Reaper Botnet Leverages Millions of Vulnerable IoT Devices

Researchers at Check Point and Qihoo 360 recently came across a fast-growing IoT botnet, which the Qihoo researchers are calling IoT_reaper. Reaper borrows some code from the Mirai botnet, with one key difference: it doesn’t try to crack weak passwords. Instead, it exploits vulnerabilities in IoT devices.

The Qihoo researchers say they’re tracking multiple command and control (C2) servers for the botnet, just one of which is leveraging more than 10,000 active bot IP addresses per day.

At the same time, they note, “there are millions of potential vulnerable device IPs being queued into the C2 system waiting to be processed by an automatic loader that injects malicious code to the devices to expand the size of the botnet.”

While the botnet currently targets nine IoT device vulnerabilities, the attackers behind the botnet appear to be adding new exploits on a regular basis.

The Check Point researchers call the new botnet IoTroop, and warn that while it may have a connection to the Mirai botnet, it’s an entirely new and far more sophisticated threat.

“So far we estimate over a million organizations have already been affected worldwide, including the U.S., Australia and everywhere in between, and the number is only growing,” the researchers wrote.

Targeting the Weakest Link

Balbix CEO and founder Gaurav Banga told eSecurity Planet by email that he frequently sees these types of vulnerabilities among the company’s enterprise customers. “IoT devices of all types, particularly security cameras, are wide open and vulnerable,” he said.

“CISOs and security teams are so slammed with implementing a good security posture for traditional servers and managed end user clients that opaque devices are often left behind,” Banga added. “Since the adversary will often look for the weakest link, these second-class devices of the enterprise become an opportunistic target.”

Paul Martini, CEO and co-founder of iboss, said by email that Reaper is already capable of launching a massive DDoS attack at any moment, and that enterprises need to respond by patching their devices and monitoring their networks for suspicious activity.

“Outside of your own devices, now is the time to double check your DDoS defenses,” Martini added. “Whoever created Reaper has an end goal in mind, and it won’t be long until we see what they have planned next.”

NexusGuard’s Q2 2017 DDoS Threat Report recently noted that UDP (User Datagram Protocol) flood attacks were the most common DDoS attack method during the quarter, surging 168 percent over Q4 2016, and suggested that the growth of IoT botnets may well be responsible for that increase.

“Owing to their lightweight nature, most [IoT devices] are currently capable of only generating plain-vanilla UDP flood attacks,” the report states. “But as IoT devices continue to advance, it is believed that botnet-driven DDoS attacks will soon grow significantly in size and in frequency.”

Jeff Goldman
Jeff Goldman has been a technology journalist for more than 20 years and an eSecurity Planet contributor since 2009.
