Introduction

IoT devices are faced with a great security challenge and their security appears particularly important. On one hand, though IoT devices have had a long existence, legacy IoT devices and their application protocols contain a variety of vulnerabilities due to the ill-conceived security design. On the other hand, as noted in the analysis of IoT security events, asset exposure, and IoT threats, cybercriminals have begun to leverage vulnerabilities and weaknesses in IoT devices to impose severe threats on individuals, enterprises, and even countries. In response to the grave security situation, we put forward an IoT security protection approach with the focus on device protection to improve the security of the entire IoT.

Malicious Behaviors Targeting UPnP Vulnerabilities

We captured four kinds of UPnP exploits 1, as shown in Table 4-7. Apparently, all the exploits targeted remote command execution vulnerabilities. Besides, we found that when a vulnerability is found on a specific port, attackers usually directly hit this port by skipping the UPnP discovery phase.

The following sections analyze threats from the port mapping service based on UPnP port mapping tables collected from network-wide devices.

Overview

In the 2018 Annual IoT Security Report , we focused our attention on four types of malicious port mappings that had the most distinctive characteristics and the most extensive impact. Of the four major malicious types, EternalSilence, IntraScan, and NodeDoS were mainly used for intranet intrusions, while MoniProxy acted as a proxy for access to the Internet. In 2019, we also turned our eyes to other malicious port mapping types to get a whole picture of devices infected with malicious port mappings.

In the 2018 Annual IoT Security Report, we analyzed threats against UPnP and you can refer to the report for basics of UPnP. In this report, we updated UPnP-related data and added new findings.

Viewpoint 6: Approximately 2.28 million IoT devices around the world had the UPnP/SSDP service (port 1900) publicly accessible and therefore were vulnerable to DDoS attacks. The year of 2019 saw a reduction of about 22% in such IoT devices, compared with last year. The UPnP port mapping service, exposed on about 390,000 IoT devices, is likely to be misused as a proxy or render intranet services accessible on the extranet.

Introduction

This chapter analyzes IoT threats from the perspective of protocols. According to the data from NSFOCUS’s threat hunting system, Telnet services (port 23) were targeted most frequently1. Therefore, we first analyze the attacks launched via Telnet. WS-Discovery reflection attacks are a new type of DDoS reflection attacks emerging in 2019 and will be described in section 4.3 WS-Discovery. In the 2018 Annual IoT Security Report, we analyzed UPnP-based reflection attacks. In this document, we update related data and add some new findings.

In this section, we analyze threat trends related to Netis routers according to the data captured by NSFOCUS’s threat hunting system. Our data is based on log messages generated from May 21 to October 30, 2019. The following subsections analyze these log messages from the aspects of attack sources, attack incidents, and samples.

• Attack Sources

Upon deduplication of source IP addresses indicated in honeypot logs, we found 348 IP addresses attempting to connect to the honeypot, 229 of which were used for exploits of the backdoor. As shown in Figure 3-10, most IP addresses (51%) used for vulnerability-based attacks were distributed in the USA.

In this section, we analyze two vulnerabilities, namely, the CVE-2016-10372 vulnerability32 in the Eir D1000 router and the backdoor vulnerability in Netis routers. Except UPnP-related vulnerabilities described in section 4.4.3 Malicious Behaviors Targeting UPnP Vulnerabilities, the CVE-2016-10372
vulnerability was exploited most frequently. The backdoor vulnerability in Netis routers exerted a severe impact when it was initially disclosed.

IoT Exploits

Viewpoint 3: Over 30 types of IoT exploits were captured, most of which targeted remote command execution vulnerabilities. Though hundreds of to thousands of IoT vulnerabilities were unveiled each year, only a few can exert an extensive impact. Attackers were keen on targeting devices (routers and video surveillance devices) exposed in large quantities, so as to broaden their influence.

Based on the logs generated by NSFOCUS’s threat hunting system from May 6 to November 6, 2019, we made an analysis of global IoT exploits.

Over 30 types of IoT exploits were captured, most of which targeted remote command execution vulnerabilities. Obviously, from the perspective of global IoT threats, though hundreds of to thousands of IoT vulnerabilities were unveiled each year, only a few can exert an extensive impact. We counted all logs generated one day for the same source IP address as one attack event. Upon deduplication of attack IP addresses, we got top 10 most frequently exploited IoT vulnerabilities listed in descending order of the number of exploitations in Table 3-1. It can be seen that attackers’ exploits mainly targeted routers and video surveillance devices, which fits in with the fact that routers and video surveillance devices were major IoT devices exposed on the Internet. Evidently, attackers hit devices exposed in large quantity to expand the scope of impact. The PoC of most of these vulnerabilities can be found in the Exploit-DB and those beyond this database existed in GitHub. These publicly available PoCs have substantially reduced attackers’ cost of crafting attack payloads.