It’s been about one year since Mirai infected IoT devices across the globe, conscripting them into a sizeable botnet with amazing firepower. The botnet was blamed for launching a 620 Gbps DDoS attack against security researcher Brian Krebs’ website, and it was also blamed for launching the largest DDoS attack on record against OVH. Mirai also interrupted Internet availability for 900,000 Deutsche Telekom subscribers and compromised almost 2,400 TalkTalk routers in the UK in late 2016. In the aftermath of the attacks, researchers discovered that over 150,000 malicious IoT devices had been involved, creating a DDoS attack strength of over 1.2 Tbps and making it the largest and most powerful cyber-attack of its kind in history.
But Mirai was only the beginning.
Researchers with security firms Check Point and Qihoo 360 Netlab have been monitoring a new botnet for the past two months. Dubbed IoT_Reaper, the botnet is estimated to have reached a staggering two million infected devices, made up mostly of IP-based security cameras, network video recorders, digital video recorders, and routers from companies such as GoAhead, D-Link, TP-Link, Avtech, Netgear, MikroTik, Linksys, and Synology. Based on their observations, the botnet is continuing to grow and has infected devices worldwide.
Not only is Reaper much larger in scale than Mirai, it’s more advanced as well. Rather than using weak or default credentials to access open Telnet ports, Reaper exploits numerous vulnerabilities in different IoT devices to forcibly take over unpatched devices and add them to its command and control infrastructure. Exploits are continuously added, and the infrastructure is expanding to accommodate new bots. Researchers also believe Reaper is able to “evolve” by adding new exploits and spreading the malware to devices as they come online, which is how it’s been able to grow so quickly.
Performing a simple math exercise, the botnet that took OVH offline with a 1+ Tbps DDoS attack appeared to be made up of about 150,000 IoT cameras. This means that each infected IoT device was capable of generating about 7 Mbps of DDoS attack traffic on average. If the IoT_Reaper botnet is made up of over 2 million IoT devices, and if each device is capable of generating 7 Mbps of DDoS attack traffic, the botnet may be capable of generating upwards of 14 Tbps of attack traffic. That’s enough DDoS traffic to take a smaller country offline in some cases.
Reaper has yet to be leveraged to execute any attacks, and the intentions are unclear, but one thing is for sure: it’s not sitting there for nothing. Attacks of previously unseen magnitude are perched on the horizon, lying in wait to wreak havoc on a scale we haven’t seen before. Perhaps this time next year we’ll be preparing in advance of a 5 million device botnet. With the IoT market growing, there is seemingly no limit to how far this can go.
What can organizations do to prepare for Reaper and ensure they are not part of the problem?
- Make sure you have DDoS defenses in place BEFORE an attack occurs.
- Ensure that your cloud-based DDoS solution provider has enough bandwidth to thwart a massive attack.
- Ensure that no vulnerable IoT devices you’re responsible for are connected to the Internet.
- Run a vulnerability scan against all of your IoT devices, ideally with a third party using the latest techniques so nothing is missed.
- Patch your vulnerable IoT systems and keep checking for any new patches from IoT manufacturers.
- Scan again to make sure nothing was missed.