Malware continues to plague the IoT world
Examining recent threat data often provides critical insights into what might lie ahead for organizations, as well as how they can best prepare for the threats they face now. In my recent re-examination of the findings of Fortinet’s internal threat researchers from Q4 2019, a few key themes arose with regards to malware and IoT botnets that are especially worth sharing.
Malware doesn’t discriminate
It’s helpful to examine malware trends because they speak both to cybercriminal intent and to cybercriminal capability. As with exploit detections, malware detections reported by sensors do not always indicate an actual infection or breach. Rather, they indicate that code has been weaponized and that its delivery to target victims and systems has been attempted. Detections can occur at the network, application and host level on an array of devices, and they provide critical insights into the strategies and methodologies of cyber adversaries.
The fact that the quarter’s detections span malware built as Windows executables, Visual Basic scripts, HTML and JavaScript files, and adware reminds organizations that attackers create malware to target a wide variety of systems through a wide variety of vectors. Malware is an innovative and rapidly evolving threat, and organizations will do well to remember that.
However, cybercriminals are also opportunistic, so they set their sights on wherever they feel there’s a chance of success. Research shows that IoT devices continue to be a hotbed of opportunity.
IoT malware strikes hard
Who can forget the Mirai botnet? Built from hundreds of thousands of compromised IoT devices, most of them enrolled simply by logging in with factory-default credentials, Mirai perpetrated the largest distributed denial-of-service (DDoS) attack in history at the time, knocking a sizable chunk of the internet offline. Its success spawned a wave of extortion attacks in which automated botnets made up of hijacked IoT devices launched DDoS attacks and demanded payment to stop them.
Another first was BrickerBot, a destructive form of malware that, rather than enlisting IoT devices, wiped them and left them unable to connect to the internet, a permanent denial of service. Its purpose was to take devices, and with them whole networks, down for good, which presented a huge risk to service providers who faced the potential of millions of devices going dark simultaneously, without the ability to see, control or manage them.
This focus has since evolved into ransomware as a service, where ransomware attacks have been commoditized and made available to anyone with access to the Dark Web. Services are available for targeting both traditional and IoT devices.
Botnets have staying power
Though botnets and malware are intrinsically related — malware infections being the seed from which a botnet grows — their life expectancies are very different. Malware is constantly evolving to evade detection and improve the efficiency and sophistication of its attacks. As a result, malware is in a constant state of flux.
On the other hand, botnets are made to survive and adapt. Taking down botnets is often similar to fighting the proverbial hydra: chop off a control node and another rises to take over. Organizations might manage to knock out all the controllers, but they’ll still be left with an army of infected hosts.
Analyzing botnet prevalence is unique among the markers available to security researchers, because botnet activity, an internal host talking to its command-and-control infrastructure, is evidence of an actual infection, unlike intrusion prevention system triggers or antivirus detections, which only document attempts. Though the latter provide organizations with insight into what threat actors consider to be their big opportunities, botnets show what has actually worked and give an even better idea of which vulnerabilities organizations should be looking for within their own networks.
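The distinction drawn above, between a sensor seeing malware thrown at a host and a sensor seeing a host call home to a controller, is easy to encode. The following is an added example, not Fortinet’s code or tooling: it triages a handful of constructed sensor events (the log format, signature names, hosts and address ranges are all invented for illustration) into “attempted delivery” and “confirmed infection”, and then flags hosts whose command-and-control contacts are evenly spaced, the beaconing pattern a bot produces while polling for orders.

```python
"""Triage constructed sensor events into attempted delivery vs. evidence of infection.

Added example; not Fortinet's code. Log format, signature names, hosts and
network ranges are all constructed for illustration.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Assumption: the organization's internal address space.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Assumption: signature fragments that denote command-and-control traffic.
C2_MARKERS = ("Botnet", "C2")

# Constructed events, one per line: "<ISO timestamp> <sensor> <src> <dst> <signature>".
SAMPLE_EVENTS = [
    "2019-11-03T09:14:02Z ips 203.0.113.45 10.0.5.21 Mirai.Telnet.Bruteforce",
    "2019-11-03T09:14:07Z ips 203.0.113.45 10.0.5.22 Mirai.Telnet.Bruteforce",
    "2019-11-03T09:20:11Z av 198.51.100.9 10.0.1.15 W32/ZeroAccess.Dropper",
    "2019-11-03T09:31:40Z botnet 10.0.5.21 192.0.2.77 Mirai.Botnet.C2",
    "2019-11-03T09:32:10Z botnet 10.0.5.21 192.0.2.77 Mirai.Botnet.C2",
    "2019-11-03T09:32:40Z botnet 10.0.5.21 192.0.2.77 Mirai.Botnet.C2",
    "2019-11-03T10:02:19Z botnet 10.0.1.15 198.51.100.200 ZeroAccess.Botnet",
    "2019-11-03T10:05:00Z ips 10.0.7.3 203.0.113.8 Gh0st.RAT.Botnet",
]


@dataclass(frozen=True)
class Event:
    ts: datetime
    sensor: str
    src: str
    dst: str
    signature: str


def parse_event(line: str) -> Event:
    """Split one whitespace-separated event line into its fields."""
    ts, sensor, src, dst, signature = line.split()
    # fromisoformat does not accept a trailing "Z" before Python 3.11.
    return Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), sensor, src, dst, signature)


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def is_c2_contact(ev: Event) -> bool:
    """Outbound traffic from an internal host that matches a C2 signature."""
    return (is_internal(ev.src) and not is_internal(ev.dst)
            and any(marker in ev.signature for marker in C2_MARKERS))


def triage(lines):
    """Return {"attempted": {target: signatures}, "infected": {host: signatures}}.

    Inbound IPS/AV hits only prove that something was thrown at a host;
    an outbound C2 contact proves the host is already running the bot.
    """
    attempted = defaultdict(set)
    infected = defaultdict(set)
    for ev in map(parse_event, lines):
        if is_c2_contact(ev):
            infected[ev.src].add(ev.signature)
        elif not is_internal(ev.src) and is_internal(ev.dst):
            attempted[ev.dst].add(ev.signature)
    return {"attempted": dict(attempted), "infected": dict(infected)}


def beaconing_hosts(lines, min_events=3, tolerance_s=5.0):
    """Return {host: mean interval in seconds} for hosts whose C2 contacts are evenly spaced.

    Regularly timed callbacks to the same controller are the classic sign of
    a bot polling for orders rather than a one-off detection.
    """
    contacts = defaultdict(list)
    for ev in map(parse_event, lines):
        if is_c2_contact(ev):
            contacts[(ev.src, ev.dst)].append(ev.ts)
    result = {}
    for (src, _dst), stamps in contacts.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= tolerance_s:
            result[src] = sum(gaps) / len(gaps)
    return result


if __name__ == "__main__":
    report = triage(SAMPLE_EVENTS)
    for host, sigs in sorted(report["attempted"].items()):
        print(f"attempted delivery to {host}: {', '.join(sorted(sigs))}")
    for host, sigs in sorted(report["infected"].items()):
        print(f"CONFIRMED infection on {host}: {', '.join(sorted(sigs))}")
    for host, interval in beaconing_hosts(SAMPLE_EVENTS).items():
        print(f"{host} beacons every {interval:.0f}s")
```

On the constructed input, 10.0.5.21 appears in both buckets: the inbound telnet brute-force hit alone would be filed as an attempt, but its later outbound Mirai C2 traffic, at a steady 30-second cadence, is what makes it a confirmed infection worth prioritising over the host that only received a dropper. Direction is the key test; a real deployment would take the internal ranges and C2 signature list from the sensor configuration rather than hard-coding them.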
The most active botnets for Q4 2019 feature the usual suspects that many organizations have grown accustomed to seeing quarter after quarter. The ZeroAccess botnet, one of the top botnets detected during the quarter, is a good example. Though it first appeared in mid-2011, it still registered the highest volume, though not the highest prevalence, across sensors more than eight years later. Its longevity owes largely to the fact that it is an affiliate bot, rented out to whoever will pay for its infected hosts.
Once ZeroAccess takes root on a system, it uses the host for an array of malicious activities, such as downloading additional malware, mining cryptocurrency and committing click fraud, at the behest of whichever criminals are running or renting it at the time. In addition, its rootkit techniques let it remain hidden on infected systems, where it can carry out its malicious functions for a very long time. Gh0st RAT, Mirai and the rest of the botnet leaderboard all have similar stories.
It’s all about the best practices, not hype
It’s tempting to focus on the continued introduction of increasingly sophisticated botnets and their related malware, but the real problem is out-of-date systems running unpatched firmware or software on inadequately monitored, flat networks. Botnets thrive because organizations consistently fail to shore up their systems.
Until these things change, the problem won’t change, either. As is often the case, basic best practices and common sense, such as patching, replacing default credentials, segmenting networks and watching outbound traffic for command-and-control activity, go a long way toward creating and maintaining a safe environment in which IoT can thrive.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.