04

IoT

A sizable portion of the global workforce will likely make some form of remote work permanent, and that is bad news when it comes to defending against inbound threats. A review of ASERT honeypot data clearly illustrates the issue: the number of attempted Telnet and Secure Shell (SSH) brute-force logins in 2020 grew by 47 percent compared with 2019.

Brute-force attacks are already prevalent against corporate locations, but they pose a greater risk on home networks, which lack enterprise-grade security controls and share the consumer network with vulnerable IoT devices. Even worse, time is money when it comes to mitigating that risk. Our research has shown it takes 5 minutes or less for adversaries to scan and potentially compromise a new IoT device exposed on the internet. Compare that with the time it takes to find and fix a breach: according to research conducted by IBM, it took 197 days on average to identify a breach and 69 days to contain it. And each day costs more: companies that managed to contain the breach in fewer than 30 days typically saved themselves more than US$1 million.

Why Are IoT Devices Such Juicy Targets?

There are a few factors at play. IoT devices are often deployed in a set-it-and-forget-it manner and don’t get upgraded to fix vulnerabilities as they are discovered. They also typically use a set of credentials that are either hardcoded or are difficult for the end user to change. And lastly, manufacturers often neglect to integrate security into IoT devices, leaving the end user to bolt it on outside of the IoT product. This explains the continued popularity of the top five exploits, which have remained consistent year over year.

Key Takeaways

01

In 2020, ASERT honeypots saw a 47 percent increase in brute-force activity over 2019.

02

A new set of credentials appeared in October 2020 that signaled the emergence of a new botnet.

03

Mirai and its variants continued to drive botnet activity, and 2020 was seen as the year in which Windows-based malware crossed into the Linux realm.

Mirai: Long Live the King

ReversingLabs saw the number of Mirai malware samples effectively double in 2019. In 2020, that number grew by a further 150,000, a 7 percent increase in an already overwhelming number of Mirai samples circulating in the wild.

Top Five Mirai Variants

The top five Mirai variants in 2020 didn't change much from the first six months to the second half of the year. Mirai itself moved up into the top five, and Kyton fell out. These variant names are a useful marker for identifying which strains are in use.

We also observed a variety of architectures used by Mirai. Looking at a representative sampling of the binaries provided by ReversingLabs, we see the following distribution of architectures for 2020.

Username/Password Combinations

Out of more than 75 million brute-force attempts observed by our honeypot network in 2020, the top five username/password combinations continue to be the original list hardcoded in Mirai since 2016.

Our previous reports listed only unique sources in the brute-force attempts. We now include every attempt, to illustrate the persistent nature of automated brute-forcing bots. Although credential combinations used by Mirai are still the most frequently seen, the picture looks a bit different when considering the unique source of the brute-force login attempt. The hypothesis is that while botmasters are using more diverse username/password lists and new bots continue to enter the space, Mirai remains atop the charts due to its constant bombardment on network-connected devices.

In the second half of 2020, ASERT started tracking the impact inbound brute forcing had on our customers. In just a few months, we observed more than 75 million Telnet attempts from the indicators we collect from our honeypots alone. Leveraging data from our Cyber Threat Alliance (CTA) partnership, we observed more than 550 million Telnet, SSH, Server Message Block (SMB), and RDP brute-force attempts in 2020.

The majority of these inbound attempts are against targets in the United States; the following chart shows the top 10 countries targeted by Telnet brute-force attempts. Looking at the other side of the connection, we can determine where the majority of these brute-force attempts originate based on the attacking IP address.

The Birth of a New Botnet

Amidst the onslaught of brute forcing, ASERT observed a new set of credentials plow their way into the top five in October 2020. These username/password combinations were previously low volume, and the spike in usage likely indicates a new botnet or a concentrated effort to compromise a specific set of devices. The continued use of these credentials following the initial wave in October indicates that they will likely stick around and eventually find their way into other botnets and automated brute-forcing tools.
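The two measurements the report relies on, total attempts per credential pair versus distinct attacking sources (the Username/Password Combinations section above), and a credential pair newly breaking into a month's top ranks (this section), are easy to reproduce over your own honeypot or auth logs. The following is an added example, not ASERT's tooling or the report's own code: the log format and addresses are constructed, the handful of `MIRAI_DEFAULTS` entries are taken from Mirai's publicly released 2016 credential dictionary, and `newbot`/`newbotpass` is a hypothetical pair standing in for the unnamed October credentials.

```python
"""Tally brute-force login attempts two ways (attempts vs. unique sources) and
flag credential pairs that newly enter a month's top ranks.
Added example; the log format below is constructed, not a real honeypot format."""
from collections import Counter, defaultdict

# A few entries from Mirai's published 2016 credential dictionary, used to
# measure what share of attempts still relies on that list.
MIRAI_DEFAULTS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "xmhdipc"), ("root", "default"), ("root", "juantech"),
    ("root", "123456"), ("root", "54321"), ("support", "support"),
}

# Constructed sample log: "timestamp src_ip service username password", one line
# per attempt. Addresses are RFC 5737 documentation ranges; newbot/newbotpass is
# a hypothetical pair. The "garbage" line shows malformed input being skipped.
SAMPLE_LOG = """\
2020-09-03T01:12:44Z 198.51.100.7 telnet root xc3511
2020-09-03T01:12:45Z 198.51.100.7 telnet root vizxv
2020-09-03T01:12:46Z 198.51.100.7 telnet root admin
2020-09-03T02:40:10Z 198.51.100.7 telnet root xc3511
2020-09-03T04:10:09Z 198.51.100.7 telnet root xc3511
2020-09-04T11:05:01Z 203.0.113.9 telnet admin admin
2020-09-04T11:05:02Z 203.0.113.9 telnet root 888888
2020-09-05T09:00:00Z 192.0.2.55 ssh root xc3511
2020-09-05T09:00:01Z 192.0.2.55 ssh admin admin
garbage line that does not parse
2020-10-02T03:14:15Z 203.0.113.42 telnet root xc3511
2020-10-02T03:14:16Z 203.0.113.42 telnet root vizxv
2020-10-02T03:14:17Z 203.0.113.42 telnet newbot newbotpass
2020-10-02T03:14:18Z 203.0.113.43 telnet newbot newbotpass
2020-10-02T03:14:19Z 203.0.113.44 telnet newbot newbotpass
2020-10-02T03:14:20Z 203.0.113.45 telnet newbot newbotpass
2020-10-03T08:22:00Z 198.51.100.7 telnet root xc3511
2020-10-03T08:22:01Z 198.51.100.7 telnet admin admin
2020-10-03T08:22:02Z 198.51.100.7 telnet root xc3511
"""


def parse_log(text):
    """Parse the constructed format; lines that do not fit are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] not in ("telnet", "ssh"):
            continue
        ts, src, service, user, password = parts
        records.append({"month": ts[:7], "src": src, "service": service,
                        "cred": (user, password)})
    return records


def tally(records):
    """Per credential pair: (total attempts, distinct attacking source IPs)."""
    attempts = Counter()
    sources = defaultdict(set)
    for r in records:
        attempts[r["cred"]] += 1
        sources[r["cred"]].add(r["src"])
    return {c: (attempts[c], len(sources[c])) for c in attempts}


def ranked(tallies, key, n=5):
    """Top n pairs by attempts (key=0) or by unique sources (key=1); ties by name."""
    order = sorted(tallies.items(), key=lambda kv: (-kv[1][key], kv[0]))
    return [cred for cred, _ in order[:n]]


def monthly_top(records, n=5):
    """Top n credential pairs by attempt count for each month, in month order."""
    by_month = defaultdict(list)
    for r in records:
        by_month[r["month"]].append(r)
    return {m: ranked(tally(rs), 0, n) for m, rs in sorted(by_month.items())}


def new_entrants(records, n=5):
    """Pairs that enter a month's top n without being in the previous month's top n."""
    tops = monthly_top(records, n)
    months = list(tops)
    return {cur: [c for c in tops[cur] if c not in tops[prev]]
            for prev, cur in zip(months, months[1:])}


def mirai_share(records, known=MIRAI_DEFAULTS):
    """Fraction of all attempts that used a pair from the known Mirai list."""
    if not records:
        return 0.0
    return sum(r["cred"] in known for r in records) / len(records)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    t = tally(recs)
    print("by attempts:", ranked(t, 0))
    print("by unique sources:", ranked(t, 1))
    print("new entrants per month:", new_entrants(recs))
    print("share of attempts using Mirai defaults: %.2f" % mirai_share(recs))
```

On this sample, ranking by raw attempts puts `root/xc3511` first because one source hammers it repeatedly, while ranking by unique sources puts the hypothetical new pair first, which is the gap between the two views the report describes. `new_entrants` reports that pair for October because it was absent from September's top five; on real data you would want a volume threshold as well, so a low-volume month does not produce spurious entrants.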