Don’t Fear the Reaper


What’s Reaper? Reaper (a.k.a. IoTroop) is the latest botnet threat, and it specifically targets IoT vulnerabilities. With over 1.2 million devices already impacted, Reaper is the largest IoT bot attack to date, and it is continuing to grow rapidly. Using multiple C2s, each with tens of thousands of unique active IPs daily, Reaper gains momentum with each new device it exploits. Reaper builds on parts of Mirai’s code, but rather than guessing the passwords of IoT devices, Reaper targets known security flaws (vulnerabilities) in those devices. Infection starts by attacking public-facing or internal IoT devices connected to the network; Reaper then tries to exploit (take advantage of) known vulnerabilities in those devices. Once Reaper succeeds, the device is under the control of the botnet operator.

The impact of Reaper could go far beyond Mirai’s, because Mirai can be stopped by dealing with default passwords appropriately. Reaper, however, exploits software vulnerabilities in IoT devices, and many of these devices are rarely, if ever, patched, or in some cases cannot be patched at all. Dealing with these botnet attacks poses two major challenges: first, even if a person is diligent in patching (say, monthly), a new vulnerability could still be found and exploited before the next patching cycle; second, the criminal who has infected an IoT device with Reaper may not use it for an attack until weeks, months or even a year after the first infection. As the owner of the infected device, you may never know it was infected, even after the attack has occurred.

Effective Protection against IoT Bot Threats

Effectively addressing and protecting against IoT bot threats requires a multi-pronged approach. Best security practices such as changing passwords and credentials on devices are obviously recommended; however, these are not always practical, or even possible, in some cases. Legislative and regulatory relief is on the horizon, but is likely to be too little and too late.

Consumers should ideally insist on products from vendors that have auto-patching capabilities, as well as behavioral monitoring and alerting built into their solution.

Additionally, zvelo recommends the following to increase the protection for your customers:

  1. Use real-time feeds of malicious and C2 sites to block devices/traffic to these sites – services such as the zveloDB (for web filtering applications) or zvelo’s Malicious Dataset feed (for ingestion into IPS applications) are designed to provide continuous updates of malicious, compromised, botnet and similar IPs and URLs, allowing you to block traffic to known malicious and bad sites.
  2. Implement an IoT security solution that provides device profiling and compromised device alerting – for enterprises, factories, SMBs and smart homes, it is becoming virtually impossible for SysAdmins to keep track of devices, let alone which devices have vulnerabilities or require patches (if patches are even possible). It is quickly becoming critical for router, hub, UTM, firewall and similar vendors to deploy technology such as zvelo IoT Security to perform automated, scalable and accurate device profiling, compromised device detection and alerting.
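As an added illustration of recommendations 1 and 2 (this is not zvelo’s code, and it does not describe the actual format of the zveloDB or Malicious Dataset feeds), the following Python script matches a constructed blocklist-style feed of malicious/C2 indicators against constructed egress connection log lines and reports which internal devices contacted a listed indicator, which is the kind of compromised-device alert a gateway could raise. The feed layout, the log layout and every address and hostname in it are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample feed (invented values, not real indicators).
# Each line is type,indicator where the indicator is an IP, a CIDR or a hostname.
FEED = """\
# type,indicator
c2,203.0.113.45
malicious,198.51.100.0/24
c2,evil-update.example
"""

# Constructed egress connection log: timestamp src_ip destination dst_port
EGRESS_LOG = """\
2017-10-24T10:01:02Z 192.168.1.23 203.0.113.45 80
2017-10-24T10:01:05Z 192.168.1.23 93.184.216.34 443
2017-10-24T10:02:11Z 192.168.1.40 198.51.100.77 8080
2017-10-24T10:03:00Z 192.168.1.41 evil-update.example 443
"""

def parse_feed(text):
    """Split the feed into (network, kind) pairs and a {hostname: kind} map."""
    nets, names = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, indicator = line.split(",", 1)
        try:
            # strict=False lets a bare IP become a /32 (or /128) network
            nets.append((ipaddress.ip_network(indicator, strict=False), kind))
        except ValueError:
            names[indicator.lower()] = kind  # not an IP/CIDR, treat as hostname
    return nets, names

def classify(dst, nets, names):
    """Return the feed type of a destination, or None if it is not listed."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return names.get(dst.lower())
    return next((kind for net, kind in nets if addr in net), None)

def find_compromised(log_text, feed_text):
    """Return {src_ip: [(destination, kind), ...]} for devices that hit the feed."""
    nets, names = parse_feed(feed_text)
    hits = defaultdict(list)
    for line in filter(None, log_text.splitlines()):
        _ts, src, dst, _port = line.split()
        kind = classify(dst, nets, names)
        if kind:
            hits[src].append((dst, kind))
    return dict(hits)
```

Each key in the returned dictionary is a device that should be isolated and investigated; in a real deployment the feed would be refreshed continuously rather than embedded as a constant.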

Additional Prevention Options

Preventing your IoT devices from contributing to botnets and exposing your home or enterprise to more nefarious dangers requires diligence. Research any IoT device before making a purchase to ensure there are no known unpatched vulnerabilities. The National Vulnerability Database (NVD) provided by NIST is an excellent way to check whether your device has known issues.

The Shodan database is a useful tool for checking which devices and services on your network are currently exposed to the internet. Make sure to use strong authentication (credentials like admin/admin are a recipe for disaster) and don’t reuse the same password across different services. Disable non-essential services on the device when possible; devices with unencrypted services exposed, such as telnet or FTP, are easy recruits for botnets. Enable protocols like HTTPS and SSH so that all communication supports encryption and strong authentication. Deploy security gateways to inspect, audit, and control network communications, allowing you to verify the integrity of data transfers. Always ensure devices are updated with the latest software/firmware.

If the presence of malware is suspected on a device: disconnect it, reset it to factory settings, and install the latest patch before reconnecting. It is worth noting, however, that some devices are simply unpatchable and should be discarded entirely (in these cases a recall and refund may be available). With the wide array of useful functions that IoT devices deliver, security is essential to making sure these capabilities remain firmly in your own hands, and no one else’s.