TTPwire Vol. 1 · MITRE ATT&CK·Tagged


F5 Labs

The Hunt for IoT: Multi-Purpose Attack Thingbots Threaten Internet Stability and Human Life

2018-10-24

ATT&CK techniques detected

21 predictions
T1071.001 Web Protocols (90%)
“…been on the top attacking IP list for the two years prior. This consistency was our proof that “things” don’t get cleaned up, both because the devices typically reside in unmanaged and monitored networks, and they often can’t take firmware updates. It is encouraging that th…”

T1584.005 Botnet (88%)
“…and ISP companies that provide Internet service to homes, small offices and building networks in which the majority of IoT devices reside. Once an IoT device is infected, it is used to scan for other IoT devices to infect — a distributed scanning model most thingbots adopt — and …”

T1584.005 Botnet (84%)
“…global footprint. The challenge with dismantling a thingbot is that many infected IoT devices are (1) not capable of taking firmware updates, (2) are owned or operated by people without the technical skills to secure them, or (3) exist within telecom companies that have lit…”

T1584.005 Botnet (80%)
“…devices on its IoT network.13 Building multi-purpose attack bots from “things” is popular in the attacker community now. Script kiddies are learning to build bots from YouTube videos and launching damaging DDoS attacks. Seventy-four percent of the thingbots we know about w…”

T1078.001 Default Accounts (79%)
“…exploiting weak vendor default credentials. These devices act as out-of-band networks, creating network back doors, and have widespread use across the globe. Loryka has been in ongoing disclosures with over 350 impacted parties, including US city networks, police departments,…”

T1584.005 Botnet (72%)
“…Mantis21 preys on WiFi routers as well as Android and iOS phones, and conducts DNS hijacks and mines cryptocurrency on compromised devices. - Omni22 compromises GPON home routers to use for crypto-jacking or DDoS attacks. - UPnProxy23 is sweeping up SOHO routers and installing p…”

T1584.005 Botnet (70%)
“…of IoT devices inside telecom networks. - SSH brute force is the number one attack type targeting IoT devices, followed by Telnet. - IP addresses in Iran and Iraq that we haven’t previously seen attacking jumped into the top 50 attacking IP addresses list. - All (100%) of th…”

T1584.005 Botnet (68%)
“…can use it defensively within their own networks and look for indicators of compromise. As promised in The Hunt for IoT: The Growth and Evolution of Thingbots (Volume 4), we have broadened the scope of attack data collected to include services routinely used by IoT devices (b…”

T1584.005 Botnet (68%)
“…device. The red dots represent “scanner” nodes that search for other vulnerable IoT devices in which to infect and grow the bot. The yellow dots represent the “malware” hosting systems where the latest updates can be fetched. Figure 16: Global Mirai infection map, June 2018 …”

T1584.008 Network Devices (67%)
“…ers, launching PDoS attacks, DNS hijacks, credential collection, credential stuffing, and fraud trojans. Figure 3: Discovery of thingbots over the past 10 years by the type of attacks they launch. The most common way attackers discover and eventually infect IoT devices with the…”

T1584.005 Botnet (65%)
“…virtually endless, and building thingbots is now popular. We expect the IoT attacks we are watching to be building new thingbots and growing the size of thingbots already discovered. Organizations need to be prepared for thingbot attacks by having security controls in place that …”

T1584.005 Botnet (65%)
“…the attacker can launch any attack of choice. - JenX28 compromises SOHO routers and wireless chipsets from which to launch DDoS attacks. JenX is a DDoS-for-hire service offering 300Gbps attacks for $20.00. - Hide ’N Seek29 compromises IP cameras. We don’t know what atta…”

T1584.005 Botnet (64%)
“…n owners of top 50 attacking IPs. The ASN that launched the most attacks from these top 50 IP addresses is AS56815, which belongs to Farakam Rayan Kish Co, an Iranian telecom/ISP provider. Virtually all of the IP addresses on the list are identified in a Shodan search as Mikro…”

T1071.001 Web Protocols (61%)
“…of the total attack traffic from Q3 and Q4 2017 to 9% of the total attack traffic in Q1 and Q2 2018. Poland’s and Iran’s participation in Q1 and Q2 2018 was also noteworthy, considering both countries have only been on the top 10 list once in the past two and a half years, bot…”

T1056.001 Keylogging (52%)
“…Russian operatives’ activities and collecting their keystrokes.4 You want privacy? Get off the grid. Governments are deploying IP cameras in major cities for surveillance, allegedly to improve public safety, but many believe they’re there just to spy on civilians. The entire …”

T1078 Valid Accounts (47%)
“…sense given the number of Mirai variants in the wild now. Top 50 attacked SSH admin credentials. We know IoT devices are exploited remotely through weak administrative credentials — typically, vendor defaults. These systems are also susceptible to brute force attacks. Because of t…”

T1584.005 Botnet (40%)
“…IP cameras, things like your TV, oven, refrigerator, Amazon Alexa, Siri and Google Assistant9, Keurig coffee maker (yes, we have attack traffic coming from a Keurig), and toys10 have been breached and are used to spy, collect data, or launch attacks. IoT is beating people in th…”

T1583.005 Botnet (40%)
“…Mantis21 preys on WiFi routers as well as Android and iOS phones, and conducts DNS hijacks and mines cryptocurrency on compromised devices. - Omni22 compromises GPON home routers to use for crypto-jacking or DDoS attacks. - UPnProxy23 is sweeping up SOHO routers and installing p…”

T1584.005 Botnet (39%)
“…attacking IP addresses, Q3 and Q4 2016. Figure 14: Industries of top 50 attacking IP addresses, Q1 and Q2 2017. Q3 and Q4 2017 (shown in Figure 15) was not a big period for hosting provider traffic, and neither was the most recent period of Q1 through Q2 2018 (refer to Figure 1…”

T1584.008 Network Devices (38%)
“…a big-picture view of IoT-targeted attacks around the world. Table 1: Top 20 ports used by IoT devices. SSH port 22 brute force attacks are the #1 attack type globally, followed by port 80 HTTP web traffic, Telnet, SIP port 5060, and then the alternate HTTP port 8080. IoT de…”

T1498.001 Direct Network Flood (30%)
“…the attacker can launch any attack of choice. - JenX28 compromises SOHO routers and wireless chipsets from which to launch DDoS attacks. JenX is a DDoS-for-hire service offering 300Gbps attacks for $20.00. - Hide ’N Seek29 compromises IP cameras. We don’t know what atta…”

Summary

Businesses, critical systems, infrastructure, and even human life are more threatened than ever as attackers target the Internet-connected “things” that run the modern world.