Arguably, most attackers are tool users with little technical expertise.


The analysis of captured data shows that IoT-based botnets function as centralized, managed services. Most attackers can now simply rent DDoS services to launch attacks, without needing to build botnets on their own. Furthermore, malware developers continue to update their infection code with new exploitation methods, in a bid to compromise more botnet hosts and launch larger bandwidth attacks.

IoT-based Cryptomining

In April 2018, 200,000 MikroTik routers were hit by malicious attacks and compromised into participating in bot activity.

By October 2018, Coinhive had controlled over 26,000 IoT devices, most of which were MikroTik routers distributed in Brazil. IoT devices are difficult to upgrade and fix, which is one of the greatest challenges to overcome in securing the IoT.


As the captured data show, the number of these IoT devices decreased compared with April 2018, but they still remain dangerous.

Analysis of the distribution of controlled IoT devices by type and vendor.


We found that over 90% of the IoT devices controlled by the Coinhive family were routers, 96% of which were MikroTik routers. See Figure 7-3.


As of April 2018, Brazil was home to the most MikroTik routers controlled by the Coinhive family. The vulnerability was discovered in March 2018, and by April massive cryptomining activities were seen throughout the country. By October, Coinhive still controlled a great number of IoT devices, which indicates that the devices had not been patched. Typical users both lack security awareness in general and know little about IoT devices in particular. Compounding the problem, IoT vendors fail to provide automatic or other update mechanisms that would ensure proactive security.

To be continued.
