CyberWire Daily - Luring IoT botnets to the honeypot. [Research Saturday]
Episode Date: January 19, 2019
Researchers from Netscout's ASERT team have been making use of honeypots to gather information on rapidly evolving IoT botnets that take advantage of default usernames and passwords to gain access and... take control of unprotected devices. Matt Bing is a security research analyst with Netscout, and he guides us through their findings. The original research can be found here: https://asert.arbornetworks.com/dipping-into-the-honeypot/
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
This really all started about two years ago now.
That's Matt Bing. He's a security research analyst with Netscout's ASERT team.
The research we're discussing today is
titled Dipping into the Honeypot. In late 2016, with this botnet called Mirai, and Mirai is a
Japanese word that means the future. And in many ways, we're living in that future right now.
What caught everybody's attention in 2016 was that the Mirai botnet was responsible for these
really big DDoS attacks, in particular attacks against Dyn that brought down several of the DNS services
for several major organizations.
And what made Mirai really unique, besides the DDoS firepower behind it,
was that it targeted these Internet of Things or IoT devices,
basically these small underpowered computers that people use for things like video camera recorders. Essentially what they are is really just these small underpowered
Linux boxes that are really good at being on the network and being able to generate
network traffic, which makes them ideal for using them for DDoS. But what made Mirai unique
was that the way that it spread itself, the way it propagated to other IoT devices, was via brute forcing these Telnet usernames and passwords.
So Telnet is like a very sort of antiquated remote administration tool, sort of like SSH, but unencrypted.
But it's not the fact that it's unencrypted that made IoT targets particularly attractive to Mirai.
It's that these IoT devices sometimes will have hard-coded usernames and passwords set by the manufacturer
that would allow anybody that knows that username and password to be able to essentially get a Unix shell.
So what Mirai did is basically just scan the internet for these IoT devices that had Telnet listening.
And it had a list of 60 usernames and passwords that if it found an open Telnet service, it would go through these 60 usernames and passwords, try to log in.
And if it's successful, it would download a copy of the Mirai binary, execute it, and then that device would essentially be conscripted in the botnet.
And the botnet itself would check in with a command and control, and the command and control would tell it to launch a DDoS attack against this particular IP address or whatever,
and all the bots would simultaneously start attacking whatever the target was.
So the research here that we were really interested in is since Mirai really hit the scene in 2016, and perhaps more importantly, the threat actors behind Mirai released the source code to Mirai.
So basically anybody that had a modicum of technical skill could very easily build their own Mirai-like botnet.
And that's kind of what we've seen a lot in the past two years as these IoT bots sort of evolve,
is that the threat actors are adding more and more usernames and passwords to different types of IoT devices to their bots to be more successful in propagating.
And they're also sort of shifting tactics a bit.
So instead of just using telnet brute forcing, they will also use exploits.
So for instance, if there's a vulnerability in the web management interface of a particular IoT device, we've seen several variants of Mirai that will leverage that exploit in order to propagate.
So this research here was really kind of born out of the fact that if you have a listener out there that
is just accepting connections from anybody via this telnet protocol, you can record what usernames
and passwords that the bots are attempting to try. So by having this network of honeypots that's
around the world, just so we don't have any biases for location, we're able to sort of see what
trends emerge and
what username and password combinations that these bots are actually trying to use.
Let's dig into some basics here before we get into the details.
I guess I should start by asking you to just describe, for those who may not know, what
exactly is a honeypot and how do you use it?
Sure.
So a honeypot is basically what we call a deception framework. In other words, it's some code or program that makes a particular device appear to be vulnerable when in fact it's not.
So for instance, our honeypots will appear to be a particular type of IoT device and it will present a telnet prompt just like a normal IoT device would. If you guess the right username and password, sometimes we'll even let you log in with what is essentially a fake shell to record the commands that are being sent. But of course, we're not actually running those commands. We're just appearing to run those commands.
So from an attacker perspective, there should be no way for them to tell the difference between an actual IoT device and our honeypot.
So this way you're sort of gathering the tradecraft of the bad guys by making them think they're getting into a device when they actually aren't.
Exactly, exactly.
And for these bots in particular, these are automated programs that are trying to brute force these telnet usernames and passwords.
In other words, it's not somebody behind a keyboard necessarily.
It's a bot code that is actually trying to do the exploiting here.
So let's dig into some of the details here.
Can you take us through what exactly were you doing with these honeypots and what did you learn?
Sure.
So by recording all these usernames and passwords that the bots are trying to use,
really what we wanted to do is see how far along we've come since Mirai first hit the scene in 2016.
So I mentioned that the original Mirai had a list of 60 usernames and passwords that were attempting to log into our honeypot.
Which is really interesting because that means that the threat actors have taken the Mirai source code, the original one that was released in 2016, and they're adding to it.
They're trying to be more successful than their competitors. Because say, for instance,
we're both botnet operators, and I happen to know a particular username and password that's used by one particular type of IoT device, I can infect those devices. Well, if you don't know
the username and password, you might not. So it's sort of an evolutionary race between these bots
to get the most bots in their botnet. We mentioned earlier that these username and passwords are often hard-coded
into these devices. Does that mean that
they can't be changed? In other words, if I'm the first bad guy
to an IoT device and I get access to it,
if another bad guy comes along, can they boot me out?
Is it the last person there gets to take advantage of it?
If I get in first, is there a way to keep other people from getting in behind me, I guess is what I'm getting at.
No, absolutely.
And that's actually one of the first things some of these bots do if they successfully hack an IoT device,
is they'll try to kill any other bots that might be running.
But a lot of times we don't necessarily see them try to change the default password, but
sometimes they will like kill the Telnet service so that it's not accessible by anybody else.
So while their bot is running, you know, no other bots can come in and try to kill them.
So yeah, it very much is a push and pull between the threat actors here.
Now, what are you seeing in terms of where these are originating? Are there
some usual suspects around the world? No, absolutely. So the top five countries that we saw
originate this activity from in September was Russia, China, Brazil, the United States,
and South Korea. And so what does that tell you? What can you draw from that?
We kind of extrapolate from
that. But what we can tell from that is that those countries happen to have more vulnerable IoT
devices that are accessible on the open internet. So we took that assumption and we tried to figure
out if we could tell what particular devices might be more popular in which country just based on the username and password
combination that they try. So if I'm bitten by a zombie and turn into a zombie, the chances are
that the zombie that bit me was also bitten by another zombie at an earlier time. So in other
words, if there's a particular bot that targets IoT devices that might be more popular in a certain country, we would assume that we would see more particular username and password
combinations coming from that country. So this is sort of the research that we
try to go into and sure enough we did see some pretty interesting trends that
we highlight in the blog. For instance, a really obvious one is that we see the
default username and password for some Huawei devices. We saw sources
from China attempting to use that combination more often than from other countries. And of course,
Huawei being a Chinese company, we would expect to see more of those devices in China than we
would in another country. Let's talk about some of the anomalous results that you got here. There
was one that caught my eye,
and I'm going to tread lightly here because it's a family show, but there was one that you mentioned
from Iran, and the username was mother, and the password was a word that begins with F and rhymes
with trucker. And this was a highly ranked username and password combination. And I guess that caught my eye because that doesn't strike me as the kind of thing that
a manufacturer would use as a default username and password.
No, no.
And that was pretty interesting because the combinations that we saw from Iran, there
was a whole five of them in a row that were sort of anomalous, like admin one and password,
the one you mentioned, and 54321.
And the answer is, I don't really know what the cause of that was, but we're speculating
that it could have been one particular type of bot that was more popular in Iran.
But you're right that those usernames and passwords probably aren't being put in there
by the manufacturer.
But these bots are pretty aggressive.
So in addition to trying the backdoor username
and passwords, they'll also try some pretty common ones like that, like admin 54321, for instance.
I see. So they're just using what are well-known popular combinations, because why not?
Yeah, exactly. It doesn't cost them anything to add a couple more usernames and passwords
to their list. So based on this research, what are your recommendations for folks?
What did you learn from this?
What are the lessons that people can take from this?
Well, I think it mostly comes down to the fact that these IoT devices are out there on the open Internet.
And what I mean by that is these IoT devices that are being infected with bots,
anybody can connect to them via a public IP address,
meaning that there's no firewall
or there's no home router
that is protecting these devices
from what is kind of the background traffic of the internet.
So for the home user,
I think the biggest piece of advice we can give
is make sure that these IoT devices
are put behind a firewall or home router or some
network filtering device that doesn't leave them just out on the open internet unprotected.
Now, what about for enterprise users? If I've got security cameras in my organization,
are there some basic steps I should be taking to isolate those?
Sure, yeah. It's essentially the same sort of thing. Make sure that any sort of administrative
interface, whether it's via Telnet or a web-based administrative interface, is not accessible
publicly. Make sure that it's restricted to only the subnets that you would want to manage them
from is probably the best piece of advice. And of course, keep your software up to date
for those IoT devices that support software updates.
Make sure that you keep those installed.
Yeah, it's an interesting dilemma because I know we see, for example, that California is pushing ahead with legislation that will make it so that you have to basically change a password.
The first thing you have to do when you interact with a new device is give it a new username and password to kind of try to get people away from these default usernames and passwords.
But at the same time, there are thousands, hundreds of thousands, maybe even millions of these devices that are out there, and they're not going anywhere anytime soon.
No, absolutely.
Even if we fixed all IoT security problems right now, there would still be millions of devices sitting on store shelves
that have not been properly secured.
It's really easy to sort of blame the vendor here.
And they have their own issues too.
I mean, a lot of these IoT devices
are cobbled together from pieces
from different hardware vendors
and sometimes even different software vendors.
So it's a really sort of complicated ecosystem.
And I honestly don't think that they expected to have this many devices be available on the public Internet.
And I think that that's sort of the core of the problem here.
Do you see any patterns in terms of, you know, if I go with a well-known brand of a device,
am I more likely to have better security from the get-go or the cheaper brands?
Something I buy for the lowest price on Amazon, is that likely to be less secure? Is there any
alignment there or is it sort of hit or miss across the whole spectrum?
Yeah, I would say it's a hit or miss across the whole spectrum. I mean, some of these vendors are
pretty big vendors that you would expect to sort of
have their ducks in a row and they don't. Yeah, it's interesting because I've seen even some of
these big names when you dig into what's underneath the hood, it's actually a rebranding of some
hardware or software that's being used in many, many different devices that are just being,
you know, different organizations are just slapping their name on the device,
but they're all coming out of the same factory.
Yep, exactly.
We see a lot of that between reuse of hardware and reuse of software.
And I think one other aspect that kind of gets lost here is that
if your IoT device is hacked and it's participating in a bot like Mirai,
like it's not really visible to the end user.
With attacks like ransomware that encrypt your files
and send a big flashing warning telling you to send Bitcoin,
you can easily tell that, yeah, okay, I have a problem here.
But if your IoT device gets hacked, say your webcam gets hacked,
there's really no indication to the end user that something is wrong.
Right, it's still functioning as a webcam. It's doing the job that you bought it to do.
Exactly. And it might not have these sort of security features to even tell
you if there's a problem. So where do you suppose we're headed with this? What sort of changes do
you suppose need to be made for us to be able to get a better handle on these problems? I think in
a very real sense, the IoT security landscape is where the regular IT landscape was in the 1990s.
Back in the 90s, some of the attacks that were successful were these default usernames and passwords, were these really simple vulnerabilities in web code.
And I think with impending legislation, like you said, from California, and there's very real attention to this, I think we're going to get better over time.
To me, the real bellwether will be when we start seeing memory corruption attacks being used to attack IoT devices.
I think that'll be a sign that things are getting better.
And what I mean by that is memory corruption attacks like buffer overflows. Those are sort of tricky to exploit.
They're very dependent on like the type of CPU that's in the device.
And I think when we start to see those memory corruption attacks, which I think we will,
I think that'll be a sign that things are getting better, because there's really nothing
specific about IoT that I think makes it attractive to these attackers.
The attackers we're seeing
really just want an army of bots to launch DDoS attacks. The fact that they're IoT might
help them a bit for reasons I said earlier about not having many security features, but
really I think they're pretty agnostic as to what their victims are. So if the IoT security
landscape does get better, I think maybe attackers might start to focus on the other low hanging
fruit, whatever that might be at the time.
Our thanks to Matt Bing from Netscout for joining us.
The research is titled Dipping into the Honeypot.
You can find it on the website of Netscout's ASERT team.
We'll have a link in the show notes.
stopping unauthorized applications, securing sensitive data, and ensuring your organization
runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep
your company safe and compliant.
The Cyber Wire Research Saturday is proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri,