Attacks Targeting IoT Devices and Windows SMB SurgeResearchers Say Mirai Derivatives and EternalBlue Exploits Pummel Internet-Connected Devices
Two years after WannaCry wreaked havoc via unpatched SMB_v1 and three years after Mirai infected internet of things devices en masse via default credentials, attackers continue to target the same flaws, security experts warn.
Attackers built the wormable crypto-locking WannaCry malware to exploit Windows systems running an unpatched version of SMB_v1 that were vulnerable to an exploit code named EternalBlue. Mirai, meanwhile, targeted the large numbers of IoT devices that ship with default - or sometimes hard coded - usernames and passwords. Those include routers, security cameras and digital video recorders, among other devices. Hackers who gained remote access to these devices often turned them into internet-connected launching pads for further attacks.
Unfortunately, attacks targeting SMB_v1 and IoT devices are alive, well and escalating, researchers at Helsinki, Finland-based cybersecurity firm F-Secure warn in a new report.
F-Secure says its network of honeypots - decoy servers that allow researchers to see what attackers are targeting and how - has recorded a 250 percent surge in attack traffic in the first half of this year, compared with the second half of 2018.
Of the 2.9 billion attacks logged by the honeypots in that time frame, 2.1 billion targeted TCP ports. Of these, more than 760 million attacks - or 26 percent - targeted telnet, which is mostly used by IoT devices.
Attacks targeting SSH accounted for 456 million attacks. They mainly involve "brute-force password attempts to gain remote access to a machine, but also IoT malware," F-Secure says (see: Mirai Botnet Code Gets Exploit Refresh).
Attempts to exploit Windows for server message block via port 445 comprised 556 million attempted exploits by attackers wielding such exploits as EternalBlue, with WannaCry still showing up as one of the most prevalent types of malware seen by F-Secure. "The high level of SMB traffic is an indication that the Eternal family of exploits, the first of which was used in the devastating WannaCry ransomware outbreak of 2017, is still alive and well, trying to ravage millions of still-unpatched machines," the F-Secure researchers write (see: Eternally Blue? Scanner Finds EternalBlue Still Widespread).
Another 611 million attack attempts seen by F-Secure targeted the Universal Plug and Play, or UPnP, protocols that ship enabled by default on numerous devices via port 5000.
These findings carry some caveats. "Because honeypots are decoys not otherwise meant for real-world use, an incoming connection registered by a honeypot is either the result of a mistake - someone typing in a wrong IP address, which is rather uncommon - or of the service being found during an attacker's scans of the network or the internet," according to F-Secure's report.
Also, attack attempts are not the same as exploits. "These are attempts; our honeypots are high-interaction, which means that they simulate a real victim up to a degree, but I would not count all of the cases to match an actual infection," says Jarno Niemela, principal researcher at F-Secure.
Even so, the rise of more than 250 percent in attack attempts from the latter half of 2018 to the first half of 2019 is concerning, and it's likely due to multiple factors. "The number of vulnerable IoT devices keeps increasing, and the information about how to abuse their vulnerabilities is getting more widespread," Niemela tells Information Security Media Group. "So yes, in a way, there has been a surge in criminal activity. But of course, it is hard to say just from the number of attacks whether there are actually significantly more actual people involved, as a single IoT worm can cause significant noise just by itself."
Automation Makes Hacking Easier
One hacking fact of life is that many of today's attacks are highly automated. Aspiring cybercriminals don't need to be code-writing geniuses. Instead, they can buy relatively inexpensive tools that handle many routine tasks. For anyone not in the know about how to run such tools, security experts say online user manuals and video tutorials will often fill in any gaps. Attackers can leave automated tools to run in the background or overnight, retrieve a list of sites or endpoints that their tools have managed to infect or gain remote access to and then decide how to proceed (see: Cybercrime Black Markets: RDP Access Remains Cheap and Easy).
In the case of the attacks recorded by F-Secure's honeypots, "99.9 percent of traffic to our honeypots is automated traffic coming from bots, malware and other tools," it reports. "Attacks may come from any sort of connected computing device - a traditional computer, malware-infected smartwatch or IoT toothbrush can be a source."
Changing Attack Point of Origin
Nearly half of all attack traffic seen in the first half of the year originated from systems in China, followed by the U.S., Russia, Germany, the Philippines, Ukraine the Netherlands and Brazil, F-Secure reports. The Chinese traffic represents a massive increase from the second half of 2018, when the country ranked ninth. Niemela says at least some of this surge can be explained by China simply having many more internet-connected devices now that attackers can potentially exploit.
Top countries targeted in the first half of 2019 were the U.S., Austria, Ukraine, U.K., Netherlands, Italy, Nigeria and Poland.
Malware Increasingly Targets Linux
Beyond IoT, F-Secure says that its regular anti-virus telemetry - gathered from consumer and business endpoints using its security software - found that automated attempts to exploit PCs with malware predominantly involved ransomware, with banking Trojans and cryptocurrency-mining malware also being common.
Mikko Hypponen, chief research officer at F-Secure, says one big attack shift in recent years has been malware targeting not Windows systems, but Linux.
Mirai Has Commoditized IoT Malware
A separate report released this week by Tokyo-based cybersecurity firm Trend Micro finds that for targeting IoT devices, Mirai malware not only dominates but has appeared to displace other contenders.
"There is now a very small incentive for malware writers to develop new IoT-infecting botnet code," Trend Micro researchers write. "Mirai has become the only code a would-be IoT attacker needs, which, in turn, stifled the creativity so to speak of cybercriminals in developing original malware. Most 'new' IoT botnets today are mere modifications of the Mirai code base."
But Mirai has continued to be modified, as F-Secure notes in its report (see: Mirai Botnet Code Gets Exploit Refresh).
"Mirai has recently spawned variants that are specifically engineered to infect enterprise IoT devices, such as wireless presentation systems and digital signage TVs," it says. "The expansion to enterprise [devices] allows attackers access to greater bandwidth connections than are available with consumer devices, affording them greater power for DDoS attacks."
Why Attackers Target IoT Devices
Trend Micro's report examines five cybercrime forums that target those whose principal language is Russian, Portuguese, English, Arabic or Spanish.
Researchers say their goal was to see what the cybercrime underground has to say about IoT devices. They found that chatter about IoT devices typically appeared driven by their being cheap and easy to exploit, as well as monetizable. "In general, IoT attacks are not made by professionals trying to subvert IoT infrastructure. Instead, they are made by typical old-time cybercriminals who have evolved into IoT attackers," the researchers say.
Devices discussed on cybercrime forums primarily included routers, webcams and printers, they found. "There were also tutorials on the inner workings of commercial gas pumps, including programmable logic controllers," they write. "PLCs are devices found in factories and other structures with industrial machinery that enable complex equipment to be managed remotely. Along with mere tutorials, we also saw tools for discovering and exploiting online devices, which were again mostly routers and webcams."
Hacked routers often get added to botnets, which provide on-demand computing power that attackers can rent to others, they found. Such botnets often get used for launching DDoS attacks, cryptocurrency mining or distributing malware.
Access to hacked webcams tends to be on a subscription basis as well as thematically organized. "The most prized streams are bedrooms, massage parlors, warehouses and payment desks at retail shops," the researchers write (see: Hey, Webcam User: Cover Up!).
Attackers are also using hacked routers "as exit nodes of a VPN network that criminals sell as a service to other criminals," often advertised as being home or office routers, the researchers say.
Safeguarding IoT Devices
F-Secure's Niemela says his company's research highlights how unpatched IoT devices remain easy prey for automated attacks. So the devices must be factored into every organization's information security policies, practices and procedures - including patch management and defenses. That includes ensuring that no devices get deployed with any default passwords still intact.
"Due to the current massive interest in easy targets for attackers, it is absolutely vital that there are no unpatched devices connected directly to internet," he says. "All IoT devices, copiers and internet-enabled devices need to be put behind an IoT-aware firewall and mobile devices such as phones, tablets and laptops need to have a proper protection installed."