The number of connected devices is increasing at a staggering pace. Statista estimates that by 2025, that number will reach up to 75.4 billion globally, assuring their presence in practically every sector. This rapid increase is creating security concerns, especially in relation to recent botnets like Satori, which infect devices with cryptocurrency mining software.
In this post, we take a look at some of the most dangerous botnets, as well as some of the ways that they can be combatted to protect the IoT.
Risks posed by IP cameras
As we commented in a previous blog post, the ease of installation and low costs have popularized IP cameras, causing many companies and security providers to opt for them instead of traditional CCTV systems. But like any other IoT device, they are susceptible to being hacked remotely.
This risk is exploited by the Hide ‘N Seek (HNS) botnet. This network of bots is capable of infecting a series of devices through a specific Peer-to-Peer (P2P) protocol, using the Reaper vulnerability. Its current version can receive and execute various types of commands to extract data, execute code, or interfere with device operations. In an attack detected in January of this year, more than 20,000 infected devices were registered, the majority of them IP cameras.
Satori is a modified version of the Mirai open source botnet. This botnet is also capable of remotely controlling connected devices. In fact, Mirai was involved in distributed denial of service (DDoS) attacks that paralyzed DNS provider Dyn in 2016. Since Dyn was the provider of companies such as Amazon, Netflix and Twitter, Mirai managed to paralyze much of the internet for a few hours.
But Satori is capable of much more: last January it was discovered that a variant exploits a vulnerability of the Claymore Miner cryptocurrency program. After taking control of the software, Satori replaces the address of the user’s wallet with a wallet controlled by the attacker. The attacker then receives all the user’s cryptocurrencies and the user is none the wiser until they review the software configuration manually.
The Masuta botnet is another creation of the Satori authors. In this case, Masuta takes advantage of vulnerabilities in routers in two different ways. On the one hand, it accesses devices using the factory default credentials, in a similar way to the Mirai botnet. On the other hand, the PureMasuta variant uses an old bug in the Home Network Administration Protocol (HNAP). Fortunately, fewer and fewer router models keep this protocol enabled by default.
How to stay protected against botnets
As with any network, our connected devices can never be absolutely invulnerable, but with specific recommendations for each case we can prevent many attacks and be better prepared for the ones that are directed at our devices.
If we want to install a surveillance system, it is advisable to use cameras connected by cables instead of wireless ones. A wireless network multiplies the options for attackers to introduce some type of malware into the system. It is also preferable to keep an in-house server to manage the data of the surveillance system (instead of using an external server). In this way, the likelihood of unauthorized access to the system is greatly reduced.
With regard to cryptocurrencies, the safest way to manage them is to store them in a hardware wallet (a physical device similar to a pen drive that is connected by USB). These wallets store the private keys and make it possible to sign transactions without ever exposing those keys.
As for routers, the best recommendation against attacks by botnets that use old vulnerabilities is to make sure that they have the latest firmware updates and use more modern and secure protocols, such as the upcoming WPA3.
Finally, as a general recommendation, it is necessary to monitor the traffic of your company’s network at all times to avoid unauthorized access. For this, solutions such as Panda Adaptive Defense 360 give you absolute control of all data on the corporate network, monitoring, registering, and categorizing 100% of all active processes. The best way to avoid being attacked by a botnet is to have visibility of everything that happens on your company’s network, minimizing attack vectors.
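The two router vectors described above for Masuta (factory default credentials and HNAP) are both visible in a router's own access log if someone is looking. The following detector is an added example written for this post, not code from Panda Security or from any router vendor: it assumes a router that writes combined-format access logs, an admin login endpoint at /login.cgi (a placeholder path), and the private LAN ranges listed in LAN_NETS; the log lines are constructed for the example.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed log layout: common/combined access-log format (source IP first).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3}) \d+')
LAN_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
LOGIN_PATH = "/login.cgi"   # placeholder admin login endpoint, not a real vendor path
FAIL_THRESHOLD = 5          # failed logins before a later success is flagged

# Constructed sample log (RFC 5737 documentation addresses for the external sources).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2018:10:01:02 +0000] "POST /HNAP1/ HTTP/1.1" 200 512
192.168.1.20 - - [12/Mar/2018:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 2048
203.0.113.7 - - [12/Mar/2018:10:01:07 +0000] "POST /HNAP1/ HTTP/1.1" 200 512
198.51.100.9 - - [12/Mar/2018:10:02:11 +0000] "POST /login.cgi HTTP/1.1" 401 0
198.51.100.9 - - [12/Mar/2018:10:02:12 +0000] "POST /login.cgi HTTP/1.1" 401 0
198.51.100.9 - - [12/Mar/2018:10:02:13 +0000] "POST /login.cgi HTTP/1.1" 401 0
198.51.100.9 - - [12/Mar/2018:10:02:14 +0000] "POST /login.cgi HTTP/1.1" 401 0
198.51.100.9 - - [12/Mar/2018:10:02:15 +0000] "POST /login.cgi HTTP/1.1" 401 0
198.51.100.9 - - [12/Mar/2018:10:02:16 +0000] "POST /login.cgi HTTP/1.1" 200 1024
192.168.1.30 - - [12/Mar/2018:10:03:00 +0000] "POST /HNAP1/ HTTP/1.1" 200 512
"""

def is_lan(ip):
    """True if the address belongs to one of the private LAN ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in LAN_NETS)

def analyze(log_text):
    """Return a de-duplicated list of (source_ip, reason) alerts."""
    alerts = []
    failures = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        src, path, status = m.group(1), m.group(3), int(m.group(4))
        # 1. HNAP reached from outside the LAN: the management protocol is exposed to the WAN.
        if path.startswith("/HNAP1") and not is_lan(src):
            alert = (src, "HNAP request from non-LAN address")
            if alert not in alerts:
                alerts.append(alert)
        # 2. A burst of failed logins followed by a success from the same source,
        #    consistent with guessing of factory default credentials.
        if path == LOGIN_PATH:
            if status == 401:
                failures[src] += 1
            elif status == 200 and failures[src] >= FAIL_THRESHOLD:
                alerts.append((src, f"login succeeded after {failures[src]} failures"))
                failures[src] = 0
    return alerts

if __name__ == "__main__":
    for src, reason in analyze(SAMPLE_LOG):
        print(f"ALERT {src}: {reason}")
```

The HNAP request from 192.168.1.30 is not flagged because it comes from inside the LAN; the two-rule structure is what matters, and the thresholds and paths should be adjusted to the device actually being monitored.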