NbotLoader: IOT threats evolve to remain effective

By Special Guest
Ankit Anubhav, Principal Researcher, NewSky Security Inc.
July 17, 2017

Since its advent, cybersecurity has borrowed two attributes from security in general, and security for the Internet of Things follows the same two. The first is the continuous evolution of threats: with growing awareness and the ever-improving efforts of white-hat researchers, threats must evolve to stay effective. The second is the "intelligent attack", i.e. going for the weakest link in a security chain. We will take the IoT malware NbotLoader as a case study to look more closely at how these trends carry over into the realm of IoT security.

(Editor's note: These issues and many others are being addressed, beginning today at the IoT Evolution Expo at Caesars Palace in Las Vegas, during the IoT Security Certification workshop.)

Exploit vs Default Passwords
The first threats for Windows arrived as .exe files sent as attachments to spam mails. That could not go on once email providers and basic firewalls blocked executables as attachments, which started a cat-and-mouse game between attackers and security vendors that ended at exploits. Regardless of the platform, Windows or IoT, the race often stops at exploits, because exploits are the one thing security solutions have no control over: they may not be able to protect the user from a zero-day they themselves are not yet aware of.

IoT threats started with a simple attack vector: trying to access the device by trial and error with a few known default passwords. Simple as it sounds, it proved effective, since IoT devices are often still running factory credentials such as username admin, password admin. Bashlite, Mirai and others abused this to gain access to a huge number of IoT devices.

However, after the news of Mirai broke, a growing number of users became aware and changed their default passwords, rendering this approach useless. For attackers to get past strong passwords and remain relevant, a new approach had to be added.

We see the same trend in the IoT threat NbotLoader, which uses a known exploit, BID 60281, to take control of unpatched Netgear DGN1000 and DGN2200 routers. As seen in the video here, one can easily gain access to these routers using the publicly available exploit. This bug can be (and in hacking forums already has been) morphed into a weaponized exploit script that triggers the bug, extracts credentials, logs in with them and runs a payload to make the device part of whatever botnet the attacker desires.

Windows exploit vs IOT exploit
Many IoT exploits differ from Windows exploits in complexity. IoT exploits are often far less complicated, and most do not require extensive knowledge of operating-system internals. As a result, new IoT exploits keep popping up, and the details are freely shared in hacking forums, producing ever more effective variants of these malware families. Also, unlike many Windows exploits, IoT exploits often do not need to crash the system to work, which gives them a better success rate.

The state of router security
As discussed before, smart attackers tend to go for the weakest link in the attack chain. With awareness of router security still relatively low, hackers can get in using default passwords or, in other cases, using an exploit.

A simple search on Shodan shows about 66,000+ routers that have been hacked and had their name changed to "HACKED-ROUTER-HELP-SOS". Yet they are still live and exposed on the internet, and life goes on.

Hacked routers do not get the attention that Windows ransomware does, which helps attackers keep a low profile and carry on with their practices.

Why Router Security Matters
Routers differ from other IoT devices because once compromised they can not only be used for DDoS via popular IoT botnets; their settings can also be changed to redirect all traffic to malicious servers and sniff data. This approach can be as effective as a password stealer or RAT. Since no payload executable is involved and the evil lives in the router rather than on the system, prevention and remediation are hard for a traditional antivirus.

Routers, and IoT devices in general, can be made much more secure with a few precautions.

Default passwords must be changed immediately to a strong one. This protects against the simple IoT attacks.

Besides strong passwords, the device firmware must be updated to the latest version, and IoT security updates should be taken as seriously as a Windows update. Most IoT exploits are forked from proof-of-concept code for known CVEs, so since the vulnerability is public there is a high probability that the vendor is already offering a security patch for it. With these precautions we can make our devices more secure against ever-evolving IoT threats.
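As an added example (not from the article or from NewSky Security), a small Python audit over a constructed router inventory that flags the three weaknesses discussed above: factory default credentials, firmware older than a patched baseline, and DNS settings redirected to an untrusted server. The baseline firmware versions, resolver addresses and device records are placeholders, not real releases or hosts.

```python
"""Router hygiene audit over a constructed inventory (added example).
Flags default credentials, firmware below the patched baseline and DNS
settings changed to an untrusted server, the weaknesses described above."""
import re
from dataclasses import dataclass

# Factory default cited in the article; extend from vendor documentation.
DEFAULT_CREDENTIALS = {("admin", "admin")}

@dataclass
class Router:
    name: str
    model: str
    username: str
    password: str
    firmware: str  # e.g. "V1.0.0.12"; values below are constructed
    dns_servers: list

def version_key(version):
    """Turn 'V1.0.0.12' into (1, 0, 0, 12) so versions compare numerically."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def audit(router, baseline_firmware, trusted_dns):
    """Return findings for one router; an empty list means it looks clean."""
    findings = []
    if (router.username, router.password) in DEFAULT_CREDENTIALS:
        findings.append("default credentials still in use")
    baseline = baseline_firmware.get(router.model)
    if baseline and version_key(router.firmware) < version_key(baseline):
        findings.append(f"firmware {router.firmware} is older than {baseline}")
    rogue = sorted(d for d in router.dns_servers if d not in trusted_dns)
    if rogue:
        findings.append("DNS redirected to untrusted server(s): " + ", ".join(rogue))
    return findings

# Placeholder baselines, not real releases: use the vendor's patched versions.
BASELINE_FIRMWARE = {"DGN1000": "V1.1.0.50", "DGN2200": "V1.0.0.40"}
TRUSTED_DNS = {"192.0.2.53", "198.51.100.53"}  # your own resolvers (constructed)

if __name__ == "__main__":
    inventory = [  # constructed sample devices
        Router("branch-a", "DGN2200", "admin", "admin", "V1.0.0.35", ["203.0.113.9"]),
        Router("branch-b", "DGN1000", "admin", "zG9!wq#Lr4", "V1.1.0.50", ["192.0.2.53"]),
    ]
    for r in inventory:
        print(r.name, audit(r, BASELINE_FIRMWARE, TRUSTED_DNS) or ["OK"])
```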
