More than 1 million internet of things (IoT) devices have been compromised and added to DDoS botnets created with the help of a malware family that goes by many names, including Gafgyt, Lizkebab, BASHLITE and Torlus.
According to research released by Level 3 in collaboration with Flashpoint, IoT gadgets represent a whopping 96% of the total number of Gafgyt bots involved in recent DDoS attacks.
“Groups like Lizard Squad and Poodle Corp are increasingly targeting IoT devices to build botnets to conduct DDoS attacks,” the researchers said in an analysis. “They use these botnets either for their own purposes, or to rent to individuals as booter or stressor services (i.e. DDoS-as-a-service).”
The researchers said that security camera DVRs, used to collect video from security cameras, are among the devices favored by bot herders, representing 95% of the enslaved gadgets. These devices often come configured with telnet and web interfaces enabled, allowing users to configure the devices and view their security footage over the internet.
“Unfortunately, many are left configured with default credentials, making them low-hanging fruit for bot herders,” Level 3 noted. “Most of these devices run some flavor of embedded Linux. When combined with the bandwidth required to stream video, they provide a potent class of DDoS bots.”
Each botnet spreads to new hosts by scanning for vulnerable devices in order to install the malware. Two primary models for scanning exist. The first instructs bots to port scan for telnet servers and attempts to brute force the username and password to gain access to the device. The other model, which is becoming increasingly common according to Level 3, uses external scanners to find and harvest new bots, in some cases scanning from the C2 servers themselves.
To boost security in IoT devices, the general advice for consumers and businesses is to immediately change the default credentials and put them on private networks, accessible via VPNs, or behind a firewall.
“We view changing default credentials, using encryption, locking down networks with firewalls, etc. as basic security hygiene,” said Lane Thames, security research and software development engineer at Tripwire, via email. “However, the bulk of the IoT market consists of non-technical consumers who, at this time, have very little (if any at all) knowledge of how to make these security-conscious changes. This is a ‘technology’ component of security where it is up to the manufacturers to build more secure devices.”
For example, no one should be shipping devices with default credentials, and device manufacturers should be considering new methods to replace this practice.
He added, “The ‘human’ component of security must also be addressed in the long run. We will never have a society where everyone is a cybersecurity specialist. However, our current educational ecosystem is failing us on the cybersecurity front. As a society, we must start integrating the basics of cybersecurity knowledge within our education systems. Even if we could solve the technology component of cybersecurity, our efforts would be in vain without addressing the human component as well.”
Photo © BeeBright