Botnets built exclusively from IoT devices have very much become a ‘thing, with their own name – thingbots – and they are now becoming a primary infrastructure for a future darknet according to a report from cybersecurity firm F5 Networks.
The report describes how the company has tracked Telnet attack activity (from January 1 to June 30, 2017) the progression of Mirai, as well as a new thingbot called Persirai.to uncover the progression of thingbot-based attacks, as well as the reasoning behind these changes.
Key findings of the report include:
· Telnet attack activity grew 280 percent from the previous six months, including massive growth due to the emergence of Mirai malware and subsequent attacks
· 93 percent of this period's attacks occurred in January and February while activity significantly declined between March and June. This could mean that hackers have completed reconnaissance of vulnerable devices and are now building up massive botnets
· The top attack country in the past six months was Spain, launching 83 percent of all attacks, while the previously high activity from China declined significantly, contributing less than one percent to the total attack volume
· The attacks from Spain all originated from a single hosting provider, called SoloGigabit that had a ‘bulletproof' reputation
· The top 50 attacking IP addresses resolve to internet service providers, telecoms companies and hosting providers
· IoT devices have also been subject to hacktivism attacks and are the target of nation-state cyber warfare attacks
The report also shows that although IoT devices are known for launching DDoS attacks, they're also being used in vigilante thingbots to take out vulnerable IoT infrastructure before they are used in attacks* and to host banking trojan infrastructure.*
The Persirai botnet shows how attackers are now building thingbots based on specific disclosed vulnerabilities* rather than having to launch a large recon scan followed by brute forcing credentials – simplifying the attackers job.