Thought leadership. threat analysis, news and alerts.
Reaper IoT Botnet Threatens to Take Down Websites
Reaper IoT botnet, considered as more powerful than the Mirai botnet, is spreading worldwide and threatens to take down websites.
According to Check Point researchers, the Reaper botnet already infected one million IoT devices worldwide. "So far we estimate over a million organizations have already been affected worldwide, including the US, Australia and everywhere in between, and the number is only increasing," Check Point researchers said.
Researchers at Qihoo 360 Netlab, meanwhile, reported that the number of “vulnerable devices in one c2 queue waiting to be infected” reached over 2 million.
IoT botnet refers to internet-connected smart devices which are infected by one malware and is controlled by a cyber criminal from a remote location. It’s typically used by cyber criminals to launch a distributed denial-of-service (DDoS) attack.
“In a distributed denial-of-service (DDoS) attack, an attacker may use your computer to attack another computer,” the United States Computer Emergency Readiness Team (US-CERT) defines DDoS attack. “By taking advantage of security vulnerabilities or weaknesses, an attacker could take control of your computer. He or she could then force your computer to send huge amounts of data to a website or send spam to particular email addresses.”
Infecting millions of IoT devices with a malware is a time-consuming task. Cyber criminals found a way to automate this task by creating a botnet – an army of infected IoT devices. The Reaper malware, as well as the Mirai malware, is spread by the IoT devices themselves. After infecting a particular IoT device, this infected device starts to look for other devices to infect.
The Mirai botnet in October 2016 brought down major websites – including Twitter, Spotify and Reddit – by launching a DDoS attack against the DNS infrastructure of New Hampshire-based company Dyn. Many major websites rely on Dyn’s internet infrastructure.
Reaper Botnet versus Mira Botnet
While the Reaper botnet shares similar characteristics with Mirai, it differs in many ways with the Mirai botnet. On September 30, 2016, the attacker known as “Anna-senpai” publicly released the source code of Mirai. According to Check Point and Qihoo 360 Netlab researchers, Reaper borrows some of the source code of Mirai, but this new botnet is significantly different from Mirai in several key behaviors.
Here are some of the differences between Reaper and Mirai:
1. Number of Affected IoT Devices
The first difference between the Reaper botnet and Mirai botnet is in terms of the number of affected IoT devices. Mirai affected about 500,000 IoT devices, while Reaper has infected over a million IoT devices.
2. Means of Infecting IoT Devices
Mirai was able to infect hundreds of thousands of IoT devices by exploiting the lax attitude of IoT users of not changing the factory or default login and password details. By using default login and password details, Mirai attackers were able to infect a massive number of IoT devices.
On the hand, Reaper’s means of infecting IoT are by exploiting several IoT vulnerabilities which the devices’ manufacturers may or may not have issued security updates or patches. Reaper attackers can, therefore, infect IoT devices even if a strong password is used as the means of entry to the device is by exploiting known software vulnerabilities.
According to Check Point researchers, the Reaper, for instance, infects unpatched wireless IP cameras by exploiting the “CVE-2017-8225” vulnerability.
3. Botnet Capabilities
Mirai already showed what it can do: It brought down major websites worldwide even for just a few hours. For Reaper, it’s still unclear what it wants to do. As of this writing, Reaper’s creator or creators just want (based on the code they wrote) to infect as many IoT devices without yet writing the command to attack any internet infrastructure or websites.
"It is too early to guess the intentions of the threat actors behind it, but with previous Botnet DDoS attacks essentially taking down the Internet, it is vital that organizations make proper preparations and defense mechanisms are put in place before an attack strikes," Check Point researchers said.
The sheer number of infected IoT devices by Reaper – more than twice the number of Mirai’s victims – show how powerful and devastating Reaper can do when used as a means to launch a DDoS attack.
Gartner projected that 8.4 billion IoT devices will be in use worldwide in 2017 and will reach 20.4 billion by 2020. Examples of IoT devices include security systems (alarm systems, surveillance cameras), automation devices (devices that control lighting, heating and cooling, electricity), smart appliances (refrigerators, vacuums, stoves) and wearables (fitness trackers, clothing, watches).
"As more businesses and homeowners use Internet-connected devices to enhance company efficiency or lifestyle conveniences, their connection to the Internet provides new vulnerabilities for malicious cyber actors to exploit," the US Federal Bureau of Investigation (FBI) said. "Once an IoT device is compromised, cyber criminals can facilitate attacks on other systems or networks, send spam e-mails, steal personal information, interfere with physical safety, and leverage compromised devices for participation in distributed denial of service (DDoS) attacks."
How to Block Reaper IoT Botnet
In most cases, owners of infected IoT devices are unaware that their devices are infected and are used for criminal activities, such as launching a DDoS attack. IoT users who fail to change their devices’ default login and password details, as well as by failing to apply security updates, are part of the problem for “blindly” contributing to cyber criminal activities like DDoS attacks.
Here are the top cyber security measures to stop attackers from infecting your IoT devices and turned it into a botnet:
1. Timely Apply Security Updates of IoT Software
Always apply in a timely manner all security updates issued by your IoT manufacturer.
2. Use Strong Password
While the sophisticated malware like the Reaper can bypass strong password, it still pays to use a strong password to ward off less sophisticated malware.
3. Isolate IoT devices on their own protected networks.
4. Block traffic from unauthorized IP addresses by configuring network firewalls.
5. Turn off IoT devices when not in use.
6. When buying an IoT device, look for manufacturers that offer software updates.
Steve E. Driz, I.S.P., ITCP