By Anthony Giandomenico, Senior Security Strategist and Researcher, FortiGuard
Malware is becoming increasingly destructive. Below is a short history of this trend, along with steps organizations can take to combat it.
We begin with Mirai that, in the summer of 2016, was responsible for the largest DDoS attack in history. It was built using millions of vulnerable IoT devices and then used to bring down a large chunk of the internet. This began a new ransomware trend where, rather than having to break in and encrypt devices without being detected, which could take weeks to accomplish, automated botnets comprised of hijacked IoT devices executed DDoS-based ransom attacks. Swarms of independent yet centrally controlled devices with no designated user, and often with no OS to patch or update, were especially difficult to combat.
However, the security research community predicted that Mirai was not an end in itself but was primarily launched to test the capabilities of swarms of compromised IoT-based devices. This proved to be right.
Mirai’s successor was the Hajime ransomworm. While Mirai was basically a blunt force instrument, Hajime included an impressive set of sophisticated cybertools. It was cross-platform, supported five different platforms, and included a toolkit filled with automated tasks, remotely updatable password lists and the ability to download other malicious code, such as brickerbot.
Designed to stop IoT devices from connecting to the internet, Brickerbot was the first in a new generation of destructive malware. Its goal was to deliver a killing blow to a network rather than simply disrupting it for financial gain. Hajime, as well, was able to identify CPE devices and protocols and then remove the rules that allow a CPE device to talk to its service provider. The potential risk to service providers was millions of devices all going dark simultaneously, with no heartbeat to see, control or manage them.
Then there is Hide ‘N Seek (HNS), an IoT botnet that communicates in a complex and decentralized manner—using custom-built, peer-to-peer communication—to implement a variety of malicious routines. While it initially targeted routers, IP cameras and DVRs, HNS now also targets cross-platform database solutions and smart home devices.
HNS was able to evolve this way largely due to the open source Mirai code that is available to malware developers. Getting its inspiration from as well as copying some code from Mirai, HNS has created a new identity for itself.
The Evolution Continues
Reaper changed the binary nature of most malware. While it was built using some of Mirai’s original code, it had also been armed with exploits covering nine different known vulnerabilities spanning a variety of IoT vendors. More concerning, it was also built using an embedded programming language that enabled it to be remotely updated to enhance attack options as needed rather than having all attacks pre-loaded into the malware.
Another recent innovation was found in the VPNFilter malware. VPNFilter includes a kill command that disables a device by deleting all file systems and then rebooting the device, rendering it completely inoperable. Affected devices actually have to be replaced. Even worse, its self-destruct mode can be triggered across all infected devices simultaneously with a single command. To date, over a million devices have been compromised by this malware. Triggering this sort of self-destruct mechanism could potentially result in widespread internet outage or networks collapsing.
It is extremely difficult to defend against a swarm of compromised IoT devices that not only can learn and adapt but are also programmed to ultimately destroy the devices they infect. And marshaling them together to engage in massive attacks would almost certainly bring a considerable segment of the digital economy to a grinding halt.
Thankfully, organizations are not without recourse. Here are five things you can do right now to prepare to defend your organization.
- Add this botnet trend into your current risk/consequence analysis strategy. Your IT team needs to understand their options, such as off-site storage of system backups, having redundant systems in place and being able to lock down segments of the network when an attack is detected.
- Identify all critical assets and services across your network and increase efforts to identify and patch vulnerable systems, replace older systems that are no longer supported or enhance compensating security tools. This probably means implementing some sort of asset tracking and management solution.
- Use network segmentation so that IoT devices are automatically separated from your production network until they can be secured. Device authentication must happen at IoT access points. Which means that your wireless access points need to handle far more simultaneous connections than they are currently designed to manage, and at the same time they need to be able to identify and authenticate devices, manage access, inspect traffic and then route IoT traffic into secure network segments—all at wire speed. Even so, you must be carefully monitoring traffic that passes between network segments, looking for anomalous behaviors, malware and sophisticated multi-vector attacks.
- You can no longer afford to hand-correlate threat data to detect threats or respond at anything less than machine speeds. Real-time threat intelligence is critical for identifying and stopping an attack.
- Remember: deep inspection of unstructured data, like the raw data flowing from many IoT devices, consumes 50 to 100 times more processing power than conventional traffic. It’s likely that many of your legacy security devices are not up to the job.
A Comprehensive Defense
The current evolutionary process will soon bring malware designed with adaptive, success-based learning to improve the efficacy of attacks. This new generation of malware will be situation-aware, meaning that it will understand the environment it is in and then make calculated decisions about what to do next. As cyberwarfar escalates, organizations will need to fight automation with automation and deploy integrated expert security systems that can automatically collect, correlate, share and respond to threats in a coordinated fashion. The steps listed above will help you detect and defeat sophisticated malware botnets and keep your business and reputation intact.
About the author:Anthony Giandomenico is an experienced Information Security Executive, Evangelist, Entrepreneur and Mentor with over 20 years of experience.