What is an IoT Botnet?

Articles about unique bots and botnets occasionally break to the surface of the security news ocean.  Last week was one example, when a discovery by Bitdefender of the existence of “dark_nexus” was covered by Arstechnica, ZDNet and others.  This particular botnet is notable because it enslaves an unusually large and diverse group of unmanaged IoT devices (it was compiled for 12 different CPU architectures) and maintains persistence even after reboots.  Its IoT victims include routers from a range of manufacturers (Dasan Zhone, Dlink, ASUS) as well as video recorders and thermal cameras.

Earlier examples include the botnets formed by the “itsoknoprobblembro” malware that were used in attacks on US financial institutions in 2013.  Perhaps the most famous botnet to grab headlines is Mirai, the source code for which was used in the 2016 attack on Dyn that took out large swaths of the internet in the USA and beyond. The articles last week warn that dark-nexus could be a larger and more powerful IoT botnet than Mirai.

So what is a botnet?  Generally speaking, a botnet is a group of devices that have been compromised in some way, networked with each other, and then either used by their “commanders” or sold/rented on the darkweb to other threat actors in order to perpetrate various nefarious attacks.  Probably the most common attacks for which botnets are used are Distributed Denial of Service (or DDoS) attacks.  Other common uses for botnets are cryptomining and credential stuffing attacks.  DDoS attacks are simply campaigns that attempt to take websites offline by overwhelming them with more “hits” or http requests than the web server can handle.  The word “distributed” refers to the fact that the requests come from every corner of the internet as opposed to a single IoT device, desktop, or server.

The earliest DDoS attacks were typically waged by chaotic actors who simply coordinated with each other over message boards — they were distributed, but there were still humans behind each of the PCs or servers launching hits on webservers.  The attacks were launched mostly for fun or for some sort of political or cultural “cause.”   Later DDoS attacks, however, were almost exclusively powered by botnets.  The attacks on US banks in 2013, for example, were largely launched by “Command and Control” or CC servers that had enslaved thousands of servers in server farms worldwide, which made them an order of magnitude larger and more powerful than previous attacks — and thus, much more dangerous.

The Mirai attacks were in turn another order or magnitude larger than the 2013 attacks, because instead of enslaving servers they enslaved tens of thousands of IoT devices such as routers and CCTV cameras.  This set a disturbing precedent, as IoT devices are increasingly ubiquitous because they offer enterprises the ability to generate new sources of revenue, improve productivity, and lower costs.  IoT botnets, as last week’s headlines showed, are also inevitably ubiquitous.  And as mentioned above they are not used only for DDoS attacks.  There are actually very few limits on what threat actors can and will use IoT botnets for as they become more and more available.

Months before Mirai, CyberX’s threat intelligence team (Section 52) discovered the Radiation botnet. Targeting surveillance cameras commonly used in corporate and industrial environments, the Radiation malware was much more sophisticated than Mirai because it exploited a zero-day vulnerability in IoT devices rather than open ports and default credentials, as Mirai did. CyberX identified 25,000 Internet-accessible devices compromised by Radiation, and found that cybercriminals were using this massive botnet army to deliver DDOS-for-Hire services.

The Mirai attacks served as a wake up call for anyone running security in enterprise or industrial environments because security practitioners don’t want their IT or IoT networks to be unwilling participants or contributors to attacks that take any networks or servers offline, particularly those controlling critical infrastructure, banks, or the internet itself.  The challenge, particularly in the case of IoT devices and networks, is that IoT devices themselves are hard to protect because they cannot run agents, often use default passwords, are usually impossible to patch — and are invisible to IT.  The discovery of dark-nexus, therefore, is yet another wake up call — an espresso shot — for the good guys who were already awakened by Mirai.

What to do?  The solution is not an easy one and can often feel like playing a game of “whack a mole.” Fighting the botnets takes time, persistence, and fortitude.  But the fight, generally speaking, involves the following:

First, discover and classify all of the IoT devices on your network (assuming you have already done so for your IT devices).

Second, rank and mitigate the vulnerabilities in your IoT devices and networks, such as via patching and changing weak or default credentials  In the case of dark_nexus, for example, the attackers leveraged Telnet credential stuffing and known exploits to compromise IoT devices.

Third, segment IoT devices from other networks to make it more difficult for attackers to move laterally within your corporate networks.

Fourth, continuously monitor the traffic between those devices so that you can identify when and if they are behaving badly.

Finally, take action to stop devices that are doing bad things, such as automatically quarantining them whenever your monitoring solution detects they’ve been compromised.

Last week’s headlines are proof that threat actors will continue to target IoT networks. If you’re looking for some more specific guidance on how to protect your IoT devices and networks from threats — including botnets like dark_nexus — check out our Enterprise IoT Buyer’s Guide, which summarizes the risks posed by unmanaged IoT devices and outlines the key capabilities you need to build an effective IoT security posture.