Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT/Embedded Security

// // //
12/5/2018
09:35 AM
Scott Ferguson
Scott Ferguson
News Analysis-Security Now

IoT Botnets Are Increasing Source of Malware on SP Networks

IoT botnets now make up 78% of the malware found on service provider networks, according to a new analysis by Nokia. These bots are being used for a wide-range of criminal activity, including cryptomining.

Botnets are increasingly making up more and more of the malware traffic found on service provider networks, with cybercriminals using these Internet of Things bots for a range of malicious schemes, especially cryptomining, according to a new analysis from Nokia.

Overall, botnets made up about 78% of the malware found on service provider networks in the past years, which is double the rate seen since 2016, when SPs first began observing these bots across their networks.

Additionally, IoT botnets now comprise 16% of all infected devices on these networks, a 3.5% increase from a year ago, according to Nokia. (See IoT Security Problems Can Cost Enterprises Millions.)

(Source: iStock)
(Source: iStock)

This look at how botnets and malware are changing communication service provider networks are contained in Nokia's Threat Intelligence Report for 2019, which the company released December 4. It's based on an analysis of network traffic, including 150 million connected devices, using the company's NetGuard Endpoint Security tool.

The analysis found that these botnets are used for a wide-range of criminal activity, including that ability to deliver cryptomining malware, with cybercriminals targeting high-end servers, smartphones and even web browsers. The report also noted that Android phones are the most targeted end device, accounting for about 47% of all infections.

Devices infected by botnets\r\n(Source: Nokia)\r\n
Devices infected by botnets
\r\n(Source: Nokia)\r\n

Windows PCs accounted for 35% of all malware infections, with IoT devices targeted about 16% of the time. The Apple iPhone remains relatively safe, accounting for less than 1% of all malware infections on these networks.

However, it's botnets that are increasingly seen as the growing threat, especially as more and more devices and sensors are hooked into the Internet and cybercriminals uses these bots to scan for vulnerable endpoints.

"The bots spend most of their time trying to spread. This involves scanning for vulnerable devices, attempting to exploit them and loading the malware onto the infected devices," Kevin McNamee, the director of the Nokia Threat Intelligence Lab, wrote in an email to Security Now.

"This accounts for the 78% of the regular daily malware activity we see," McNamee added. "The scanning activity accounts for most of it. This is a relatively recent phenomenon (since late 2016) and the increase has not been at the expense of other types of malware. It is mostly new activity. That said, residential and smartphone infections have dropped somewhat over the past few years, so the cybercriminal focus on IoT could be taking focus away from the more traditional Windows/PC and smartphone targets."

All of this malicious activity can be traced back to the original Mirai botnet, which was first released in October 2016. Since then, the source code that created Mirai has given rise to other bots, including Hajime and Satori. (See Satori Botnet Resurfaces & Targets Android Devices.)

Additionally, other, much more sophisticated botnets have been detected in recent years, notably VPNFilter, which appears to have backing from Russia. (See VPNFilter Is 'Swiss Army Knife' of Malware.)

Botnet family\r\n(Source: Nokia)
Botnet family
\r\n(Source: Nokia)

While Mirai was primarily used for creating distributed denial of service (DDoS) attacks, other botnets are designed for other schemes, notably cryptomining, which has been on the rise over the last year. (See Cryptomining Malware Continues to Surge as Cybercriminals Cash In.)

"The original Mirai was used exclusively for DDoS," McNamee noted. "Since then, these bots have evolved to monetize their DDoS activity by providing DDoS as a service. They have also been used for cryptocoin mining, information theft and credential stuffing. The suite of exploits used to compromise vulnerable devices has also greatly expanded."

In his email, McNamee noted that everyone within this IoT ecosystem is responsible to security, which can help cut down on the number of botnets infecting these different networks. For instance, device manufacturers need to build devices that can be managed and patched.

IoT operators need to take responsible for ensuring that connected devices are securely managed and that they operate within a system that uses strong authentication, data integrity and privacy. Network operators are responsible making sure that rogue devices do not threaten their network infrastructure.

Finally, the consumer at the other ends to need to make sure that their IoT devices, whether it's a smart TV, thermostat, speaker, home router or another endpoint, is from a reputable vendor that supplies some level of security.

However, McNamee noted that upcoming 5G networks will increase the amount of connected devices that people use every day, which make the potential for more frequent and much more intense attacks, such as DDoS, that much more likely.

"5G will also increase the bandwidth available to devices, again this will increase their effectiveness as elements in a DDoS attack," McNamee wrote. "Direct device to device communication will open up a whole new attack surface. Finally, if the 5G networks switch to using IPv6 (instead of IPv4 + NAT), it will increase the visibility of these devices from the public internet and make them more vulnerable to attack. 5G slicing may alleviate this somewhat."

Related posts:

— Scott Ferguson is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Machine Learning, AI & Deep Learning Improve Cybersecurity
Machine intelligence is influencing all aspects of cybersecurity. Organizations are implementing AI-based security to analyze event data using ML models that identify attack patterns and increase automation. Before security teams can take advantage of AI and ML tools, they need to know what is possible. This report covers: -How to assess the vendor's AI/ML claims -Defining success criteria for AI/ML implementations -Challenges when implementing AI
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-42247
PUBLISHED: 2022-10-03
pfSense v2.5.2 was discovered to contain a cross-site scripting (XSS) vulnerability in the browser.php component. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into a file name.
CVE-2022-41443
PUBLISHED: 2022-10-03
phpipam v1.5.0 was discovered to contain a header injection vulnerability via the component /admin/subnets/ripe-query.php.
CVE-2022-33882
PUBLISHED: 2022-10-03
Under certain conditions, an attacker could create an unintended sphere of control through a vulnerability present in file delete operation in Autodesk desktop app (ADA). An attacker could leverage this vulnerability to escalate privileges and execute arbitrary code.
CVE-2022-42306
PUBLISHED: 2022-10-03
An issue was discovered in Veritas NetBackup through 8.2 and related Veritas products. An attacker with local access can send a crafted packet to pbx_exchange during registration and cause a NULL pointer exception, effectively crashing the pbx_exchange process.
CVE-2022-42307
PUBLISHED: 2022-10-03
An issue was discovered in Veritas NetBackup through 10.0.0.1 and related Veritas products. The NetBackup Primary server is vulnerable to an XML External Entity (XXE) Injection attack through the DiscoveryService service.