Internet of Insecure Things

Uploaded on 2016-10-28 in NEWS-News Analysis, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

The Internet of insecure things just keeps getting murkier and more problematic. Researchers have determined that hackers are abusing a 12-year-old vulnerability in OpenSSH to attack the ‘Internet of un-patchable things’.

Since anyone can now download the Mirai source code – it’s is even on GitHub – then players across the field, both botnet dabblers and researchers, are playing around with the malware that hijacks IoT devices and is responsible for the largest DDoS attack on record.

In fact, researchers at Incapusla are already reporting new attacks that seem to be “experimental first steps of new Mirai users who were testing the water after the malware became widely available. Likely, these are signs of things to come and we expect to deal with Mirai-powered attacks in the near future.”

Is the sky really falling? Well, if the underground market treats Mirai malware like it has other malicious source code which has been leaked, then welcome to an IoT DDoSing nightmare. Researchers at F5 said to expect thugs “to adapt, combine, and improve the code, resulting in newer and enhanced variants.” F5 warned, “We can definitely expect the IoT DDoSing trend to rise massively in the global threat landscape.”

IoT devices being used in mass-scale SSHowDowN Proxy attacks

Add to that an OpenSSH vulnerability which has been around for 12 years and the fact that attackers are exploiting the flaw to create huge amounts of traffic for SSHowDowN Proxy attacks launched against e-commerce and other sites.

Researchers at Akamai Technologies disclosed that new targeted attacks, which use a very old flaw, are originating from IoT devices such as: DVR, NVR and CCTV video surveillance devices, satellite antenna equipment, networking devices such as routers, hotspots, WiMax, cable and ADSL modems, and Network Attached Storage (NAS) devices connected to the internet. Other devices hooked online may also be susceptible.

The IoT devices are being used to mount attacks “against a multitude of internet targets and internet-facing services, such as HTTP, SMTP and network scanning,” as well as to mount attacks against internal networks that host the devices.

In many cases, there are default login settings such as “admin” and “admin” or other lax credentials to get to the web management console. Once attackers access the web admin console, they can compromise the device’s data and sometimes even take complete control of the machine.

The attack itself is not new, but Akamai Technologies has seen a surge in SSHowDowN Proxy attacks in which IoT devices are being “actively exploited in mass scale attack campaigns.”

A new report on exploiting IoT and SSHowDowN  explains that the root causes for the vulnerability include weak factory-default administration credentials, the fact that the devices allow remote SSH connections and the devices allow TCP forwarding.

Default passwords

Default passwords have long plagued the security industry and put users at great risk. Since the Mirai source code was made public, many sites have published the 61 passwords powering the Mirai botnet which is capable of hijacking over 500,000 vulnerable IoT devices.

Double that number by adding in devices with shoddy-to-no-security which are made by the Chinese firm XiongMai Technologies. Flashpoint researchers said there are over 500,000 devices on public IPs that are vulnerable to the username and password combination “root” and “xc3511.”

130,000 vulnerable Avtech systems

Search Lab’s Gergely Eberhardt found 14 vulnerabilities in Avtech devices like DVRs and IP cameras; there are 130,000 Avtech devices exposed on the internet and “Avtech is the second most popular search term in Shodan.”

Eberhardt found the vulnerabilities and first attempted to contact the company back in September 2015. After more than a year and zero response from Avtech, Eberhardt published an advisory and proof-of-concept scripts for the flaws.

If you don’t want your Avtech device to end up as part of an IoT botnet, then owners should change the default admin password and go the extra safe mile of never exposing “the web interface of any Avtech device to the internet.”

You should always change the default passwords to anything, but some manufacturers didn’t have enough concern for users to build in that option.

Internet of un-patchable things

“We're entering a very interesting time when it comes to DDoS and other web attacks; 'The Internet of Un-patchable Things' so to speak,” explained Ory Segal, senior director of Threat Research at Akamai. “New devices are being shipped from the factory not only with this vulnerability exposed, but also without any effective way to fix it. We've been hearing for years that it was theoretically possible for IoT devices to attack. That, unfortunately, has now become the reality.”

Computerworld:        Internet of Things will drive the Digital Revolution of Industry:

 

« Smartphone “Video Jacking” From Power Sockets
DDoS: Deceptive Denial Attacks »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Chatham House Cyber Conference

Chatham House Cyber Conference

14 June 2023 - Connect with cyber security experts and senior policymakers to explore the role of cyber security in the global economy and how to deliver an open and secure internet.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

HID Global

HID Global

HID Global is a trusted leader in products, services and solutions related to the creation, management, and use of secure identities.

French Expert Center Against Cybercrime (CECyF)

French Expert Center Against Cybercrime (CECyF)

CECyF is a centre of excellence for countering cybercrime in France.

Networkers

Networkers

Networkers is a global recruitment consultancy helping unite job-seekers and hiring companies across the technology industry.

Massive Alliance

Massive Alliance

Massive is a global service agency providing internet monitoring, data & security threat surveillance and reputation management.

Clearswift

Clearswift

Clearswift is trusted by businesses, governments and defense organizations globally for its Adaptive Cyber Security and Data Loss Prevention solutions.

Infortec

Infortec

Infortec provide consultancy and solutions for the protection of digital information and the management of computer resources.

certSIGN

certSIGN

certSIGN develop innovative software for information security and information systems protection.

Cyber Polygon

Cyber Polygon

Cyber Polygon is an annual online exercise which connects various global organisations to train their competencies and exchange best practices.

neoEYED

neoEYED

neoEYED helps banks and fintech to detect and prevent frauds using a Behavioral AI that recognizes the users just by looking at “how” they interact with the applications.

ToucanX

ToucanX

ToucanX has eliminated remote attack vectors without sacrificing productivity. We’ve brought embedded near real time virtualization to the enterprise endpoint.

Traced

Traced

At Traced, our aim is to redefine mobile cyber security to provide the best possible protection to everyone against breaches of privacy and security.

Quantexa

Quantexa

Quantexa automates millions of operational decisions, at scale, across multiple business units, including Anti-Money Laundering, Know-Your-Customer, Fraud, Credit Risk and Customer Intelligence.

Charles IT

Charles IT

Charles IT is your friendly, no-nonsense IT team focused on helping companies make their technology work for them. We focus on building relationships that deliver results.

FPG Technologies & Solutions

FPG Technologies & Solutions

FPG Technology is a technology solutions provider and systems integrator, specializing in delivering IT Consulting, IT Security, Cloud, Mobility, Infrastructure solutions and services.

Vaultinum

Vaultinum

Vaultinum are a trusted independent third party specialized in the protection and audit of digital assets.

IGI Cybersecurity

IGI Cybersecurity

IGI Cybersecurity delivers people-driven cybersecurity for personalized, resilient cyber defense focused on individualized strategy and unshakeable partnership.