214 West 29th St, 5th Floor
New York, NY 10001
1.800.682.1707
SecurityScorecard.com
©2017 SecurityScorecard Inc.
IOT MALWARE REPORT
Analysis of Q3 2017 Mirai Activity
SECURITYSCORECARD R&D DEPARTMENT
Overview
From July to September 2017, SecurityScorecard identified 34,062 IPv4
addresses on the public internet that all displayed the symptoms
expected from an embedded device infected with Mirai IoT malware.
The team analyzed captured data of incoming connections and payloads
to the telnet ports of deception platforms and kept the sessions that
matched patterns of known Mirai propagation attempts. Through this
examination SecurityScorecard found that, even a year after the initial
release, Mirai botnet infections are still widespread, a troubling
indicator of the lack of well-established cybersecurity practices across
all industries.
Additionally, SecurityScorecard’s examination revealed that Mexico
has made an unexpected rise to the top of the list when it comes to
countries with infected IoT devices.
Background: Mirai Botnet and Family
This time last year, Mirai botnets took down major websites, such
as music-streaming and social media sites. (A reminder of how
this happened: by harnessing 1TB/s of compromised traffic, self-
propagating Mirai botnets were used in a DDoS attack against
DynDNS, an infrastructure company that handles massive amounts of
communications for a large number of websites.)
Since then, many other malware attacks have been levied upon
companies across the globe, taking their services down and affecting
millions of users. The self-propagating nature of the Mirai botnet
means that when one malware infection compromises a device, this
device can then be leveraged to infect many other devices. This
pool of resources is then used to target enterprises for malicious and
profit-driven motives. In addition to malware for DDoS attacks, there
is a significant emergence of cryptocurrency-mining malware that is
being deployed on infected IoT devices, allowing hackers to monetize
resources without drawing unwanted attention.
Mexico on the Map with Mirai
The top five affected countries for Mirai activity in the third quarter of
2017 were:
1. Mexico
2. China
3. Brazil
4. US
5. Turkey
While China, the U.S., Brazil, and Turkey are frequently listed as
countries heavily impacted by attack feeds, the emergence of Mexico
bypassing China in number of unique IP addresses infected is an
interesting development.
The explanation for Mexico claiming the number one spot is likely a
byproduct of the significant regional efforts that are taking place for
the implementation of widespread IoT technologies. Mexico has been
at the forefront for the adoption and expansion of IoT systems, such
as the recent availability of a regional dedicated communications
service specifically geared towards IoT.
It’s no surprise that in an environment where an emerging technology
is being rapidly adopted at a large scale, speed of deployment is
sometimes prioritized over necessary security practices during
implementation.
Fig 3 - Pie Chart of Geographical Activity for Mirai during Q3-2017
More IoT Devices at the Enterprise and Consumer Level Results in a Visible Impact Across Industry Types
Breaking down the data by industry revealed the top five industries
that were most affected by Mirai variants in the third quarter of 2017.
1. Education
2. Energy
3. Manufacturing
4. Entertainment
5. Financial Services
Given the high number of IoT devices at a consumer level and the
increase of IoT devices used at an enterprise level, it’s no surprise
these industries rank higher than some of their counterparts. For
example, college students are active buyers of IoT devices and the
energy and manufacturing industries routinely incorporate IoT devices
at the enterprise level.
* Note that when looking at the industry breakdown, domains categorized as Telecommunications/Technology/Information Services should be interpreted carefully. These domains may consist of domains/IPs that belong to residential users rather than business users (especially in the case of Telecommunications); such domains are considered unattributed from the standpoint of enterprise IP attribution mapping.
Fig 2 - Bar Graph of Industries
Results of the Propagation Observations
Mirai Points to a Need for Improved Cybersecurity Practices
SecurityScorecard identified 184,258 IPv4 addresses as IoT devices
infected with Mirai IoT malware from August 1, 2016 to July 31, 2017.
While the sheer magnitude of the number of infected devices alone
serves as a strong reminder to information security practitioners to
establish processes that maintain cybersecurity hygiene, the over
30,000 infected IoT devices identified this year shine a spotlight on
the need for an increased focus on maintaining cybersecurity health.
Fig 1 - Geographical map representing spread of Mirai - Q3-2017
The red dots indicate the distribution of infected devices.
Conclusions
While the rise of IoT attacks in Mexico is likely to continue, the
necessity for secure configurations may eventually result in valuable
IoT security research coming from engineers and hackers in Mexico.
As persistent IoT threats evolve and new threats emerge, it is critical
for enterprises to develop a risk management and monitoring system
that addresses the complexities of the IoT landscape - a landscape
made more complicated by dynamic attack vectors, a patchwork
of new industry standards, and compounded risks created by the
growing risk ecosystem of companies.
IP Attribution Methodology
The methodology behind industry identification of IPv4 addresses
for this case study resides in the IP attribution system that
correlates exposed digital assets with affected enterprises. The
SecurityScorecard platform checks multiple data points of external
identifiers to attribute the asset to an owner, even when the asset
resides in a third-party network, such as a cloud provider or off-site
facility.
Data Collection Methodology
To collect the data discussed in this report, SecurityScorecard
makes use of an array of internally developed analyst scripts, as
well as a hardware implementation of the CDS Enterprise Deception
Platform developed by Cyber Detection Services of Nashville, TN.
The CDS Enterprise Deception Platform consists of hardware
deployed in data centers which provides IPv4 addresses within
CIDR ranges that are under constant, sustained attack. The
neighboring IPv4 addresses in those ranges host an array of financial
services, ecommerce providers, and other high-value targets within the
Fortune 1000.
Vulnerable enterprise network configurations are emulated and
broadcast to the public internet, appearing as attractive targets to
automated scans, attack scripts, and individual human attackers.
Incoming connection attempts are accepted, and vulnerable
conditions are surfaced. Attackers are caught in a loop of false
positive validation, while incoming payloads and associated IP
addresses are captured.
Captured attack data undergoes a follow-up inspection by the SSC
IP Attribution engine to determine the enterprise using the IPv4
address and its associated industry. Threat intelligence analysis engines
then inspect payloads to classify known attacks, as well as to
identify unidentified, unique payloads that may indicate an
emerging threat.
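The pipeline described in the Overview and in this section (telnet-port captures from the deception platform, payload matching against known Mirai propagation patterns, de-duplication to unique IPv4 addresses, then attribution to a country and industry) is shown below as an added, simplified example; it is not SecurityScorecard's or CDS's code. The capture records, the attribution table and the single busybox-probe signature are constructed assumptions for illustration; a production classifier would use the full pattern set the report refers to.

```python
import re
from collections import Counter

# Constructed sample of deception-platform captures, one record per telnet
# session: (source IPv4, destination port, payload seen after login).
# Addresses are documentation ranges and payloads are made up.
SAMPLE_CAPTURES = [
    ("198.51.100.7", 23, "enable\nsystem\nshell\nsh\n/bin/busybox XYZ1\n"),
    ("198.51.100.7", 23, "enable\nsystem\nshell\nsh\n/bin/busybox XYZ1\n"),  # repeat visit
    ("203.0.113.45", 2323, "sh\n/bin/busybox ABCD\n"),
    ("192.0.2.10", 23, "GET / HTTP/1.1\r\nHost: example\r\n"),  # web noise on port 23
    ("203.0.113.99", 23, "ls -la\nuname -a\n"),  # interactive session, no marker
    ("198.51.100.200", 23, "enable\nsh\n/bin/busybox QQQQ\n"),
]

# Assumed stand-in for the IP attribution engine: IPv4 -> (country, industry).
# Constructed values, not real attributions.
ATTRIBUTION = {
    "198.51.100.7": ("Mexico", "Education"),
    "203.0.113.45": ("Mexico", "Energy"),
    "198.51.100.200": ("China", "Manufacturing"),
    "203.0.113.99": ("Brazil", "Education"),
    "192.0.2.10": ("US", "Financial Services"),
}

TELNET_PORTS = {23, 2323}
# Assumed simplified signature: the loader probes the shell with
# "/bin/busybox <TOKEN>" using an applet name that cannot exist, so the
# device's "applet not found" reply confirms a BusyBox shell is present.
MIRAI_PROBE = re.compile(r"^/bin/busybox [A-Z0-9]{3,8}$", re.MULTILINE)

def is_mirai_propagation(port, payload):
    """True when a telnet-port session carries the propagation marker."""
    return port in TELNET_PORTS and MIRAI_PROBE.search(payload) is not None

def infected_ips(captures):
    """Unique source IPv4 addresses whose sessions matched the signature."""
    return {ip for ip, port, payload in captures if is_mirai_propagation(port, payload)}

def rank_by(ips, attribution, field):
    """Count unique infected IPs per country (field=0) or industry (field=1)."""
    counts = Counter(attribution[ip][field] for ip in ips if ip in attribution)
    return counts.most_common()

if __name__ == "__main__":
    ips = infected_ips(SAMPLE_CAPTURES)
    print("unique infected IPv4:", len(ips))
    print("by country:", rank_by(ips, ATTRIBUTION, 0))
    print("by industry:", rank_by(ips, ATTRIBUTION, 1))
```

Counting unique IPv4 addresses rather than sessions is what keeps a single chatty bot from inflating a country's or industry's rank.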
About SecurityScorecard
SecurityScorecard offers an exclusive security rating platform able to
determine the security risk of any organization on the internet. Our
proprietary SaaS offering helps enterprises gain operational command
of their security postures and those of all of their partners and vendors.
SecurityScorecard provides continuous, non-intrusive monitoring
for any organization including third and fourth parties. The platform
offers a breadth and depth of critical data points not available from
any other service provider including a broad range of risk categories
such as Application Security, Malware, Patching Cadence, Network
Security, Hacker Chatter, Social Engineering and Leaked Information.
To receive a free, instant SecurityScorecard report about your
company, visit https://instant.securityscorecard.com