blog / Aug 17, 2017

"Cry 'Havoc' and Let Loose the Thingbots of War!"

by Lori MacVittie

When William Shakespeare penned Julius Caesar, not even the great bard himself could have imagined how many phrases would fall into common use for so long that they would become cliché. Phrases like ‘Et tu, Brute?’ is as recognizable today as a euphemism for dismay at the betrayal by a friend as offering someone thirty pieces of silver for their treachery.

One of those phrases is, of course, “Cry ‘Havoc’, and let slip the dogs of war.” When it was imagined by Mark Antony coming from the spirit of the just-murdered Caesar, it was meant quite literally. Dogs of war really existed, and “let slip” meant to release their leashes. Over time, the phrase has come to be a rallying cry to action in which “dogs of war” are mercenaries.

Which makes it perfectly applicable to the current state of the Internet of Things (IoT) with respect to the rising threat of “thingbots” and how some are answering that threat.

When F5 Labs and Loryka started their Hunt for IoT, they did so with a focus on the attacks that come before The Attack. These are the attacks on vulnerable “things” (IoT devices) that then make them compromised things. Once compromised, (often through an open Telnet port) they are assimilated into the collective and become a thingbot—a botnet built exclusively from compromised devices. This process is actually pretty straightforward as illustrated by our researchers in “The Hunt for IoT Volume 3: The Rise of Thingbots:”

Thingbot_Attack_Sequence

What’s interesting (and disturbing) is the appearance of vigilante thingbots on the scene. Frustrated by an inability (or willingness) to address the issue of potentially billions of vulnerable devices available for the picking, some gray hats have taken matters into their own hands. They are crying "havoc" and letting loose the Thingbots of War.

The Thingbots of War, specifically, BrickerBot and Hajime, were launched with the intention to take out vulnerable IoT devices before attackers could weaponize them with Mirai. And these Thingbots of War can be quite mercenary in their behavior1. From the report:

“BrickerBot is a Permanent Denial-of-Service (PDoS) thingbot that destroys the IoT device permanently. The device will no longer function, let alone become infected again. Hajime infects an IoT device and blocks it from a Mirai infection but, like Mirai, a simple reboot is all that’s needed to reset the device to factory default settings, making it infectible again.”

Because a vigilante thingbot often uses the same recon phase to compromise a vulnerable device, it can appear to be just another attack. Existentially, it is. While the intentions of those deploying the Thingbots of War may be good, there’s a reason their creators are called “gray hats.” It’s hard to argue that preventing IoT devices from becoming thingbot #5,435,786 in the latest botnet collective isn’t good, but that responsibility lies on the shoulders of those who build them and deploy them. The fact is that Telnet port 23 should not be open to the Internet in the first place, and default credentials should be changed.

Persirai

On the shoulders of manufacturers lies the responsibility to address vulnerabilities, because the next generation of thingbots is taking advantage of known vulnerabilities to gain control of devices. Persirai is an adaptation of Mirai that shares code as well as command and control servers, but targets all models of IP cameras from a single Chinese manufacturer through a vulnerability released April 25, 2017.2 Two months later, over 600,000 cameras were known to be infected by Persirai. That’s an average of 10,000 devices per day infected. And it’s only one vulnerability. We know there are many more (thanks, Shodan) that haven’t been exploited. Yet.

But, like death and taxes, we’re certain many more devices will be infected. Given the historical behavior of manufacturers not addressing vulnerabilities, it’s unlikely they will change anytime soon. There’s nothing forcing them to do so, and they’ve already shown they aren’t willing to do so merely because it’s the right thing to do.

Faced with manufacturers who don’t seem to care any more than the organizations that deploy these devices, it’s not hard to empathize with the vigilantes employing thingbots to nip at the heels of the real enemy.

And they are only nipping at the heels of a much larger problem. There are millions of devices already infected. Based on our latest research, their efforts are not going to slow down the growth of thingbots. It’s debatable whether the black hats even notice that the devices taken out by the vigilantes are missing.

With billions of devices vulnerable and more on the way, the efforts of gray hats are not only illegal but likely ineffective—a drop in the bucket that fails to move the needle in an appreciable direction.

I can’t say it often enough that organizations need to be responsible for the things they attach to their networks, and manufacturers need to be held accountable for blatantly ignoring the need to patch vulnerabilities in their devices.

As always, if you’re attaching a thing to your network (whether at home or in the office) you absolutely need to:

  1. Change default passwords (prevention)
  2. Lock down Telnet and SSH access (prevention)
  3. Secure web interfaces by using a web application firewall (prevention)

Additionally, you may want to:

  1. Invest in an IoT gateway (prevention)
  2. Monitor for unusual intra-network traffic (detection)
  3. Watch for new initiators of outbound traffic (detection)

To read the full F5 Labs report, “The Hunt for IoT: The Rise of Thingbots”, click here.


MODIFIED: Sept 21, 2017

Tags: , , , ,
stay up to date

Get the latest application threat intelligence from F5 Labs.

There was an error signing up.
Thank you, your email address has been signed up.

Follow us on social media.