On the heels of severe distributed denial of service (DDoS) attacks, we see new botnets emerging that are powered by the Internet of Things (IoT). There are already hundreds of such botnets in the underground hacking ecosystem, from which services, code, and specific attacks can be purchased or acquired. New botnets are being developed to meet the growing demand and to circumvent anticipated security controls.
The latest IoT botnet
Researchers have spotted the new IoT botnet Linux/IRCTelnet. In just five days, it infected 3,500 devices and features an old-school adaptation: using Internet relay chat (IRC) as the control structure. IRC is a very old technology based upon the original chat boards (before the World Wide Web). A decade ago many of the first botnets used IRC. It is not particularly difficult for security software to combat, and thus represents a curious choice by the attackers, whom I assume are not top tier (certainly not at the level of nation-states).
Linux/IRCTelnet is not based upon the popular Mirai IoT DDoS botnet software, but rather on Aidra code. Linux/IRCTelnet does, however, leverage the default passwords of IoT devices to gain control. It is the easiest path at the moment. Attackers will find other entries once that door closes, so do not imagine we can “solve” IoT security with the elimination of default passwords. It is just one chess move in a long game we are begrudgingly forced to play. Although this Linux bot is still new and small, it could hold the potential for more directed attacks and highlights how malware writers are working to differentiate their attack code.
More targets will arise
We already see a broad range of telecommunications, political, business, Internet infrastructure, and social sites being targeted. The latest is an attack against the national Internet access of Liberia. Access to the web has been spotty for customers, with attackers at times pushing more than 600Gb/second of data to choke the network. Most access is provided by the African Coast to Europe undersea cable, and these attacks could affect many other nations in West Africa that rely on this data pipeline.
What comes next?
Expect more entry-level botnets, many of which will eventually be supplanted by more professional malware. Thus far, most of the IoT botnets have been basic. This will change as more professional and well-funded players emerge.
Look for sophisticated attackers to do the following when they enter the fray:
- Patch or change the passwords of the victims’ IoT devices after infection, so others cannot take over their prey.
- Set up more sophisticated and concealed control structures to make it more difficult to track bot herders or interfere with their commands.
- Implement encrypted communications to the end nodes to conceal instructions, updates, and new targeting instructions.
- Begin exploiting vulnerabilities in real-time or standard operating systems on high-end devices to gain more functionality and persistence.
- Begin siphoning data from IoT devices, which can be valuable for many purposes, including extending attacks further into homes, businesses, and governments.
I predict the next phase of attacks on availability will begin right around the time the industry effectively addresses the default-password weaknesses. Then we’ll see confidentiality attacks, followed by integrity compromises. Brace for a long fight because IoT devices are highly coveted by attackers. This competition will be a major challenge.