July 26, 2017, 2:46 am

Hunting for IoT devices to be used for massive botnet

The miso soup came just in time.

It calmed the inner shivers after David Holmes, F5 Networks’ Senior Marketing Manager of Global Security, showed me a map of scans and loads on Internet of Things (IoT) devices all over Asia, as we exchanged geeky notes on what could have been happening on the shores of China.

“What do you think is happening here?” David quizzed me, pointing to Russia.

“I think it has to do with the number of endemic China-made phones going around,” I gave my best educated guess, theorizing that it is not impossible for smartphones to have malware embedded in the manufacture. After all, it has been done before with devices like modems and WiFi cameras.

“That’s a thought,” Holmes said as he seemed to have scribbled the idea in his notebook.

Holmes is a soldered-on-the-board information security expert who has authored white papers on security topics from the modern DDoS threat spectrum to new paradigms of firewall management. He traces his roots to Cavite and Laguna but had not visited the country until recently.

He has a regular column at SecurityWeek Magazine and also contributes to the industry publications DarkReading, Wired Online, SCMagazine, and Network World.

“Someone is making a massive bot the size of the Death Star,” Holmes joked as he seriously tackled the issue of IoT devices that can either be impregnated with malware code from the start or be infected through communications over the Internet.

“It is entirely possible that the massive increase in scanning activities of IoT happening globally is an indication of how cybercriminals are operating on this front,” emphasizes Holmes.

But just how in the world do Death Star-sized botnets come about?

The scanning activities of cyber criminals can be monitored from a distance, and indicators such as a massive annual increase in activity from regions known for such nefarious cyber activity tell the story. F5 Labs determined the annual growth rate to be 1,373 percent, with a clear spike in the fourth quarter, which is 1.5 times the combined volume of Q1 through Q3.

This isn’t surprising, given the timing of the Mirai botnet. But Holmes does not want to speculate. This is because cyber attackers don’t possess such immense power on their own. They need to commandeer it and patch it together. That means the unending hunt for vulnerable IoT devices that they can penetrate, compromise and use for their evil intentions.

“You can speculate all you want about how it goes, but it only shows that something big is going to happen.”

In October 2016 the Mirai IoT botnet attack sent shockwaves over the digital space–it was totally unexpected but nevertheless pernicious. The F5 Labs team dissected the initial massive Mirai botnet attack and warned of the potential for future attacks. And, as predicted, Mirai continued to wreak havoc and take advantage of vulnerable IoT devices.

Holmes wrote “Making Sense of the Last Month of DDoS Attacks,” referring to Distributed Denial of Service (DDoS) attacks on several companies abroad. In that piece Holmes suggested ways to thwart attacks and provided guidance on avoiding compromise. Despite many countermeasures, F5 Labs and its data partner, Loryka, have been monitoring the hunt for IoT devices for a year now. A report called DDoS’s Newest Minions: IoT Devices proved what many security experts had long suspected: IoT devices were not only vulnerable, they were already being heavily exploited to pull off large distributed denial-of-service (DDoS) attacks.

Many infosec analysts first thought of this as impossible. The small brains used by IoT devices seemed to me amoebic compared to the functions needed to create any damage. But combining the power of many vulnerable devices can create a bot destructive enough.

While the number of participating networks in the second half of 2016 stayed relatively flat at 10 percent, the number of unique IP addresses participating within those networks grew at a rate of 74 percent. Clearly, threat actors within the same networks have increased their activity.
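The growth figures above come from counting who is scanning, not just how much. As an added illustration (not the column's or F5/Loryka's code), the script below takes constructed scan records, keeps only probes against the Telnet ports that Mirai-style scanners hit (an assumed filter), and reduces them to the same three measures the report compares: participating networks, unique source IPs, and period-over-period volume.

```python
from collections import defaultdict
import ipaddress

# Constructed sample scan records: (period, source_ip, destination_port).
# Addresses come from RFC 5737 documentation ranges, not real scanners.
SAMPLE_SCANS = [
    ("Q3", "203.0.113.5", 23), ("Q3", "203.0.113.9", 23),
    ("Q3", "198.51.100.7", 2323), ("Q3", "203.0.113.5", 23),
    ("Q4", "203.0.113.5", 23), ("Q4", "203.0.113.9", 23),
    ("Q4", "203.0.113.77", 23), ("Q4", "198.51.100.7", 2323),
    ("Q4", "198.51.100.8", 23), ("Q4", "198.51.100.7", 22),
]
# Telnet ports that Mirai-style IoT scanners probe; assumed filter for "IoT hunt" traffic.
IOT_PROBE_PORTS = frozenset({23, 2323})

def network_of(ip, prefix=24):
    """Collapse a source IP to its /24, a stand-in for 'participating network'."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def summarize(records, ports=IOT_PROBE_PORTS):
    """Per period: distinct networks, distinct source IPs and event volume,
    counting only probes against the IoT ports."""
    nets, ips, events = defaultdict(set), defaultdict(set), defaultdict(int)
    for period, ip, port in records:
        if port not in ports:
            continue
        nets[period].add(network_of(ip))
        ips[period].add(ip)
        events[period] += 1
    return {p: {"networks": len(nets[p]), "unique_ips": len(ips[p]),
                "events": events[p]} for p in nets}

def growth_pct(before, after):
    """Percentage change between two counts (3 -> 5 is 66.67)."""
    return (after - before) / before * 100.0

def period_growth(records, earlier, later):
    """Growth of networks and unique IPs between two periods: flat networks
    with rising unique IPs means more actors inside the same networks."""
    s = summarize(records)
    return {k: growth_pct(s[earlier][k], s[later][k])
            for k in ("networks", "unique_ips")}

def volume_ratio(records, later, earlier_periods):
    """Event volume of one period over the combined volume of others,
    the shape of the report's Q4-versus-Q1-through-Q3 comparison."""
    s = summarize(records)
    return s[later]["events"] / sum(s[p]["events"] for p in earlier_periods)
```

On the constructed data the network count stays flat between Q3 and Q4 while unique IPs grow by two thirds, the same pattern the report describes.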

So, who exactly is involved in the IoT hunt?

Holmes shared with me the salient points of the report.

“Why does it not come as a surprise to me that networks in China were on the top of the list?” I asked Holmes. Primarily state-owned telecom companies and ISPs in China headlined the threat actor list, accounting for 44 percent of all attacks in the third quarter and 21 percent in the last three months of 2016.

Trailing behind China were Vietnam and the US. Then Russia and the UK in the fourth quarter. The report also outlined that the UK surprisingly jumped to third place in the 4th quarter with most activity coming from an online gaming network.

“China because of the sheer size of the network there, the number of devices, providers and IoT connections make it very appetizing to cyber criminals,” said Oscar Visaya, F5 Networks Country Manager for the Philippines, answering my earlier question.

David is more optimistic than pessimistic about the whole IoT-as-attack-front issue.

“It is an opportunity to start making strong IoT devices and systems that are resilient to attacks,” he said, pointing to the fact that, in the end, the Internet of Things is not an end-user problem because the bulk of the devices are used by governments, enterprises, and in manufacturing.

What can concerned enterprises do to deal with the IoT threat?

Here are five solutions from F5 Networks.

1. Have a DDoS strategy that can support attack sizes beyond your network capacity.

2. Ensure all of your critical services have redundancy, even those you outsource.

3. Put pressure on IoT manufacturers to secure their products, and don’t buy products that are known to be insecure or compromised.

4. Share your knowledge—about vulnerable devices, attacks and threat actors, successful mitigation efforts, and potential solutions—with other security professionals.

Since joining F5 in 2001, Holmes has helped design the system and core security features of F5’s Traffic Management Operating System (TMOS), with four patents pending. Prior to joining F5, Holmes served as Vice President of Engineering at Dvorak Development. Holmes has over 25 years of experience in security and product engineering and has contributed to security-related open source software projects such as OpenSSL and ssldump. Follow him on Twitter @dholmesf5.

As the recognized leader in Application Delivery Networking, F5 Networks aligns performance, flexibility, and security to enable apps to move businesses forward, making their people more productive and creating a better experience for their customers. With this, F5 has covered the security gap without compromising speed or performance, aligning performance, flexibility and security to enable constantly innovative business strategies. As a result, no company knows applications like F5.

According to Gartner’s Magic Quadrant, F5 is named a Leader for Application Delivery Controllers for the 10th consecutive year, and for the SSL VPN market. F5 was also awarded Leader in the Web Application Firewall (WAF) market in Asia Pacific and Japan by Frost IQ.