Reaper - Taking Over the Internet of Things, One Vulnerable Device at a Time
Ixia's Application and Threat Intelligence (ATI) team constantly monitors malicious activity on the Internet using a network of honeypots. During the last few weeks, we've noticed a steady increase in the number of exploits hitting our honeypots compared to the same period in the previous month.
On its own this might have looked like an ordinary fluctuation, but once we correlated the data with research published by other security teams (see this 360 Netlab blog and this Checkpoint Research Publication), an interesting pattern emerged: the most significant increase was for exactly the kind of payloads delivered by Reaper.
What is Reaper?
While the Reaper malware is partly based on the Mirai source code, it is much more dangerous and efficient in spreading from one compromised IoT device to another. Reaper doesn't brute-force default SSH or telnet credentials like Mirai does. Instead, this new botnet attacks IoT devices, especially DVRs and routers, by exploiting publicly disclosed vulnerabilities that have not yet been patched on these devices.
Fig 1: Ixia ATI honeypot activity for exploits used by Reaper
Activity on our network of honeypots represented in this chart shows how the number of hits/day evolved in the past few weeks for probes trying to exploit vulnerabilities used by Reaper.
It is worth noting that Reaper activity detected by our network of honeypots is significantly lower than what we saw during the Mirai botnet expansion in the past. While Reaper is theoretically more dangerous than Mirai due to its ability to exploit remote code execution vulnerabilities, in practice it is less effective, at least so far. This difference could be explained by the fact that the Mirai source code was public and multiple threat actors could leverage it, while in this case, we're most likely dealing with a single group or individual.
Exploit hits related to this particular threat started to appear at the beginning of October 2017 and reached their peak during the October 7 - 21 interval. This week, the Reaper botnet activity seems to have slowed down. Could this first wave of Reaper attacks be "the calm before the storm"? We will continue to monitor to see how this threat evolves.
The Geography of Reaper Victims
Reaper seems to have infected IoT devices from all around the world. Our honeypots are seeing most exploit attempts coming from IP addresses in 5 countries: United States (22%), Brazil (11%), South Korea (7%), China (7%), and Turkey (4%).
Fig 2: Geographic distribution of Reaper victims
IoT Vulnerabilities Exploited by Reaper
- /shell - JAWS DVR vulnerability
- /system.ini, /set_ftp.cgi - Multiple vulnerabilities in Wireless IP Camera (P2P) WIFICAM cameras
- /upgrade_handle.php - Netgear ReadyNAS Surveillance Unauthenticated RCE
- /setup.cgi - Unauthenticated command execution on Netgear DGN devices
- /apply.cgi - Multiple Vulnerabilities in Linksys E1500/E2500
- /command.php - Multiple Vulnerabilities in D-Link DIR-600 and DIR-300
- /board.cgi - Vacron NVR Remote Command Execution
- /hedwig.cgi - D-Link 850L Multiple Vulnerabilities
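The list above is, in practice, a set of URI paths a defender can watch for in honeypot or web-server logs: a request for one of them against a device that should never serve it is a probe worth counting. The following is an added example (not Ixia's honeypot code): it parses Common Log Format lines, maps the request path to the device family from the list above, and tallies hits per day, per family, and per source IP, the same kind of hits/day view shown in Fig 1. The log lines are constructed samples using RFC 5737 test addresses; the log format and field names are assumptions.

```python
"""Count log hits against the URI paths Reaper's exploits target.

Added example with constructed sample data; not Ixia honeypot code.
"""
import re
from collections import Counter

# URI paths the post lists as exploited by Reaper, mapped to device family.
REAPER_PATHS = {
    "/shell": "JAWS DVR",
    "/system.ini": "WIFICAM camera",
    "/set_ftp.cgi": "WIFICAM camera",
    "/upgrade_handle.php": "Netgear ReadyNAS Surveillance",
    "/setup.cgi": "Netgear DGN",
    "/apply.cgi": "Linksys E1500/E2500",
    "/command.php": "D-Link DIR-600/DIR-300",
    "/board.cgi": "Vacron NVR",
    "/hedwig.cgi": "D-Link 850L",
}

# Common Log Format (assumed): ip ident user [day:time zone] "METHOD uri proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2}/\w{3}/\d{4}):[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (RFC 5737 test networks); one line is deliberately malformed.
SAMPLE_LOG = [
    '198.51.100.7 - - [07/Oct/2017:10:01:22 +0000] "GET /shell?id=1 HTTP/1.1" 404 162',
    '198.51.100.7 - - [07/Oct/2017:10:01:23 +0000] "GET /system.ini HTTP/1.1" 404 162',
    '203.0.113.5 - - [08/Oct/2017:03:14:00 +0000] "POST /cgi-bin/setup.cgi HTTP/1.1" 404 162',
    '203.0.113.5 - - [08/Oct/2017:03:14:01 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '192.0.2.44 - - [08/Oct/2017:21:40:09 +0000] "GET /hedwig.cgi HTTP/1.0" 404 162',
    'this line is not in Common Log Format',
]


def classify(uri):
    """Return the device family whose exploit path the request matches, or None."""
    path = uri.split("?", 1)[0]            # drop the query string
    base = "/" + path.rsplit("/", 1)[-1]   # match on the last component (e.g. /cgi-bin/setup.cgi)
    return REAPER_PATHS.get(base)


def summarize(log_lines):
    """Tally Reaper-path probes per day, per device family and per source IP."""
    per_day, per_family, per_ip = Counter(), Counter(), Counter()
    unparsed = 0
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1                  # keep a count so parser drift is visible
            continue
        family = classify(m.group("uri"))
        if family is None:
            continue                       # ordinary traffic, not a probe for a listed path
        per_day[m.group("day")] += 1
        per_family[family] += 1
        per_ip[m.group("ip")] += 1
    return {"per_day": per_day, "per_family": per_family,
            "per_ip": per_ip, "unparsed": unparsed}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for day, hits in sorted(result["per_day"].items()):
        print(f"{day}: {hits} hits")
    for family, hits in result["per_family"].most_common():
        print(f"  {family}: {hits}")
    print("top sources:", result["per_ip"].most_common(3))
    print("unparsed lines:", result["unparsed"])
```

A hit on one of these paths means a probe, not a compromise: on a honeypot every request is hostile by definition, but on a production device the response status matters (a 404 shows the path does not exist there, while a 200 from a device that should not expose it deserves a closer look). Matching on the last path component keeps `/cgi-bin/setup.cgi` and `/setup.cgi` together, at the cost of also catching any unrelated file with the same name, so tune the list to the devices actually deployed.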
As this particular threat continues to evolve, we expect the Reaper malware authors to continue adding new vulnerabilities to their infection mechanism. This will allow the Reaper botnet to successfully target more types of devices in the future.
Automatic Exploiting is Becoming the Norm
A router is a critical piece of everybody's Internet experience, but unfortunately, almost nobody spends the time to actually maintain and update this piece of hardware. Old firmware, default passwords, and vulnerable libraries continue to haunt many organizations. Exploiting neglected platforms has become so popular and easy that many automated tools have been created to make the process a breeze.
Whether we like it or not, it's only a matter of time until someone with bad intentions bundles together the most common router and DVR exploits and "autopwns" them for personal gain. With the rise of automated tools like RouterSploit or CherryBlossom, it's no surprise that malicious actors have jumped on this bandwagon as well.
Keeping Your IoT Devices Safe
That being said, we should take the same care of our digital infrastructure and security as we do of our physical one. Keeping your router up to date should be a priority as high as locking your door when leaving the neighborhood and making sure that it stays shut.
Our main advice – update everything! It's not just your operating system and web browser that need updates. Internet-connected cameras and routers also need updates. Unfortunately, the update mechanisms implemented in these devices are not necessarily "user-friendly". Most of the time, users don't even know there's a firmware update for their IoT device unless they check the website of that specific vendor.
For more thorough advice on how to defend yourself and your organization against IoT threats, check our recent blog post, IoT Security – Strategies to Protect “Your Things” and “Networks”.
Leverage Subscription Service to Stay Ahead of Attacks
The Ixia BreakingPoint Application and Threat Intelligence (ATI) Subscription provides bi-weekly updates of the latest application protocols and attacks for use with Ixia platforms.