A network of 50 honeypots deployed around the world has recorded and tracked attacks on IoT systems. Between H1 2018 and H1 2019, these attacks rose almost ninefold, from 12 million to 105 million. The number of unique attacking IP addresses grew from 69,000 to 276,000 during the same period.
Many of the attacks target smart devices such as home routers. “Our telemetry data,” Kaspersky notes in its latest report, “suggests that smart botnet operators check the name of the AS network and only target IP addresses of internet service providers that provide internet connections to domestic users.” IoT devices do not have built-in security capabilities, and SoHo IoT devices tend to lack the security layers found in corporate IoT. The result is a pool of easily compromised devices that make up botnets usable for various purposes, such as massive DDoS attacks.
Most attacks on IoT systems concentrate on brute-forcing access credentials, relying on default settings that the user has sometimes left unchanged. By collecting the credentials used in the attacks, Kaspersky's researchers could determine the most targeted devices. For example, in Q2 2019, default / default, admin / admin, root / 7ujMko0admin and root / vizxv were the most frequently used credentials. The last two are the default credentials of two Dahua cameras.
“New cameras are tested every quarter as exploits become wild,” Kaspersky comments. “In Q1 2019 we found bots infecting different GPON routers using a special hard-coded key.” The Mirai family accounted for 38.5% of the detected attacks, with the Nyadrop malware family a close second, also at 38.5%. Nyadrop is a backdoor and can be used to spread Mirai further. It emerged in 2016 and has become increasingly popular, replacing Hajime, which was the second most popular malware (again behind Mirai) in Q1 2018.
Telemetry obtained by the honeypots also helps researchers identify the countries hosting the attacking IP addresses. China is the leading country, hosting 21.2% of all attacks detected. Brazil is second, at 13.5 percent. In Telnet attacks, China's lead is even greater, at 30%, and Brazil is still second at 19 percent. This is a turnaround from H1 2018, when 28% of Telnet attacks were hosted in Brazil and 14% in China. Egypt and Russia are both growing rapidly: Egypt with 12 percent from outside the top ten to 3 percent, and Russia with 3 to 4 percent with 11 percent.
“As people are increasingly intelligent, we are seeing the intensification of IoT attacks,” said Dan Demeter, one of Kaspersky's security researchers. “Judging from the increased number of attacks and persistence of criminals, IoT is a lucrative environment for an attacker who uses even the most rudimentary methods such as password guessing and login combinations, much simpler than most people believe: by far, the most common combinations are ‘support / support,’ followed by ‘admin / admin,’ ‘default / default.’” A reboot can clear the device of any memory-resident malware, but it will not prevent later re-infection. The researchers note that “we're looking for a steady trend for repeated attacks from IP addresses of attackers, which indicates increasingly frequent attempts at infecting devices previously known to attackers.” These include efforts to re-infect rebooted devices that are either unpatched or still use the same password.
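Added example, not taken from Kaspersky's report or tooling: one way to run the analysis described above, tallying the credential pairs seen in honeypot login attempts and flagging source IPs that return on more than one day. The log format, the sample lines and the names analyse, KNOWN_DEFAULTS and repeat_days are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in a hypothetical honeypot log format
# (timestamp, source IP, protocol, attempted username and password).
SAMPLE_LOG = """\
2019-06-01T00:01:12Z src=198.51.100.7 proto=telnet user=root pass=vizxv
2019-06-01T00:01:15Z src=198.51.100.7 proto=telnet user=admin pass=admin
2019-06-01T03:22:40Z src=203.0.113.20 proto=telnet user=default pass=default
2019-06-02T11:05:02Z src=198.51.100.7 proto=telnet user=root pass=vizxv
2019-06-02T11:09:51Z src=192.0.2.44 proto=ssh user=root pass=7ujMko0admin
this line is malformed and must be skipped
2019-06-03T08:00:00Z src=203.0.113.20 proto=telnet user=support pass=support
"""

# Credential pairs the article ties to a specific device family.
KNOWN_DEFAULTS = {
    ("root", "vizxv"): "Dahua camera",
    ("root", "7ujMko0admin"): "Dahua camera",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) proto=(?P<proto>\S+) "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*)$"
)

def analyse(log_text, repeat_days=2):
    """Return (credential counts, targeted-device counts, repeat source IPs)."""
    creds = Counter()               # how often each user/password pair was tried
    targets = Counter()             # device families inferred from known defaults
    days_seen = defaultdict(set)    # source IP -> distinct calendar days seen
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                # ignore lines that do not parse
        pair = (m["user"], m["pw"])
        creds[pair] += 1
        if pair in KNOWN_DEFAULTS:
            targets[KNOWN_DEFAULTS[pair]] += 1
        days_seen[m["src"]].add(m["ts"][:10])   # YYYY-MM-DD part of timestamp
    # Assumption: an IP seen on repeat_days or more distinct days is "returning".
    repeaters = sorted(ip for ip, d in days_seen.items() if len(d) >= repeat_days)
    return creds, targets, repeaters

if __name__ == "__main__":
    creds, targets, repeaters = analyse(SAMPLE_LOG)
    print(creds.most_common(3), dict(targets), repeaters)
```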
Kaspersky's more sophisticated advice is to restrict access to IoT devices with a local VPN, allowing the user to reach them from the “home” network rather than openly exposing them on the internet.
Although the increase in attacks on home IoT devices seems to be a home problem, it is ultimately business that is threatened. The potential for massive DDoS attacks against business and even the Internet itself has already been demonstrated by Mirai botnets. KrebsOnSecurity was hit by a Mirai attack peaking at 665 Gbps in 2016. A week ago the Dyn DNS service was attacked by another Mirai assault that simultaneously impacted major services including Facebook, eBay, GitHub, SoundCloud, PagerDuty, Twitch, Airbnb, Intercom and Heroku. IoT infections may hit SoHo, but business is threatened.