Key Judgements

• The first attack occurred on January 28, 2018 at 1830 UTC. A second financial sector company experienced a DDoS attack the same day and time, likely utilizing the same botnet. A third financial sector company experienced a similar DDoS attack a few hours later at 2100 UTC the same day.
• The initial attack was a DNS amplification attack with traffic volumes peaking at 30Gb/s. We do not have enough information to determine the volume of the subsequent two attacks.
• If these attacks were conducted by IoTroop, then our observations indicate the botnet has evolved since October 2017 to exploit vulnerabilities in additional IoT devices and is likely to continue to do so to propagate the botnet and facilitate larger DDoS attacks.
• We identified at least seven IP addresses that we assess are controllers for the botnet that were likely engaged in attack coordination and scanning of new botnet infrastructure.

Executive Summary

Insikt Group estime qu'une variante du botnet Mirai, probablement liée aux botnets IoTroop ou Reaper, a été utilisée dans des attaques visant au moins une entreprise, et probablement plusieurs, du secteur financier fin janvier 2018. Cette évaluation repose sur des métadonnées provenant de tiers et sur des renseignements open source existants. IoTroop est un puissant botnet IoT (Internet des objets) principalement composé de routeurs domestiques, de téléviseurs, d'enregistreurs numériques et de caméras IP compromis, qui exploite les vulnérabilités de produits de grands fournisseurs tels que MikroTik, Ubiquity et GoAhead. C'est la première fois que nous observons un botnet IoT utilisé dans une attaque DDoS depuis Mirai, et il s'agit peut-être de la première fois que IoTroop est utilisé pour cibler des victimes depuis son identification initiale l'année dernière.

Background

En octobre 2017, des chercheurs ont identifié un nouveau botnet nommé IoTroop, composé d'appareils IoT tels que des routeurs et des caméras IP sans fil, fabriqués par des entreprises telles que TP-Link, Avtech, MikroTik, Linksys, Synology et GoAhead. IoTroop était unique en ce sens que le logiciel malveillant utilisé pour propager le botnet, également appelé Reaper, « avaitété conçu à l'aide d' un moteur Lua flexible et de scripts, ce qui signifie qu'au lieu d'être limité aux attaques statiques et préprogrammées des exploits précédents, son code pouvait être facilement mis à jour à la volée, permettant ainsi à des botnets massifs sur place de lancer de nouvelles attaques plus malveillantes dès qu'elles étaient disponibles ».

Le logiciel malveillant IoTroop peut exploiter au moins une douzaine de vulnérabilités et peut être mis à jour par les attaquants à mesure que de nouvelles vulnérabilités sont découvertes. Veuillez consulter l'annexe pour obtenir la liste complète des fournisseurs, technologies et vulnérabilités observés dans le botnet utilisé pour ces attaques et dans le botnet IoTroop.

En février 2018, la police néerlandaise a arrêté un jeune homme de 18 ans soupçonné d'avoir lancé des attaques DDoS contre plusieurs entités néerlandaises, notamment le site technologique Tweakers et le fournisseur d'accès Internet Tweak. Il existe des spéculations selon lesquelles cet homme serait également responsable des attaques DDoS contre des institutions financières que nous avons observées, mais ce lien n'a pas été confirmé par la police.

L'individu arrêté semble avoir loué le botnet pour l'utiliser dans les attaques de septembre sous le couvert d'acheter un « stresser », ou test de résistance du réseau. Si cet individu est également responsable des attaques observées en janvier, il est probable qu'il ait également loué ce botnet IoT dérivé de Mirai pour mener ces attaques. Au moment de la publication, nous ne savons pas qui est à l'origine de la compilation de ce botnet ni qui a exécuté les attaques que nous avons observées en janvier 2018.

Threat Analysis

First Financial Sector Company Targeted

The botnet targeted the first financial sector company using at least 13,000 devices, each with a unique IP address, and generated traffic volumes up to 30Gb/s. Insikt Group used IP geolocation, service banners from Shodan, and additional metadata to analyze the composition of the botnet. Candidate controllers, or bot masters, were shortlisted based on the frequency and the number of distinct botnet clients with which they were in communication. Further anomalous activity was noted based on unusual port usage.

Our analysis shows that the botnet involved in the first company attack was 80 percent comprised of compromised MikroTik routers, with the remaining 20 percent composed of various IoT devices ranging from vulnerable Apache and IIS web servers, to routers from Ubiquity, Cisco, and ZyXEL. We also discovered webcams, TVs, and DVRs among the 20 percent of IoT devices, which included products from major vendors such as MikroTik, GoAhead, Ubiquity, Linksys, TP-Link, and Dahua.

Recorded Future timeline of MicroTik router vulnerabilities and exploits since the discovery of the IoTroop botnet.

La propagation d'appareils provenant de différents fabricants suggère l'existence d'un botnet très répandu et en pleine évolution, qui semble exploiter les vulnérabilités rendues publiques dans de nombreux appareils IoT. Bien que de nombreux fournisseurs et appareils IoT figuraient dans l'étude publiée en octobre 2017, bon nombre d'appareils tels que les enregistreurs vidéo numériques Dahua, les téléviseurs Samsung UE55D7000 et les appareils basés sur Contiki n'étaient pas connus auparavant pour être vulnérables aux logiciels malveillants Reaper/IoTroop.

Recorded Future timeline of the spread of IoT botnets and malware since the September 2016 Mirai attacks.

Tous les appareils MikroTik compromis avaient le port TCP 2000 ouvert, qui est généralement réservé au protocole du serveur de test de bande passante de MikroTik. Ce port est généralement activé par défaut sur les nouveaux appareils MikroTik. Aucun appareil MikroTik avec TCP 2000 désactivé (une mesure de sécurité recommandée dans les environnements de production) n'a été détecté au sein du botnet.

Below is a graphic of the geographic breakdown for the botnet:

Global distribution of IoT botnet clients targeting financial services sector, January 2018 (via Microsoft Excel).

As the graphic shows, the geographic spread of the botnet clients was heavily skewed toward Russia, Brazil, and Ukraine. This is likely to just be a reflection of the popularity of MikroTik’s devices in those countries, rather than anything specific relating to the botnet configuration. In total, there were 139 different countries represented in the data, demonstrating a widespread targeting of vulnerable IoT devices around the world. This distribution differed from the original Mirai botnet, where Brazil was the only country that appeared in the top five botnet client lists for both botnets.

We discovered a number of IPs that we believe are command and control servers (or “controllers”) for the botnet and created a Recorded Future Threat List to enable customers to track these controllers. Please reach out to your intelligence services representative for access.

The following IP addresses are candidates for botnet controllers. While volume alone is an indicator for a controller, the below IPs are ones we have additional confidence in based on further data.

98.95.228.104: 34 percent of all activity we observed targeting the first financial sector company included UDP DNS requests to or from this IP.

71.68.32.251: Similarly, we observed a large amount of activity to or from the first company to this IP.

213.160.168.18: We observed no specific threat data on this IP, but it is part of a /24 range that has historically been linked to malware deployment and suspect proxies.

84.47.111.62: This is likely a top controller, based on volume and pattern analysis.

The next two IPs are both Slovakian. Both have slightly elevated Recorded Future risk scores because they triggered the predictive risk model.

87.197.166.13 and 87.197.108.40: We observed large amounts of data exchanged between these two IPs and a couple of the controllers. We believe these could be primary controllers, or at a minimum, one hop closer to source.

62.204.238.82: This IP was one of the 13,000 IPs originally involved in the DDoS attack. It resolves to the Czech Republic, and accounts for almost three percent of the traffic generated from our metadata analysis. During the researched window, we observed this IP make repeated connections to three suspected Internet Relay Chat (IRC) servers in France (149.202.42.174, 51.255.34.80, 5.196.26.96). All three of these suspected IRC servers triggered Recorded Future’s predictive risk model.

Second Financial Sector Company Targeted

Additionally, we determined that a second financial sector company was also targeted by a DDoS attack during the same weekend of January 27 to January 28, 2018. We believe this attack was conducted using the same Mirai-variant IoT botnet because of an overlap in the use of botnet infrastructure and the timing of the attacks.

During the course of our analysis, we uncovered evidence that the second company had likely been targeted by the same Mirai-variant IoT botnet on the same day. Further analysis identified that IP address from the second company communicated with 26 unique IP addresses, of which 19 had been involved in the attack against the first financial sector company.

Third Financial Sector Company Targeted

We also discovered that on January 28, 2018, only a few hours later at approximately 2100 UTC, a third financial sector company’s network experienced very high data volumes of TCP 443 events. While technical details of this activity are not currently available to compare with the original DDoS, the close temporal proximity of these events suggests a possible connection.

Outlook

These attacks highlight the ongoing threat of DDoS to the financial sector from continuously evolving botnets. The similarity in device composition with the IoTroop/Reaper botnet suggest IoTroop has evolved to exploit vulnerabilities in additional IoT devices and is likely to continue to do so in the future in order to build up the botnet to facilitate larger DDoS attacks against the financial sector.

As more data comes to light on the continued targeting of financial institutions from IoTroop, it will become increasingly important to monitor the potential controllers and identify new IoT devices being added to the botnet in preparation for further attacks.

Recorded Future customers are advised to subscribe to the published Threat List of botnet controllers to track malicious activity. These controllers are likely to be engaged in aggressive scanning for new vulnerable IoT infrastructure to commandeer as well as be responsible for any denial of service attack commands issued to the botnet clients.

We also recommend that users of IoT devices take the following simple measures to mitigate the risk of their devices being commandeered by an IoT botnet:

• Always replace default manufacturer passwords immediately upon use.
• Keep the firmware for devices current and up to date.
• For IP camera and similar systems that require remote access, invest in a VPN.
• Disable unnecessary services (e.g., Telnet) and close ports that are not required for the IoT device.