New research from Kaspersky Lab reveals how cybercriminals are targeting IoT devices.
During the first half of 2018, malware designed specifically for Internet of Things (IoT) devices grew three-fold with over 120,000 modifications of malware according to new research from Kaspersky Lab.

The security firm’s IoT report revealed that the growth of malware families for smart devices is snowballing and part of a dangerous trend that could leave consumer devices vulnerable to illegal activity including cryptocurrency mining, DDoS attacks or being used in large scale attacks by becoming part of a botnet.

Kaspersky Lab is well aware of these threats and the company has set up its own decoy devices called honeypots to lure cybercriminals and analyse their activities online.

According to the statistics, the most popular method of spreading IoT malware is still brute forcing passwords where hackers repetitively try various password combinations before eventually gaining access to a device. Brute forcing was used in 93 per cent of attacks while well-known exploits were used in the remaining cases.

Kaspersky Lab’s honeypots were attacked most often by routers with 60 per cent of attacks coming from them. The remaining attacks were carried out by a variety of devices including DVRs and printers. Surprisingly, 33 attacks were carried out by connected washing machines.

Why target IoT devices

Cybercriminals may have different reasons for exploiting IoT devices but the most popular reason was to create botnets which would be used to facilitate DDoS attacks. Some of the malware modifications discovered by Kaspersky Lab were even tailored to disable competing malware.

Principal Security Researcher at Kaspersky Lab, David Emm provided further insight on the firm’s report, saying:

“For those people who think that IoT devices don’t seem powerful enough to attract the attention of cybercriminals, and that won’t become targets for malicious activities, this research should serve as a wake-up call. Some smart gadget manufacturers are still not paying enough attention to the security of their products, and it’s vital that this changes – and that security is implemented at the design stage, rather than considered as an afterthought.

“At this point, even if vendors improve the security of devices currently on the market, it will be a while before old, vulnerable devices have been phased out of our homes. In addition, IoT malware families are rapidly being customised and developed, and while previously exploited breaches have not been fixed, criminals are constantly discovering new ones. IoT products have therefore become an easy target for cybercriminals, who can turn simple machines into powerful devices for illegal activity, such as spying, stealing, blackmailing and conducting Distributed Denial of Service (DDoS) attacks.”


This comes after more than 18 months of already helping the FBI stop cyberattacks

Three young hackers went from believing they were “untouchable” to helping the FBI stop future cyberattacks.

The trio of hackers behind the Mirai botnet — one of the most powerful tools used for cyberattacks — has been working with the FBI for more than a year, according to court documents filed last week.

Now the government is recommending they be sentenced to continue assisting the FBI, instead of a maximum five years in prison and a $250,000 fine.

“By working with the FBI, the defendants assisted in thwarting potentially devastating cyberattacks and developed concrete strategies for mitigating new attack methods,” US attorneys said in a motion filed Sept. 11. “The information provided by the defendants has been used by members of the cybersecurity community to safeguard US systems and the Internet as a whole.”
Originally, a probation officer on the case recommended that all three defendants be sentenced to five years’ probation and 200 hours of community service.

Because of the hackers’ help, prosecutors have asked that the community service requirement be bumped up to 2,500 hours, which would include “continued work with the FBI on cybercrime and cybersecurity matters.”

The three defendants are set to be sentenced by a federal judge in Alaska. The sentencing plea Tuesday was earlier reported by Wired.

Hacker rehab

Governments have taken a new approach with young, first-offender hackers, in the hopes of rehabilitating them and recruiting them to help defend against future attacks. The UK offers an alternative called the “cybercrime intervention workshop,” essentially a boot camp for young hackers who have technical talent but poor judgment.

The three defendants — Josiah White, Paras Jha and Dalton Norman — were between the ages of 18 and 20 when they created Mirai, originally to take down rival Minecraft servers with distributed denial-of-service attacks.

DDoS attacks send massive amounts of traffic to websites that can’t handle the load, with the intention of shutting them down. Mirai took over hundreds of thousands of computers and connected devices like security cameras and DVRs, and directed them for cyberattacks and traffic scams.

In one conversation, Jha told White that he was “an untouchable hacker god” while talking about Mirai, according to court documents.

The botnet was capable of carrying out some of the largest DDoS attacks ever recorded, including one in 2016 that caused web outages across the internet. The three defendants weren’t behind the massive outage, but instead were selling access to Mirai and making thousands of dollars, according to court documents.

Helping the FBI

The three hackers pleaded guilty in December, but had been helping the government with cybersecurity for 18 months, even before they were charged. Prosecutors estimated they’ve worked more than 1,000 hours with the FBI — about 25 weeks in a typical workplace.

That includes working with FBI agents in Anchorage, Alaska, to find botnets and free hacker-controlled computers, and building tools for the FBI like a cryptocurrency analysis program.

In March, the three hackers helped stop the Memcached DDoS attack, a tool that was capable of blasting servers with over a terabyte of traffic to shut them down.

“The impact on the stability and resiliency of the broader Internet could have been profound,” US attorneys said in a court document. “Due to the rapid work of the defendants, the size and frequency of Memcache DDoS attacks were quickly reduced such that within a matter of weeks, attacks utilizing Memcache were functionally useless.”

According to US officials, the three hackers also last year helped significantly reduce the number of DDoS attacks during Christmas, when activity usually spikes. Along with helping the FBI, the three defendants have also worked with cybersecurity companies to identify nation-state hackers and assisted on international investigations.

Jha now works for a cybersecurity company in California while also attending school. Dalton has been continuing his work with FBI agents while attending school at the University of New Orleans, and White is working at his family’s business.

Prosecutors heavily factored their “immaturity” and “technological sophistication” as part of the decision.

“All three have significant employment and educational prospects should they choose to take advantage of them rather than continuing to engage in criminal activity,” the court documents said.


In October 2016, the Mirai botnet took down domain name system provider Dyn, waking much of the world up to the fact that Internet of Things devices could be weaponized in a massive distributed denial of service (DDoS) attack. Although DDoS attacks have been around since the early days of the modern internet, IT communities around the globe came to realize that IoT devices could be leveraged in botnet attacks to go after all kinds of targets.

In the case of Dyn, the cyberattack took huge chunks of the web offline, since Dyn served as a hub and routing service for internet traffic. The attack temporarily shut off access to Twitter, Netflix, Spotify, Box, GitHub, Airbnb, reddit, Etsy, SoundCloud and other sites.

The rising prominence of botnets in DDoS attacks also prompted the federal government to take a stronger interest. President Donald Trump’s May 2017 executive order on cybersecurity directed the secretaries of Commerce and Homeland Security to lead “an open and transparent process to identify and promote action by appropriate stakeholders” that would improve the resilience of the internet and encourage collaboration around the goal of “dramatically reducing threats perpetrated by automated and distributed attacks (e.g., botnets).”

In late May, the departments of Commerce and Homeland Security issued a final report on the topic, which included numerous recommendations for agencies to take to mitigate DDoS attacks and botnet threats.

The government, the report says, “should leverage industry-developed capability baselines, where appropriate, in establishing capability baselines for IoT devices in U.S. government environments to meet federal security requirements, promote adoption of industry-led baselines, and accelerate international standardization.”

Among numerous other measures, the report says that agencies should put in place basic DDoS prevention and mitigation measures for all federal networks, and ensure they are not used to amplify DDoS attacks.

Before federal IT leaders and professionals put mitigation and prevention measures in place, it’s worth taking time to understand the nature of the threat. Here is a primer on DDOs attacks, botnets, the damage they can do and how agencies can guard against them.

What Is a DDoS Attack?

A DDoS attack is a cyberattack in which multiple compromised systems attack a given target, such as a server or website, to deny users access to that target.

Attackers often use compromised devices — desktops, laptops, smartphones or IoT devices — to command them to generate traffic to a website in order to disable it, in ways that the user does not even detect.

“The smart cybercriminal imposes limits on the malware code to avoid detection by not utilizing too much of the user’s bandwidth or system resources,” Carl Danowski, a CDW service delivery architect in managed services, writes in a blog post. “The user would have to know where to look to detect this, and probably won’t be motivated to as long as the software doesn’t cause any problems for them. The attack does not use just a single system but millions of such compromised systems, nearly simultaneously.”

The malware then visits or sends special network packets (OSI Layer 7 and Layer 3, respectively) to the website or DNS provider. The attack then generates what looks like, to most cybersecurity tools, normal traffic or unsuccessful connection attempts.

“However, the website soon becomes unavailable as some part of the infrastructure can no longer handle the sheer number of simultaneous requests,” Danowski notes. “It could be the router, the firewall, the web servers, the database servers behind the web servers — any number of points can become overwhelmed, leading to the unavailability of the service they are providing. As a result, legitimate users of the website are denied service.”

As the DHS/Commerce report notes, DDoS attacks have been a concern since the early days of the internet and were a regular occurrence by the early 2000s. They can “overwhelm networked resources, sending massive quantities of spam, disseminating keylogger and other malware.”

What Is a Botnet Attack?

Botnet attacks are related to DDoS attacks. Not all botnets are malicious; a botnet is a simply a group of connected computers working together to execute repetitive tasks, and can keep websites up and running. However, malicious botnets use malware to take control of internet-connected devices and then use them as a group to attack.

“More often than not, what botnets are looking to do is to add your computer to their web,” a blog post from anti-virus firm Norton notes. “That usually happens through a drive-by download or fooling you into installing a Trojan horse on your computer. Once the software is downloaded, the botnet will now contact its master computer and let it know that everything is ready to go. Now your computer, phone or tablet is entirely under the control of the person who created the botnet.”

Malicious botnets are often used to amplify DDoS attacks, as well as sending out spam, generating traffic for financial gain and scamming victims.

The rise of the IoT makes botnets more dangerous and potentially virulent. The IoT means there are simply many more (usually unsecured) connected devices for attackers to target. As a result, the DHS/Commerce report notes, “DDoS attacks have grown in size to more than one terabit per second, far outstripping expected size and excess capacity. As a result, recovery time from these types of attacks may be too slow, particularly when mission-critical services are involved.”

Further, the report adds, traditional DDoS mitigation techniques, such as network providers building in excess capacity to absorb the effects of botnets, “were not designed to remedy other classes of malicious activities facilitated by botnets, such as ransomware or computational propaganda.”

Botnet Detection and Removal Tools

Botnet detection can be difficult, since infected bots are designed to operate without users knowing about them. A blog post from CA Technologies suggests several symptoms of botnet infection that administrators should look for. These Include:

  • Internet Relay Chat traffic (botnets and bot masters use IRC for communications)
  • Connection attempts with known command-and-control servers
  • Multiple machines on a network making identical DNS requests
  • High outgoing Simple Message Transfer Protocol traffic (as a result of sending spam)
  • Unexpected pop-ups (as a result of clickfraud activity)
  • Slow computing/high CPU usage spikes in traffic, especially on Port 6667 (used for IRC), Port 25 (used in email spamming) and Port 1080 (used by proxy servers)
  • Outbound messages (email, social media, instant messages, etc.) that weren’t sent by the user

Some tools, such as CDW’s Threat Check tool, perform passive inspection of all inbound and outbound network traffic and look for evidence of malicious activity. “It will not block any traffic but simply monitor and report on what it sees. This includes connections to botnets, connections to command and control servers, remote access tools, visits to sites hosting malicious code, or any other evidence of an infection,” Aaron Colwell, manager of strategic software sales for the analytics practice at CDW, writes on CDW’s solutions blog.

“Botnet detection is useless without having botnet removal capabilities,” the CA blog notes. “Once a bot has been detected on a computer, it should be removed as quickly as possible using security software with botnet removal functionality.”

Microsoft offers tools to remove malicious software, as do many other security software companies.

A Brief History of DDoS Attacks: Reaper, Zeus and Mirai Botnets

In recent years, there have been several high-profile botnet attacks that have rocketed around the internet, causing varying levels of devastation to IT environments.

According to CSO Online, the Mirai botnet was actually created by Paras Jha, then an undergraduate at Rutgers University, who became interested in how DDoS attacks could be used for profit, especially by using DDoS attacks to disable rival servers that might be used to host the online game Minecraft.

The major Mirai botnet attack took down the security blog KrebsOnSecurity in September 2016, and its source code was published online a few weeks later. Then came the major attack on Dyn. “The FBI believes that this attack was ultimately targeting Microsoft game servers,” which can be hosted and used to generate money from Minecraft players, CSO reports. The attack spread to vulnerable devices “by continuously scanning the Internet for IoT systems protected by factory default usernames and passwords,” Krebs reports.

Although Mirai is still causing problems across the web, the Justice Department in December 2017 secured guilty pleas from Jha and Josiah White for their roles in developing and using Mirai.

Another recent botnet that made waves is Reaper, which is built on parts of Mirai’s code. However, as Wired details, it is different in dangerous ways. “Instead of merely guessing the passwords of the devices it infects, it uses known security flaws in the code of those insecure machines, hacking in with an array of compromise tools and then spreading itself further,” the publication reports, meaning that it could “become even larger — and more dangerous — than Mirai ever was.” The botnet surfaced in January when it was used to target financial services firms in the Netherlands, Security Week reports.

In 2014, the GameOver Zeus botnet rose to prominence, and was “responsible for the theft of millions of dollars from businesses and consumers in the U.S. and around the world,” according to the FBI.

“GameOver Zeus is an extremely sophisticated type of malware designed specifically to steal banking and other credentials from the computers it infects,” the FBI noted. “It’s predominantly spread through spam e-mail or phishing messages.”

In February 2015, the FBI announced a $3 million bounty for information leading to the arrest and conviction of Evgeniy Mikhailovich Bogachev, a Russian national the government believes is responsible for building and distributing the Zeus banking Trojan.

How Feds Can Respond to the Botnet Threat

The DHS/Commerce report offers agencies guidance on how they can combat DDoS and botnet attacks.

First, the report says that stakeholders and subject matter experts, in consultation with the National Institute of Standards and Technology, should lead the development of a Framework for Improving Critical Infrastructure Cybersecurity Profile for enterprise DDoS prevention and mitigation.

“The profile would help enterprises identify opportunities to improve DDoS threat mitigation and aid in cybersecurity prioritization by comparing their current state with the desired target state,” the report says. “The profile would likely include multiple levels to support industry sectors with different resilience requirements.”

After that is created, the report says agencies “should implement basic DDoS prevention and mitigation measures for all federal networks to enhance the resilience of the ecosystem and demonstrate the practicality and efficacy of the profile.”

In the past, the report notes, “hackers have leveraged federal networks in DDoS attacks using open resolvers and other agency resources to amplify their attacks.” DNS primarily translates hostnames to IP addresses or IP addresses to hostnames. As TechTarget notes, DNS resolvers are “servers that client systems use to resolve domain names.”

The report says that “poorly administered enterprise resources, such as open DNS resolvers, are often leveraged to amplify attacks.” Many network vendors, including Cisco Systems, offer agencies and other organizations best practices for guarding against DNS attacks.

“The federal government should lead by example, ensuring that federal resources are not unwitting participants and that federal networks are prepared to detect, mitigate, and respond as necessary,” the DHS/Commerce report states.

The administration should mandate implementation of the federal cybersecurity framework profile for DDoS prevention and mitigation by all government agencies within a fixed period after completion and publication of the profile, the report advises.

“The federal government should evaluate and implement effective ways to incentivize the use of software development tools and processes that significantly reduce the incidence of security vulnerabilities in all federal software procurements, such as through attestation or certification requirements,” the report adds.

To establish market incentives for secure software development, the government should “establish procurement regulations that favor or require commercial off-the-shelf software that is developed using such processes, when available,” and “should also ensure that government-funded software development projects use the best available tools to obtain insight into the impact of these regulations.”


Report fingers students and staff for academic cyber-attacks

Who’s hacking into university systems? Here’s a clue from the UK higher education tech crew at Jisc: the attacks drop dramatically during summer break.

A new study from Jisc (formerly the Joint Information Systems Committee) has suggested that rather than state-backed baddies or common criminals looking to siphon off academic research and personal information, staff or students are often the culprits in attacks against UK higher education institutions.

The non-profit body, which provides among other things internet connectivity to universities, analysed 850 attacks in the 2017-18 academic year and found a consistent pattern that occurred during term time and the UK working day.

Holidays brought with them a sharp reduction in attacks, from a peak 60-plus incidents a week during periods of the autumn term to a low of just one a week at times in the summer. It acknowledged that part of the virtual halt in summer may be down to cops and Feds cracking down on black hat distributed denial-of-service tools in the months prior, however.

Jisc is perhaps better known among Reg readers for providing the Janet network to UK education and research institutions.

Its data covered cyber-attacks against almost 190 universities and colleges and focused on denial-of-service and other large-scale infosec hits rather than phishing frauds and malware.

Staff and students with a grudge or out to cause mischief are more credible suspects in much of this rather than external hackers or spies. More sophisticated hackers might be inclined to use DDoS as some sort of smokescreen.

In a blog post, Jisc security operations centre head John Chapman admitted some of the evidence suggesting staff and students might be behind DDoS attacks is circumstantial. However, he pointed out evidence from law enforcement and detected cyber assaults supported this theory. For example, a four-day DDoS attack the unit was mitigating against was traced back to a university hall of residence – and turned out to be the result of a feud between two rival gamers.

Whoever might be behind them, the number of incidents is growing. Attacks are up 42 per cent to reach this year’s 850; the previous academic year (2016-17) witnessed less than 600 attacks against fewer than 140 institutions.

Matt Lock, director of solutions engineers at Varonis, said: “This report is another reminder that some of the biggest threats facing organisations today do not involve some hoodie-wearing, elusive computer genius.”

Education is targeted more often than even the finance and retail sectors, according to McAfee research (PDF).

Nigel Hawthorn, data privacy expert at McAfee, commented in March:

“The kind of data held by universities (student records/intellectual property) is a valuable commodity for cyber criminals, so it is crucial that the security and education sectors work together to protect it.


DDoS attacks against university campuses are more likely in term time.

Nation-states and criminal gangs often get the blame for cyber attacks against universities, but a new analysis of campaigns against the education sector suggests that students — or even staff — could be perpetrators of many of these attacks.

Attributing cyber attacks is often a difficult task but Jisc, a not-for-profit digital support service for higher education, examined hundreds of DDoS attacks against universities and has come to the conclusion that “clear patterns” show these incidents take place during term-time and during the working day — and dramatically drop when students are on holiday.

“This pattern could indicate that attackers are students or staff, or others familiar with the academic cycle. Or perhaps the bad guys simply take holidays at the same time as the education sector,” said John Chapman, head of security operations at Jisc.

While the research paper notes that in many cases the reasons behind these DDoS campaigns can only be speculated about, just for fun, for the kudos and to settle grudges are cited as potential reasons.

In one case, a DDoS attack against a university network which took place across four nights in a row was found to be specifically targeting halls of residence. In this instance, the attacker was launching an attack in order to disadvantage a rival in online games.

The research notes that attacks against universities usually drop off during the summer — when students and staff are away — but that the dip for 2018 started earlier than it did in 2017.

“The heat wave weather this year could have been a factor, but it’s more likely due to international law enforcement activity — Operation Power Off took down a ‘stresser’ website at the end of April,” said Chapman.

The joint operation by law enforcement agencies around the world took down ‘Webstresser’, a DDoS for hire service which illegally sold kits for overwhelming networks and was, at the time, the world’s largest player in this space. This seemingly led to a downturn in DDoS attacks against universities.

But universities ignore more advanced threats “at their peril” said Chapman. “It’s likely that some of these more sophisticated attacks are designed to steal intellectual property, targeting sensitive and valuable information held at universities and research centres.”

Despite this, a recent survey by Jisc found that educational establishments weren’t taking cyber attacks seriously, as they weren’t considered a priority issue by many.

“When it comes to cyber security, complacency is dangerous. We do everything we can to help keep our members’ safe, but there’s no such thing as a 100% secure network,” said Chapman.