The Messaging, Malware, and Mobile Anti-Abuse Working Group (M3AAWG) hosted an Engagement Series webinar this past spring instructed by Shoko Nakai with the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC). The  M3AAWG member-only session, Internet of Things (IoT) Devices Leveraged in Cyber Attacks and How Botnets are Created and Used: Findings through JPCERT/CC's Coordination, covered the continued use of malware in exploiting routers, security cameras, DVRs, and other devices belonging to the IoT.

Shoko described the current situation involving Mirai, GobRAT, and various other types of malware infecting IoT devices. The presentation provided a review of actual incident cases and discussed ways to address ever-expanding botnets in the future.

TSUBAME, an Internet threat monitoring system operated by JPCERT/CC, consistently shows the usage of variants of Mirai and other types of malware since Mirai first appeared several years ago. Daily incident reports from Internet Service Providers (ISPs) and Internet users identify malware-infected routers, security cameras, DVRs, and other devices.

JPCERT/CC conducts assessments, investigations, and coordinated response to these incidents. 

To infect IoT devices with such malware, attackers first compromise them, targeting the Web-UI authentication with its default setting or bypassing authentication by exploiting other vulnerabilities. Then, the attacker injects the malware into the device. In some cases, attackers also exploit Dynamic Domain Name System (DDNS) services for IoT devices.

When businesses use IoT devices for security reasons, such as surveillance cameras, they need to enable DDNS service to remotely monitor and check the status of the devices. In such cases, attackers may compromise the DDNS service setting and make the devices connect to a server managed by them.

JPCERT/CC has also found cases where manufacturers fail to manage the domain names designated for their DDNS services due to the discontinuation of their businesses. In these cases, attackers may hijack the domains.

Shoko described the challenges in the IoT ecosystem and its associated products, most notably the number of stakeholders. Stakeholders include ISPs, product distributors, vendors, and product end-users. Each stakeholder has their own unique problems. ISPs need to know what devices are vulnerable and if those devices exist on their networks. Product end-users lack both information and skills to combat the problem.

Incident response requires stakeholders to receive information and remedies that are tailored to the scope of their engagement with the IoT. Incident response centers, like JPCERT/CC, are vital to coordinating these actions.

M3AAWG hosts several Engagement Series throughout the year that provide members engagement opportunities in our community’s fight against online abuse. These webinars are free for member organizations. More information and access to recordings of previous Engagement Series may be found on the Members-Only portion of the website under the M3AAWG Engagement Series page.