
IoT FEATURE NEWS

NbotLoader: IoT threats evolve to remain effective

By Special Guest
Ankit Anubhav, Principal Researcher, NewSky Security Inc.
July 17, 2017

Since its advent, cybersecurity has shared two attributes with security in general, and security for the Internet of Things is no exception. The first attribute is the continuous evolution of threats: with growing awareness and the ever-improving efforts of white hat researchers, threats must evolve to stay effective. The second is the "intelligent attack", i.e. going for the weakest link in the security chain. We will take the IoT malware NBotLoader as a case study to look deeper into how these trends carry over into the realm of IoT security.

(Editor's note: These issues and many others are being addressed, beginning today at the IoT Evolution Expo at Caesars Palace in Las Vegas, during the IoT Security Certification workshop.)

Exploit vs Default Passwords
The initial threats for Windows originated as exe files sent as attachments in spam mail. This trend could not continue, as email providers and even basic firewalls barred exe files from being sent as attachments. That started a cat-and-mouse game between attackers and security providers, which ended at exploits. Regardless of the type of threat, whether Windows or IoT, the race often stops at exploits, since this is the one thing security solutions have no control over: they may not protect the user from a zero day they themselves are not aware of.

IoT threats started with a simple attack vector: trying to access the device by trial and error with a few known default passwords. Simple as it may sound, it proved effective, because IoT devices often still have factory credentials such as username:admin, password:admin. This was abused by Bashlite, Mirai and others to gain access to a huge number of IoT devices.

However, after the news on Mirai broke, an increasing number of aware users began changing the default password, rendering this approach useless. For attackers to get past strong passwords and remain relevant, a new approach had to be added.

NbotLoader
We see the same trend in the IoT threat NBotLoader, which uses a known exploit, BID 60281, to take control of unpatched NetGear DGN1000 and DGN2200 routers. As seen in the video here, one can easily get access to these routers using the publicly available exploit. This bug can be morphed (and in hacking forums already has been) into a weaponized exploit script that triggers the bug, extracts credentials, logs in with those credentials and runs a payload to make the device part of a botnet of the attacker's choosing.

Windows exploit vs IoT exploit
IoT exploits often differ from Windows exploits in complexity. They are frequently less complicated, and most of them do not require extensive knowledge of operating system internals. As a result, new IoT exploits keep popping up, and this data is freely shared in various hacking forums, creating more effective distros of this malware. Also, unlike many Windows exploits, IoT exploits often do not need the system to crash to operate, and so have a better success rate.

The State of Router Security
As discussed before, smart attackers tend to go for the weakest link in the attack chain. With awareness of router security still relatively low, hackers can get access using default passwords or, in other cases, an exploit.

A simple search on Shodan shows that about 66,000+ routers have been hacked and had their name changed to "HACKED-ROUTER-HELP-SOS". However, they are still live, exposed on the internet, and life goes on.

Hacked routers may not get as much attention as Windows ransomware, which helps attackers keep a low profile and continue their practices.

Why Router Security Matters
Routers differ from other IoT devices because, once compromised, they can not only be used for DDoS via popular IoT botnets; their settings can also be changed to redirect all traffic to malicious servers and sniff data. This approach can therefore be as effective as a password stealer or RAT. Since no payload executable is involved and the evil lies in the router (not in the system), the work of a traditional antivirus becomes difficult when it comes to prevention and remediation.

Conclusion
Routers, and IoT devices in general, can be much more secure if some precautions are taken.

Default passwords must be changed immediately to strong ones. This will provide protection against simple IoT attacks.

Besides strong passwords, the firmware of the device must be updated to the latest version, and IoT security updates should be taken as seriously as a Windows Update. Most IoT exploits are forked from proofs of concept for known CVEs, and since the vulnerability is public, there is a high probability that the IoT vendor is already offering a security patch for it. With these precautions, we can make our devices more secure against ever-evolving IoT threats.
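
The precautions above, together with the compromise signs described earlier (factory credentials, unpatched DGN1000/DGN2200 units, the "HACKED-ROUTER-HELP-SOS" hostname, settings changed to redirect traffic), can be checked against a device inventory. The following Python is an added example, not code from the article or from NewSky Security; the inventory records, field names, firmware labels and DNS addresses are constructed, and a changed DNS resolver is assumed as one instance of traffic redirection.

```python
from ipaddress import ip_address

# Values taken from the article.
FACTORY_CREDENTIALS = {("admin", "admin")}       # extend with each vendor's defaults
AFFECTED_MODELS = {"DGN1000", "DGN2200"}         # NetGear models hit via BID 60281
DEFACEMENT_MARKER = "HACKED-ROUTER-HELP-SOS"     # hostname reported on Shodan
# Assumption: resolvers the organisation expects (documentation-range addresses).
APPROVED_DNS = {ip_address("192.0.2.53"), ip_address("192.0.2.54")}

# Constructed inventory; field names, firmware labels and addresses are illustrative.
INVENTORY = [
    {"name": "branch-1", "model": "DGN2200", "hostname": "hacked-router-help-sos",
     "username": "admin", "password": "admin",
     "firmware": "old-build", "latest_firmware": "current-build",
     "dns": ["192.0.2.53", "203.0.113.66"]},
    {"name": "branch-2", "model": "DGN1000", "hostname": "gw-branch-2",
     "username": "netops", "password": "constructed-strong-passphrase",
     "firmware": "current-build", "latest_firmware": "current-build",
     "dns": ["192.0.2.54"]},
]


def audit_router(rec):
    """Return the list of findings for one inventory record."""
    findings = []
    if (rec["username"], rec["password"]) in FACTORY_CREDENTIALS:
        findings.append("default-credentials")
    if rec["firmware"] != rec["latest_firmware"]:
        known = rec["model"].upper() in AFFECTED_MODELS
        findings.append("affected-model-unpatched" if known else "firmware-outdated")
    if DEFACEMENT_MARKER in rec["hostname"].upper():
        findings.append("defaced-hostname")
    # DNS is checked as one instance of settings changed to redirect traffic.
    rogue = [d for d in rec["dns"] if ip_address(d) not in APPROVED_DNS]
    if rogue:
        findings.append("unexpected-dns:" + ",".join(rogue))
    return findings


def audit(inventory):
    """Map each router name to its findings (empty list means clean)."""
    return {rec["name"]: audit_router(rec) for rec in inventory}


if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(f"{name}: {'; '.join(findings) or 'no findings'}")
```

A router that reports the defaced hostname or an unexpected resolver should be treated as compromised and reset and reflashed, not merely given a new password.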


 

