The botnet battle rages on: Hackers already targeting financial sector in 2018 with new Mirai-style IoT botnets

Security researchers have uncovered a new variant of the infamous Mirai botnet that has already been used to launch distributed-denial-of-service (DDoS) attacks against at least three financial institutions in January 2018.

According to new report published by Recorded Future’s Insikt Group on Thursday, the new Mirai variant likely linked to the IoTroop or Reaper botnet was used to bombard multiple financial companies with internet traffic earlier this year to cripple their servers and disrupt operations.

Everything you need to know about IoTroop

Identified in October 2017, IoTroop comprised of various IoT devices such as routers and wireless IP cameras manufactured by TP-Link, MikroTik, Avtech, Linksys, Synology and GoAhead.

The aggressive malware powering the botnet, also known as Reaper, integrates a flexible Lua-based environment allowing the attacker to develop and carry out more complex attack scripts.

It is also capable of exploiting nearly a dozen IoT device vulnerabilities and does not just depend on exploiting default administrator credentials to compromise devices as the original Mirai did. It is still unclear who created the botnet and executed the January attacks.

The first attack took place on January 28 at 18:30 UTC using at least 13,000 devices, each with its own unique IP address, that unleashed up to 30Gb/s in traffic volumes.

The botnet involved in this attack was 80% comprised of compromised MikroTik routers that had TCP port 2000 open and the remaining 20% included various IoT devices such as TVs, webcams, DVRs and Apache and IIS web servers among others. Compromised devices from 139 different countries were involved in the botnet with the majority of the botnet clients came from Russia, Ukraine and Brazil.

Fresh DDoS attacks in January

During the weekend of January 27 to 28, a second financial firm was targeted by a DDoS that researchers believe was conducted using the same Mirai variant botnet. On January 28 at approximately 21:00 UTC, a third financial company was hit when it experienced high data volumes of TCP 443 events.

The researchers have identified several IP addresses believed to be the command and control servers or “controllers” engaged in the attack coordination and scanning of new infrastructure for the botnet. These include: 98.95.228.104, 71.68.32.251, 87.197.166.13, 87.197.108.40, 62.204.238.82 and possibly the top controller 84.47.111.62.

Insikt researchers have not named the companies targeted by the botnet or extent of the damage they incurred, but noted that they were global Fortune 500 firms. This is the first time an IoT botnet has been used in a major DDoS attack since Mirai and is likely the first time IoTroop has launched to target victims since it was first found in the wild last year.

Given the botnet’s rapid evolution since October 2017 to exploit vulnerabilities in more IoT devices, IoTroop is likely to grow in size and strength to launch much larger DDoS attacks against the financial sector in the future.

“As more data comes to light on the continued targeting of financial institutions from IoTroop, it will become increasingly important to monitor the potential controllers and identify new IoT devices behind added to the botnet in preparation for further attacks,” Recorded Future noted.

IoT botnets vs the financial ecosystem

In 2017, the world saw continued efforts by cybercriminals to target, disrupt and exploit the financial sector through aggressive malware like Trickbot, manipulation of SWIFT systems, cyber heists, PoS attacks, interception of online transactions through domain hijacking, phishing attacks ATM infections and other cybercrime.

The year also saw a wide swath of vulnerabilities identified in IoT devices that were often exploited by cybercriminals to create botnets such as IoTrooper and the Satori botnet. Kaspersky Lab ICS CERT identified 63 vulnerability in industrial and IIoT/IoT systems in 2017, 29 of which could be exploited by an attack to remotely cause DoS and 8 to remotely execute arbitrary code on the targeted system. Of the 63 vulnerabilities identified by Kaspersky, just 26 were closed by vendors, they noted.

After the first major botnet attack in 2016 with the emergence of Mirai, the public release of its source code in October 2016 saw additional, inspired threat actors steadily creating a string of variants to develop their own botnets and launch attacks by exploiting similar IoT device vulnerabilities.

Symantec researchers observed a 600% increase in overall IoT device attacks in 2017, signalling that threat actors are eager and capable of exploiting hordes of these connected devices on a larger scale.

“Attacks are so now so frequent that botnet operators are fighting over the same pool of devices and have to configure their malware to identify and remove malware belonging to other botnets,” researchers noted in their Internet Security Threat Report 2018.

As one of the most consistently targeted industrial sectors, the financial ecosystem is likely to remain a popular target for threat actors year after year not only because of its monetary appeal but due to the sensitive and value of the data it holds and protects. Many financial institutions are also increasingly moving their critical operations and infrastructure online and embracing IoT technologies and cloud services. However, this also opens them up to much more vulnerabilities and potential for compromise by sophisticated threat actors as well.

According to IBM X-Force’s Threat Intelligence Index 2018, financial services was the third-most targeted industry by hackers (17%) - after Information & Communications technology (33%) and Manufacturing (27%). However, it did experience more security incidents which required further investigation than any other industry. Over 76% of this activity involved injection attacks while 17% involved reconnaissance activity.

Rise of botnets

Botnet agents can be leveraged to execute various cybercriminal activities including searching for and stealing financial data or authentication data, sending spam, brute forcing passwords, conducting DoS or DDoS attacks, system data collection, attacking third-party resources and disrupting industrial operations or infrastructure.

Imperva researchers found the number of sophisticated bots with bypass capabilities shot up to 17% in the last three months of 2017 (Q4 2017), as compared to 7% in Q3. Additionally, 16.1% of bots in the fourth quarter were able to bypass both cookie and JavaScript challenges, up from just 1.8% in the previous quarter.

Attack persistence also increased significantly in Q4 2017 where 63.3% of targets were exposed to multiple DDoS attacks, up from 46.7% in the previous quarter. In the fourth quarter, 25.1% of attack victims were hit six or more times, as compared to 15.5% in the third quarter.

It is critical for financial institutions to place cybersecurity as a high priority, key objective and protect their assets, customers, automation systems and reputation from such attacks. This can be achieved through robust prevention, defence and incident response controls such as mature patch management processes, monitor net traffic to detect attacks endpoint protection controls, appropriate incident response procedures and up-to-date training to detect phishing and malware attacks.

As long as IoT and smart devices remain plagued by poor security, unchanged passwords, critical vulnerabilities and lax mitigation efforts, threat actors will continue to develop new and more powerful botnets to target the financial sector and beyond. Attackers have already begun scouring through other connected devices for additional pathways to execute disruptive and destructive attacks on critical infrastructure. As the playing field for hackers widens, underestimating the risks, frequency and sophistication of attacks targeting financial enterprises is no longer an option, particularly when the exploit options for cybercriminals are endless.