TTPwire Vol. 1 · MITRE ATT&CK·Tagged


F5 Labs

The Hunt for IoT: So Easy To Compromise, Children Are Doing It

2019-08-05

ATT&CK techniques detected

19 predictions
T1584.005 Botnet
92%
“botnets. See the conclusion section of The Hunt for IoT Volume 5 for a list of targeting opportunities with specific types of IoT devices. Cheap Attacks, Endless Possibilities. Once malware is installed on the IoT device, the bot will contact the C&C server and download its orde…”
T1584.005 Botnet
85%
“’s building and selling IoT botnets now. And the market is flooded, which drives prices down. Subscription plans for botnet services are going for as little as $5 a month. The screenshot in Figure 11 (discovered in one of the Pastebin links after searching “Mirai source code…”
T1584.005 Botnet
75%
“the ease of exploitation wasn’t bad enough, there are many search engines to help anyone (researchers and attackers alike) find devices exposed to the internet. Shodan, ZoomEye, Censys.io, and WiGLE are the most popular when looking for IoT. Using these search engines, you c…”
T1584.005 Botnet
73%
“The Hunt for IoT: So Easy To Compromise, Children Are Doing It. Introduction. In Harry Potter and the Chamber of Secrets, Mr. Weasley gives the advice, “Never trust anything that can think for itself if you can’t see where it keeps its brain.”[1] That is ever so true when it co…”
T1584.005 Botnet
73%
“clue that young novices are operating botnets. The Owari authors left their command and control (C&C) MySQL database wide open (port 3306), “protected” with both the username and password of “root.”[8] Control of IoT devices is a highly competitive market, where rivals c…”
T1110 Brute Force
72%
“below is from Dahua, a popular NVR manufacturer’s wiki[20] describing how to set up remote access. Figure 3: Dahua NVR remote access guide. Below is a screenshot from a third-party website sharing default credentials for Swann IP cameras.[21] Figure 4: Admin username and passwo…”
T1584.005 Botnet
68%
“different ports. Infected IoT device types. Small office/home office (SOHO) routers, IP cameras, DVR, NVR, and CCTVs are still the primary types of IoT devices that get infected by thingbots. IP cameras, DVRs, NVRs and CCTVs are all components of surveillance systems widely de…”
T1584.005 Botnet
64%
“is discovering bots before they attack. In the past, the majority of thingbots were discovered through investigating attack traffic, which not only uncovered the bot but the attack types and infected devices. The fact that we’re discovering bots before they launch attacks and b…”
T1584.005 Botnet
63%
“quarantine or retire any devices you already have that can’t be secured. Protect yourself from the most common IoT exploit paths: - Disable remote management, restrict to a management network, or place behind a firewall. Leverage NAT at a minimum if the devices will be used in…”
T1584.005 Botnet
63%
“has exploded since the Mirai attacks both because of the popularity of the thingbot (driven by publicity), and the release of its source code. This popularity can be seen in the increase in the number of thingbots since the Mirai attacks: 88% of the thingbots we know about we…”
T1588.001 Malware
61%
“regional Crime and Justice Research[2] said in 2012 that 61% of hackers begin hacking before the age of 16. Per NCCU, in 2017, the average age of a cyber-crime suspect was 17 years old — in comparison to 37 for drugs, and 39 for fraud.[3] Early interest in hacking isn’t novel,…”
T1584.008 Network Devices
56%
“different ports. Infected IoT device types. Small office/home office (SOHO) routers, IP cameras, DVR, NVR, and CCTVs are still the primary types of IoT devices that get infected by thingbots. IP cameras, DVRs, NVRs and CCTVs are all components of surveillance systems widely de…”
T1584.005 Botnet
55%
“5-labs-v2/en/labs/articles/threat-intelligence/the-hunt-for-iot--multi-purpose-attack-thingbots-threaten-intern.html)). Other notable changes include the reduction of scanner nodes across the US between December 2018 and June 2019. If you a…”
T1588.001 Malware
54%
“celebrity played a part, which we can only assume motivated at least some of the copycat Mirai thingbots that have followed. With so many Mirai variants showing only minimal modification of the leaked code, we can only assume a lot of the threat actors building Mirai clones are l…”
T1078.001 Default Accounts
43%
“: new thingbot building campaign targeting Instar cameras with known default credentials. Distributed scanning for more targets. Typically, thingbots scan random IP ranges on command ports like Telnet and SSH. Upon a hit, they will begin brute forcing the login with a dictionary o…”
T1190 Exploit Public-Facing Application
35%
“-11219[25] impacts IoT systems using iLnkP2P software, which are vulnerable to a predictability flaw that allows attackers to discover and establish connections to the devices, followed by authentication flaw CVE-2019-11220[26] that allows attackers to intercept traffic in clea…”
T1584.005 Botnet
34%
“the continued emergence of new Mirai variants is ensuring that this bot family is alive, as well. Between December 30, 2018 and June 30, 2019, our data partner Baffin Bay Networks saw very little reduction in Mirai infections, despite Mirai being the most infamous thingbot on the…”
T1583.005 Botnet
33%
“botnets. See the conclusion section of The Hunt for IoT Volume 5 for a list of targeting opportunities with specific types of IoT devices. Cheap Attacks, Endless Possibilities. Once malware is installed on the IoT device, the bot will contact the C&C server and download its orde…”
T1583.005 Botnet
31%
“’s building and selling IoT botnets now. And the market is flooded, which drives prices down. Subscription plans for botnet services are going for as little as $5 a month. The screenshot in Figure 11 (discovered in one of the Pastebin links after searching “Mirai source code…”
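The T1110 and T1078.001 excerpts above describe the thingbot loop: scan random ranges for Telnet/SSH, then brute-force the login from a dictionary of default credentials. The following Python is an added example, not code from the F5 article or from TTPwire, showing what that loop looks like in sshd authentication logs and how to flag it: a burst of failed logins from one source (T1110) followed by a success on a default account from the same source (T1078.001). The log lines, the host name, the year, the default-account list and the window/threshold values are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: syslog-style sshd lines from a hypothetical camera host "cam01".
# 198.51.100.7 runs a dictionary attack and finally gets in as root; 203.0.113.9 probes
# twice and gives up; 192.0.2.44 is a legitimate user who mistypes once (documentation IPs).
SAMPLE_LOG = """\
Jun 30 01:00:01 cam01 sshd[811]: Failed password for root from 198.51.100.7 port 41022 ssh2
Jun 30 01:00:02 cam01 sshd[812]: Failed password for invalid user admin from 198.51.100.7 port 41023 ssh2
Jun 30 01:00:02 cam01 sshd[813]: Failed password for root from 198.51.100.7 port 41024 ssh2
Jun 30 01:00:03 cam01 sshd[814]: Failed password for invalid user support from 198.51.100.7 port 41025 ssh2
Jun 30 01:00:04 cam01 sshd[815]: Failed password for root from 198.51.100.7 port 41026 ssh2
Jun 30 01:00:05 cam01 sshd[816]: Accepted password for root from 198.51.100.7 port 41027 ssh2
Jun 30 01:00:09 cam01 sshd[817]: Failed password for root from 203.0.113.9 port 50110 ssh2
Jun 30 01:00:10 cam01 sshd[818]: Failed password for invalid user admin from 203.0.113.9 port 50111 ssh2
Jun 30 01:10:00 cam01 sshd[819]: Failed password for alice from 192.0.2.44 port 60001 ssh2
Jun 30 01:20:00 cam01 sshd[820]: Accepted publickey for alice from 192.0.2.44 port 60002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Account names that dominate IoT credential dictionaries (root/admin/support/user are in
# the leaked Mirai list). Illustrative set chosen for this example, not from the article.
DEFAULT_ACCOUNTS = {"root", "admin", "support", "user", "guest", "service"}

LOG_YEAR = 2019  # syslog timestamps carry no year; assumed for the constructed sample


def parse_line(line):
    """Return {ts, result, user, ip} for an sshd auth line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['ts']} {LOG_YEAR}", "%b %d %H:%M:%S %Y")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def analyze(log_text, window_s=60, threshold=4):
    """Flag sources with >= threshold failed logins inside window_s seconds (T1110) and,
    if the same source then succeeds on a default account, a likely T1078.001 compromise."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event:
            by_ip[event["ip"]].append(event)

    findings = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        failures = [e for e in events if e["result"] == "Failed"]
        # Sliding window over the sorted failure timestamps.
        burst = None
        for i in range(len(failures) - threshold + 1):
            if failures[i + threshold - 1]["ts"] - failures[i]["ts"] <= timedelta(seconds=window_s):
                burst = failures[i:i + threshold]
                break
        if burst is None:
            continue
        users = sorted({e["user"] for e in failures})
        finding = {
            "ip": ip,
            "technique": "T1110",
            "failures": len(failures),
            "users": users,
            "default_accounts": [u for u in users if u in DEFAULT_ACCOUNTS],
        }
        # A success on a default account from the same source after the burst is the
        # scan-then-brute-force pattern completing: the device is now a bot.
        success = next(
            (e for e in events if e["result"] == "Accepted" and e["ts"] >= burst[-1]["ts"]), None
        )
        if success and success["user"] in DEFAULT_ACCOUNTS:
            finding["technique"] = "T1110 -> T1078.001"
            finding["compromised_account"] = success["user"]
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

Running the block prints the single finding for the sample (198.51.100.7 brute-forced five times and then logged in as root). In practice the two knobs are `window_s` and `threshold`, and the default-account set should be replaced by the service and vendor accounts actually present on your devices. Telnet daemons on most consumer IoT devices log nothing at all, so the same logic usually has to run on a honeypot or on network flow data rather than on the device itself.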

Summary

This episode in The Hunt for IoT Volume 6 series focuses on the threat actors building IoT botnets, how easy IoT devices are to exploit, recent thingbot discoveries, and the status of Mirai infections worldwide.