2022 IoT Threat Review | FortiGuard Labs
FortiGuard Labs monitors the IoT botnet threat landscape for new and emerging campaigns with the help of honeypots we have deployed to capture active attacks in the wild. This article provides insights into the data collected by our monitoring system over the past year.
Affected Platforms: Linux
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: Critical
Our distributed honeypot systems allow us to capture and monitor campaigns that are actively targeting IoT devices for infection. In most cases, these devices are turned into bots used to perform Distributed Denial of Service (DDoS) attacks.
These malware campaigns primarily brute force Telnet and SSH credentials to gain access to IoT devices and then execute their bot binaries. In 2022, a total of over 20 million successful brute force attacks were recorded by our system. Figure 1 shows the number of successful brute force attacks against our honeypots by month.
Figure 1: Attack volume by month
Figure 2 breaks down the 121,799 unique attacker IPs observed in 2022 by the country in which they were hosted.
Figure 2: Attacker IPs by country
Figure 3 breaks down attack volume by the country in which the attacking servers were hosted.
Figure 3: Attack volume by country
Aside from brute forcing credentials to infect devices, IoT malware also takes advantage of vulnerabilities to spread, as in the Beastmode Mirai campaign we discussed in April. Our monitoring system identifies possible exploitation requests used by malware samples. Of the more than one hundred vulnerabilities targeted by IoT malware samples captured last year, we primarily observed attempts to exploit CVE-2017-17215, an old Remote Code Execution (RCE) vulnerability in Huawei HG532 routers. In fact, over 30% of the malware samples containing embedded exploits target this vulnerability (Figure 4).
Figure 4: Top vulnerabilities targeted
In terms of actual attack volume in the wild, 30-day Fortinet IPS telemetry shows the IPS signature Huawei.HG532.Remote.Code.Execution detecting attempts to exploit CVE-2017-17215 at an average of 80,000 detections per day, peaking at 160,000.
Figure 5: Huawei.HG532.Remote.Code.Execution (CVE-2017-17215) 30-day Daily Detection Count
We also found the following CVEs from 2022 being targeted:
- CVE-2022-26186 (TOTOLINK Routers RCE)
- CVE-2022-26210 (TOTOLINK Routers RCE)
- CVE-2022-25075/25076/25077/25078/25079/25080/25081/25082/25083/25084 (TOTOLINK Routers RCE)
- CVE-2022-22947 (Spring Cloud Gateway RCE)
- CVE-2022-29013 (Razer Sila Gaming Router RCE)
- CVE-2022-1388 (F5 BIG-IP iControl RCE)
- CVE-2022-22954 (VMware Workspace ONE Access RCE)
- CVE-2022-23377 (Archeevo LFI)
- WordPress cab-fare-calculator plugin 1.0.3 (LFI)
- WordPress video-synchro-pdf plugin 1.7.4 (LFI)
It is important to note that although there were attempts to target Local File Inclusion (LFI) vulnerabilities, the attempts were not implemented correctly and would not have successfully exploited them.
The most actively exploited vulnerability in the list above is CVE-2022-22954 in VMware Workspace ONE Access. The VMware.Workspace.ONE.Access.Catalog.Remote.Code.Execution IPS signature recorded an average of 80,000 daily detections in 30-day Fortinet IPS telemetry. Our post from October noted that this vulnerability is also a hot target for other, non-IoT malware campaigns.
Figure 6: VMware.Workspace.ONE.Access.Catalog.Remote.Code.Execution (CVE-2022-22954) 30-day Daily Detection Count
We also observed that the F5 BIG-IP iControl CVE-2022-1388 (F5.BIG-IP.iControl.REST.Authentication.Bypass) was another popular vulnerability, experiencing a daily average of 25,000 hits, peaking at 50,000.
Figure 7: F5.BIG-IP.iControl.REST.Authentication.Bypass (CVE-2022-1388) 30-day Daily Detection Count
Figure 8: Top architecture
Based on our research, the majority of IoT malware is built to run on the ARM 32-bit architecture, comprising almost three-quarters of all samples captured (Figure 8). The “script file” label is for plaintext Bash scripts whose purpose is to download and install the payload binary after brute forcing or exploitation.
Top Malware Families
Figure 9 shows the most common malware families detected by our systems, grouped by month. Mirai and Gafgyt variants are predominant, with Kyton, a Gafgyt/Mirai hybrid, being one of the most heavily distributed families in terms of volume. Being a Gafgyt/Mirai hybrid, Kyton reuses code from other Mirai variants to exploit CVE-2017-17215 (Huawei Router HG532), JAWS Webserver RCE, or CVE-2014-8361 (Realtek SDK). Samples tagged as _unknown on the graph (Figure 9) are malware yet to be linked to any known malware campaigns. They could be fresh botnets infecting our honeypots.
Figure 9: Top IoT malware families by month
As Figure 9 shows, most of the active IoT botnets last year were based on Mirai and Gafgyt, but several campaigns stood out from the crowd.
In mid-March, for example, we encountered Enemybot, which at the time was the latest botnet campaign from the threat group Keksec. It was a hybrid of Gafgyt and Mirai and was using the TOR network to mask its real Command and Control (C2) servers.
RapperBot is a DDoS botnet that we encountered in mid-June. This malware is interesting because it was using an embedded SSH client to spread and because we observed unusual changes to its variants that made us question its primary motivation. In October 2022, we observed a new campaign from potentially the same threat actors targeting servers for popular games.
Lastly, Zerobot is a DDoS botnet written in the Go programming language (also known as Golang) that FortiGuard Labs first encountered in November 2022. It utilizes both old and recent vulnerabilities to spread, and uses WebSockets to communicate with its C2 servers.
The Rise of Golang IoT malware
Another trend we saw with IoT botnets was the rise of samples written in Golang, despite their compiled binaries being much larger. A Golang ELF executable can easily exceed 4MB in size, whereas typical Mirai and Gafgyt binaries are below 300KB. For this reason, some campaigns use the UPX packer to reduce the file size.
Up through October 2022, one of the C2 servers (176[.]65[.]137[.]5) listed in our Zerobot report historically distributed the Mirai-based SORA variant. It then switched to distributing Zerobot the following month. For example, hxxp://176[.]65[.]137[.]5/bins/zero[.]x86 served a UPX-packed SORA binary in October 2022 (Figure 10), but similar URLs with the zero.arch filename were later seen distributing Zerobot instead. The switch from SORA to Zerobot under the same campaign filename is notable, as the two families do not share a common C2 protocol. The intent behind the switch remains unclear.
Figure 10: file zero.x86 downloaded from ZeroBot C2 vis-à-vis SORA sample
Apart from Zerobot, we are also highlighting several additional Golang botnets caught by our honeypots.
In early November 2022, we collected samples of a DDoS botnet that supports only TCP-based DDoS attacks. This botnet is named Rose, based on the source code previously hosted on GitHub. Interestingly, the bot configures ZTE and Huawei devices to prevent their exploitation, similar to the Mozi botnet reported by Microsoft.
We also came across a simple DDoS bot that calls itself “nyancat” (Figure 11), as seen in the path of the source files used to compile the binary. The path also suggests that the bot was compiled in a Windows environment. This bot extends publicly available botnet code on GitHub to perform HTTP-based Denial of Service (DoS) types of attacks on top of existing TCP, UDP, and Valve Source Engine (VSE) attacks.
Figure 11: nyancat source file name
Interestingly, we found another DDoS botnet also compiled in Windows from the same source file base path (Figure 12), C:/Users/Admin/Music.
Figure 12: Another Windows compiled DDoS bot
This botnet also looks like an adaptation of another source code on GitHub that supports HTTP GET, HULK, GoldenEye, TLS and basic TCP and UDP types of DoS attacks (Figure 13).
Figure 13: Function comparison between the two DDoS bots
It’s possible that these two samples were compiled by the same threat actor, given that the binaries were built from source code located in similar directories on Windows machines and that some of the functions share similar names and code.
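To make the labels in Figures 8 and 11 to 13 concrete (ELF architecture and bit width, the “script file” class, the UPX marker, Go toolchain markers and embedded Windows source paths such as C:/Users/Admin/Music), here is an added triage routine for captured payloads. It is example code written for this article, not FortiGuard Labs tooling; the samples it runs on are constructed inside the script and are not real malware, and fake_elf builds only the header fields the check reads.

```python
import re
import struct

# ELF e_machine values (from the ELF specification) mapped to the labels used in Figure 8
ELF_MACHINES = {0x03: "x86", 0x08: "MIPS", 0x14: "PowerPC", 0x28: "ARM",
                0x2A: "SuperH", 0x3E: "x86-64", 0xB7: "AArch64"}

# Source-file paths (Windows drive-letter or Unix style) that the Go toolchain
# leaves in unstripped binaries; paths containing spaces are not matched.
GO_SOURCE_PATH = re.compile(rb"(?:[A-Za-z]:)?[/\\][\x21-\x7e]*?\.go(?![\x21-\x7e])")

def triage(blob: bytes) -> dict:
    """Classify a captured payload the way the honeypot statistics do: script file
    vs ELF, CPU architecture and bit width, UPX marker, Go markers, source paths."""
    info = {"kind": "unknown", "arch": None, "bits": None,
            "upx": b"UPX!" in blob, "golang": False, "source_paths": []}
    if blob.startswith(b"#!"):                 # plaintext downloader/installer script
        info["kind"] = "script file"
        return info
    if len(blob) < 52 or blob[:4] != b"\x7fELF":
        return info
    info["kind"] = "ELF"
    info["bits"] = 32 if blob[4] == 1 else 64  # EI_CLASS: 1 = ELFCLASS32, 2 = ELFCLASS64
    endian = "<" if blob[5] == 1 else ">"      # EI_DATA: 1 = little endian, 2 = big endian
    (e_machine,) = struct.unpack(endian + "H", blob[18:20])
    info["arch"] = ELF_MACHINES.get(e_machine, f"unknown(0x{e_machine:x})")
    # Go binaries carry a build-ID note and a pclntab section unless stripped or packed
    info["golang"] = b"Go build ID:" in blob or b".gopclntab" in blob
    info["source_paths"] = sorted({m.group(0).decode() for m in GO_SOURCE_PATH.finditer(blob)})
    return info

def fake_elf(machine: int, bits: int, payload: bytes) -> bytes:
    """Constructed sample: a minimal (non-loadable) ELF header followed by payload bytes."""
    ident = b"\x7fELF" + bytes([1 if bits == 32 else 2, 1, 1]) + b"\x00" * 9
    return ident + struct.pack("<HH", 2, machine) + b"\x00" * 32 + payload

# Constructed samples modelled on the report: an unstripped Go bot built on Windows,
# a UPX-packed x86-64 binary and a shell downloader script (placeholder body).
GO_BOT = fake_elf(0x28, 32, b"\x00Go build ID: \"x\"\x00go1.19\x00C:/Users/Admin/Music/nyancat/main.go\x00")
PACKED = fake_elf(0x3E, 64, b"\x00UPX!\x00" + b"\x90" * 64)
SCRIPT = b"#!/bin/sh\necho constructed placeholder\n"

if __name__ == "__main__":
    for name, sample in (("GO_BOT", GO_BOT), ("PACKED", PACKED), ("SCRIPT", SCRIPT)):
        print(name, triage(sample))
```

On real captures the UPX and Go checks are heuristics: a packed Go binary hides its build ID until unpacked, so “upx” true with “golang” false should be read as “unknown until unpacked”.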
Figure 14: Panchan botnet strings
Another malware we captured is Panchan (Figure 14), a Golang-based XMRig miner that was documented by Akamai around June 2022 but with earlier samples found as early as March.
IoT malware is very much alive and continues to exploit both old and new vulnerabilities to infect devices and propagate. While most of it targets router vulnerabilities, there are notable exceptions, such as the popular F5 BIG-IP iControl CVE-2022-1388 and VMware Workspace ONE Access CVE-2022-22954 vulnerabilities. Data from our telemetry also confirms that even old vulnerabilities from 2014 are still being actively exploited.
Mirai and Gafgyt-based malware still dominate the IoT threat landscape in terms of the sheer volume of samples. There is also a growing variety of malware written in the Go programming language, possibly fueled by the increasing availability of malware source code in public repositories like GitHub, which makes it easy for unsophisticated threat actors to build and operate their own botnets.
With this increased interest in using Golang for malware development, we expect to see even more Golang IoT botnets this year.
FortiGuard Labs will continue to track and report on emerging threats and trends in the IoT threat landscape.
The FortiGuard Antivirus service detects and blocks these threats as
The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR, and the Fortinet AntiVirus engine is a part of each of those solutions. Customers running current AntiVirus updates are protected.
FortiGuard Labs provides IPS signatures against the following vulnerabilities.
The FortiGuard Web Filtering Service blocks the C2 servers and download URLs cited in this report.
The FortiGuard IP Reputation and Anti-Botnet Security Service proactively blocks these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that work together to provide up-to-date threat intelligence about hostile sources.