HIRT-PUB16003 : Cyber attacks Using IoT Devices

DDoS (Distributed Denial of Service) attacks using IoT devices to disrupt operations have been reported. (Figure 2).

Figure 2: Distributed Denial of Service (DDoS) attacks for disrupting operations

• September 20, 2016
  Krebs on Security, a blog covering security issues, encountered a massive DoS attack that reached 620 Gbps.
  KrebsOnSecurity Hit With Record DDoS
• September 27, 2016
  French hosting provider OVH encountered massive DoS attacks of over 1 Tbps from approximately 150,000 sources.
  The DDoS that didn't break the camel's VAC*
• October 01, 2016
  The source code of Mirai malware, which is used to remotely control IoT devices running Linux, was released.
• October 18, 2016
  Level 3 Communications reported the number of IoT devices infected with Mirai.
  Before the source code was released: 213,000
  After the source code was released: Total of 493,000 (increase of 280,000 after the code was released)
  How the Grinch Stole IoT
• October 21, 2016
  U.S. service provider Dyn came under a large DoS attack of 1.2 Tbps from up to 100,000 sources by bots infected with Mirai malware.
  Dyn Analysis Summary Of Friday October 21 Attack

Scans and break-ins to a wide range of IoT devices, in order to control them remotely, have also been reported.

Cyber attacks are targeting IoT devices that use the default factory settings and those for which simple accounts or passwords are set. Infection attacks are break-ins to IoT devices using Telnet. The threat actor can control infected IoT devices to use them for scanning and infection.

Figures 3, 4, and 5 show the investigative results of connecting a single PC (with ports 23/tcp and 2323/tcp enabled) to the Internet. he PC received an average of 1,000 connections from an average of 235 source IP addresses per day. That is an average of 44 connections from approximately 10 source IP addresses per hour.

Figure 3: Number of connections per day to ports 23/tcp and 2323/tcp, and the number of sources per day

Figure 4: Number of connections per hour to ports 23/tcp and 2323/tcp, and the number of sources per hour

Figure 5: Number of source IP addresses per address block (xxx.0.0.0-xxx.255.255.255)

The results of the observed infection attacks (login attempts, assumedly by Mirai malware) can be seen in Figure 6.

Figure 6: Login attempts

Cyber attacks are targeting IoT devices that have a command injection vulnerability resulting from implementing TR-069. Infections exploiting this vulnerability have deployed malicious programs.

• November 07, 2016
  It was reported that implementing TR-069, a standard for remote management of user devices, is responsible for a command injection vulnerability.
  TR-069 NewNTPServer Exploits: What we know so far
• November 27, 2016
  The German ISP provider Deutsche Telekom encountered a cyber-attack by Mirai malware that disabled approximately 900,000 of its customers' Speedport DSL modem/router connections. According to a report, the attacks exploited the TR-069 implementation and disabled the devices, although infection attempts failed.
  The "open interface" myth: what really happened

Figure 7 shows the result of investigating what happens when a single PC (with port 7547/tcp enabled) is connected to the Internet. The PC received an average of eight connections from an average of three source IP addresses per hour.

Figure 7: Number of connections to port 7547/tcp per hour, and the number of sources per hour

The results of our investigation into a command injection that exploits the vulnerability resulting from implementing TR-069 (instructing IoT devices to download and run a program called �ga" from the Internet website �gbinpt.**") can be seen in Figure 8.

Figure 8: Command injection exploiting the vulnerability resulting from implementing TR-069

Protecting IoT devices from Cyber attacks is paramount, particularly infection attempts that attempt to deploy malicious programs (see 2.2).

• Restrict access from the Internet to IoT devices and permit access only from trusted IP addresses.
  Restrict access by using a firewall (or similar means) to permit access only from trusted IP addresses, and block untrusted access from the Internet. Make especially sure that access is blocked from the Telnet service (using 23/tcp and 2323/tcp) provided for remote control of IoT devices and Web interface (using 80/tcp and 443/tcp), unless such access is absolutely required.
• Enable authentication functionality and use a complex password.
  Avoid using the following with default factory settings when connecting to the Internet:
  * Using an IoT device for which authentication functionality is disabled
  * Using the default account and password.
• Check for product update information. If a vulnerability is reported, update your firmware.
  Check for update information (for example, on the product vendor's website). If a vulnerability is reported, update your firmware to eliminate the vulnerability.

If a malware infection of an IoT device is reported based on information from a third party or by an intrusion detection system, disconnect the IoT device from the network, restart it, and then make sure all proactive measures are taken.