The Reaper May Come to Haunt IoT Devices

If you thought Mirai was bad, you’re really going to fear the Reaper. That’s the word from security experts at Check Point Researchers who have discovered a new IoT botnet.

The botnet, which has been named IoTroop (by Check Point) or Reaper, (by Netlab 360) is growing and infecting IoT devices at a much faster pace than the infamous Mirai botnet credited with taking down half the internet.

[ Related: IoT Technologies: Developers Prefer Java, Worry About Security ]

The new IoT botnet was first discovered at the end of September. Unlike Mirai, which infected IoT devices using default or hard-coded user names and passwords, it evolves daily to exploit a variety of vulnerabilities in IoT-connected cameras made by GoAhead, D-Link, TP-Link, AVTECH, NETGEAR, MikroTik, Linksys, Synology and others. The attacks were found to be coming from other IoT devices.  Check Point estimates at least 1 million organizations have been infected.

Taking down the Internet with an IoT botnet 

“While some technical aspects lead us to suspect a possible connection to Mirai, this is an entirely new and far more sophisticated campaign that is rapidly spreading worldwide. It is too early to guess the intentions of the threat actors behind it, but with previous Botnet DDoS attacks essentially taking down the Internet, it is vital that organizations make proper preparations and defense mechanisms are put in place before an attack strikes.” Checkpoint said in a blog post.

Security firm Netlab 360 said it is tracking multiple command and control servers (C2) for the IoT botnet and are finding over 10,000 unique and active bot IP addresses a day. The firm said there are also millions of device IPs being queued into the command and control system to be “processed” that is, infected with the malicious code that will add the devices to the bot net.

[ Related: Best Practices for IoT Security: Expert Spotlight ]

According to a post on their website, Netlab 360 says that it has so far determined the following:

• Number of vulnerable devices in one c2 queue waiting to be infected: over 2 million.
• Infected bots controlled by one C2 in last 7seven days: over 20,000.
• Number of daily active bots controlled by one C2: around 10k for one day (October 19).
• Number of simultaneous online bots controlled by one C2: around 4,000.

“Currently, this botnet is still in its early stages of expansion. But the author is actively modifying the code, which deserves our vigilance,” said the firm.