FINAL WORD

“The speed at which vulnerable devices are infected shows how important it is to protect yourself from these attacks.”
Johannes Ullrich, Dean of Research at SANS Institute and founder of the Internet Storm Center

Attacks against devices like this often go unnoticed but can have severe consequences. Cybercriminals can use the access they have gained to these devices to intercept traffic passing through them. More recently, a botnet known as VPNFilter was discovered with a more sinister mission. Unlike most similar botnets, VPNFilter cannot simply be removed from the device with a reboot. Instead, the bot alters the device’s firmware and will try to re-infect the device after a reboot. VPNFilter includes various modules that can be used to sniff traffic passing through the device, or that can use the device as a platform to launch attacks against other networks. VPNFilter is believed to have been targeting energy companies in the Ukraine.

Most malware infecting devices, however, has a much more benign goal – mining cryptocurrencies. Cryptocurrencies are currently by far the most common method that criminals use to monetise attacks from the devices they are taking over. No device is too small. Monero, for example, one of the primary cryptocurrencies being targeted by criminals these days, can be mined very efficiently on smaller devices and PCs.

The speed at which vulnerable devices are infected shows how important it is to protect yourself from these attacks. As even home users are affected, it is important to implement some simple and effective guidelines. First of all, always change the password that comes with your device. Default passwords are the most common attack vector. Unfortunately, in some cases it may not be possible to change the password. This is particularly true for passwords that are installed by manufacturers as a backup or support account. The user often doesn’t know about these accounts or is unable to change the passwords.

A typical attack will first scan the device for common vulnerabilities or well-known default passwords. If the attack is able to access the device, then it will often remove competing malicious code and install its own ‘miner’ software. The software will then try to use as much of the device’s CPU as possible in order to mine cryptocoins. The attacker will usually have no regard whatsoever for any collateral damage caused to the user or the device. Affected firewalls often become unresponsive and in some cases may overheat and break permanently. In fact, in multiple experiments run by the SANS ISC, it only took a few minutes for a vulnerable device to be attacked and taken over once it was connected to the Internet. These attacks affect any Internet-connected device.

For this reason, all remote access methods should be disabled or severely restricted. Manufacturers will also often release updates if a new vulnerability becomes known. It can be tricky to apply these updates to some devices, but it is important that you do so, since at SANS, we have seen in the D-Link case how a new vulnerability is being exploited within a couple of days.

Figure caption: The graph shows the rise of scans for ports 80, 8000 and 8080 from Saudi Arabia and some of its neighbours over a period of 12 days.
Figure caption: The Satori botnet distribution by country.

INTELLIGENTCIO
www.intelligentcio.com
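As an added example (not code from the column or from the SANS ISC), the kind of check behind the scan graph the column describes: count the distinct source addresses per day that probe ports 80, 8000 and 8080 from one country in firewall log lines, and flag the days on which that count doubles. The log line format, the sample values and the thresholds are assumptions constructed for the example.

```python
from collections import defaultdict

# Ports the column's graph tracks: web/management interfaces of routers and firewalls
WATCHED_PORTS = {80, 8000, 8080}

# Constructed sample of firewall deny-log lines (not real ISC data), one probe per line:
# "<ISO date> <source ip> <source country> <destination port>"
SAMPLE_LOG = """\
2018-06-01 203.0.113.11 SA 80
2018-06-02 203.0.113.12 SA 8080
2018-06-02 203.0.113.12 SA 80
2018-06-03 203.0.113.13 SA 80
2018-06-03 203.0.113.14 SA 8000
2018-06-03 203.0.113.15 SA 8080
2018-06-03 203.0.113.16 SA 443
2018-06-04 203.0.113.17 SA 80
2018-06-04 203.0.113.18 SA 8080
2018-06-04 203.0.113.19 SA 8000
2018-06-04 203.0.113.20 SA 8080
2018-06-04 203.0.113.21 SA 8080
2018-06-04 203.0.113.22 SA 80
2018-06-04 198.51.100.5 DE 8080
"""

def parse_line(line):
    """One log line -> (day, source ip, source country, destination port)."""
    day, src_ip, country, port = line.split()
    return day, src_ip, country, int(port)

def daily_scanners(log_text, country):
    """Distinct source IPs per day probing a watched port from `country`.
    Distinct sources, not raw hits: one noisy host must not look like a wave."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        day, src_ip, src_country, port = parse_line(line)
        if src_country == country and port in WATCHED_PORTS:
            seen[day].add(src_ip)
    return {day: len(ips) for day, ips in sorted(seen.items())}

def rising_days(counts, factor=2.0, min_sources=3):
    """(day, count) for days at least `factor` x the previous day and at least
    `min_sources` scanners, so 1 -> 2 is noise but a doubling from 3 is flagged."""
    days = sorted(counts)
    flagged = []
    for prev, cur in zip(days, days[1:]):
        if counts[cur] >= min_sources and counts[cur] >= factor * counts[prev]:
            flagged.append((cur, counts[cur]))
    return flagged
```

Run against real deny logs, the flagged days are the ones worth correlating with newly published router vulnerabilities, as in the D-Link case the column mentions.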