
New Reaper virus has infected 2 million IoT devices

The cyber intelligence company Check Point Research has discovered the Reaper virus, which attacks devices connected to the Internet of Things. The company reports that the virus is spreading much faster than Mirai, which made headlines in 2016. By some estimates, it has already infected two million IoT devices.



The Mirai virus showed what an attack by infected Internet of Things devices can turn into. In September 2016, Brian Krebs published an article on groups that sell botnet services for DDoS attacks. After that, one of the most powerful DDoS attacks in history, with 665 Gbit/s of traffic, hit his site.

As for the new virus, Reaper bears some similarity to Mirai, but it is in fact a completely new and much more complex piece of malware that is rapidly spreading around the world, Check Point Research writes in its blog.

However, the new virus exploits known device vulnerabilities. Reaper's database contains information about devices from the following companies: D-Link, Netgear, Linksys, AVTech, Vacron, JAWS and GoAhead.

Some of these manufacturers have already released security updates, but not all users have installed them. Therefore, many devices are still at risk.

Commenting on the situation, Nadir Izrael, co-founder of Armis, a company that provides security for the Internet of Things, pointed to the problem of updates.

He noted that most connected devices are not easy to update. According to him, many of them lack a proper interface that users and IT professionals can understand. Some have a default password that the owner may not know. And some do not support updates at all.

Experts analyzed Reaper's code and found that the malware is capable of conducting DDoS attacks, but none have been carried out yet. The author of the virus is probably waiting for it to spread around the world.

Infected devices automatically send the virus to other connected gadgets — according to Check Point Research, approximately 60% of corporate networks that are part of the global ThreatCloud network “handle” this.

For example, vulnerability CVE-2017-8225 is used to recruit GoAhead IP cameras into the botnet. The infected device's System.ini file contains a netcat command that establishes a connection with the attacker's system. After that, the gadget begins to search for other "victims" on its own. In this way, the virus hits 10,000 new devices daily.

Internet of vulnerable things


The security of the Internet of Things is a pressing issue. According to HP research, 80% of devices do not require users to enter complex passwords. This is what Mirai exploited in its time: it had 60 common login-password pairs in its database. Simple guessing allowed the virus to infect 400-500 thousand devices.

There is even a dedicated search engine, Shodan, where you can find information about 100 million connected devices, including weak ones. Just enter the query "default password" or similar.

An HP study also found that 60% of devices did not use encryption when updating. Because of this, attackers can intercept the update file and embed third-party code in it.

A vulnerability was also recently discovered in the WPA2 security protocol, which is used to establish Wi-Fi connections, and Wi-Fi is used by a number of IoT devices. This type of attack on WPA is called KRACK and allows an attacker to force network participants to reinstall the encryption keys that protect traffic.

During key reinstallation, the transmitted packet number and the received packet number are reset to their initial values. The attack breaks the PeerKey, group key and Fast BSS Transition (FT) handshakes. The attacker gains the ability to decrypt packets and inject malicious code into TCP streams.

The KRACK method is universal and works against any device connected to a Wi-Fi network. That is, in addition to IoT devices, all users of Android, iOS, Windows, Linux and so on are at risk.
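Why the counter reset matters, shown as an added example that is not part of the original article: when the packet number returns to its initial value under an unchanged key, two frames share a keystream, and a monitor can spot the repeated number. The toy keystream below is a stand-in for WPA2's real cipher, and the key, sender address, payloads and function names are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample values; nothing here comes from a real capture.
KEY = b"constructed-session-key"
SENDER = "02:00:00:00:00:01"
P1 = b"sensor reading: 21.5C"
P2 = b"door state:  unlocked"

def keystream(key, packet_number, length):
    """Toy keystream bound to (key, packet number); a stand-in for CCMP."""
    out, block = b"", 0
    while len(out) < length:
        msg = packet_number.to_bytes(6, "big") + block.to_bytes(2, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key, packet_number, plaintext):
    return xor(plaintext, keystream(key, packet_number, len(plaintext)))

def find_reused_packet_numbers(frames):
    """Flag every (sender, packet number) pair that appears more than once."""
    seen, reused = set(), []
    for sender, packet_number, _ciphertext in frames:
        if (sender, packet_number) in seen:
            reused.append((sender, packet_number))
        seen.add((sender, packet_number))
    return reused

def demo():
    frames = [
        (SENDER, 1, encrypt(KEY, 1, P1)),
        (SENDER, 2, encrypt(KEY, 2, b"heartbeat")),
        # Key reinstalled: same key, counter back at its initial value.
        (SENDER, 1, encrypt(KEY, 1, P2)),
    ]
    # Same key and packet number means same keystream, so it cancels out.
    leaked = xor(frames[0][2], frames[2][2])
    return frames, leaked

if __name__ == "__main__":
    frames, leaked = demo()
    print("reused:", find_reused_packet_numbers(frames))
    print("c1 xor c3 equals p1 xor p2:", leaked == xor(P1, P2))
```

The detector assumes every frame it sees was sent under one session key; a legitimate rekey restarts the counter with a fresh key, and such frames should be tracked separately.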


Source: https://habr.com/ru/post/340938/

