Attacks Escalating Against Linux-Based IoT Devices


Incidents of malware targeting Linux-based Internet of Things (IoT) devices jumped by more than a third in 2021, with three malware families the primary drivers behind the increase.

According to a report by CrowdStrike, there was 35 percent year-over-year growth in 2021 of malware targeting these devices, and the XorDDoS, Mirai and Mozi families were responsible for 22 percent of all Linux-based IoT malware. There was a 10-fold increase in the number of samples of Mozi found in the wild, Mihai Maganu, a threat researcher at CrowdStrike, wrote in a blog post.

The primary goal of all this malware is to compromise the devices and systems, pull them into a botnet and use them for distributed denial-of-service (DDoS) attacks, Maganu wrote. That echoes similar reports that have shown an increase in DDoS attacks worldwide. Kaspersky researchers last year found that such attacks increased by about a third year-over-year in the third quarter of 2021.

Microsoft Azure last year said it was able to stave off a record DDoS attack against a European customer.


Threats to Open Source, IoT

CrowdStrike’s numbers highlight not only the threat to open-source technologies – see Log4j – but also from IoT devices, long a concern for enterprises as they become more connected and more intelligent.

Linux is widely used in web servers and cloud infrastructure, but the open-source software also is broadly adopted in mobile and IoT devices due to its scalability, performance and security. In addition, the broad array of distributions makes it easier to support multiple hardware designs.

However, with more than 30 billion IoT devices expected to be connected to the internet by 2026, attacks against them can have wide-ranging impacts.

“With various Linux builds and distributions at the heart of cloud infrastructures, mobile and IoT, it presents a massive opportunity for threat actors,” he wrote. “For example, whether using hardcoded credentials, open ports or unpatched vulnerabilities, Linux-running IoT devices are a low-hanging fruit for threat actors — and their en masse compromise can threaten the integrity of critical internet services.”


A Fast-Growing Attack Surface

Bud Broomhead, CEO of cybersecurity vendor Viakoo, told eSecurity Planet that IoT devices are the largest and fastest-growing attack surface for most organizations and that they have more known vulnerabilities targeting them than traditional IT systems.

There is a litany of reasons for this, Broomhead said. Organizations can have as many as 100 times the number of IoT devices as other systems; agent-based vulnerability remediation solutions don’t work with them, but older threat vectors like man-in-the-middle attacks do; and having so many vulnerable IoT devices enables huge botnet armies to be assembled and deployed.

There are other problems, too, including that many IoT devices are managed by line-of-business groups rather than IT and many use non-standard operating systems that traditional IT cybersecurity products don’t work with.

“IoT devices pose two fundamental threats,” he said. “The largest risk is that IoT systems – think water control or pipelines – could be controlled by a threat actor to cause physical damage, loss of life or enable terrorism. Vulnerable IoT devices also pose a threat that they can be used as entry into a network to then laterally move to sensitive corporate data or other systems. Because IoT devices are performing business-critical [and] mission-critical functions, shutting them off is not an option in many cases, making an exploit against them inherently higher risk than IT systems that can be taken offline.”


Mozi, XorDDoS and Mirai

Mozi is a peer-to-peer (P2P) botnet network that was first detected in 2019 and uses the distributed hash table (DHT) system. There is a distributed and decentralized lookup mechanism in DHT that makes it easy for Mozi to hide communications with a command-and-control (C2) server behind a lot of legitimate DHT traffic.

“The use of DHT is interesting because it allows Mozi to quickly grow a P2P network,” Maganu wrote. “And, because it uses an extension over DHT, it’s not correlated with normal traffic, so detecting the C2 communication becomes difficult. Mozi infects systems by brute-forcing SSH and Telnet ports. It then blocks those ports so that it is not overwritten by other malicious actors or malware.”

CrowdStrike in 2021 also saw a 123 percent year-over-year increase in samples of XorDDoS, a Trojan aimed at multiple Linux architectures, including those powered by x86 chips from Intel and AMD as well as Arm processors. The malware uses SSH brute-force attacks to gain remote control of devices and some variants allow bad actors to scan and search for Docker containers, he wrote.

Mirai, a Linux Trojan that has been around since 2016, is similar to Mozi in that it exploits weak protocols and passwords to compromise devices by using brute-force attacks. Its developer published the source code for Mirai, which ramped up the number of variants, including Sora, IZIH9 and Rekai. All told, identified samples of all three jumped in 2021 from 33 percent for Sora to 83 percent for Rekai.

[Image: CrowdStrike XorDDOS detection]

Sensitive Data an Attractive Target

It’s not surprising that fast-growing IoT devices have become a popular target for threat actors, according to John Bambenek, principal threat hunter at cybersecurity vendor Netenrich.

“Anything that has sensitive data is an attractive target,” Bambenek told eSecurity Planet. “Criminals want to make money. Spies want to steal information. If valuable enough data was stored on a Commodore 64 to make it worth a criminal’s while, they’ll drop a zero-day on that, too. The problem with IoT devices is they have all the functionality of a Linux machine with no ability to put any protection on it.”

Many require firmware updates rather than tools such as yum or apt for patching, he added, and users can’t deploy endpoint protection on most of them.

“IoT devices have made botnets great again,” Bambenek said.

They also can be an avenue into an enterprise’s network and data, he said. In particular, IoT devices that process sensitive information, such as point-of-sale (POS) devices and medical equipment, can be exploited to steal and exfiltrate data.

IoT Protection Steps

Viakoo’s Broomhead said there are three key steps organizations can take to protect themselves from the threat posed by vulnerable IoT devices, including having a complete inventory of IT assets and remediating them for vulnerabilities. In addition, he recommended implementing an automated IoT vulnerability remediation solution to perform security fixes as soon as possible and extending a zero trust initiative to include IoT hardware.

Bambenek’s first suggestion is to forcefully throw away – to “yeet” – the IoT devices.

“If an organization cannot yeet their unmanaged IoT devices into the abyss, they should put them on isolated network segments and use strong network security tools and IPS to protect those devices and to identify abnormal behavior from them,” he said.
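The three families described above all get their initial foothold the same way: credential brute-forcing against SSH (and, for Mozi and Mirai, Telnet). A first step toward the "identify abnormal behavior" that Bambenek recommends is to watch the authentication logs that a Linux-based device or its jump host already emits. The following is an added example, not code from the article, CrowdStrike or any vendor quoted here: a small sliding-window detector over OpenSSH-style syslog lines that flags a source that fails repeatedly against several usernames within a short window, and escalates if that same source later logs in successfully. The sample log lines, the hostname, the window and the threshold are constructed assumptions; Telnet daemons log in their own formats and are not parsed here.

```python
"""Flag SSH password brute-force bursts in OpenSSH-style auth log lines.

Illustrative example added to the article (not CrowdStrike's or Viakoo's
code). Window, threshold and sample lines are constructed assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH "Failed password" / "Accepted password" lines as written to syslog.
# The optional "invalid user " prefix appears when the account does not exist.
AUTH_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+)"
)

WINDOW = timedelta(seconds=60)   # assumption: one-minute sliding window
THRESHOLD = 5                    # assumption: five failures per source

# Constructed sample: one burst from 203.0.113.7 that ends in a successful
# root login, one slow trickle of typos from 198.51.100.9, one unrelated line.
SAMPLE_AUTH_LOG = """\
Feb 13 10:00:01 cam-01 sshd[812]: Failed password for root from 203.0.113.7 port 51122 ssh2
Feb 13 10:00:02 cam-01 CRON[800]: pam_unix(cron:session): session opened for user root
Feb 13 10:00:03 cam-01 sshd[813]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
Feb 13 10:00:05 cam-01 sshd[814]: Failed password for invalid user pi from 203.0.113.7 port 51124 ssh2
Feb 13 10:00:07 cam-01 sshd[815]: Failed password for invalid user support from 203.0.113.7 port 51125 ssh2
Feb 13 10:00:09 cam-01 sshd[816]: Failed password for root from 203.0.113.7 port 51126 ssh2
Feb 13 10:00:11 cam-01 sshd[817]: Accepted password for root from 203.0.113.7 port 51127 ssh2
Feb 13 10:02:00 cam-01 sshd[820]: Failed password for ops from 198.51.100.9 port 40001 ssh2
Feb 13 10:05:30 cam-01 sshd[821]: Failed password for ops from 198.51.100.9 port 40002 ssh2
Feb 13 10:09:00 cam-01 sshd[822]: Failed password for ops from 198.51.100.9 port 40003 ssh2
"""


def parse_auth_line(line, year=2021):
    """Return (timestamp, outcome, user, src) for an sshd password event, else None.

    Syslog timestamps carry no year, so the caller supplies one (assumed 2021).
    """
    m = AUTH_LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["outcome"], m["user"], m["src"]


def detect_bruteforce(lines, window=WINDOW, threshold=THRESHOLD):
    """Return one alert dict per source that reaches `threshold` failures inside `window`.

    Each alert records the distinct usernames tried (password spraying across
    default accounts is typical of Mirai-style bots) and whether the same source
    later produced an "Accepted password" event, which should raise severity.
    """
    recent = defaultdict(deque)   # src -> deque of (timestamp, user) failures
    alerts = {}                   # src -> alert dict, one per source
    for line in lines:
        rec = parse_auth_line(line)
        if rec is None:
            continue
        ts, outcome, user, src = rec
        if outcome == "Accepted":
            if src in alerts:
                alerts[src]["success_after"] = True
            continue
        q = recent[src]
        q.append((ts, user))
        while ts - q[0][0] > window:      # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = {
                "src": src,
                "count": len(q),
                "users": sorted({u for _, u in q}),
                "first": q[0][0].isoformat(),
                "last": ts.isoformat(),
                "success_after": False,
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG.splitlines()):
        print(alert)
```

Run on the constructed sample, the detector reports 203.0.113.7 (five failures across four usernames in eight seconds, followed by a successful root login) and stays quiet about 198.51.100.9, whose three failures are spread over seven minutes. Feeding it the real auth log of a segment's jump host or an IoT gateway, and routing the `success_after` case to an incident queue, is the kind of cheap behavioural signal that works even where endpoint agents cannot be installed.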


By Jeff Burt