Thingbots Set to Underpin the Darknet of the Future

As Mirai has shown, IoT devices are becoming the cyberweapon delivery system of choice for today’s botnet-building attackers. These botnets, or “thingbots,” will become the infrastructure for a future darknet.

That’s the assessment of F5, which has tracked escalating activity on the thingbot front.

“There are literally billions of [IoT devices] in the world, most of which are readily accessible (via Telnet) and easily hacked (due to lack of security controls),” the firm said in a report on the subject. “Why would attackers rent expensive resources in hosting environments to build their botnets when so many devices are free for the taking?”

Based on analysis of data collected between January 1 and June 30, 2017, Telnet attack activity grew 280% from the previous period, which included massive growth due to the Mirai malware and subsequent attacks. Unfortunately, Mirai (and its kindred botnet, Persirai) looks to be the tip of the proverbial iceberg.

“The level of attacking activity [is exponentially larger than what it took to build Mirai],” the report noted. “[It] doesn’t equate to the current size of Mirai or Persirai, indicating there are other thingbots being built that we don’t yet know about. Since there haven’t been any massive attacks post Mirai, it’s likely these thingbots are just ready and waiting to unleash their next round of attacks.”

About 93% of this period’s attacks occurred in January and February, while activity significantly declined in March through June. F5 speculated that this could mean that the attacker “recon” phase has ended and that the “build-only” phase has begun. Or, it could just be that attackers were momentarily distracted (enticed) by the Shadow Brokers’ release of EternalBlue.

The top attacking country in this reporting period was Spain, launching 83% of all attacks (the top 10 attacking IP addresses all came from one hosting provider network there: SoloGigabit). Meanwhile, activity from China, the top attacking country from the prior two periods, dropped off significantly, contributing less than 1% to the total attack volume.

The top 50 attacking IP addresses resolve to ISP/telecom companies and hosting providers. While there were more ISPs and telecom IP addresses on the top 50 list, when looking at volume of attacks by industry, the overwhelming number came from hosting providers.

The report also found that although IoT devices are known for launching DDoS attacks, they’re also being used in vigilante thingbots that take out vulnerable IoT infrastructure before it can be used in attacks, and to host banking trojan infrastructure. IoT devices have also been subject to hacktivism attacks, and are the target of nation-state cyber-warfare attacks.

“As we see in this report with Persirai, attackers are now building thingbots based on specific disclosed vulnerabilities rather than having to launch a large recon scan followed by brute-forcing credentials,” the report found.
