Content, Network Security, Breach

The IoTroop/Reaper Botnet: IoT Cyber Zombies Are Real

There’s primal dread in the words “a storm is coming.” Late last week, security monitors Check Point and China’s Qihoo 360 said exactly that about an Internet of Things (IoT) botnet they recently found and termed “IoTroop,” (some are calling it “The Reaper,” noticeably omitting “Grim”).

Don’t dismiss the wording as trivial, it’s meant to simultaneously alert and alarm us. Had Check Point stopped right there it would have been enough work for one day. Still, forewarned is forearmed. IoT cyber zombies are officially a thing, the researcher said, not a one-off, as many of us lapsed into thinking following 2016’s (“what just happened?”) Mirai DDoS attack that has hijacked more than 2.5 million devices and crippled the Internet for a time.

Imagine an uncountable army of lobotomized Internet-facing smart devices all infected by the same malware and remotely controlled joystick-like by unseen bad guys. As lip-smacking as that may be for the IoTroop/Reaper crews, botnets aren’t easy lifts. To impart the greatest damage requires commandeering and steering a boundless number of devices compromised not one at a time by the puppeteer but instead transmitted by one to another, hence the zombies.

“Our research suggests we are now experiencing the calm before an even more powerful storm,” Check Point said in a blog post. “The next cyber hurricane is about to come.” According to the company’s researchers, this second cousin once-removed is more tenacious and sophisticated than Mirai, “evolving and recruiting IoT devices at a far greater pace and with more potential damage” than its predecessor. By Check Point’s early returns, in less than 30 days IoTroop/Reaper's campaign has soured some one million organizations with the bug. Millions more may be in the queue.

At this point, no one knows for certain what the “threat actors” want but there’s urgency for any organization worldwide to prepare themselves ahead of an attack, Check Point said, suggesting again that more are on the way. Warnings of IoTroop/Reaper’s activity first emerged in late September when Check Point said its Intrusion Prevention System (IPS) picked up signals that hackers were probing wireless IP Camera devices. Then the hallmark of a botnet attack showed itself: “It soon became apparent that the attempted attacks were coming from many different sources and a variety of IoT devices, meaning the attack was being spread by the IoT devices themselves...Following this suspicious activity, we soon realized we were witnessing the recruitment stages of a vast IoT botnet,” Check Point wrote.

Security pros have said for years that the still embryonic IoT, with its 8.4 billion connected devices but sorely limited defenses, is too juicy a target for big-thinking hackers to bypass. Telling evidence is in IoTroop/Reaper’s methodology: Rather than guessing default logins and passwords to gain entry to poorly constructed IoT devices as did Mirai, the new bug uses common security flaws and tools to pry its way inside. In that sense, the IoT’s nursery -- targets such as hospitals, national transport hubs and telecoms -- are but the cheap seats.

As expected, IoTroop/Reaper is drawing reaction from security experts. “Attacks on IoT devices will be a credible threat to networks and ecosystems unless proper steps to mutually authenticate the devices to their respective networks is mandated for all IoT devices,” said Damon Kachur, Comodo’s head of IoT Solutions.

Indeed, word of IoTroop/Reaper couldn’t have been more fortuitous for security defenders, considering just days earlier the FBI cautioned of a “growing concern of cyber criminals targeting unsecure Internet of Things (IoT) devices.” At the same time, researcher IDC calculated that worldwide security spending will climb to some $120 billion by 2021.

It appears the money will have to be well spent to bust up the botnet cartels.

An In-Depth Guide to Network Security

Get essential knowledge and practical strategies to fortify your network security.
D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.

You can skip this ad in 5 seconds