EDITOR’S QUESTION
BRYAN HAMMAN, TERRITORY MANAGER FOR SUB-SAHARAN AFRICA AT NETSCOUT ARBOR
New research from Arbor’s Security Engineering & Response Team (ASERT) reveals that while IoT device makers are starting to develop more secure devices, IoT botnet authors are turning their attention to exploiting the existing vulnerabilities in older devices.

A major problem is that the time taken for an attack to occur is frighteningly short. Previous research shows that it can take just a few minutes from the time a device is switched on and connected to the Internet before it is being scanned and subjected to attempted brute-force logins.
The report noted that existing IoT vulnerabilities were being used to deliver malware, which is then often conscripted into a DDoS army. And as the 2016 Mirai DDoS attacks showed, a large IoT botnet can create havoc.

One of the reasons this works for botnet authors is the glacial pace at which IoT devices – often referred to as ‘set and forget’ devices – receive security patches.

It seems that older vulnerabilities are effectively a gift that keeps on giving. As soon as a vulnerability is made public, botnet authors integrate it into their botnet and use this, along with their standard brute-force tactic, to quickly build what could be the next potentially lethal DDoS army.
The research clearly indicated that the use of existing and known IoT-based vulnerabilities has made it far easier for botnet authors to increase the number of devices within their botnets.

Even if the device delivered by the manufacturer has been secured against all known vulnerabilities, the device is likely to sit on the reseller’s shelf for a while before it is sold, switched on and connected. By that time, a whole host of additional vulnerabilities, against which the device has not been secured, have emerged. The device is thus vulnerable to attack until its software is updated.
www.intelligentcio.com
Many botnet authors make a point of seeking to exploit vulnerabilities that are specific to IoT devices. An example is the infamous Mirai malware, which emerged in late 2016 but is still going strong, with numerous Mirai variants also having emerged since then. This is largely because of Mirai’s success in exploiting mundane factory-installed usernames and passwords.

In his recent NETSCOUT Arbor blog, Matthew Bing, who reverse-engineers malware and maintains NETSCOUT Arbor’s honeypot operations, listed the most popular username and password combos used by malware authors. These included such obvious ones as ‘admin/admin’ and ‘guest/12345’. NETSCOUT Arbor has identified 2,070 unique username and password combos that are commonly used by botnet authors as part of their attack arsenal.
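The defender’s side of the honeypot observation above, as an added illustration that is not NETSCOUT/ASERT code: a small analyser that reads constructed honeypot login-attempt lines, flags attempts that use known factory-default combos, measures how long after the device went online the first such attempt arrived, and singles out any source that actually succeeded with a default combo. The log format, the exposure timestamp and the placeholder credential entry are assumptions; the only real combos listed are the two named in the article.

```python
"""Flag default-credential login attempts in an IoT honeypot log.

Added illustration, not NETSCOUT/ASERT code. The log format, the
exposure timestamp and the placeholder combo are assumptions.
"""
from collections import Counter
from datetime import datetime

# Factory-default combos to watch for: the article names the first two,
# the third is a placeholder for the rest of the 2,070 observed combos.
DEFAULT_CREDS = {("admin", "admin"), ("guest", "12345"),
                 ("PLACEHOLDER_USER", "PLACEHOLDER_PASS")}

# Assumed moment the device was switched on and exposed to the Internet.
EXPOSED_AT = datetime(2018, 11, 1, 9, 58, 0)

# Constructed sample lines: "<ISO time> <src ip> login <user>:<pass> <result>"
SAMPLE_LOG = """\
2018-11-01T10:00:00 203.0.113.5 login admin:admin FAIL
2018-11-01T10:00:03 203.0.113.5 login guest:12345 FAIL
2018-11-01T10:00:07 198.51.100.9 login admin:admin FAIL
2018-11-01T10:04:30 192.0.2.44 login operator:Xy9!kQ FAIL
2018-11-01T10:05:12 198.51.100.9 login guest:12345 OK
"""

def parse_line(line):
    """Return (timestamp, src, user, password, result) for one log line."""
    ts, src, _, cred, result = line.split()
    user, password = cred.split(":", 1)
    return datetime.fromisoformat(ts), src, user, password, result

def analyse(log, exposed_at):
    """Summarise default-credential attempts seen after the device went online.
    Returns seconds until the first default-cred attempt, per-combo counts,
    sources that tried one, and sources that succeeded (the page-worthy case).
    """
    counts, sources, compromised, first_hit = Counter(), set(), set(), None
    for line in log.strip().splitlines():
        ts, src, user, pw, result = parse_line(line)
        if (user, pw) not in DEFAULT_CREDS:
            continue  # ignore attempts that do not use a known default combo
        counts[(user, pw)] += 1
        sources.add(src)
        first_hit = first_hit or ts  # lines are in time order, so this is the earliest
        if result == "OK":
            compromised.add(src)
    delay = None if first_hit is None else (first_hit - exposed_at).total_seconds()
    return {"seconds_to_first_default_attempt": delay, "combo_counts": dict(counts),
            "sources": sorted(sources), "compromised_by": sorted(compromised)}
```

On the constructed sample the first default-combo attempt lands two minutes after exposure, and one source ends up in `compromised_by`, which is the alert a device owner would want before the box is conscripted.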
Arbor’s report notes that Mirai-related attacks are no longer directed only at IoT devices, as shown by the onslaught against Hadoop YARN described in ‘Mirai: Not just for IoT anymore’. While the Hadoop YARN attack is a relatively new phenomenon, NETSCOUT Arbor also identified a new and extremely worrying trend of attempted exploitation of older IoT vulnerabilities such as CVE-2014-8361, CVE-2015-2051, CVE-2017-17215 and CVE-2018-10561, arising from a variety of unique sources, in order to deliver variants of Mirai.
One way in which this trend could be slowed, and possibly reversed, is for IoT device manufacturers to seriously consider placing prominent warnings on all their devices advising customers to update the device’s software immediately, and to continue to do so on a regular basis. Without a concerted effort from all players in the IoT chain, the next major DDoS attack may make the 2016 Mirai exploit pale by comparison.
INTELLIGENTCIO
27