Dark Reading on a new Mirai botnet variant OMG which aims to turn infected IoT devices into proxy servers as a potential method for generating income:
“One way to earn money with proxy servers is to sell the access to these servers to other cybercriminals,” Fortinet said in a blog post this week. Proxies give cybercriminals a way to remain anonymous when carrying out malicious activity like cyber theft, or breaking into systems.
“Adversaries could also spread multiple attacks through a single source. They could get around some types of IP blocking and filtering,” as well, according to a Fortinet spokesperson.
OMG uses an open source tool called 3proxy as its proxy server. For the proxy to work properly, OMG includes two strings containing a command for adding and removing certain firewalls rules so as to allow traffic on two random ports, Fortinet said. OMG also packs most of the functionality of the original Mirai malware, including the ability to look for open ports and kill any processes related to telnet, http, and SSH and to use telnet brute-force logins to spread, Fortinet said.
When installed on a vulnerable IoT device, OMG initiates a connection to a command-and-control server and identifies the system as a new bot. Based on the data message, the C&C server then instructs the bot malware whether to use the infected IoT device as a proxy server or for DDoS attacks – or to terminate the connection.
According to Fortinet, OMG is the first Mirai variant that incorporates both the original DDoS functionality as well as the ability to set up proxy servers on IoT devices.
Attackers are always creating new ways of leveraging their malware toolset. This is a pretty interesting use-case and probably not likely one attractive to most actors. Nonetheless, although a novel use of Mirai, it is just as dangerous as its predecessors and therefore needs to be properly eradicated before it causes any major damage.
Motherboard reports on vulnerabilities discovered in globally used software for controlling gas pumps:
The vulnerabilities would allow an attacker to shut down fuel pumps, hijack credit card payments, and steal card numbers or access backend networks to take control of surveillance cameras and other systems connected to a gas station or convenience store’s network. An attacker could also simply alter fuel prices and steal petrol.
Ido Naor, a senior security researcher with Kaspersky Lab, and Amihai Neiderman, a former researcher with Azimuth Security, discovered the vulnerabilities after the computer screen on a gas pump in Israel crashed one day last June as Naor was filling his tank and exposed a local IP address. The system turned out to belong to an Israeli company named Orpak Systems, which makes fuel-management software. Orpak’s system is used by commercial gas stations in Israel as well as by the military and large corporations to track gas consumption for their fleets of vehicles, to ensure employees and soldiers aren’t siphoning gas from work vehicles to fuel personal ones.
But Orpak, which makes both RFID vehicle-tracking systems and fuel-management systems, doesn’t just sell its systems in Israel; its software is installed in more than 35,000 service stations and 7 million vehicles in 60 countries, according to marketing literature. And last year, Orpak was acquired by Gilbarco Veeder-Root, a large North Carolina-based maker of gas pump and point-of-sale systems for convenience stores in the US and elsewhere.
As the article notes, if stations are networking the pumps because they are geographically separated, there is a strong chance the vulnerable pumps may be located on Shodan.
A new massive IoT botnet dubbed Satori has emerged, which security researchers fear, can launch crippling attacks at any time.
The botnet has reportedly already infected over 280,000 IP addresses in just 12 hours, enslaving hundreds of thousands of home routers by exploiting a recently discovered zero-day vulnerability.
Satori, which reportedly means “Awakening” in Japanese, is actually the infamous Mirai botnet’s successor.
According to a new report by security researchers at Qihoo 360 Netlab, the Satori botnet can propagate rapidly by itself, which essentially makes it an IoT worm.
Dale Drew, chief security strategist at CenturyLink, told ArsTechnica that the Satori botnet has already infected two widely-used types of home routers by exploiting the recently-discovered zero-day flaw.
Qihoo 360 Netlab security researcher Li Fengpei told Bleeping Computer that there are some clues that hint at the possibility of Satori being linked to yet another Mirai-based botnet discovered last month.
Drew reportedly warned that Satori botnet’s operators could launch an Internet-crippling DDoS attack at any time.
DJI, one of the leading manufacturers of consumer and commercial drones sold in the United States, has been accused by US officials of “Providing U.S. critical infrastructure and law enforcement data to the Chinese government.”
DJI notes, for example, that it does not force its customers to upload their flight videos to the company’s servers, and that it has access to only those videos that its customers have actively sent to the firm’s equipment.
While China-based DJI is a dominant player in both the commercial and consumer drone markets in North America, the government accusation focuses on commercial drones – not consumer drones; it is not clear whether that is because the government does not believe DJI is sharing consumer drone data, or because commercial drone data sharing is likely a far bigger national security risk.
The current controversy over DJI comes just months after a similar controversy arose with US government officials accusing cybersecurity product vendor, Kaspersky Lab, of providing data to the Russian government.
The memo notes that “The Chinese government is likely using information acquired from DJI systems as a way to target assets they are planning to purchase. For instance, a large family-owned wine producer in California purchased DJI UAS to survey its vineyards and monitor grape production. Soon afterwards, Chinese companies began purchasing vineyards in the same area. According to the SOI, it appeared the companies were able to use DJI data to their own benefit and profit.”
Bottom line: do not buy anything from DJI ever again.
Mirai, the Internet-of-things malware that turns cameras, routers, and other household devices into potent distributed denial-of-service platforms, may be lying low, but it’s certainly not dead. Last week, researchers identified a new outbreak that infected almost 100,000 devices in a matter of days.
Over a span of 60 hours starting on November 22, the new Mirai strain was able to commandeer almost 100,000 devices.
As the underlying CVE-2016-10401 vulnerability description explains, affected ZyXEL devices by default use the same su, or superuser, password that makes it easier for remote attackers to obtain root access when a non-root account password is known.
The recently discovered Reaper botnet is significant because it doesn’t rely on passwords at all to spread. That raises the specter of outbreaks that infect devices even when owners or service providers have taken the time to change default credentials.
If the addition of two default credentials can recruit almost 100,000 new devices in less than three days, attackers likely have plenty of other ways to take over IoT devices in mass quantities.
IoT security vulnerabilities are going to continue to cause major problems for the Internet until countries enact minimum security baseline requirements. Consider we are expected to have 20 billion IoT devices online by 2020. If we continue to allow IoT manufacturers act like this is the wild west, things are only going to get exponentially worse.
In Japan, telecommunications companies are working to identify infected devices to prevent them from being used in cyber-attacks.
Cyber-attacks often involve IoT equipment, and financial firms are frequent targets.
In one example in Japan, more than 600,000 pieces of IoT equipment were held to ransom.
Hayato Sasaki, an expert at the Japan Computer Emergency Response Team Coordination Center, says Japanese firms are experiencing a global problem.
He says infected IoT equipment has been used in large-scale cyber-attacks overseas, and now Japan is a target. Sasaki urges communication carriers, equipment manufacturers, and the government to work together to strengthen IoT equipment and make it safe.
IoT device manufacturers bear the brunt of this effort. They need to start taking cyber security seriously, and rather than rushing to market, these companies need to take time to implement strong security in their IoT solutions.
I highly doubt that will happen unless the government steps in to mandate a baseline set of IoT security standards.
This isn’t just speculation: IoT devices enabled two widely publicized DDoS attacks in October, one that took out the internet across the United States and another that disabled the website of security researcher Brian Krebs. The Krebs attack infiltrated an estimated 145,000 IoT devices, mainly security cameras and DVRs.
BITAG recommends a handful of security standards for IoT devices, including timely, automated and secure software updates, password protection, and increased testing of customization options. The group also suggests implementing encryption best practices, plus the ability for these devices, particularly home alarm systems, to function if internet connectivity or the cloud fails. BITAG even wants to establish an industry cybersecurity program that includes a seal for certified “secure” devices.
The Defense Advanced Research Projects Agency in 2011 launched a program to help make “the code behind the physical control systems of an airplane or self-driving car,” for instance, “become mathematically, provably unhackable,” Carter said at a future technology forum hosted by the agency.
“DARPA’s already made some of that source code openly available online – it can give the Internet of Things a critical foundation of cybersecurity, which it’s going to need,” he said.
By 2020 there will be 250 million Internet-connected vehicles on the road, according to Gartner. A Wired journalist a few months ago had private researchers remotely kill the transmission of a Jeep on a St. Louis highway — while he was sitting in the driver’s seat.
The hack would allow someone to remotely administer a fatal drug dose to patients.
Although the video demonstration, conducted at the Blackberry Security Summit in New York, doesn’t identify the model and brand of the pump being attack, security researcher Billy Rios says it’s the Lifecare PCA drug infusion pump made by Hospira, an Illinois-based firm with more than 400,000 intravenous drug pumps installed in hospitals around the world.
Rios knows this because the demonstration is using vulnerabilities he uncovered in several models of drug infusion pumps made by Hospira—the PCA, PCA3, PCA5, Symbiq, Plum A+, and the Plum A+3.
The framework calls for IoT makers to have the ability to fix bugs quickly and reliably via remote updates or other notifications to consumers — or even device replacement, if needed. And that item comes with this caveat: “It is recognized that some embedded devices’ current design may not have this capability and it is recommended such update/upgradability capabilities be clarified to the consumer in advance of purchase.”
Time is another factor with IoT devices. Networked thermostats, garage-door openers, and other in-home devices change hands when the house does, but the former residents could still have access. And what happens after a warranty expires on smart device and there’s a breach, Spiezle says.
“We talk about not just security, privacy, and disclosure of the data that’s collected, but also the lifecycle issues. How do they support [these devices] over time and beyond the warranty,” he says.
The working group plans to finalize a formal IoT framework — which includes some 22 minimum requirements plus a dozen optional additional measures — and program around mid-November, after gathering input from Congress, the White House, Federal Trade Commission, and other entities.
Interestingly, Intel, a company championing IoT, was absent from this working group.
This is the one of the most dramatic demonstrations to date of the cybersecurity challenges that will accompany the growth of the Internet of Things (IoT). And, it offers an opportunity to make some broader observations about the changing landscape of cybersecurity as systems become increasingly connected and decentralized.
Here are five takeaways on the Security of Things (SoT) that designers—as well as companies building products for the cybersecurity market—should keep in mind as they build increasingly complex and connected systems:
1. Connectivity has outpaced security
In the rush to increase connectivity, manufacturers—and not just vehicle manufacturers –are often giving insufficient attention to the additional security exposures created when complex systems become increasingly linked. More connections mean more pathways and back doors that could be exploited by a hacker—especially when a system’s own designers may not be aware that those pathways and back doors even exist. To address this, designers need better tools to enable them to fully understand all of the ways that information will be able to move around a complex, dynamic, distributed system.
This is just one of the five, with all being well thought out. Internet of Things vendors need to consider a lot to keep the world safe in the coming era where device connectivity will be a requirement rather than a feature. As IoT overtakes traditional computing, the attack surface is going to increase exponentially, whereby every device – such as your refrigerator, toaster, washing machine, etc. – becomes a potential vulnerability waiting to be exploited by malicious actors.
“Vulnerable versions of Vera and Wink could be attacked through HTTP requests,” Young added. “These requests may come from a malicious web page (as demonstrated at IID on the Vera), a phone app on the LAN, or a malicious user on the LAN directly connecting to the vulnerable device. In the case of Vera, the attacker can directly supply commands to run on the Vera’s embedded operating system. In the case of Wink, the attacker would inject SQL commands to trick SQLite into creating a PHP script on the device. A subsequent request can then trigger execution of the PHP code with root permissions.”
The SmartThings hub had the least serious vulnerability as it was vulnerable to improper certificate validation. The holes in both SmartThings and Wink were patched, but that means the user must apply the patches. In the case of SmartThings, a mandatory update was pushed out in February. A spokesperson said, “Any inactive hub that was not updated, cannot connect to the SmartThings service and is automatically redirected to an update server.”
As the Internet of Things evolves over the course of the next few years, expect to see a lot more vulnerabilities exposed as the manufacturers creating these devices are not including security in the design stages of their products. IoT increases the cyber attack surface and will be a huge platform malicious actors – likely cyber criminals – will attempt to leverage to gain access to private data for nefarious purposes.
Most breaches will target existing information technology and network infrastructure, the U.K. research and analytics firm said. While attacks on mobile devices and the Internet of Things are being reported at an increasing rate, the number of infected devices is minimal compared to more traditional computing devices.
“Currently, we aren’t seeing much dangerous mobile or IoT malware because it’s not profitable,” the report’s author James Moar said in a news release. “The kind of threats we will see on these devices will be either ransomware, with consumers’ devices locked down until they pay the hackers to use their devices, or as part of botnets, where processing power is harnessed as part of a more lucrative hack.”
“With the absence of a direct payout from IoT hacks, there is little motive for criminals to develop the required tools,” he added.
There currently is not a strong financial motive for criminals to attack the Internet of Things – aka IoT – but that does not mean one will exist in the future. We, as an industry, need to get out in front of this quickly before that motivation is found.
A report issued today by the US Department for Homeland Security says that in 2014 the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) responded to 245 incidents reported by asset owners and industry partners.
The energy sector, says Jeremy Cowan, led all others again in 2014 with 79 reported incidents, followed by manufacturing at 65 and worryingly healthcare at 15 reported incidents. ICS-CERT’s continuing partnership with the Energy sector reportedly provides many opportunities to share information and collaborate on incident response efforts.