Wednesday 21 September 2016

IOT Security : Trend Analysis

Here is a summary of a highly trending topic in cyber security: "IoT Security". All devices and networks connected to the Internet form the gamut of IoT. Gartner estimates a 43% increase in IoT devices coming online in 2016. Since the idea of networking appliances and other everyday objects is relatively new, security was often not considered as part of the product design.

Let's take a look at the security issues trending in the IoT space over the last 6 months.

1) New protocols (e.g. NTP) are being used for DDoS attacks (who knew Time would be used to perform a DDoS attack?).

2) China, Russia, Ukraine, Brazil and India are the top 5 source countries for these DDoS attacks.

3) China leads the telnet brute-force scans hunting for IoT devices configured with default passwords.

4) China, followed by Russia, Romania, Brazil and Vietnam, are the most likely locations for Command and Control (C&C) servers.

5) Around 2,174,216 telnet brute-force scans were observed in the last 6 months, originating from 543,819 IP addresses.

6) Telnet scans have increased 140% year over year since July 2015.

7) 50% of telnet attacks were generated from the top 13 ASNs.

8) Around 6,293,889 SSH brute-force attacks were observed in the last 6 months from 28,616 IP addresses.

9) 92 ASNs account for 2.1+ million telnet brute-force scans; four of them belong to China Telecom and account for 57% of the total telnet scans.

10) The top 24 attacking ASNs (each contributing >1% individually) combine for a total of 67% of all attacks.

11) IoT botnets using more than 52,000 IP addresses were DDoSing from multiple source ports (such as port 53 and 20000-60000) to a fixed common destination port, TCP 80.

12) SYN floods on port 80 were also performed, with around 2.3 Gbps of traffic.

13) 70% of the attacks did not originate from a spoofed source IP address.

14) The attack strategy used is as follows:
    a) Scan for IoT devices which have telnet enabled.
    b) After successful authentication via a brute-force attack, the attacker tries to identify the host's architecture and downloads the appropriate package from the C&C server.
    c) Attempts to kill other rootkits or malware already present on the compromised host.
    d) Connects to the C&C using a commonly used IRC channel.
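The telnet and SSH brute-force figures above come from counting failed logins per source IP over time. The script below is an added example (not from the F5 report or this blog) that does the same thing on a defender's own auth log: it parses sshd "Failed password" lines, flags any source that exceeds a threshold of failures inside a sliding window, and ranks sources by volume. The log lines are constructed samples using RFC 5737 test addresses; the hostname `gw`, the threshold and the window size are assumptions you would tune for your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines (RFC 5737 test addresses); not taken from the report.
# 198.51.100.7 tries several default-style accounts in quick succession,
# 203.0.113.9 is an ordinary user who mistyped a password once.
SAMPLE_LOG = """\
Sep 21 10:00:01 gw sshd[4101]: Failed password for root from 198.51.100.7 port 51234 ssh2
Sep 21 10:00:02 gw sshd[4102]: Failed password for root from 198.51.100.7 port 51235 ssh2
Sep 21 10:00:02 gw sshd[4103]: Failed password for invalid user admin from 198.51.100.7 port 51236 ssh2
Sep 21 10:00:03 gw sshd[4104]: Failed password for invalid user admin from 198.51.100.7 port 51237 ssh2
Sep 21 10:00:04 gw sshd[4105]: Failed password for invalid user support from 198.51.100.7 port 51238 ssh2
Sep 21 10:00:05 gw sshd[4106]: Failed password for invalid user user from 198.51.100.7 port 51239 ssh2
Sep 21 10:00:40 gw sshd[4107]: Failed password for alice from 203.0.113.9 port 40000 ssh2
Sep 21 10:00:45 gw sshd[4108]: Accepted password for alice from 203.0.113.9 port 40000 ssh2
Sep 21 10:05:00 gw sshd[4109]: Failed password for root from 198.51.100.7 port 51300 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2016):
    """Yield (timestamp, source_ip, username) for every failed-login line.
    Syslog lines carry no year, so the caller supplies it."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]


def find_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {source_ip: (total_failures, sorted_usernames_tried)} for every
    source with at least `threshold` failures inside some `window_seconds` window."""
    events = defaultdict(list)
    for ts, ip, user in parse_failures(log_text):
        events[ip].append((ts, user))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until the span fits in window_seconds
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = (len(evs), sorted({u for _, u in evs}))
                break
    return flagged


def top_sources(log_text, n=5):
    """Rank source IPs by failed logins: the per-source view behind the
    per-ASN percentages quoted in the post."""
    counts = defaultdict(int)
    for _, ip, _ in parse_failures(log_text):
        counts[ip] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    for ip, (total, users) in find_bruteforce(SAMPLE_LOG).items():
        print(f"brute force from {ip}: {total} failures, accounts tried: {', '.join(users)}")
    print("top sources:", top_sources(SAMPLE_LOG))
```

The single failure from 203.0.113.9 followed by a successful login is never flagged, while 198.51.100.7 is reported with the list of default-style accounts it cycled through; that account list is usually the quickest way to tell an IoT credential scanner from a user with a forgotten password.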

The blessing and curse of IoT devices is that they are stateless devices which get rebooted under stress. This means their ability to launch attacks is very limited, but once re-infected they can be leveraged all over again. So the next question to ponder upon is: how many IoT devices have their management ports reachable online and configured with vendor default passwords?

All credits to :- F5 LABS THREAT ANALYSIS REPORT

Thursday 8 September 2016

A botnet with IOT devices discovered !!

Soon after the public disclosure of the Shellshock bug, researchers detected the BASHLITE malware. BASHLITE includes code from the Shellshock exploit and was used in the wild to run DDoS attacks. It had the ability to infect multiple Linux architectures, hence attackers used it to target IoT devices.

Recently, researchers from Sucuri discovered a botnet composed of millions of CCTV devices used to launch DDoS attacks against websites. It was observed that the BASHLITE source code leaked in 2015 was used by malware developers to create their own variant.

This botnet includes :
95% - Digital Video Recorders (DVRs) or cameras
4%  - Routers
1%  - Linux servers

This suggests that the share of attacks launched through IoT devices has drastically increased compared to DDoS through compromised servers and home routers. A large percentage of the bots were found to be located in Taiwan, Brazil and Colombia. The bots were white-labeled DVRs described as "H.264 DVRs" manufactured by Dahua Technology.

Wednesday 7 September 2016

When you paid your ransom and lost your data too !!

According to a new study from Trend Micro, 1 out of 5 UK firms end up paying the ransom and still never get their data back.

Some stats from the UK study:

20%    - companies reported a ransom of £1000
24 hrs - deadline given to pay the ransom
26%    - believed that the data encrypted wasn't valuable
33 hrs - spent on average to fix the problem
37%    - companies worried about being fined if data were lost, so paid the ransom to get the data back or prevent disclosure
44%    - UK firms have been infected with ransomware at least once in the last 2 years
£540   - average amount of ransom requested
66%    - refused to pay and didn't bargain either
60%    - companies were able to retrieve data from backup files
79     - new ransomware families found in 2016
300    - IT managers were polled for the study

Malware in Word files found..!! What should you do?

There would hardly be any person on this globe who doesn't use Microsoft Word. It is omnipresent. Students use it for their academic work, whereas corporates live in Word files the whole day.

Cybercriminals have been using "Macros" within Excel to push malicious code into documents. It's one thing to ask people to download an unrecognized file such as a .raw or .exe attachment in an email; it's another thing to embed malware within trusted MS Word documents.

In a recent attack, it was observed that hidden lines of macro code can route the target's web traffic through a proxy server, which allows the attacker to intercept all the network traffic on the proxy. The attacker can then steal usernames and passwords very easily.

In order to trick a user into opening such emails, the attacker social engineers the victim and impersonates someone else. Hence, the message appears to come from a close, trustworthy entity, or from a complete stranger asking you to check out the Word file.

Things to do:

1) Check the email sender's authenticity:
Cybercriminals use official logos and email addresses which make the mail appear legitimate, so that you assume it came from the real company. Do not be in a hurry to open such a file; do a quick search and contact the company first through other channels.

2) Don't blindly click "Yes" on permission requests:
When your computer detects this malware within tweaked files, it will often show a pop-up asking for permission before executing it. If you see "Yes" and "No" options, do not blindly click "Yes". This may allow the malware to override the security controls in place and run with elevated privileges. So double check, and if in doubt, click "No".

Tuesday 6 September 2016

Last.fm Hacked !! 43 million passwords leaked.

Your account is not far from being compromised if you love to listen to music and had an account on last.fm.

The data breach actually took place in March 2012. Last.fm acknowledged the incident 3 months after the hack and requested all its users to change their passwords.

The stolen data surfaced in public after 4 years, and it has now been brought to notice that the leak was huge. It contained around 43,570,999 user records, including usernames, hashed passwords, email ids, user registration dates, etc.

Last.fm stored its users' passwords using MD5 hashing without salt. MD5 is known to be vulnerable to hash collision attacks, which means that two different inputs may produce the same hash value. Because the hashes were unsalted, it took only around 2 hours to crack around 40 million passwords.

Here are some stats on the passwords:

1) 255,319 people used the phrase 123456
2) 92,652 used 'password' as password
3) Almost 67,000 used 'lastfm'
4) Around 64,000 used 123456789
5) 46,000 used 'qwerty'
6) Almost 36,000 used 'abc123'
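Why unsalted MD5 let 40 million passwords fall in two hours, and why the 255,319 people who chose 123456 all fell at once, is easiest to see in code. The following is an added example (not from this blog or from Last.fm): it stores a constructed sample user table the way Last.fm did (plain MD5) and shows that every user with the same password gets the same stored value, so a single precomputed hash of each entry in the list above recovers all of them. It then stores the same table with a per-user random salt and PBKDF2-HMAC-SHA256 from Python's standard library, where identical passwords produce different records and the shared lookup no longer works. The user names, the iteration count and the storage-string format are this example's own assumptions.

```python
import hashlib
import hmac
import os

# The most common leaked passwords quoted in the post, used here as the lookup list.
COMMON_PASSWORDS = ["123456", "password", "lastfm", "123456789", "qwerty", "abc123"]

# Constructed sample user table (not leaked data): three users chose common passwords.
SAMPLE_USERS = {
    "alice": "123456",
    "bob": "123456",
    "carol": "qwerty",
    "dave": "correct-horse-battery-staple-2016",
}


def md5_unsalted(password):
    """How Last.fm stored passwords: plain MD5, so equal passwords give equal records."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def recover_with_lookup(stored_hashes, wordlist):
    """One MD5 per candidate word recovers every account that chose that word.
    Returns {hash: password} for the stored hashes found in the precomputed table."""
    table = {md5_unsalted(w): w for w in wordlist}
    return {h: table[h] for h in stored_hashes if h in table}


def hash_password(password, salt=None, iterations=200_000):
    """Salted, iterated PBKDF2-HMAC-SHA256. A fresh 16-byte random salt per user
    makes identical passwords store differently and defeats shared lookup tables;
    the iteration count (an assumed value here) makes each guess expensive."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute the derived key with the stored salt and compare in constant time."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def compare_storage(users=SAMPLE_USERS, wordlist=COMMON_PASSWORDS):
    """Return (accounts exposed by the unsalted lookup, number of distinct salted records)."""
    unsalted = {u: md5_unsalted(p) for u, p in users.items()}
    recovered = recover_with_lookup(set(unsalted.values()), wordlist)
    exposed = sorted(u for u, h in unsalted.items() if h in recovered)
    salted = {u: hash_password(p) for u, p in users.items()}
    return exposed, len(set(salted.values()))


if __name__ == "__main__":
    exposed, distinct = compare_storage()
    print("unsalted MD5: exposed by a 6-word lookup ->", exposed)
    print("salted PBKDF2: distinct records for", len(SAMPLE_USERS), "users ->", distinct)
```

With salting, alice and bob still share a weak password, but an attacker can no longer amortise one hash computation across both of them or across a precomputed table, and the iteration count slows each guess by orders of magnitude; that is what turns "two hours" into an impractical effort for the bulk of the database.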

Rambler.ru in trouble !! 98 million plaintext passwords hacked

Russia's email provider and internet portal rambler.ru has become the latest victim of a cyber attack. The attack dates back to 2012, but the internal customer database was leaked online only recently. This data included usernames, email addresses, ICQ numbers, passwords and social account data. All the data was found to be stored in clear text in the database.

It is claimed that Rambler.ru is the most visited website in Russia and one of the largest sites in the world. The most common passwords used by Rambler.ru users include "asdasd", "123456", "000000", "654321", "123321" and "123123". Rambler.ru is the latest victim to join the list of "mega-breaches" revealed in recent months, when hundreds of millions of online credentials from years-old data breaches on popular services, including LinkedIn, MySpace, VK.com, Tumblr and Dropbox, were exposed online.

Users are advised to change the password for their Rambler.ru account as well as for other online accounts immediately, especially where the same password is reused.