It was a bright cold day in May, and the clocks were striking thirteen. The day seemed like a regular day at our Nixu Cyber Defense Center, but little did we know. Soon our cyber defense experts sensed that a storm was rising. A significant number of customer devices, including CCTV cameras and routers, had joined a large-scale malicious botnet but had remained silent until now, waiting grimly for further instructions.
Until that bright cold day in May, the botnet owner had received only one packet a week from these devices, informing him that his bots were healthy and ready for action. Then the botnet suddenly rose up and started an attack against a router model with known vulnerabilities. Based on the attack technique, our Nixu team concluded that the intention was to infect the routers with the botnet malware and so expand the size of the botnet.
We started the cleanup immediately with our customers. The first step was to identify all the infected devices, but this was challenging because no documentation of the IoT devices was available. Some of the devices had to be identified from their MAC addresses and the header information they provided.
One clever trick used by the attacker was unidirectional UDP traffic. The stage 1 payload was constructed so that the attacking source system never received any reply from the destination system. If the destination was vulnerable and the exploit succeeded, the payload simply instructed the system to call home to the command and control servers run by the attacker and download the final payload from there. This would have allowed the attack to traverse networks that are normally separated by traffic controls, data diodes or similar measures. The final payload used in the attack was a variant of the Remaiten malware, which is developed to target IoT devices.
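The pattern described above has a defender-side signature: an inbound UDP datagram from the Internet that is never answered, followed shortly by the same host opening a connection to an external address it has never talked to before. The following is an added example (not Nixu's own detection tooling) that looks for exactly that sequence in flow records. The flow format, the internal address range, the time windows and every address, port and timestamp in the sample are constructed assumptions.

```python
"""Flag the 'unanswered inbound UDP, then call-home' pattern in flow records.

Added example, not Nixu's own tooling. It looks for an internal host that
receives an inbound UDP datagram from the Internet which is never answered,
and that within CALL_HOME_WINDOW seconds opens an outbound TCP connection
to an external address it has never contacted before. Every address, port
and timestamp below is constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/8")  # assumed internal address range
REPLY_WINDOW = 30        # seconds: a UDP flow counts as answered if the reverse flow appears within this
CALL_HOME_WINDOW = 120   # seconds: max gap between the UDP hit and the first new outbound connection


@dataclass(frozen=True)
class Flow:
    ts: float     # flow start, epoch seconds
    src: str
    sport: int
    dst: str
    dport: int
    proto: str    # "udp" or "tcp"


def is_internal(ip: str) -> bool:
    return ip_address(ip) in INTERNAL_NET


def unanswered_inbound_udp(flows):
    """Inbound UDP flows from outside with no matching reverse flow within REPLY_WINDOW."""
    hits = []
    for f in flows:
        if f.proto != "udp" or is_internal(f.src) or not is_internal(f.dst):
            continue
        answered = any(
            g.proto == "udp"
            and g.src == f.dst and g.sport == f.dport
            and g.dst == f.src and g.dport == f.sport
            and 0 <= g.ts - f.ts <= REPLY_WINDOW
            for g in flows
        )
        if not answered:
            hits.append(f)
    return hits


def detect_call_home(flows):
    """Return (victim, udp_source, call_home_destination) for each suspicious sequence."""
    flows = sorted(flows, key=lambda f: f.ts)
    alerts = []
    for hit in unanswered_inbound_udp(flows):
        victim = hit.dst
        # External peers this host talked to before the UDP hit: a connection to a
        # brand-new address is the interesting signal, traffic to a known peer is not.
        known_peers = {g.dst for g in flows
                       if g.src == victim and not is_internal(g.dst) and g.ts < hit.ts}
        for g in flows:
            if (g.src == victim and g.proto == "tcp" and not is_internal(g.dst)
                    and hit.ts < g.ts <= hit.ts + CALL_HOME_WINDOW
                    and g.dst not in known_peers):
                alerts.append((victim, hit.src, g.dst))
                break
    return alerts


# Constructed sample: one genuine hit, one answered DNS exchange, and one
# unanswered probe followed only by traffic to an already-known peer.
SAMPLE_FLOWS = [
    Flow(0.0,   "10.0.5.20", 51000, "198.51.100.10", 443, "tcp"),   # normal baseline traffic
    Flow(10.0,  "10.0.5.22", 51001, "198.51.100.10", 443, "tcp"),
    Flow(100.0, "203.0.113.7", 40000, "10.0.5.20", 9999, "udp"),    # unanswered stage-1 probe
    Flow(130.0, "10.0.5.20", 51002, "192.0.2.50", 80, "tcp"),       # call-home to a never-seen host
    Flow(200.0, "203.0.113.9", 53, "10.0.5.21", 53, "udp"),         # DNS query ...
    Flow(200.1, "10.0.5.21", 53, "203.0.113.9", 53, "udp"),         # ... and its answer
    Flow(300.0, "203.0.113.7", 40001, "10.0.5.22", 9999, "udp"),    # unanswered probe ...
    Flow(320.0, "10.0.5.22", 51003, "198.51.100.10", 443, "tcp"),   # ... but only known-peer traffic follows
]


def run_sample():
    return detect_call_home(SAMPLE_FLOWS)


if __name__ == "__main__":
    for victim, source, c2 in run_sample():
        print(f"possible stage-1 hit: {victim} probed by {source}, then called home to {c2}")
```

Because the stage 1 payload never produces a reply, the unanswered inbound UDP alone is a weak signal on its own (scanners produce the same thing constantly); pairing it with a first-ever outbound connection from the probed device within a short window is what separates a successful exploit from background noise. On a segment of known IoT devices a practitioner would also consider alerting on the unanswered UDP hit by itself, since those devices rarely have a legitimate reason to receive it.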
Forensic investigations were also started and yielded multiple previously unknown indicators of compromise (IoCs). This information was then used to develop advanced detection methods that were quickly rolled out across the customer base, which helped us detect another bot group in another customer's environment that had stayed silent during this attack. In addition, our Nixu team was able to spot two publicly unknown command and control (C&C) servers used by the botnet master to control compromised systems. We were happy to share all the gathered threat intel with the relevant community.
Cybersecurity threats are complicated to deal with, especially in the IoT environment, but there is a lot one can do to be prepared. Start by investigating whether your CCTV cameras and other IoT products are on the same network as your ICT devices; if so, make sure they are documented in your asset database and patched periodically for known vulnerabilities. Also include IoT-specific threat intel feeds in your intelligence supply, and once new threat actors or attack techniques are published, run a thorough investigation, including manual analysis and real-time inspection of the data flowing between your systems and assets, to ensure your environment is neither affected nor compromised. Reacting to anomalies with the highest precision and professionalism is the key to success when detecting advanced and targeted attacks.
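The first two recommendations above (find the IoT devices sharing a network with your ICT equipment, and make sure each one is in the asset database) can be checked mechanically, and the MAC-based identification mentioned earlier in the post is one way to do it. Below is an added example, not Nixu's own tooling, that parses a simplified ARP table, classifies hosts by the OUI prefix of their MAC address and reports cameras and routers that are missing from the inventory, noting which of them sit on the same interface as workstations. The ARP line format, the OUI table, the device classes, the addresses and the inventory are all constructed placeholders; a real run would use the IEEE OUI registry and the organisation's actual asset database.

```python
"""Reconcile hosts seen on the network against the asset inventory.

Added example, not Nixu's own tooling. It parses constructed ARP-table lines
(ip, MAC, interface), classifies each MAC by its OUI prefix, and reports IoT
devices (cameras, routers) that are missing from the asset database, noting
whether they share an interface with workstations. The OUI prefixes, device
classes, addresses and inventory below are all made up.
"""
import re

# Constructed OUI -> device class table (placeholder prefixes, not real vendors).
OUI_CLASS = {
    "AA:BB:01": "cctv-camera",
    "AA:BB:02": "soho-router",
    "AA:BB:03": "workstation",
}

IOT_CLASSES = ("cctv-camera", "soho-router")

# Simplified 'ip mac iface' line; header lines and blanks will not match.
ARP_LINE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<iface>\S+)$"
)


def parse_arp(text):
    """Parse 'ip mac iface' lines into dicts; anything else is ignored."""
    hosts = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            hosts.append({"ip": m["ip"], "mac": m["mac"].upper(), "iface": m["iface"]})
    return hosts


def classify(mac):
    """Map a MAC to a device class via its first three octets (the OUI)."""
    return OUI_CLASS.get(mac.upper()[:8], "unknown")


def find_undocumented_iot(arp_text, inventory_macs):
    """Return IoT devices absent from the inventory, flagging shared office networks."""
    hosts = parse_arp(arp_text)
    for h in hosts:
        h["class"] = classify(h["mac"])
    # Interfaces that carry workstations are the 'office' networks IoT gear should not share.
    office_ifaces = {h["iface"] for h in hosts if h["class"] == "workstation"}
    inventory = {m.upper() for m in inventory_macs}
    findings = []
    for h in hosts:
        if h["class"] in IOT_CLASSES and h["mac"] not in inventory:
            findings.append({
                "ip": h["ip"], "mac": h["mac"], "class": h["class"], "iface": h["iface"],
                "shares_office_network": h["iface"] in office_ifaces,
            })
    return findings


# Constructed ARP table: two workstations, one documented camera, one
# undocumented camera on the office interface and one undocumented router
# on a separate interface.
SAMPLE_ARP = """\
Address        HWaddress          Iface
10.0.5.10      aa:bb:03:00:00:01  eth0
10.0.5.11      aa:bb:03:00:00:02  eth0
10.0.5.40      aa:bb:01:00:00:10  eth0
10.0.5.41      aa:bb:01:00:00:11  eth0
10.0.9.1       aa:bb:02:00:00:20  eth1
"""

SAMPLE_INVENTORY = {"AA:BB:01:00:00:10"}   # only the first camera is documented


def run_sample():
    return find_undocumented_iot(SAMPLE_ARP, SAMPLE_INVENTORY)


if __name__ == "__main__":
    for f in run_sample():
        where = "on the office network" if f["shares_office_network"] else "segregated"
        print(f'{f["class"]} {f["ip"]} ({f["mac"]}) not in inventory, {where}')
```

OUI lookup only tells you the network interface vendor, so the classification is a starting point rather than a verdict; the header information devices return on their management ports, as mentioned earlier in the post, is the natural second source for confirming what a flagged host actually is before it is added to the asset database.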
In order to be successful, make sure that your IoT strategy:
- protects your IoT systems and products at least on the same level as your most critical assets
- applies security by design in your IoT product development in order to avoid and block incoming IoT related attacks (they are already here)
- takes detection and response capability into account: either the organization's own capability or a partner that constantly develops its processes and measures to detect and respond to advanced and targeted attacks that cannot be found automatically
We at Nixu would be happy to help you accomplish all the above security matters by offering our leading cyber security experts and the latest technology.