0925 GMT October 15, 2019
The company’s “Attack Landscape H1 2019” measured a three-fold increase in attack traffic to more than 2.9 billion events, Forbes magazine reported.
The company uses honeypots — decoy servers around the world disguised as everyday operational hardware to attract everyday attacks — and this is the first time that attacks on those honeypots “has ever hit the billion mark.”
The researchers put this increase in attacks down to the increase in the number of IoT devices being deployed around the world. In recent months, we have seen multiple warnings on the vulnerability of such devices to attack. This is partly due to a basic lack of defenses in ageing firmware or architectures, and partly down to a lack of InfoSec housekeeping. Often IT departments are not even aware of all these devices on their networks, making the task of patching security issues near impossible.
“From millions to billions,” F-Secure leads out its introduction, neatly summarizing the issue.
We have also seen an improved understanding of some of the risks that such devices introduce into homes and workplaces. Again, sometimes it is an attack on the device itself — remember that this includes medical and control devices which contain valuable data in themselves. But the greater risk is the use of these endpoints as soft access points into wider networks. Attacking an unpatched printer or VoIP phone to access a seemingly secure network is clever and dangerous. And such attacks are now firmly in the playbook of grown-up nation-state threat actors around the world.
The Telnet protocol attracted “the largest share of attack traffic — 760 million events,” up almost 30 percent since the last report. Another IoT protocol, Universal Plug and Play (UPnP), was not too far behind, with 611 million events. Given this IoT focus, it was no surprise then, the researchers explained, “that malware found in the honeypots was dominated by various versions of Mirai, which infects IoT devices that use default credentials and coopts those devices into botnets that conduct DDoS (Distributed Denial of Service) attacks.”
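As an added illustration (not code from F-Secure or from the report), here is a small Python triage of constructed honeypot event lines: it tallies events per protocol, as the report does for Telnet and UPnP, and flags sources that hit Telnet with factory-default credentials at machine speed, the automated Mirai-style pattern the researchers describe. The log format, IP addresses and default-credential list are all constructed for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed honeypot event lines (illustrative, not data from the report):
# "<timestamp> <source> <protocol> <detail...>"
SAMPLE_LOG = """\
2019-03-01T10:00:00Z 198.51.100.7 telnet login user=root pass=admin
2019-03-01T10:00:00Z 198.51.100.7 telnet login user=admin pass=admin
2019-03-01T10:00:01Z 198.51.100.7 telnet login user=root pass=12345
2019-03-01T10:00:01Z 198.51.100.7 telnet login user=root pass=password
2019-03-01T10:00:05Z 203.0.113.9 upnp ssdp M-SEARCH
2019-03-01T10:00:06Z 203.0.113.9 upnp ssdp M-SEARCH
2019-03-01T10:02:30Z 192.0.2.44 telnet login user=jsmith pass=Winter2019!
2019-03-01T10:09:00Z 192.0.2.44 telnet login user=jsmith pass=Winter2019
2019-03-01T10:10:00Z 198.51.100.7 smb probe
"""

# Placeholder factory-default pairs (constructed for the example).
DEFAULT_CREDS = {("root", "admin"), ("admin", "admin"), ("root", "12345"), ("root", "password")}

def parse(log):
    """Return (timestamp, source, protocol, (user, pass) or None) per line."""
    events = []
    for line in log.splitlines():
        ts, src, proto, *rest = line.split()
        creds = None
        if proto == "telnet" and rest[:1] == ["login"]:
            kv = dict(p.split("=", 1) for p in rest[1:])
            creds = (kv.get("user"), kv.get("pass"))
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, proto, creds))
    return events

def protocol_share(events):
    """Event count per protocol, the metric the report leads with."""
    return Counter(proto for _, _, proto, _ in events)

def flag_automated_default_cred_sources(events, min_attempts=3, max_gap_s=2.0):
    """Sources making >= min_attempts Telnet logins with default credentials
    with no pause longer than max_gap_s: machine-speed, Mirai-style activity."""
    by_src = defaultdict(list)
    for ts, src, proto, creds in events:
        if proto == "telnet" and creds in DEFAULT_CREDS:
            by_src[src].append(ts)
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= min_attempts and all(g <= max_gap_s for g in gaps):
            flagged[src] = len(times)
    return flagged
```

On the sample, only 198.51.100.7 is flagged (four default-credential attempts within two seconds), while the slow, non-default attempts from 192.0.2.44 are left alone.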
The biggest culprits for the origination of attack traffic were China and Russia, unsurprisingly, as well as the US and Germany. The US also topped the target list, followed by a number of European nation-states.
F-Secure acknowledged that improvements to its honeypots and their deployments would have accounted for some of the increase, “but there’s also no doubt that attack traffic is also simply on the increase.” The researchers cited IoT growth as well as the continuing “prevalence of Eternal Blue” for this.
Unsurprisingly, the team also concluded that “99.9 percent of traffic to our honeypots is automated,” meaning bots and scripts and malware designed to attack at scale.
“Attacks may come from any sort of connected computing device — a traditional computer, malware-infected smartwatch or IoT toothbrush can be a source.”
What has been interesting in the exploitation of mass IoT endpoint vulnerability has been its use by tier-1 threat actors. That won’t show up in any headline attack numbers, but by value and impact those attacks will top the list.
Mitigation advice is as obvious as it is difficult — “know what devices and servers you have and why they’re needed. Retire old assets that aren’t necessary.” The challenge is that IoT devices by their nature can be “fire and forget,” not subject to the same security asset-inventory and tracking rules within organizations as other — more obviously vulnerable — assets.
If you do know where all these devices happen to be, clearly keep them patched at all times. They are becoming the most vulnerable access point into home and business networks. Beyond that, the advice reflects the other major finding in recent reports — almost all attacks now start with a person taking an action — clicking or installing. Credential theft or malware loading is the opening needed to map an attack.
“Every half year it’s a different story,” F-Secure warns, “this time it’s the rampant exploitation of IoT devices via Telnet and UPnP” and “China’s domination of traffic,” as well as more targeted threats from the likes of ransomware and crypto mining.