Mozi Botnet Accounts for 90% of Traffic to and from IoT Devices, IBM Report Shows

Mozi Botnet Accounts for 90% of Traffic to and from IoT Devices, IBM Report Shows

Researchers at IBM recently reported that 90% of traffic to and from all internet of things (IoT) devices comes from the botnet called “Mozi”.

What Is a Botnet?

A botnet, also known as “zombie army”, is a group of hijacked computers, including IoT devices. These hijacked computers are each infected with malicious software (malware) for the purpose of controlling these computers from a remote location without the knowledge of the owners of the hijacked computers.

Threat actors have used these hijacked computers for malicious activities such as distributed denial-of-service (DDoS) attacks. In a DDoS attack, the traffic from hijacked computers are directed towards a target, for instance, a website, overwhelming the target with traffic, rendering it inaccessible to legitimate users. A malicious actor, for example, sent a DDoS ransom note, taunting a target that their "Botnet army" is ready to take down the target's website and that the target has 48 hours to pay the ransom.

What Is Mozi Botnet?

Researchers at 360 Netlab first reported about the Mozi botnet. According to the researchers, they first observed Mozi in the wild in September 2019.

In the recent report released by researchers at IBM, the researchers said that Mozi accounted for nearly 90% of the observed IoT network traffic from October 2019 to June 2020. They added that the overall combined IoT attack instances from October 2019 to June 2020 increased by 400% compared to the combined IoT attack instances for the previous two years.

This massive traffic from Mozi, the researchers at IBM suggested, that this botnet didn’t remove competitors from the market, but rather flooded the market and dwarfing other botnets. The hijacking of IoT devices to form part of the Mozi botnet, the researchers said, could be due in part to the ever-expanding IoT landscape.

According to IBM researchers, there are nearly 31 billion IoT devices deployed around the world, with IoT deployment rate now stands at 127 devices per second. IoT devices include consumer IoT (security cameras and lighting control); commercial IoT (internet-connected pacemakers and vehicle trackers); enterprise IoT (projectors, routers and security systems); industrial IoT (production line automation systems and aircraft systems); infrastructure IoT (traffic control devices and utility monitoring devices), Internet of Military Things (wearable combat biometrics devices, robots and surveillance equipment).

Researchers from 360 Netlab and IBM reported that Mozi is capable of conducting these malicious activities: conduct DDoS attack (HTTP, TCP, UDP), carry out command execution attack, download malicious payload from specified URL and execute it, and gather bot information. Devices affected by Mozi include Netgear, D-Link and Huawei routers.

How Mozi Hijacks IoT Devices to Form Part of Its Botnet?

According to IBM researchers, nearly all of the initial entry to these Mozi-hijacked devices was done through command injection (CMDi) attacks.

“Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application,” Open Web Application Security Project (OWASP) defines CMDi. “Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation. In Command Injection, the attacker extends the default functionality of the application, which execute system commands, without the necessity of injecting code.”

Researchers at IBM said CMDi attacks are extremely popular against IoT devices for the following reasons:

First, IoT embedded systems commonly contain a web interface and a debugging interface left over from firmware development that can be exploited.

Second, PHP modules that are built into IoT web interfaces can be exploited, giving threat actors remote execution capability.

Third, IoT interfaces are often left vulnerable when deployed as administrators “fail to harden the interfaces by sanitizing expected remote input”. This failure, the researchers said, allows threat actors to input shell commands.

Fourth, new vulnerabilities require constant updating and slow patch implementation can be exploited.

Fifth, CMDi attacks can easily be automated, allowing threat actors to hijack a large number of IoT devices quickly at low cost.

Sixth, IBM researchers suggested that Mozi continues to be successful largely through the use of CMDi attacks as corporate networks are being accessed remotely more often due to COVID-19. 

Israel-based cybersecurity firm JSOF earlier reported that vulnerabilities in Treck TCP/IP stack put hundreds of millions of IoT and embedded devices at risk. Developed 20 years ago, Treck TCP/IP stack is a piece of software that serves as a basic building block for IoT or embedded device that works over a network.

Out of the 19 security vulnerabilities discovered on Treck TCP/IP, 4 are rated critical remote code execution vulnerabilities. In remote code execution, a threat actor from any geographical location could run malicious programs on the target device.

Cybersecurity Best Practices

Here are some cybersecurity best practices in preventing your organization’s IoT devices from being hijacked and made part of a botnet: keep all firmware up to date and retire devices that no longer receive security updates.

Using outdated IoT devices or those that no longer receive security updates leave these devices vulnerable to hijacking and being made part of a botnet for malicious activities such as DDoS attacks.

On the flip side, with the proliferation of hijacked IoT devices, it’s important to protect your organization from DDoS attacks.