IoT botnet attacks on the rise: practical tips for minimising risk

10. August, 2022

IoT botnets are gaining momentum, driven by external factors. Nozomi Networks Labs’ latest OT/IoT Security Report cites the surge in IoT botnets as one of three key developments in the first half of 2022. Together with impacts from the Ukraine war and the rise of wiper malware designed to destroy data and systems, they dominate the current threat landscape. [1]

What makes IoT systems attractive for attackers

It is becoming increasingly interesting for cybercriminals to specialise purely in IoT systems. Cameras, sensors or control and monitoring systems are often installed in large numbers and then not given any further attention. Thus, IoT systems usually have little protection, while they are online 24 hours a day and typically have a very good internet connection.

IoT systems often base on a stripped-down Linux operating system that offers little scope for security functions. Combined with cheap off-the-shelf components from additional suppliers and possible cost and implementation pressure from the manufacturer, simple security problems can thus spread by the millions.

Why there are more and more IoT botnets

Practice shows a lack of security-by-design and quality control of implementations, standard passwords in real operation and even keys written in the programme code. One current example: A GPS tracker component that is used a million times can be hijacked via a standard password and enables attackers to switch off the engine locally in a vehicle. [2] Incidentally, “admin” and “root” are among the most frequently used user information to gain access to foreign systems.

Microsoft has also investigated the functioning of the IoT botnet “Trickbot” in more detail and summarised findings about the attack vectors and general functioning. [3] Just like Nozomi, Microsoft observed a targeted search for typical infrastructure components used millions of times with factory settings or simply bad and frequently used passwords. Once identified, attackers take these components over in order to abuse them for their own communication purposes. Weak authentication and access control are the preferred and currently also the easiest point of attack on IoT systems.

How to prevent IoT botnets

The good news: You can secure the most common points of attack with a few simple measures that build on each other. This way, you noticeably reduce the security risk even in already deployed devices and IoT systems.

  • Password policy: Immediately change all default passwords on all systems without exception to secure combinations. Delete pre-set manufacturer accounts and check existing users to no longer allow backdoors.
  • Account-Policy: Use only unique user credentials and do not use the same accounts on different devices. Individual login data per user via exclusively encrypted connections is optimal.
  • Authentication: Use a central authentication facility (AAA server) and monitor all login attempts as well as new user creation. These analyses can provide indications of malware activities.
  • Automation: Especially if you have several IoT systems in operation, it is worth automating the inventory and monitoring of your IT/OT systems. This way you can detect vulnerabilities, threats and anomalies as quickly as possible.

CONCLUSION: As security solutions for traditional computers continue to evolve and improve, cyber criminals are looking for alternative ways to penetrate target networks. Attack attempts on routers, cameras and other IoT devices are therefore not new.

Since these IoT devices and networks are often not actively managed and monitored, they are usually the weakest link in the entire IT system. Both companies and home users should definitely consider IoT devices in their security policies and change all default passwords immediately as a first step.

For companies with extensive IoT landscapes, professional solutions for monitoring, protection and risk minimisation are available from the field of industrial cyber security.

Product recommendation:

Nozomi Guardian powered by IKARUS

Reading recommendation:

Honeypots: Researchers analyse attacks on IoT systems
Loophole into the home network: tips to better secure Smart Home devices

Sources:

MSSP of the Year 2024

SIEM

What is a SIEM?

Nozomi Guardian Air
HarfangLab Guard
MITRE ATT&CK Framework
v.l.n.r.: Joe Pichlmayr (CEO IKARUS) – Anouck Teiller (CSO HarfangLab) –Alexander van der Bellen (Bundespräsident Österreich) - Frédéric Joureau (Erster Botschaftsrat der französischen Botschaft in Wien) – Christian Fritz (COO IKARUS)
EDR
Cyber Kill Chain
Business Email Compromise
Prognosen für die zehn größten Cybersecurity-Bedrohungen für 2030
E-Mail Verschlüsselung
Schritt für Schritt zum Notfallplan für IT-Security-Incidents
Account Management
Bedrohung
Indicators of Attack
Gefahren durch vertrauenswürdige Services

WE ARE LOOKING FORWARD TO HEARING FROM YOU!

IKARUS Security Software GmbH Blechturmgasse 11
1050 Vienna

Phone: +43 1 58995-0
Sales Hotline:
+43 1 58995-500
sales@ikarus.at

SUPPORT HOTLINE

Support hotline:
+43 1 58995-400
support@ikarus.at

Support hours:
Mon – Thu: 8am – 5pm
Fri: 8am – 3pm
24/7 support by arrangement

Remote maintenance software:
AnyDesk Download