For the past few years, IoT botnets have set new standards in DDoS attacks. From the notorious Mirai incident in September 2016 that broke the US Internet to GitHub's record-breaking 1.3 Tbps attack in 2018, cyber-criminals have been constantly trying to outdo themselves, and vulnerable devices in the Internet of Things are surely lending a helping hand. The role of Internet of Things (IoT) botnets in distributed denial-of-service (DDoS) attacks has been increasing steadily in the past few years.
Botnets have been an issue for a very long time, and they are continually evolving. As the IoT ecosystem becomes more complex, threat actors use the new technologies and platforms for their nefarious purposes.
Unfortunately for the IoT industry, some of the companies building these devices keep making the same mistakes, ignoring security and proper software development practices. In 2019, the number of active IoT devices reached 26 billion, and by 2025 that number is expected to reach 75 billion. That is a nearly three-fold increase, which means only one thing for hackers: more vulnerable endpoints ready to be taken over and used in DDoS attacks.
One of the latest examples of such a botnet is called dark_nexus, and it was discovered by Bitdefender. It's designed with a sole purpose: to offer regular users and sophisticated bad actors alike a platform to launch attacks all over the world with minimal effort.
DDoS attacks have been taking place for some 25 years, and the problem has been growing steadily. While the goals of the early attackers were not necessarily malicious -- they were just doing it because they could -- the practice of DDoS-ing companies and services morphed into a lucrative business usually run by criminals.
The first attacks used zombie PCs, which were basically infected PCs that redirected, and sometimes amplified, traffic when the master sent them commands. Modern PCs are a little more challenging to infect and control, but zombies still exist. The exponential increase in the number of IoT devices gave attackers a new vector and a new platform to control.
In 2018, there were an estimated 20 billion IoT devices deployed in the world, and that number is expected to jump to about 50 billion by 2030. That means that IoT botnets will only get larger and more powerful.
Security in IoT
If there's one thing everyone agrees on when it comes to IoT devices, it's that security is lacking, and that's a generous description. One of the biggest issues is market fragmentation, with numerous platforms and architectures readily available to any company that wants to make a new IoT device. Unfortunately, that means security is an afterthought.
Most of the time, companies choose to focus on design, marketing, and pretty much everything else before security. Even after products reach the market, the makers of some IoT devices don't provide support, don't implement patches to fix vulnerabilities, or simply abandon them entirely.
While this is not necessarily common practice, it's still widespread enough to give criminals access to vulnerable platforms that can be integrated into a botnet and used in DDoS attacks. And with billions upon billions of devices running at any given moment, there's never a shortage of victims.
dark_nexus is evolving with the market
The dark_nexus IoT botnet is the newest one discovered by Bitdefender, and it certainly won't be the last. But it also shows that the business model governing the malware used to infect devices is changing along with the market. The incentive is, of course, financial: botnets are either rented to interested parties or the source code for the malware used to control IoT devices is sold for a profit.
Like most software, its makers need to keep updating it to stay ahead of the curve and to keep it relevant. Each new generation of devices comes with new hardware, fixes some security problems, or adds new functionality, so the attackers have to adapt quickly.
A telltale sign that dark_nexus is really profitable is that it's continuously upgraded, with over 30 versions in the last three months. That constant upgrading is also one of its strengths, along with a feature that gives the botnet a set of prerequisites to ensure growth.
Most IoT devices run their apps exclusively in RAM, and any changes made to the operating system don't survive a reboot. When a bot-master looks for devices that can be compromised, it connects to the device and issues reboot commands so that other bots already running on the device are automatically removed by the reboot. dark_nexus tries really hard not to end up in the same position: it uses a scoring system that grades the existing processes and decides which ones to kill and which to keep, adding the keepers to a whitelist, so that competitors won't be able to reboot the system.
And if you're asking yourself how this thing spreads, the answer is actually disturbingly simple. It scans IP ranges and uses a technique called credential stuffing on the Telnet service, which means it tries user names and passwords from an existing list until something works. This is possible because users sometimes don't change the default login credentials (or are not allowed to), or the Telnet ports are not closed when they are not in use.
Bitdefender found out about dark_nexus by using honeypots, systems specifically set up to let botnets infect them. Honeypots are also a way to assess what the malware is doing and how it reports back to the Command & Control center (C&C).
Brute forcing the Telnet protocol is a technique that has been in use for a long time, and for good reason -- it works. In the first half of 2019, Bitdefender's honeypot telemetry showed that attackers compromised the Telnet port more than 7.73 million times. The other part of the equation is the human element: those compromised IoT devices were instructed by C&C servers to perform over 196,000 attacks on various infrastructures and services, against Amazon, Comcast, and even Microsoft.
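The credential-stuffing pattern described above (one source trying many user names in a short burst, then logging in) is easy to pick out of honeypot authentication logs. The following detector is an added example and is not Bitdefender's honeypot code; the `telnet src=... user=... result=...` log format and the sample lines are constructed for this illustration. It keeps a sliding window of failures per source, raises one alert when a source crosses the failure threshold, and raises a second alert if a login success follows that burst. A slow trickle of attempts outside the window (the second source below) does not trigger it.

```python
"""Flag Telnet credential-stuffing bursts and subsequent takeovers in honeypot auth logs."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical honeypot log format (not a real product's format).
SAMPLE_LOG = """\
2020-04-08T10:15:01Z telnet src=203.0.113.7 user=admin result=FAIL
2020-04-08T10:15:02Z telnet src=203.0.113.7 user=root result=FAIL
2020-04-08T10:15:02Z telnet src=203.0.113.7 user=support result=FAIL
2020-04-08T10:15:03Z telnet src=203.0.113.7 user=user result=FAIL
2020-04-08T10:15:04Z telnet src=203.0.113.7 user=admin result=FAIL
2020-04-08T10:15:05Z telnet src=203.0.113.7 user=root result=SUCCESS
2020-04-08T10:20:00Z telnet src=198.51.100.9 user=admin result=FAIL
2020-04-08T10:31:00Z telnet src=198.51.100.9 user=admin result=SUCCESS
"""


@dataclass
class Attempt:
    ts: datetime
    src: str
    user: str
    ok: bool


def parse_line(line):
    """Parse one log line into an Attempt; return None for lines we don't understand."""
    fields = line.split()
    if len(fields) < 5 or fields[1] != "telnet":
        return None
    ts = datetime.strptime(fields[0], "%Y-%m-%dT%H:%M:%SZ")
    kv = dict(f.split("=", 1) for f in fields[2:])
    return Attempt(ts, kv["src"], kv["user"], kv["result"] == "SUCCESS")


def detect(log_text, window=timedelta(minutes=1), fail_threshold=5):
    """Return alerts as tuples: one CREDENTIAL_STUFFING alert per source whose
    failures inside `window` reach `fail_threshold`, and one
    TAKEOVER_AFTER_STUFFING alert per login success that follows such a burst."""
    attempts = [a for a in (parse_line(l) for l in log_text.splitlines()) if a]
    attempts.sort(key=lambda a: a.ts)
    recent_fails = defaultdict(list)  # src -> timestamps of failures still inside the window
    stuffing = set()                  # sources already flagged
    alerts = []
    for a in attempts:
        fails = recent_fails[a.src]
        # drop failures that have fallen out of the sliding window
        while fails and a.ts - fails[0] > window:
            fails.pop(0)
        if a.ok:
            if a.src in stuffing:
                alerts.append(("TAKEOVER_AFTER_STUFFING", a.src, a.user))
            continue
        fails.append(a.ts)
        if len(fails) >= fail_threshold and a.src not in stuffing:
            stuffing.add(a.src)
            alerts.append(("CREDENTIAL_STUFFING", a.src, len(fails)))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On a production honeypot the thresholds should be tuned to the observed attempt rate, and the second alert type is the one worth paging on: it marks the moment an account on the decoy was actually taken over, which is when the C&C check-in traffic described in the article begins.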
After an IoT device is compromised, it tries to disguise the traffic as innocuous browser chit-chat. Of course, detecting such activity inside the network requires special tools and software.
The botnet has been traced back to greek.Helios, a known botmaster that's been in the DDoS business for a long time. dark_nexus is even promoted online for as little as 15 GBP/month (approximately $18.51) for 2,500 seconds of boot time, ranging up to 80 GBP ($98.71) per month.
Recent research identified an interesting trend in DDoS attacks, with smaller-scale operations accounting for more than 50% of all attacks worldwide. They are mostly directed at the gaming industry in an attempt to disrupt online matches.
Of course, other industries can still be a target. In 2016, an IoT botnet attack in the United States disrupted the Internet and took several Fortune 500 companies offline. It was impossible to estimate the losses suffered in that single incident. And that was four years ago. A similar attack today would have many more IoT devices at hand.
Nipping problems in the bud
The security of IoT endpoints can be tackled from two directions, and they're not mutually exclusive. Despite the lack of cohesion in security solutions embedded directly in the IoT hardware, it's possible to protect networks by using specially designed technologies.
For example, a smart router running a home network security solution like the Bitdefender IoT Security Platform could detect anomalous behavior specific to DDoS attacks inside the network it controls, then stop it. Some security solutions would even give users details about vulnerable devices that need to be patched. This lets owners know that a device they paid for is no longer under their control, and lets them take action. But the range of actions available to the user is often limited to rebooting the device, changing the credentials, or replacing the equipment entirely, none of which is a useful or elegant solution.
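One way a gateway can spot "anomalous behavior specific to DDoS attacks" is to compare each LAN device's outbound traffic with its own recent baseline. The heuristic below is an added example, not the Bitdefender IoT Security Platform's logic; the flow-summary records (window index, device, destination, packets, bytes) are constructed, and the thresholds are assumptions. A device is flagged only when its packet count jumps far above its own baseline and the packets are tiny, which is what flood traffic looks like; a laptop doing a large upload produces a spike of full-size packets and is left alone.

```python
"""Gateway-side heuristic for spotting a LAN device that has started flooding a target."""
from collections import defaultdict
from statistics import median

# Constructed flow summaries: (window, device, destination, packets, bytes).
# Windows are consecutive fixed intervals (say, one minute each).
SAMPLE_FLOWS = [
    # baseline: a camera uploads ~40 packets of ~1 KB per window to its cloud service
    (0, "cam-1", "192.0.2.10", 40, 40000),
    (1, "cam-1", "192.0.2.10", 45, 46000),
    (2, "cam-1", "192.0.2.10", 38, 39000),
    (3, "cam-1", "192.0.2.10", 42, 43000),
    # window 4: the camera suddenly sends a burst of tiny packets to an unrelated host
    (4, "cam-1", "192.0.2.10", 41, 42000),
    (4, "cam-1", "198.51.100.44", 20000, 1200000),
    # a laptop doing a large upload: a spike in volume, but normal-sized packets
    (0, "laptop", "192.0.2.77", 500, 700000),
    (1, "laptop", "192.0.2.77", 520, 730000),
    (2, "laptop", "192.0.2.77", 480, 690000),
    (3, "laptop", "192.0.2.77", 510, 710000),
    (4, "laptop", "192.0.2.77", 6000, 9000000),
]


def detect_floods(flows, spike_factor=10, min_pkts=1000, small_pkt=120, min_history=3):
    """Return (device, window, top_destination) for each window in which a device's
    outbound packet count is at least `spike_factor` times its median baseline
    (and at least `min_pkts`) while its average packet size is below `small_pkt`."""
    per_dev = defaultdict(lambda: defaultdict(list))  # device -> window -> records
    for window, dev, dst, pkts, nbytes in flows:
        per_dev[dev][window].append((dst, pkts, nbytes))
    alerts = []
    for dev, windows in per_dev.items():
        history = []  # packet totals of earlier windows: this device's own baseline
        for window in sorted(windows):
            recs = windows[window]
            total_pkts = sum(p for _, p, _ in recs)
            total_bytes = sum(b for _, _, b in recs)
            if len(history) >= min_history:
                baseline = median(history)
                avg_size = total_bytes / total_pkts
                if total_pkts >= max(min_pkts, spike_factor * baseline) and avg_size < small_pkt:
                    top_dst = max(recs, key=lambda r: r[1])[0]  # destination taking most packets
                    alerts.append((dev, window, top_dst))
            history.append(total_pkts)
    return alerts


if __name__ == "__main__":
    for alert in detect_floods(SAMPLE_FLOWS):
        print(alert)
```

The per-device baseline matters more than any global threshold: an IP camera and a laptop have very different normal traffic, and a flood only stands out relative to what that particular device usually does. The alert carries the destination so that the gateway can block just that flow and tell the owner which device is misbehaving.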
A more elegant solution would be to solve the problem at the Internet Service Provider (ISP) level. This is still an area that needs work, and the sudden shift in working patterns for employees, as they move their work home, prompts ISPs to take more drastic measures to strengthen security. It might take the form of a smarter home gateway, or a new security feature that keeps users safe from DDoS attacks.
The implementation of the Bitdefender IoT Security Platform at ISP level filters out many incoming issues, offering DDoS Protection and Exploit Prevention. An IoT botnet such as dark_nexus would have a difficult time deploying in an environment protected by these technologies.
The good news is that the adoption of our solution by ISPs doesn't require any hardware upgrades, and any new modules will work with existing technology. IoT botnets are not going to magically disappear overnight and ignoring the issue can't be the answer.
Many companies are already implementing security measures to deal with their own IoT devices, but that's only a small fraction of what's already available on the market and what's being used today. Dark_nexus shows what an attacker with the right financial motivation can do, but more importantly, it underlines an existing problem.
More specifically, DDoS-as-a-service is growing along with the IoT ecosystem, and it looks like even people completely devoid of technical skills now have access to sophisticated and powerful botnets that can deploy devastating attacks.
Users' and ISPs' responsibilities are increasing, even if they don't know it yet. What used to be the job of a company's SOC (Security Operations Center), guarding against DDoS attacks among other things, is now slowly moving into the ISP's backyard. And it turns out that ISPs might not have the tools deployed to deal with this issue, which also happens to include the dark_nexus IoT botnet.