IoT Exploits: Around The World In 120 Days
Internet of Things (IoT) botnets commonly propagate by exploiting vulnerabilities in IoT devices. Telemetry from our IoT honeypots show the number of exploit attempts originating from bots continues to increase. The vulnerabilities they leverage are old, but clearly not obsolete. The most common exploit seen in our honeypots was first publicly disclosed over four years ago. Certain countries show an affinity for certain types of devices based on the exploit attempts originating from those countries.
- Our data collection shows attacks targeting well-known IoT vulnerabilities. We witnessed a two-fold increase in the number of exploit attempts from December 2018 compared to January 2019.
- CVE-2014-8361 dominated the list of IoT exploits to hit our honeypots for the past four months. The exploit vector, publicly disclosed in April of 2015, traces back to several high profile IoT botnets such as Satori and JenX.
- Based on telemetry from our honeypots we gain unique insight into the geographic dispersion of IoT vulnerabilities and exploitation attempts against them.
Looking at data from our honeypots for the last four months we saw a huge onslaught of attacks related to the Hadoop Yarn exploit described in Mirai: Not Just For IoT Anymore. Disregarding the voluminous Yarn attacks, we start to see a pattern emerge of commonly used exploits targeting IoT devices. Fig 1 shows the top exploits seen by our honeypots in the past four months.
|EDB ID||Exploit Path|
Fig 1: IoT Exploits Our data shows a range of new and old exploits being used to target IoT devices. As we talked about in Regifting Exploits, shelf life for an IoT based exploits can last for years. CVE-2014-8361 is just one such example. Digging further into our dataset we can see which countries are likely to exploit certain vulnerabilities. Fig 2 shows a donut chart of exploit attempts from December 2018 on the inner ring, and the country of origin on the outer ring. We can see exploits originating from the United Kingdom tend to favor the use of the Realtek SDK Miniigd Command Execution (CVE-2014-8361) exploit. We're also able to drill down and see only 10 unique sources were used for these attacks. This may indicate that the 10 source IP addresses are in the same botnet.
Fig 2: Exploits Attempts for the Month of December 2018 Unlike the Miniigd and Huawei Router exploits we see the use of the D-Link Devices HNAP Command Execution (CVE-2015-2051) exploit used across several different countries. By examining the payload from these attacks, we can gather if the exploit is being used by one botnet or several. If we widen our lens back to a 120-day view of our data, we can see a different picture emerge. 94% of the attack traffic during this time frame is related to the Huawei Router exploit (CVE-2017-17215). Our numbers also indicate those attacks came from 59 unique countries as the table below shows.
Fig 3: IoT related attacks for the last 120 days When looking at the number of attacks for these specific exploits in December 2018 compared to January 2019, we see a 218% increase. More and more botnets are scanning for and attempting to exploit these vulnerabilities. In reviewing the payloads for these attacks, most of the malware being delivered is a Mirai variant, showing an old dog can learn new tricks.
While IoT bots that use default usernames and passwords tend to use a shotgun approach to propagation, bots that use exploits tend to be more targeted per country. As vendors address issues with default or hardcoded password, IoT bots need to adapt to the changing landscape. As evidenced by the increases in exploitation attempts against our honeypots, IoT botnet operators evolve with the changes in device security, continuing their shift to a hybrid approach. As security practitioners we can learn from attacker’s tactics and figure out which devices tend to be targeted regionally in order to better defend them. It’s critical that IoT security be part of an organization’s security program - patching, testing, monitoring, and incident response.