Vulnerable routers (2 global brands) and compromised monitor screens and fleet tracking systems were used extensively by hackers as part of large botnets to share and deploy rootkits across the globe in March. This resulted in a significant spike in botnet traffic recorded by our global honeypots in March. Though the spike has subsided a bit, the rise in infections caused by this sudden surge will only become apparent in the next few weeks. This trend presents a new reason for concern among IoT cybersecurity teams.
Most of the attacks were logged at 2.5 Mbps and above, and the request rates ranged from 1.5-3 million requests per second on certain target websites. Based on the traffic patterns, over 150 command and control servers located across 15 countries were identified by Sectrio’s threat research team. These servers were coordinating not just the spread of the attacks but also the propagation of a variety of rootkits and other payloads, including REvil ransomware.
The sudden botnet expansion could also be attributed to the use of older versions of certain operating systems on phones, desktops, and laptops. With such an expansion, hackers now have more bots at their disposal as well as a means to upgrade their botnet infrastructure by promoting more bots to command and control servers. The scope for many of these bot networks to grow exponentially in the coming weeks has increased with the rising number of bots being added each week.
Traffic from these botnets was not confined to any geography and each bot was sending traffic to multiple IP addresses across regions. Analysis of this traffic reveals a well-orchestrated strategy being deployed by hackers to target IoT projects at various levels and phases as well as to expand botnets by targeting consumer devices. The level of stealth and obfuscation is growing as hackers devise new means to bring down multiple target entities through the same botnet. Many of the old botnets are also being resurrected for this purpose as hackers are planning to increase their operations across geographies.
For IoT projects, this is bad news, as the lessons from 2020 and 2021 articulated in our IoT and OT Threat Landscape reports seem to have been forgotten or ignored. While a portion of these new IoT-linked botnets may be connected to projects that are in the PoC phase, a larger volume of the traffic seems to be emerging from established projects, as per the traffic patterns analyzed by Sectrio’s threat research team. This is quite a worrying development, as it indicates the possibility of existing IoT devices being compromised, or of new and untested devices being added to existing projects without adequate security testing.
How will this impact IoT security?
Coming in the wake of the crisis in Ukraine and a period of excess activity within institutional and government-run SOCs, there is a possibility that many such attacks will turn into targeted attacks on specific projects and infrastructure (which could be the ultimate objective for these hackers). The reactivation of Sandworm hackers and the appearance of new and more stealthy rootkits in the wild are two separate trends that will converge over the next few weeks as these botnets expand their range and targets.
Overall, this underscores the need to enhance IoT security and invest in the right set of cyber threat intelligence feeds. With vulnerability management, patching, and device testing receiving little or no attention, the time is ripe to diversify IoT cybersecurity measures to cover more ground and deepen the digital moat surrounding your infrastructure.
While systems that are based on older OS hosts can be upgraded to minimize the number of botnets, what is also needed is action from IoT project operators, who need to seriously rethink their cybersecurity priorities. With the average ransom demand jumping by leaps and bounds each year, hackers are raking in profits and expanding their operations and targets.
How can you improve IoT security?
- Always go by the ‘security-by-design’ principle. Remember, the earlier you think of IoT security, the better your chances of deterring hackers and bad actors
- Approval of IoT projects should also have a security component. That means that unless every stakeholder, including IoT cybersecurity analysts, is convinced by the security measures, the project simply doesn’t get off the design board
- Cyber discipline and hygiene should be treated as non-negotiable and placed above deadlines as a project imperative
- Go for IoT threat intelligence feeds
- Know exactly what is happening in your network at all times; conduct periodic security audits and checks
- From a security perspective, there shouldn’t be any difference between a PoC project and a fully operational one. This step alone could improve IoT security by a big margin
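The post notes that each compromised device was sending traffic to multiple IP addresses across regions, and recommends knowing what is happening in your network at all times. The following added example (not code from the original post or from Sectrio) turns that observation into a simple detection over outbound flow logs: it flags internal devices that fan out to many distinct external destinations in many countries within a short window, which is how a bot taking part in a distributed attack looks from the defender's side. The log format and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample flow log (not from the original post): one outbound
# connection per line from an internal IoT device, with the destination's
# country code resolved by the collector. 10.0.5.21 behaves like a bot,
# 10.0.5.30 like a sensor talking to its own cloud endpoint.
SAMPLE_LOG = """\
2022-03-14T10:00:00 src=10.0.5.21 dst=203.0.113.7 cc=US
2022-03-14T10:00:02 src=10.0.5.21 dst=198.51.100.4 cc=DE
2022-03-14T10:00:05 src=10.0.5.21 dst=203.0.113.9 cc=BR
2022-03-14T10:00:09 src=10.0.5.21 dst=198.51.100.77 cc=IN
2022-03-14T10:00:12 src=10.0.5.21 dst=192.0.2.44 cc=JP
2022-03-14T10:00:00 src=10.0.5.30 dst=192.0.2.10 cc=US
2022-03-14T10:30:00 src=10.0.5.30 dst=192.0.2.10 cc=US
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) cc=(\S+)$")

def parse_flows(text):
    """Yield (timestamp, src, dst, country) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, cc = m.groups()
            yield datetime.fromisoformat(ts), src, dst, cc

def find_suspect_hosts(flows, window_s=60, min_dests=5, min_countries=3):
    """Flag sources that reach >= min_dests distinct IPs in >= min_countries
    countries within any window of window_s seconds (fan-out heuristic)."""
    per_src = defaultdict(list)
    for ts, src, dst, cc in flows:
        per_src[src].append((ts, dst, cc))
    suspects = {}
    for src, events in per_src.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            window = [e for e in events[i:] if (e[0] - start).total_seconds() <= window_s]
            dests = {e[1] for e in window}
            countries = {e[2] for e in window}
            if len(dests) >= min_dests and len(countries) >= min_countries:
                suspects[src] = {"dests": len(dests), "countries": sorted(countries)}
                break  # one matching window is enough to raise the alert
    return suspects

if __name__ == "__main__":
    for host, info in find_suspect_hosts(parse_flows(SAMPLE_LOG)).items():
        print(f"{host}: {info['dests']} destinations across {info['countries']}")
```

Thresholds are deliberately conservative placeholders; tune them per device class, since a gateway legitimately reaching several cloud regions will look different from a single sensor.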