A new strain of the ever-persistent Mirai botnet has begun to focus on TVs, digital signage and projectors according to recently released Palo Alto research.
Israel Barak, CISO at Cybereason:
“Millions of inexpensive interconnected devices, such as cameras, routers, printers, TVs, baby monitors, refrigerators, and so on, have flooded the market with public IP addresses are found very quickly by botnets. Most have no patches, have known vulnerabilities and typically are using default passwords. Within an organization who is watching the shop and monitoring the printers and TV monitors that are all connected to the Internet? The answer is likely no one in most enterprises.
Botnets have evolved through 3 generations and today’s versions are likely to be as effective as ever clogging Internet traffic causing potential outages and gridlock across the web.
First generation botnets were designed to facilitate a single business use case. As an example, cryptomining, distribution of spam, denial of service attacks are still as popular as ever. With click fraud or advertisement fraud, the adversary realized they can host ads on their own websites, and if they drive traffic to the website they can make money. If someone drive clicks on the ads they can make even more money.
Criminals got the idea that they could build botnets, go to websites controlled by the criminals on sites that are being operated by criminals and can collect money as if they were being clicked on by humans, when in fact the botnets are generating the clicks.
Second generation botnets offer services and are sold to third parties with the goal of monetizing the computing resources they control. A prime example would be distributed denial of service (DDOS) attacks. As an example, Company X would try to extort Company Y out of something. Company X doesn’t necessarily have the access to the resources, so they will pay a botnet operator that has access to 5,000, 10,000, or 20,000 machines that are fully operational and they run a program to access websites.
Third generation botnets bring a more specialized approach to using the computers under their control. The botnet operator collects access to thousands of machines and then sells access to those machines. These operators typically operate in online marketplaces such as xDedic and others offer access to the networks of enterprises in a variety of industries such as government, retail, and financial services. The machines that fetch the highest prices are the ones connected to relevant networks, ie, Fortune 500 companies, etc. The botnet operators sell the access to individual’s looking to launch attacks against these targeted companies.
These botnets are not necessarily sophisticated. They take over machines that don’t have tight security. There is no way of hiding from these botnets. If you have an IP address that is online, and security is an afterthought, your company is a target. This cascading effect can all take place in a matter of 1-2 days. The moment you put a vulnerable asset online, its only a matter of time before you are victimized.
To improve security within an enterprises there are a number of practical steps that can be taken to improve security and minimize risk:
- Devices in the office that can’t be monitored 24 x 7 need to be segmented and quarantinedfrom the rest of the network. Access should be restricted and only those with valid, known, filtered network protocols should have access.
- Restricting external access. Segmenting from the internet, do not allow the devices to have publicly available IP addresses. Constantly scan your network from the outside to make sure your assets aren’t exposed to the Internet. Segment, segment, segment.
- Shop for IoT devices from vendors that take security seriously. Work with vendors that has a clear security policy and procedure on securing their devices.”
Lane Thames, Senior Security Researcher at Tripwire:
“This evolution of IoT based botnets targeting the enterprise makes sense. Enterprises are rapidly adopting IoT technologies, such as the WePresent system and the LG Supersign TV, and vulnerable IoT devices within enterprise networks increases attacker motivation due to more lucrative financial returns via extortion, intellectual property theft and such.
Hidden deeper in these reports, however, is something much scarier to me, and it is the fact that we in the computing (digital) industry still have a long way to go in terms of maturing our secure development practices. Particularly, the two vulnerabilities affecting WePresent and the Supersign TV are trivial to exploit, but, more concerning, is that they are trivial to prevent. These two vulnerabilities are a classic case of a web application not sanitizing user input (input that a user/attacker can control when interacting with the web application). These two vulnerabilities are very basic and easily addressed with modern development frameworks. Further, organizations developing web-based products should have mechanisms in place to catch such low hanging “fruit” as this during their development and QA processes. Don’t get me wrong, developing secure software is hard, and there is no such thing as perfect security. But, we should have graduated beyond this level of trivialness by now.
Unfortunately, cyber defenders are fighting an uphill battle, and scale is one of our biggest challenges. Countless systems are being developed and rushed to market and this is coupled with a growing talent pool of developers and engineers that have not been trained in any way around cybersecurity along with businesses that don’t understand the need for secure product development. Mirai and likely many other types of IoT based botnets are here to stay for a very long time.”