Move over Mirai and Persirai, there is a new IoT botnet in town – The IoT Reaper. This isn’t some Halloween prank, the IoT Reaper (also known as IoTroop) is “recruiting” IoT devices at an alarming pace and could potentially cause more damage than Mirai.
This botnet was recently discovered and reported by several cybersecurity research organizations (Check Point Research, Netlab 360). According to these organizations, thousands of IoT devices have already been infected and millions more are vulnerable and in the line of fire. Common IoT devices such as cameras, routers and NAS (network attached storage) carry a variety of vulnerabilities ripe for IoT Reaper. Some lack basic hygiene, such as telnet exposed with no password, while others are susceptible to web application vulnerabilities such as directory traversal and parameter tampering in their management interfaces.
Unlike Mirai, IoT Reaper does not rely on password guessing and brute-force techniques alone. Instead, it focuses on exploiting known vulnerabilities in IoT device firmware. Once a device is compromised, it fuels the growth of the botnet by scanning local and public networks for the same set of known vulnerabilities in order to infect additional devices. In many cases the infected device also opens a reverse shell tunnel outbound to the botnet command and control; because the connection is initiated from inside the network, it passes firewalls and other controls that only filter inbound traffic.
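Both propagation behaviours described above, a device sweeping its neighbours on management ports and a device opening an outbound session to a host on the Internet, leave a footprint in ordinary flow or firewall logs. The following Python is an added example and is not code from the original post or from Forescout: the log line format, the IoT subnet, the management-port set and the fan-out threshold are assumptions chosen for illustration, and the sample log is constructed rather than captured.

```python
"""Flag worm-like fan-out and suspicious outbound sessions from an IoT subnet.

Added example (not Forescout/CounterACT code). Everything below that looks
site-specific is an assumption: adjust IOT_NET, INTERNAL_NETS, MGMT_PORTS and
FANOUT_THRESHOLD to your own environment.
"""
import ipaddress
from collections import defaultdict

# Assumed values, not from the original post.
IOT_NET = ipaddress.ip_network("10.20.0.0/24")          # the IoT trust zone
INTERNAL_NETS = [ipaddress.ip_network(n) for n in       # RFC 1918 space
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MGMT_PORTS = {23, 80, 81, 443, 8080, 8443}              # typical device management ports
FANOUT_THRESHOLD = 20                                   # distinct targets before we alert


def parse_flow(line):
    """Parse an assumed '<ts> <src> <dst> <dport> <proto>' line; None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return {
            "ts": int(parts[0]),
            "src": ipaddress.ip_address(parts[1]),
            "dst": ipaddress.ip_address(parts[2]),
            "dport": int(parts[3]),
            "proto": parts[4].lower(),
        }
    except ValueError:
        return None


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def find_fanout(flows, threshold=FANOUT_THRESHOLD):
    """IoT-zone sources that touched >= threshold distinct hosts on management
    ports: the fingerprint of a compromised device hunting for its next
    victim rather than talking to its recorder or controller."""
    targets = defaultdict(set)
    for f in flows:
        if f["src"] in IOT_NET and f["dport"] in MGMT_PORTS:
            targets[f["src"]].add(f["dst"])
    return {str(src): len(dsts) for src, dsts in targets.items()
            if len(dsts) >= threshold}


def find_external_sessions(flows):
    """IoT-zone sources opening connections to non-RFC1918 addresses. In a
    zone that is supposed to be firewalled from the Internet, any such session
    (a reverse shell to a C2 host included) deserves a look."""
    seen = set()
    for f in flows:
        if f["src"] in IOT_NET and not is_internal(f["dst"]):
            seen.add((str(f["src"]), str(f["dst"]), f["dport"]))
    return sorted(seen)


def analyze(lines):
    flows = [f for f in (parse_flow(l) for l in lines) if f]
    return {"fanout": find_fanout(flows),
            "external": find_external_sessions(flows)}


def build_sample_log():
    """Constructed sample log (not captured traffic): one camera sweeping the
    subnet and then calling out, one camera behaving normally, one junk line."""
    ts = 1508900000
    lines = []
    # 10.20.0.15 probes 25 neighbours on port 80, then one more on telnet ...
    for i in range(1, 26):
        lines.append(f"{ts + i} 10.20.0.15 10.20.0.{100 + i} 80 tcp")
    lines.append(f"{ts + 30} 10.20.0.15 10.20.0.130 23 tcp")
    # ... and opens a session to a public host on an unusual port.
    lines.append(f"{ts + 31} 10.20.0.15 203.0.113.5 4444 tcp")
    # 10.20.0.7 only streams RTSP to the recorder at 10.20.0.250.
    for i in range(5):
        lines.append(f"{ts + 40 + i} 10.20.0.7 10.20.0.250 554 tcp")
    lines.append("garbage line that should be skipped")
    return lines


if __name__ == "__main__":
    print(analyze(build_sample_log()))
```

On the constructed log the sweep from 10.20.0.15 (26 distinct targets on management ports) and its single session to 203.0.113.5:4444 are reported, while the camera that only talks RTSP to its recorder stays quiet. Tune the threshold to the fan-out your devices legitimately produce (discovery protocols and firmware update checks can touch several hosts), and feed the external-session list to whatever enforces the segmentation policy for that zone.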
While it’s early to assess the intentions of the threat actors behind this botnet, it is vital that organizations put in place appropriate risk mitigation and defense mechanisms before an attack strikes.
Risk Mitigation Strategies: Guidance for Forescout customers
- Inventory your IoT devices to gain a better understanding of your risk exposure. Forescout CounterACT® can help discover and classify your IoT devices by function, operating system, type, vendor and several other attributes. The latest CounterACT release takes our classification capabilities one step further and includes over 1,000 out-of-the-box device profiles. If you haven’t tried the new classification engine and taxonomy yet, consider upgrading to the latest CounterACT service pack.
- Forescout customers can also leverage the latest CounterACT Security Policy Templates to identify vulnerable IoT devices. These policies use CounterACT’s agentless assessment capabilities to detect Indicators of Risk and Indicators of Vulnerabilities that are being targeted by IoT Reaper. Forescout will continue monitoring the attack lifecycle and provide updated policy templates, if needed, as attack methods and exploits morph.
- Patch. Patch. Patch. Prioritize your patching efforts based on the IoT classification and risk assessment information from CounterACT. Firmware upgrades and patches are available from vendors of several impacted devices. For a list of impacted devices and associated CVEs (Common Vulnerabilities and Exposures), refer to Forescout knowledge base article 4856 (available for Forescout customers).
- Change default passwords to long, unique passwords (a mix of letters, digits and special characters) that resist brute-force attacks. This can often be done during the patch/update process. Note that this blocks credential guessing of the Mirai kind; it does not stop IoT Reaper from exploiting an unpatched vulnerability, so treat it as a complement to patching rather than a substitute.
- Unless Internet exposure is essential, ensure that these IoT devices are firewalled from inbound public Internet access, and restrict their outbound traffic as well, since a compromised device reaches its command and control through a connection it opens itself. Follow vendor guidance on secure deployment and hardened configurations; disable unneeded features, ports and services to reduce your attack surface.
- Use CounterACT to implement network segmentation policies and place IoT devices in separate trust zones. Ensure devices have access only to the resources they need, so that a compromised device cannot scan and infect the rest of the network.
Forescout will continue monitoring the threat landscape and provide further updates as needed.