For some time threat actors who create Internet of Things-based botnets have been relying on brute force attacks to take control of and build chains of devices for delivering malware or distributed denial of service attacks.
But according to a report out today from Netscout, as more secure IoT devices are being installed, hackers are also adding a new takeover strategy: exploiting vulnerabilities in the devices.
“In November our honeypot observed several older IoT vulnerabilities being used as a means to deliver malware,” say researchers in a blog. “Our data indicates it takes less than one day before a new IoT device is hit with exploitation attempts against known vulnerabilities.”
By comparison, it can take as little as five minutes after an IoT device is connected to the Internet before it is subjected to brute force login attempts using default IoT credentials. Still, vulnerability attacks can pay off because of the difficulties and slow cadence of patching IoT devices.
One factor that helps attackers is that IoT devices often sit on a distributor’s shelf for a while before being sold and installed on a network, say researchers. If a security update is released for the device, it won’t be applied until the patch team updates it, assuming it is updated.
As evidence, the blog notes that in November its honeypot detected a number of attempts to exploit older IoT vulnerabilities to deliver variants of the Mirai botnet to devices.
“As the rate of patching IoT devices is done at a glacial pace, these older vulnerabilities are still leveraged by IoT botnets due to their level of success,” say researchers. “The continued use of these tried and true vulnerabilities highlights ‘what is old is new’ when it comes to IoT botnets.”
Due to the sheer number of IoT devices connected to the internet, finding vulnerable devices is easy and quick. Add to the mix the large delta of when a vulnerable device is “turned on” and when updates for security vulnerabilities are applied, and attackers can quickly amass large botnets. In most cases these botnets are immediately conscripted into a DDoS army. It doesn’t take a significant amount of effort to create a large IoT botnet and create havoc, as we saw with the DDoS attacks conducted by Mirai in 2016.