Page 1: IoT: New Threat Horizons - RISK conference · 2019-11-28

IoT: New Threat Horizons
Carl Herberger
Global VP Security Solutions

Copyright © 2018 Radware. All rights reserved.

Page 2

IoT Has Changed The Threat Landscape

Here’s how…

• Unsophisticated droppers
• Factory default credentials
• Backdoors
• Disclosed vulnerabilities
• 0-days

Page 3

IoT Mean Time Between Compromise

• Aug 24th, 2017 - SANS Technology Institute: 2 minutes
• Nov 30th, 2016 – Rob Graham @ErrataRob: 98 seconds

< 2 minutes

Page 4

IoT Botnets – The Ultimate Weaponry

• Not directly associated with the attacker
• Automated
• Geographically distributed
• Ultimately disposable
• Flexible
• Wide range of nefarious activities
• Growing in size
• Larger botnets and smarter devices = more sophisticated attacks

[Chart: botnet size per event, axis 0 to 1,000,000 devices. CCTV Botnet attack (Jun-16): 25,000; Dyn attack (Oct-16): 100,000; Jabber campaign: DDoS-for-hire offer (Nov-16): 400,000; Failed DT takeover attempt (EoNov-16): 900,000]

Page 5

IoT-Based Botnets

• IoT is the birthplace for new types of bots and malware.
• Unsophisticated, yet very efficient and lethal.

Mirai, Hajime, IoT_Reaper/IoTroop/Satori, BrickerBot, JenX, Bashlite, Linux.Aidra, RouterBotnet

Page 6

Mirai Retrospective

• Sept 20, 2016 – 620 Gbps attack: GRE in payload, no amplification, no reflection
• Sept 21, 2016 – ~1 Tbps in volume: SYN and ACK floods, over 140,000 unique IPs
• Sept 30, 2016 – Mirai source code released on Hackforums.com by Anna-Senpai
• Oct 21, 2016 – DNS Water Torture attack with other vectors; some comprised of Mirai, 100k end-points reported
• Nov 27, 2016 – DT router takeover attempt: Mirai w/ TR-064 exploit, 900,000 consumers’ internet connections affected
• Dec, 2017 – Mirai authors Paras Jha & Josiah White (ProTraf Solutions LLC) plead guilty

Page 7

Timeline (2012–2018)

2012
• Aidra

2014
• Bashlite
• TheMoon
• MrBlack

2015
• Moose

2016
• 08/2016 Mirai
• 08/2016 Rakos
• 09/20 Krebs
• 09/21 OVH
• 09/30 Mirai source leaked
• 10/19 Hajime
• 10/21 DYN
• 10/29 IRCTelnet (new Aidra)
• 11/23 400k+ Mirai botnet for rent by ‘BestBuy’
• 11/27 DT, TalkTalk, Post Office UK – TR069 Exploit
• 12/21 Leet botnet: 650Gbps/150Mpps DDoS attack

2017
• 01/30 Linux.Proxy.10
• 02/22 Mirai turns to Windows
• 02/22 ‘BestBuy’ arrested in UK
• 03/13 Imeij
• 04/07 Amnesia
• 04/10 BrickerBot
• 05/09 Persirai
• 08/30 WireX
• 09/14 RouteX
• 09/26 Linux.ProxyM
• 10/23 Reaper
• 11/23 Satori
• 12/13 Mirai authors plead guilty

2018
• 01/17 Satori continues
• 01/25 Masuta
• 02/03 ADB.miner
• 02/08 JenX
• 02/15 DoubleDoor
• 02/21 OMG

Page 8

Factory Default Credentials

Page 9

The Cast

• Mirai: “The Weapon”
• Hajime: “The Good Bot?!”
• Reaper: “The Evolution”
• BrickerBot: “The Exterminator”
• The Janit0r: “BrickerBot author”

Page 10

Mirai: The Weapon

Page 11

Hajime: Friend or Foe?

• Allegedly a vigilante protecting devices from Mirai
• Discovered by Rapidity Networks
• 300K devices; no attack to date
• Removes previous malware and “immunes” the device against infections
• Keeps a back door / communication channel (also for software updates)
• Uses brute force to infect
• Propagates via BitTorrent
• Most sophisticated

Page 12

IoT_Reaper/IoTroop, Satori: The Evolution

• Reaper exploits 9 known vulnerabilities in consumer-grade devices
• Uses HTTP-based exploits, rather than telnet brute force
• Appear to be Mirai variants with some similarities
• Distributed scanning
• Central loader
• Bots themselves don’t infect
• Virustotal.com detects it as Mirai
• Satori leverages a vulnerability in Huawei HG532 routers

Page 13

BrickerBot

Janit0r’s “Internet Chemotherapy” Project

Page 14

PDoS: Permanent Denial of Service

A DoS attack that damages a system so badly that it requires replacement or reinstallation of hardware or software.

• (D)DoS – victim resumes normal service after the attack finishes
• PDoS – leaves the victim in a nonfunctioning state after the attack, requiring intervention to restore operations

Page 15

BrickerBot

• First autonomous PDoS botnet
• Prevents devices from taking part in botnets by destroying them
• Remote execution of a destructive sequence
• No malware loaded on the victim
• Limited # of bots in a “sensor network”
• Does not attack unless provoked

Page 16

[Graphic labelled “VS IoT”; stage labels:]

a) Cam unreachable from WAN, can still ping on LAN
b) Unreachable, also from LAN; factory reset button useless
c) No serial/USB/removable media to restore firmware; back to manufacturer or recycler

Page 17

“It’s time for me to move on.”
-Janit0r

Page 18

How You Can Protect Your Devices

• Protecting against known IoT threats such as Mirai, Hajime, and BrickerBot
  • Block telnet access
  • Whitelist access to necessary management protocols (TR-064/TR-069, etc.)
  • Change factory default credentials for CLI access
  • Check and upgrade firmware often
• When you are infected
  • To clean your device from infection: REBOOT
  • But… without additional measures, your devices will be re-infected within minutes
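As an added example (not from the slides), the "block telnet" and "whitelist management protocols" advice turned into detection logic: a small Python checker reads constructed netfilter LOG lines and flags sources that repeatedly probe telnet (23/2323, the ports Mirai-style bots brute-force) or reach the CWMP/TR-069 port 7547 from outside an assumed ACS allow-list. The port numbers, the allow-list address and the log lines are assumptions of this example.

```python
"""Added example (not from the slides): flag Mirai-style telnet probing and
unexpected TR-069/CWMP access in netfilter LOG lines. Ports and the ACS
allow-list are assumptions of this example."""
import re
from collections import Counter, defaultdict

# 23/2323: telnet ports brute-forced by Mirai-style bots;
# 7547: CWMP (TR-069) port abused in the Nov 2016 DT router takeover attempt.
WATCHED_PORTS = {23: "telnet", 2323: "telnet-alt", 7547: "cwmp/tr-069"}
# Hypothetical allow-list: the ISP's ACS is the only host that may reach 7547.
ALLOWED_ACS = {"203.0.113.10"}
LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?DPT=(?P<dpt>\d+)")

# Constructed sample lines in the kernel's netfilter LOG format.
SAMPLE_LOG = [
    "kernel: [FW-IN] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=41234 DPT=23 SYN",
    "kernel: [FW-IN] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=41235 DPT=2323 SYN",
    "kernel: [FW-IN] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=41236 DPT=23 SYN",
    "kernel: [FW-IN] IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.1 PROTO=TCP SPT=50000 DPT=7547 SYN",
    "kernel: [FW-IN] IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.1 PROTO=TCP SPT=50001 DPT=7547 SYN",
    "kernel: [FW-IN] IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.1 PROTO=TCP SPT=50002 DPT=443 SYN",
]

def parse(line):
    """Return (src_ip, dst_port) from a netfilter LOG line, or None."""
    m = LOG_RE.search(line)
    return (m.group("src"), int(m.group("dpt"))) if m else None

def analyse(lines, threshold=3):
    """Map offending source IP -> reason: a non-ACS host reaching the CWMP
    port, or a host probing telnet ports at least `threshold` times."""
    hits = defaultdict(Counter)
    for line in lines:
        parsed = parse(line)
        if parsed and parsed[1] in WATCHED_PORTS:
            hits[parsed[0]][parsed[1]] += 1
    alerts = {}
    for src, ports in hits.items():
        # Counter returns 0 for ports never seen from this source.
        if ports[7547] and src not in ALLOWED_ACS:
            alerts[src] = "unexpected CWMP/TR-069 access"
        elif ports[23] + ports[2323] >= threshold:
            alerts[src] = "telnet scan/brute-force pattern"
    return alerts

if __name__ == "__main__":
    for src, reason in analyse(SAMPLE_LOG).items():
        print(f"{src}: {reason}")
```

Run against a real firewall log, a hit on 23/2323 from many distinct sources within minutes is the "re-infected within minutes" situation the slide warns about, and it is the reason a reboot alone is not a fix.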

Page 19

Thank You

radware.com
blog.radware.com
@ronwinward