ThreatList: Malware Samples Targeting IoT More Than Double in 2018

A honeypot set up to sniff out data on infected IoT devices found a broad array of compromised devices – from Mikrotik routers to dishwashers.

It’s no secret that connected devices are posing a security threat in the commercial, consumer and industrial worlds. A fresh report on this expanding threat landscape shows that attacks are accelerating, with MikroTik routers, Telnet password-cracking and the Mirai botnet dominating the proceedings.

In the first half of 2018, researchers at Kaspersky Lab said they picked up three times as many malware samples targeting IoT devices as they did for the entirety of 2017. “That doesn’t bode well for the years ahead,” the research team said in their report, published Tuesday.

A Range of Devices

A honeypot set up to sniff out data on infected IoT devices found a broad array of compromised devices populating the landscape – from MikroTik routers to smart dishwashers.

Overall, infected MikroTik routers made up 37.23 percent of all the data collected – the reason for which appears to be the ChimayRed vulnerability, an exploit that is used against MikroTik routers running RouterOS.

MikroTik devices are known to be involved in an array of malicious campaigns, including the efforts of the VPNFilter IoT botnet, which has infected almost a million consumer-grade internet routers in more than 50 countries.

Other infected IoT objects that attempted to target the honeypot included devices from TP-Link, SonicWall, Cisco, D-Link and even connected dishwashers.

“What’s interesting is that our honeypot attackers included 33 Miele dishwashers (0.68 percent of the total number of attacks),” researchers said. “Most likely, they were infected through the known (since March 2017) CVE-2017-7240 vulnerability in PST10 WebServer, which is used in their firmware.”

The Telnet Vector

The most popular infection vector at this point involves cracking weak Telnet passwords — often configured with default settings — to access the device. In an analysis of popular attack vectors in the second quarter of 2018, researchers found that Telnet passwords were used in 75.40 percent of attacks – by far surpassing other methods, including  brute-forcing SSH passwords (a method that’s used 11.59 percent of the time).

In terms of pinning down geography for the Telnet attacks, Brazil had the most unique IP addresses from which they originated, making up 23 percent of addresses. That was followed by China (17 percent of addresses) and Japan (9 percent of IP addresses).

There is however some indication that this vector is waning in popularity.

“Since some smart-device owners change the default Telnet password to one that is more complex, and many gadgets don’t support this protocol at all, cybercriminals are constantly on the lookout for new [methods] of infection,” researchers said. “This is stimulated by the high competition between virus writers, which has led to password brute-force attacks becoming less effective: In the event of a successful crack, the device password is changed and access to Telnet is blocked.”

Mirai Tops Payload Choices

Unsurprisingly, the report found that the Mirai botnet family is the top downloaded malware when it comes to IoT attacks. Mirai and its variants have remained a top threat as the malware’s technical makeup, capabilities and targets continue to evolve.

Other popular downloaded malware includes Gafgyt, which has recently been discovered targeting SonicWall flaws, and the Hajime botnet.


Suggested articles