Over the December holidays, one of our researchers discovered proof of a much-theorized but we believe never before seen in the wild security breach.
Specifically, as the this researcher was analyzing email-borne threats (something they do on an ongoing basis), they observed that in a recent attack campaign, more than 25 percent of the malicious email (over 750,000 messages) came from things that were not conventional laptop or desktop computers, but rather members of the Internet of Things (IoT); a “Thingbot”-net*, as it were.
Specifically, we observed a series of campaigns:
- From Dec 23rd through Jan 6th
- Three campaigns per day, approximately 100k emails per campaign
- Over 450k unique IP addresses; over 100k were from IoT devices
A more detailed examination suggested that while the majority of mail was initiated by “expected” IoT devices such as compromised home-networking devices (routers, NAS), there was a significant percentage of attack mail coming from other non-traditional sources, such as connected multi-media centers, televisions and at least one refrigerator.
Additionally, observing the devices:
- A vast number of the devices are running embedded linux servers (usually busybox)
- Some use mini-httpd, some apache
- Some are ARM devices, some are MIPS (or something very similar) others are based on an embedded Realtek chipset (eg PBO/Masscool/Ryan media players)
- We believe some are PS3s/Xboxes/WIIs
- Some are NAS devices (D-LINK and Netgear) . One specific brand has open telnet, open ssh and an SMTP server – all unsecurable.
- We’ve also seen set-top boxes (Dreamboxes, VU Duo2 Plus, and Melita Cable HD) exploited
This proof of a systematic compromise of IoT devices and its subsequent use of those Thingbots to further attack other networks is something we’ve never seen before — but suggests an unfortunate future for both home users and Enterprises, the latter of whom now faces an even larger volume of malicious attack capacity.
Worse, these compromised home appliances provide a mechanism where users can unknowingly expose their work environment to such attacks. All a user has to do is use a remote RDP connection, or conceivably simply take an action like checking their fridge from their work PC; if a classic drive-by or even a redirect has been installed, the work PC is now compromised (though this is arguably more farfetched). Clearly, as the trend towards smart devices and BYOD increases, the risk of Enterprise exposure increases correspondingly, exponentially.
Our conclusion? Further reiteration that the traditional Enterprise security approach to blocking entry of attacks solely at the email gateway won’t work; rather, focus should be on protecting the users at point of click (wherever that may be) and providing insight into user actions and attacker targeting.
But this is what we’ve seen – what has been your experience?
*With laptops, when they’re compromised, we refer to them as “Bots” – and a group would be a botnet, used to deliver high volumes of malicious email to unsuspecting end-users. What we’ve found is the next evolution, derived from the rise of the Internet of Things (IoT) – Thingbots; smart devices that have been compromised.