Attackers increasingly exploiting vulnerabilities to enlarge their IoT botnets

Attackers looking to add IoT devices to their botnets are increasingly adding vulnerability exploitation to their attack arsenal, Netscout researchers warn.

Instead on just relying on a list of common or default passwords or brute-forcing attacks, they are taking advantage of the fact that IoT devices are rarely updated and manufacturers take a lot of time to push out fixes for known flaws.

Currently under exploitation

In November 2018, the company detected many exploitation attempts of these four bugs:

• CVE-2014-8361, a RCE that affects the miniigd SOAP service in Realtek SDK, publicly disclosed in April of 2015
• CVE-2015-2051, a RCE affecting D-Link DIR-645 Wired/Wireless Router Rev. Ax with firmware 1.04b12 and earlier
• CVE-2017-17215, a vulnerability in Huawei’s HG532e home gateway disclosed and patched in December 2017. (A proof of concept for it was published on exploit-db the same month.)
• CVE-2018-10561, a authentication bypass flaw affecting Dasan GPON home routers.

The vulnerabilities are being exploited by various attackers to deliver several Mirai variants (e.g., Satori, JenX, etc.).

Old and new vulnerabilities

“IoT devices sooner or later get patched, but not at the same rate nor priority which we see with operating systems. This makes the longevity and usefulness of IoT based vulnerabilities much longer and very attractive to botnet authors,” they shared.

Based on the data collected through their honeypot, it takes less than one day before a newly set up IoT device is hit with vulnerability exploitation attempts, and less then 5 minutes before login attempts using default IoT credentials are directed at it.

They’ve also noticed that there is a quick turnaround time from when a vulnerability is made public to when botnet authors integrate them into their botnet.

“We see a mixture of new and older IoT related vulnerabilities against out honeypots in a constant stream,” they shared, and explained that there are two main reasons why they still see exploitation attempts of older IoT vulnerabilities.

“First, IoT devices can sit on a shelf for weeks on end before being purchased. If a security update is released for the device, it won’t be applied to these devices until the software is updated. Thus, leaving the device vulnerable out of the box. Due to this, when an IoT device is plugged in, it can be exploited quickly,” they pointed out.

Secondly, IoT devices receive patches at a very slow rate.

“These devices are thought of as ‘set and forget’ type of devices. When’s the last time you updated your IP camera or cable modem?” the researchers pointed out.

They predict that the the trend of IoT vulnerability exploitation will continue in the coming year, as it’s easy to update botnet source code to add new exploits.

“Due to the sheer number of IoT devices connected to the internet, finding vulnerable devices is easy and quick. Add to the mix the large delta of when a vulnerable device is ‘turned on’ and when updates for security vulnerabilities are applied, and attackers can quickly amass large botnets,” they added.