Check Point uncovers IoT botnet bigger than Mirai

New gangs surreptitiously putting together IoT botnet similar to 2016's Mirai malware

Researchers at Check Point Software claim to have discovered an Internet of Things (IoT) botnet that they say is even bigger than Mirai.

The botnet has already knitted together more than one million devices worldwide, compromising poorly secured connected devices, particularly IP wireless cameras and CCTV digital video recorders.

Called IoT_reaper, the botnet is similar to the Mirai botnet from 2016, which was responsible for a number of denial of service attacks last year.

IoT botnets are networks of internet-enabled devices infected with malware and controllable from remote locations. According to the researchers, this botnet is an "entirely new and far more sophisticated campaign" compared to Mirai, and is expanding fast across the internet.

Originally discovered by Check Point in September, the botnet is exploiting vulnerabilities found in webcams, including devices offered by GoAhead, D-Link, TP-Link, AVTech, Netgear, MikroTik, Linksys, Synology and others.

Although the culprits are currently unknown, the researchers suggested that the attempted attacks come from a plethora of sources and IoT devices.

"Creating networks of infected devices is not a quick task for an attacker. In order to establish an effective Botnet, the attacker needs to be able to control a vast number of devices," the company wrote in a blog post.

It continued: "As sending the malicious code to each device individually would be a large and time-consuming task, it is much easier to have each infected device spreading the malicious code to other similar devices themselves.

"This method of attack is considered a propagation attack, and is essential in quickly creating a large network of controlled devices. Our research began at the end of September 2017 after [we noticed] an increase in attempts to penetrate our IoT IPS [intrusion prevention system] protections."

Cyber security specialists at Netlab have also been investigating this botnet. They claim that while the botnet borrows code from Mirai, it doesn't crack passwords. Instead, it exploits known IoT device vulnerabilities.

While IoT_reaper is still only in its early stages, it's fairly well-established, and Netlab has been tracking multiple command-and-control sources.

Mark Hearn, director of IoT security at digital platform security firm Irdeto, believes that the botnet is targeting popular (and cheap) internet-connected cameras.

"The discovery of a botnet bigger and potentially more dangerous than Mirai is alarming news for businesses and consumers around the globe. This discovery again shows the security weaknesses in IoT devices that can be harnessed by attackers for potentially devastating effects.

"The increased connectivity of IoT devices and ecosystems brings a much greater security risk that is being exposed time and time again. However, while organisations recognise the importance of this connectivity to meet consumer demand and maintain a competitive edge, today's connected world also assists in how botnets like this spread. With the cross-contamination of connected devices, threats easily cross boundaries of the connected home, the connected building, mobile devices and the enterprise. Gone are the days where protecting devices inside corporate walls is enough. As a result, security strategists need to think differently, factoring in the full IoT threat landscape and thinking like a hacker.

"To combat these threats, organisations must implement a multi-layered cybersecurity strategy that disrupts a hacker's business model, making it difficult to reverse engineer or tamper with software and exploit vulnerabilities introduced through connected devices. By creating a Secure Environment, organisations prevent changes to security software that may be exploited in cases like this. Even when a pre-existing vulnerability, like the backdoor account exploited here, allows a hacker to gain access to the device, they will not be able to put in place an effective attack. Any tampering will be detected and either blocked or automatically repaired."
