Thought leadership. threat analysis, news and alerts.
Mozi Botnet Accounts for 90% of Traffic to and from IoT Devices, IBM Report Shows
Researchers at IBM recently reported that 90% of traffic to and from all internet of things (IoT) devices comes from the botnet called “Mozi”.
What Is a Botnet?
A botnet, also known as “zombie army”, is a group of hijacked computers, including IoT devices. These hijacked computers are each infected with malicious software (malware) for the purpose of controlling these computers from a remote location without the knowledge of the owners of the hijacked computers.
Threat actors have used these hijacked computers for malicious activities such as distributed denial-of-service (DDoS) attacks. In a DDoS attack, the traffic from hijacked computers are directed towards a target, for instance, a website, overwhelming the target with traffic, rendering it inaccessible to legitimate users. A malicious actor, for example, sent a DDoS ransom note, taunting a target that their "Botnet army" is ready to take down the target's website and that the target has 48 hours to pay the ransom.
What Is Mozi Botnet?
Researchers at 360 Netlab first reported about the Mozi botnet. According to the researchers, they first observed Mozi in the wild in September 2019.
In the recent report released by researchers at IBM, the researchers said that Mozi accounted for nearly 90% of the observed IoT network traffic from October 2019 to June 2020. They added that the overall combined IoT attack instances from October 2019 to June 2020 increased by 400% compared to the combined IoT attack instances for the previous two years.
This massive traffic from Mozi, the researchers at IBM suggested, that this botnet didn’t remove competitors from the market, but rather flooded the market and dwarfing other botnets. The hijacking of IoT devices to form part of the Mozi botnet, the researchers said, could be due in part to the ever-expanding IoT landscape.
According to IBM researchers, there are nearly 31 billion IoT devices deployed around the world, with IoT deployment rate now stands at 127 devices per second. IoT devices include consumer IoT (security cameras and lighting control); commercial IoT (internet-connected pacemakers and vehicle trackers); enterprise IoT (projectors, routers and security systems); industrial IoT (production line automation systems and aircraft systems); infrastructure IoT (traffic control devices and utility monitoring devices), Internet of Military Things (wearable combat biometrics devices, robots and surveillance equipment).
Researchers from 360 Netlab and IBM reported that Mozi is capable of conducting these malicious activities: conduct DDoS attack (HTTP, TCP, UDP), carry out command execution attack, download malicious payload from specified URL and execute it, and gather bot information. Devices affected by Mozi include Netgear, D-Link and Huawei routers.
How Mozi Hijacks IoT Devices to Form Part of Its Botnet?
According to IBM researchers, nearly all of the initial entry to these Mozi-hijacked devices was done through command injection (CMDi) attacks.
“Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application,” Open Web Application Security Project (OWASP) defines CMDi. “Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation. In Command Injection, the attacker extends the default functionality of the application, which execute system commands, without the necessity of injecting code.”
Researchers at IBM said CMDi attacks are extremely popular against IoT devices for the following reasons:
First, IoT embedded systems commonly contain a web interface and a debugging interface left over from firmware development that can be exploited.
Second, PHP modules that are built into IoT web interfaces can be exploited, giving threat actors remote execution capability.
Third, IoT interfaces are often left vulnerable when deployed as administrators “fail to harden the interfaces by sanitizing expected remote input”. This failure, the researchers said, allows threat actors to input shell commands.
Fourth, new vulnerabilities require constant updating and slow patch implementation can be exploited.
Fifth, CMDi attacks can easily be automated, allowing threat actors to hijack a large number of IoT devices quickly at low cost.
Sixth, IBM researchers suggested that Mozi continues to be successful largely through the use of CMDi attacks as corporate networks are being accessed remotely more often due to COVID-19.
Israel-based cybersecurity firm JSOF earlier reported that vulnerabilities in Treck TCP/IP stack put hundreds of millions of IoT and embedded devices at risk. Developed 20 years ago, Treck TCP/IP stack is a piece of software that serves as a basic building block for IoT or embedded device that works over a network.
Out of the 19 security vulnerabilities discovered on Treck TCP/IP, 4 are rated critical remote code execution vulnerabilities. In remote code execution, a threat actor from any geographical location could run malicious programs on the target device.
Cybersecurity Best Practices
Here are some cybersecurity best practices in preventing your organization’s IoT devices from being hijacked and made part of a botnet: keep all firmware up to date and retire devices that no longer receive security updates.
Using outdated IoT devices or those that no longer receive security updates leave these devices vulnerable to hijacking and being made part of a botnet for malicious activities such as DDoS attacks.
On the flip side, with the proliferation of hijacked IoT devices, it’s important to protect your organization from DDoS attacks.
Bugs in Treck TCP/IP Stack Put Hundreds of Millions of IoT and Embedded Devices At Risk
Nineteen vulnerabilities in a piece of software called “Treck TCP/IP Stack” have recently been discovered. This piece of software is present in hundreds of millions of IoT and embedded devices, putting these devices and connected devices at risk.
The 19 vulnerabilities in Treck TCP/IP stack is collective called “Ripple20”, giving emphasis on the word “ripple”, as the ripple effect of these vulnerabilities has grown exponentially due to the supply chain factor. Out of the 19 vulnerabilities discovered, 2 were disclosed anonymously and 17 were disclosed by Israel-based cybersecurity firm JSOF.
“A single vulnerable component, though it may be relatively small in and of itself, can ripple outward to impact a wide range of industries, applications, companies, and people,” JSOF said in the report "19 Zero-Day Vulnerabilities Amplified by the Supply Chain". “Ripple20 reached critical IoT devices from a wide range of fields, involving a diverse group of vendors.”
Tracing the Supply Chain
TCP/IP stack was developed 20 years ago by the firm called “Treck”. This piece of software serves as a basic networking element or a building block, useful in any context for any IoT or embedded device that works over a network.
According to JSOF, over the past two decades, Treck TCP/IP has been spreading around the world, through both direct and indirect use. JSOF reported that in the 1990s, Treck collaborated with a Japanese company named Elmic Systems. The two later went their separate ways, resulting in two separate branches of the TCP/IP stack devices, one managed by Treck and the other one managed by Elmic Systems. Other than ELMIC, the Treck TCP/IP stack is also known by other names such as Net+ OS, Quadnet, GHNET v2, and Kwiknet.
Printers, routers, infusion pumps in the medical sector, and industrial controls are some of the devices affected by these vulnerabilities. Affected device vendors as a result of the 19 vulnerabilities discovered in Treck TCP/IP include HP, Schneider Electric, Intel, Rockwell Automation, Caterpillar, and Baxter. JSOF estimates that the discovered 19 vulnerabilities affect hundreds of millions or more devices.
Security Vulnerabilities in Treck TCP/IP
Out of the 19 security vulnerabilities discovered on Treck TCP/IP, 4 are rated critical remote code execution vulnerabilities with CVSS ≥ 9; 4 are major with a CVSS ≥ 7; and 11 more have various lower severity. CVSS, short for Common Vulnerability Scoring System, is the industry standard for assessing the severity of computer system security vulnerabilities, most critical of which is rated 10.
Security vulnerabilities designated as CVE-2020-11896, CVE-2020-11898, and CVE-2020-11901 are some of the notable out of the 19 vulnerabilities.
CVE-2020-11896 is a critical vulnerability in Treck TCP/IP stack. This vulnerability allows for remote code execution by any attacker that can send UDP packets to an open port on the target device. Remote code execution allows attackers from any geographical location to run programs on the target device.
CVE-2020-11898 is a security vulnerability in Treck TCP/IP stack that improperly handles an IPv4/ICMPv4 Length Parameter Inconsistency, which allows remote attackers to trigger an information leak. JSOF researchers tested the CVE-2020-11896 and CVE-2020-11898 vulnerabilities on Digi Connect ME 9210 – a device that’s embeddable and is used in medical devices. Digi Connect can be purchased from any of the large electronic-parts resellers, amplifying these vulnerabilities as any device embedded also becomes vulnerable.
Among the 19 security vulnerabilities in Treck TCP/IP stack, the most severe is CVE-2020-11901, receiving a CVSS score of 9.1. This vulnerability is a collection of vulnerabilities for several critical client-side vulnerabilities in the DNS resolver of the Treck TCP/IP stack.
If successfully exploited, this vulnerability allows pre-authentication arbitrary remote code execution. This vulnerability is of particular interest because a sophisticated attacker, such as a nation state “can potentially reply to a DNS request from outside of the corporate network, thus breaking network segmentation,” researchers at JSOF said.
JSOF researchers tested the CVE-2020-11901 vulnerability on a Schneider Electric UPS device model APC Smart-UPS 750 (SMT750I/ID18/230V). UPS, short for Uninterruptible Power Supply, is a device designed for use in enterprise networks, data centers, and mission-critical systems. It’s used as an embedded battery to ensure that devices connected to it won’t suffer from power outages or fluctuations. Remotely exploiting UPS device can, therefore, have disastrous consequences.
Preventive and Mitigating Measures
Here some cybersecurity measures in preventing or mitigating the effects of the 19 vulnerabilities discovered in Treck TCP/IP stack:
Keep all Firmware and Software Up to Date
Some vendors of the products affected by the 19 vulnerabilities discovered in Treck TCP/IP stack, such as Aruba Networks, Digi International, HP, Intel, Teradici, Xerox have issued a corresponding patch or security update fixing the said vulnerabilities.
Retire Devices that No Longer Receive Security Updates
“The Treck stack has been around for more than 20 years,” JSOF researchers said. “Possibly the vulnerabilities too.”
Due to the length of time, some of the IoT and embedded devices affected by the vulnerabilities discovered in Treck TCP/IP stack may no longer receive security updates. Continuous use of vulnerable devices puts your organization’s network at risk of cyberattacks.
Devices which no longer receive security updates, and which have served their purpose for years should no longer be used. Luckily, some of these devices are inexpensive, as such, it’s much cheaper to replace them with the latest versions as opposed to using outdated devices which only put your organization’s network at risk.
Rise of Phishing and DDoS Attacks in the Education Sector
COVID-19 resulted in the temporary shutdown of schools and universities across the world. This has given rise to online classes, whereby classes are conducted remotely and on digital platforms.
As schools and universities across the world reopen, many opt for mixed physical and online classes, while some still opting for purely online classes. The shift to online classes, however, has opened a window for malicious actors to exploit.
The shift to online classes gives rise to phishing attacks and distributed denial of service (DDoS) attacks directed against the education sector.
Phishing is one of the oldest and popular forms of cybercrimes. In a phishing campaign, intended victims, whether targeted or random individuals, are tricked into clicking something leading to the stealing of data or the downloading of malicious software (malware).
Microsoft Security Intelligence has found that as of September 7, 2020, out of the nearly 8.7 million malware encounters reported in the last 30 days, 59.84% came from the education sector, making it the most affected sector.
In the report “Digital Education: The cyberrisks of the online classroom”, Kaspersky Lab said that attackers lure victims in downloading malware by bundling fake versions of popular video meeting apps and online course platforms as legitimate application installers. Victims encounter these fake video meeting apps and online course platform installers through phishing websites – referring to sites designed to look like legitimate websites supposedly for downloading popular video meeting apps and online course platform app installers.
Another way by which victims encounter these fake video meeting apps and online course platform installers is through phishing emails that masquerade as special offers or notifications. Downloading of the fake video meeting apps and online course platform installers either from phishing websites or phishing emails could lead to the installation and running of malicious software on the victim’s computer or stealing of sensitive data.
In April of this year, researchers at Check Point reported that in just a span of 3 weeks, nearly 2,500 new websites relating to the video conferencing app Zoom were registered. Out of these 2,500 new Zoom-related websites, 1.5% of these websites were found as malicious and the other 13% were found as suspicious. The researchers added that cybercriminals impersonated other video conferencing apps such as Microsoft Teams and Google Meet.
Researchers at Check Point reported that victims fell prey to phishing emails that came with the subject “You have been added to a team in Microsoft Teams“. The phishing emails contained a malicious website URL, which on the first glance looks similar to the legitimate Microsoft Teams URL. A double-check, however, of this URL shows that this URL is a fake one and victims who landed on this fake Microsoft Team site ended up downloading a malware.
Distributed Denial-of-Service (DDoS) Attacks
In a DDoS attack, a botnet – referring to a network of computers infected with self-propagating malware – is used by an attacker in overwhelming the target or its surrounding infrastructure with a flood of internet traffic. According to Kaspersky Lab, between January 2020 and June 2020, the number of DDoS attacks affecting the education sector increased by at least 350% when compared to the corresponding month in 2019.
Authorities recently arrested a 16-year-old in connection with a series of DDoS attacks on Miami-Dade County Public Schools that disrupted the district's first week of online classes. The teenager admitted to launching the DDoS attacks using Low Orbit Ion Cannon (LOIC).
LOIC is a decade-old application developed originally used for network stress testing. Since becoming an open-source application it has been used for malicious activities such as DDoS attacks. A successful DDoS attack using LOIC floods a target server with TCP, UDP, or HTTP packets with the goal of disrupting service.
A DDoS attack via LOIC uses IRC chat channels to run a “Hivemind” version of the LOIC. This allows a primary user of the IRC chat to control secondary computers, creating a botnet – referring to a network of computers controlled by the primary user for malicious activities such as DDoS.
LOIC was used in the past to launch DDoS attacks against Visa and MasterCard websites in response to the freezing of payments to WikiLeaks. The thing about using LOIC in launching DDoS attacks is that attackers are unable to hide their IP addresses, making it easy for authorities to track them down. Due to this IP address visibility, authorities in many countries have taken legal actions against DDoS attackers leveraging LOIC.
Preventive and Mitigating Measures Against Phishing and DDoS Attacks
To stay safe from phishing attacks, be wary of clicking anything online as these could lead you to phishing sites. Also double-check URLs as a difference in one letter or character could lead you to a malicious site.
To stay safe against DDoS attacks, including DDoS attacks leveraging LOIC, use WAF, short for Web Application Firewall. WAF specifically provides strong protection against HTTP floods. As protection against TCP and UDP, use a dedicated DDoS protection.
Steve E. Driz, I.S.P., ITCP