
IoT FEATURE NEWS

NbotLoader: IOT threats evolve to remain effective


Since its advent, cybersecurity has borrowed two attributes from security in general, and security for the Internet of Things follows the same two attributes. The first is the continuous evolution of threats: with growing awareness and the ever-improving efforts of white-hat researchers, threats must evolve to stay effective. The second is the "intelligent attack", that is, going for the weakest link in the security chain. We will take the IoT malware NBotLoader as a case study to look more closely at how these trends carry over into the realm of IoT security.

(Editor's note: These issues and many others are being addressed, beginning today at the IoT Evolution Expo at Caesars Palace in Las Vegas, during the IoT Security Certification workshop.)

Exploit vs Default Passwords
The earliest threats for Windows arrived as .exe files sent as attachments in spam mail. That trend could not continue once email providers and basic firewalls blocked executables from being sent as attachments, which started a cat-and-mouse game between attackers and security vendors that ended at exploits. Regardless of the type of target, Windows or IoT, the race often stops at exploits, since this is the one thing security solutions do not control: they cannot protect the user from a zero-day they are not themselves aware of.

IoT threats began with a simple attack vector: trying to access the device by trial and error with a few known default passwords. Simple as it sounds, it proved effective, because IoT devices often still carry factory credentials such as username admin, password admin. Bashlite, Mirai and others abused this to gain access to a huge number of IoT devices.

However, after the news of Mirai broke, a growing number of aware users changed their default passwords, rendering this approach useless against them. To get past strong passwords and remain relevant, attackers had to add a new approach.

NBotLoader
We see the same trend in the IoT threat NBotLoader, which uses a known exploit, BID 60281, to take control of unpatched NetGear DGN1000 and DGN2200 routers. As seen in the video here, one can easily get access to these routers using the publicly available exploit. This bug can be (and, in hacking forums, already has been) morphed into a weaponized exploit script that triggers the bug, extracts credentials, logs in with them, and runs a payload that makes the device part of a botnet of the attacker's choosing.

Windows Exploit vs IoT Exploit
Many IoT exploits differ from Windows exploits in complexity. IoT exploits are often far less complicated than Windows exploits, and most of them do not require extensive knowledge of operating system internals. As a result, new IoT exploits keep appearing, and this material is freely shared in hacking forums, producing more effective variants of these malware families. Also, unlike many Windows exploits, IoT exploits often do not need to crash the system to work, and so have a better success rate.

The State of Router Security
As discussed above, smart attackers tend to go for the weakest link in the chain. With awareness of router security still relatively low, attackers can get access using default passwords or, in other cases, an exploit.

A simple search on Shodan shows some 66,000+ routers that have been hacked and had their name changed to "HACKED-ROUTER-HELP-SOS". Yet they are still live, exposed on the internet, and life goes on.

Hacked routers do not attract as much attention as Windows ransomware, which helps attackers keep a low profile and carry on with their activities.

Why Router Security Matters
Routers differ from other IoT devices because, once compromised, they can be used not only for DDoS via popular IoT botnets, but their settings can also be changed to redirect all traffic to malicious servers and sniff data. This approach can therefore be as effective as a password stealer or RAT. Since no payload executable is involved and the evil lies in the router rather than in the endpoint, a traditional antivirus has a hard time with both prevention and remediation.
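As an added example that is not from the original article, the Python check below looks for the kind of router tampering described above: it compares the resolvers in a router configuration snapshot against an expected set, and also flags the defacement hostname mentioned in the previous section. The key=value snapshot format, the resolver allowlist and the two sample snapshots are constructed for this illustration, not taken from any real device.

```python
"""Added example: flag router configuration snapshots whose DNS settings
point at unexpected resolvers, or whose hostname matches the known
defacement string. The snapshot format and allowlist are assumptions."""
import ipaddress

# Assumed: the resolvers this network expects its routers to hand out.
EXPECTED_RESOLVERS = {"192.168.1.1", "1.1.1.1", "8.8.8.8"}

# Constructed sample: a healthy router snapshot.
CLEAN_SNAPSHOT = """
# constructed snapshot of an untouched router
hostname=home-gw
dns1=192.168.1.1
dns2=1.1.1.1
"""

# Constructed sample: dns1 was redirected and the hostname defaced.
# 203.0.113.7 is from a documentation range, not a real resolver.
HIJACKED_SNAPSHOT = """
hostname=HACKED-ROUTER-HELP-SOS
dns1=203.0.113.7
dns2=1.1.1.1
"""


def parse_snapshot(text: str) -> dict:
    """Parse a simple key=value dump of router settings (constructed format).

    Blank lines and '#' comments are ignored; later keys overwrite earlier ones.
    """
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def dns_findings(settings: dict) -> list:
    """Return human-readable findings for suspicious DNS or hostname settings."""
    findings = []
    for key in ("dns1", "dns2"):
        value = settings.get(key)
        if not value:
            continue
        try:
            ipaddress.ip_address(value)
        except ValueError:
            findings.append(f"{key}: unparsable resolver '{value}'")
            continue
        if value not in EXPECTED_RESOLVERS:
            findings.append(f"{key}: unexpected resolver {value}")
    hostname = settings.get("hostname", "")
    if hostname.upper().startswith("HACKED-ROUTER"):
        findings.append(f"hostname: '{hostname}' matches known defacement string")
    return findings


def check_snapshot(text: str) -> list:
    """Convenience wrapper: parse a snapshot and return its findings."""
    return dns_findings(parse_snapshot(text))


if __name__ == "__main__":
    for label, snap in (("clean", CLEAN_SNAPSHOT), ("hijacked", HIJACKED_SNAPSHOT)):
        print(label, check_snapshot(snap) or ["no findings"])
```

In practice the snapshot would come from the router's admin interface or a scheduled config export, and the allowlist from the organisation's own DHCP/DNS design; a resolver outside that set is the signal that traffic redirection of the kind described above may have taken place.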

Conclusion
Routers, and IoT devices in general, can be made much more secure if a few precautions are taken.

Default passwords must be changed immediately to strong ones. This provides protection against the simple IoT attacks.

Besides strong passwords, the device firmware must be updated to the latest version, and IoT security updates should be taken as seriously as a Windows update. Most IoT exploits are forked from proof-of-concept code for known CVEs, and since the vulnerability is public there is a high probability that the vendor already offers a security patch for it. With these precautions, we can make our devices more secure against ever-evolving IoT threats.
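As an added example that is not part of the article, the Python audit below applies the two precautions above to a constructed router inventory: it rejects a new admin password that is still a factory default or too weak, and it compares each device's firmware version with a per-model minimum patched version. The model names come from the article; the minimum versions, the default-credential list, the password policy and the inventory records are placeholders and assumptions, not vendor data.

```python
"""Added example: audit a constructed router inventory for the two
precautions in the conclusion (default passwords, outdated firmware).
Model names are from the article; everything else is a placeholder."""
import re

# PLACEHOLDER: lowest firmware version per model that the vendor patched.
# Real values must be taken from the vendor's advisory; these are not real.
MIN_PATCHED_FIRMWARE = {
    "DGN1000": "9.9.9",
    "DGN2200": "9.9.9",
}

# Factory credential pairs: admin/admin is from the article, the rest are
# constructed for the example.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}

# Assumed local policy for new admin passwords.
MIN_PASSWORD_LENGTH = 12

# Constructed inventory records (no real devices).
SAMPLE_INVENTORY = [
    {"name": "gw-1", "model": "DGN2200", "firmware": "1.0.0.1"},
    {"name": "gw-2", "model": "DGN1000", "firmware": "9.9.9.2"},
    {"name": "gw-3", "model": "UNKNOWN-1", "firmware": "2.0"},
]


def parse_version(version: str) -> tuple:
    """Turn '1.0.0.1' into (1, 0, 0, 1); non-numeric parts are ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def firmware_outdated(model: str, version: str):
    """True if below the patched minimum, False if at or above it,
    None when the model has no baseline and cannot be judged."""
    minimum = MIN_PATCHED_FIRMWARE.get(model)
    if minimum is None:
        return None
    return parse_version(version) < parse_version(minimum)


def password_is_acceptable(username: str, password: str) -> bool:
    """Reject factory defaults, the username itself, short passwords and
    passwords without both letters and digits (assumed policy)."""
    if (username, password) in DEFAULT_CREDENTIALS:
        return False
    if password.lower() == username.lower():
        return False
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    return has_letter and has_digit


def audit(inventory: list) -> dict:
    """Map each device name to a list of firmware findings (empty = ok)."""
    report = {}
    for device in inventory:
        issues = []
        outdated = firmware_outdated(device["model"], device["firmware"])
        if outdated is True:
            issues.append(
                f"firmware {device['firmware']} below patched minimum "
                f"{MIN_PATCHED_FIRMWARE[device['model']]}"
            )
        elif outdated is None:
            issues.append(f"no patch baseline for model {device['model']}")
        report[device["name"]] = issues
    return report


if __name__ == "__main__":
    for name, issues in audit(SAMPLE_INVENTORY).items():
        print(name, issues or ["ok"])
    print("admin/admin acceptable:", password_is_acceptable("admin", "admin"))
```

The version comparison is tuple-based, so "9.9.9.2" counts as at or above "9.9.9" while "1.0.0.1" does not; a model with no recorded baseline is reported rather than silently passed, since an unknown patch state is itself a finding.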
