Malware Samples Targeting Internet of Things Devices Soar

There was a dramatic rise in malware samples targeting Internet of Things devices, according to a new report by Kaspersky Lab.

In fact, the security firm found three times as many malware samples in the first half of 2018 as in all of 2017. Last year, there were ten times more malware samples targeting Internet of Things devices than in 2016. “That doesn’t bode well for the years ahead,” the researchers observed.

Kaspersky Lab set up honeypots to catch cybercriminals in the act. It found that one of the most popular attack and infection vectors was cracking Telnet passwords.

Surprisingly, Brazil was the top country from which Telnet password attacks originated. Perennial favorite Russia only finished fourth, behind China and Japan. Better luck next time, Vlad.

Once the criminals crack the Telnet password, their favorite malware to download is Mirai.

For the first six months of 2018, the Telnet honeypot registered more than 12 million attacks from 86,560 unique IP addresses. Malware was downloaded from 27,693 unique IP addresses.
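The figures above come from aggregating honeypot telemetry: total connection attempts, distinct attacking addresses, distinct hosts that malware was fetched from, and source countries. As an added illustration (not Kaspersky's code or log format), the script below computes those same metrics from a constructed, whitespace-separated Telnet honeypot log; the record layout and the IPs, countries and credentials in it are all invented sample data.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Constructed sample of Telnet honeypot events (not Kaspersky's data or format).
# Fields: timestamp, source IP, source country, credential tried, outcome, download URL or "-".
SAMPLE_LOG = """\
2018-03-01T10:00:01Z 203.0.113.10 BR root:admin login_fail -
2018-03-01T10:00:02Z 203.0.113.10 BR root:1234 login_ok http://198.51.100.7/bins/bot.arm
2018-03-01T10:00:09Z 198.51.100.7 CN admin:admin login_fail -
2018-03-01T10:01:00Z 192.0.2.44 JP root:1234 login_ok http://198.51.100.7/bins/bot.mips
2018-03-01T10:01:30Z 203.0.113.10 BR root:1234 login_ok http://203.0.113.99/x86
2018-03-01T10:02:00Z 192.0.2.45 RU support:support login_fail -
"""

@dataclass
class TelnetEvent:
    timestamp: str
    src_ip: str
    country: str
    credential: str
    outcome: str
    download_url: Optional[str]

def parse_events(log_text: str) -> list:
    """Parse honeypot records; malformed lines are skipped rather than aborting the run."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6 or line.startswith("#"):
            continue
        ts, ip, cc, cred, outcome, url = parts
        events.append(TelnetEvent(ts, ip, cc, cred, outcome, None if url == "-" else url))
    return events

def summarize(events: list) -> dict:
    """Attack volume, unique attacker IPs, unique download hosts, top countries and credentials."""
    successes = [e for e in events if e.outcome == "login_ok"]
    # Download sources are counted separately from attackers: the host serving the
    # binary is usually not the host that brute-forced the login.
    download_hosts = {urlparse(e.download_url).hostname for e in events if e.download_url}
    return {
        "attacks": len(events),
        "unique_attacker_ips": len({e.src_ip for e in events}),
        "successful_logins": len(successes),
        "unique_download_hosts": len(download_hosts),
        "top_countries": Counter(e.country for e in events).most_common(3),
        "top_credentials": Counter(e.credential for e in successes).most_common(3),
    }
```

Running `summarize(parse_events(SAMPLE_LOG))` on the constructed log reports 6 attacks from 4 addresses and malware served from 2 distinct hosts, the same shape of numbers the report gives for its six-month window.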

Reaper Botnet Infects Internet of Things

An alternative vector to Telnet password cracking is the Reaper botnet, which at the end of 2017 controlled about two million Internet of Things devices. Instead of targeting Telnet passwords, this botnet attacks known software vulnerabilities.

With the Reaper botnet, infections occur faster. And it is much harder to patch a software vulnerability than to change a password.

“Although this method is more difficult to implement, it found favor with many virus writers,” the researchers wrote.

Infected devices that attacked Kaspersky’s honeypots included MikroTik, TP-Link, SonicWall, AVTECH, Vigor, Ubiquiti, D-Link, Cisco, AirTies, Cyberoam, Hikvision, ZTE, and Miele.

“Malware for smart devices is increasing not only in quantity, but also quality. More and more exploits are being weaponized by cybercriminals, and infected devices are used to steal personal data and mine cryptocurrencies, on top of traditional DDoS attacks,” the researchers concluded.

Adobe Flash Is Bane of IT Security Professionals’ Existence

Adobe Flash has been the bane of IT security pros for years. Adobe has tried to keep ahead of Flash vulnerabilities by getting patches out in a timely manner. Unfortunately, Flash security problems continue.

One example is a Flash zero-day exploit uncovered by Kaspersky Lab that enables attackers to deliver FinSpy malware disguised in a Microsoft Office document.

The FinSpy malware and other FinFisher products are made by Gamma International and sold to governments and other law enforcement agencies to conduct surveillance. The latest version includes added anti-analysis techniques that make it hard to analyze the malware.

Kaspersky suspects that the attackers are part of the BlackOasis cyberattack group because this most recent payload resembles other attacks carried out by the group. Kaspersky also suspects that another FinSpy attack, uncovered by FireEye in September, is the work of BlackOasis because the attackers used the same command and control server.

The security firm explained that the Flash exploit is a memory corruption vulnerability enabling attackers to gain arbitrary read/write operations within memory.

BlackOasis targets include people involved in Middle Eastern politics, including UN officials, opposition activists, and regional news correspondents.

“We estimate that the attack on HackingTeam in mid-2015 left a gap on the market for surveillance tools, which is now being filled by other companies,” Kaspersky researchers wrote in a SecureList blog post.

“One of these is Gamma International with their FinFisher suite of tools. Although Gamma International itself was hacked by Phineas Fisher in 2014, the breach was not as serious as it was in the case of HackingTeam. Additionally, Gamma had two years to recover from the attack and pick up the pace,” they noted.

“We believe the number of attacks relying on FinFisher software, supported by zero-day exploits such as the ones described here will continue to grow,” they concluded.

The Kaspersky researchers advised organizations to disable Flash, although this may be difficult to do and may break applications that rely on Flash, and to deploy a multi-layered approach to security, including strict access policies, anti-virus software, network monitoring, and application whitelisting.

Kaspersky informed Adobe about the Flash exploit, and the company released a patch.