Blog :: Security Operations

Detecting IoT_Reaper with Network Traffic Intelligence

adamh

Confidentiality, integrity, and availability are the three major components of information security. Over the years it has become easier to ensure the confidentiality of information via encryption, limiting data access to those who possess the correct key. Information integrity can be validated with a hash like MD5 or SHAxxx. If a file produces the same hash, we can trust it has remained unaltered. This leaves us with availability, a space that has become the front line of the information security war.

Information availability is critical to the workflow of every business and essential in providing a good experience to end users. If the right person cannot access the right information at the right time, you have a failure of availability. Disruptions to availability come in many variants, from Cryptolocker-style attacks that prevent access to files, to large-scale Denial-of-Service attacks, which aim to overwhelm systems’ ability to serve data. Such large-scale attacks are made possible today by IoT botnets. Today a botnet is spreading across the globe using new tactics that make it difficult to predict its future use. It has been named the IoT_Reaper.

What is IoT_Reaper?

We have seen botnets grow to immense size, a recent example being the Mirai Botnet. Mirai used a catalog of default/factory passwords, which proved more than sufficient to amass hosts. IoT_Reaper has a more sophisticated approach in the recruitment process. The Reaper takes advantage of known security vulnerabilities in devices from companies like D-Link, Netgear, Linksys, and more. While many of these vulnerabilities have been patched by the vendors, end consumers don’t tend to apply those patches to their IoT devices. Those in the networking world know the importance of patching, but the average person buying a fun IoT webcam to watch the house while they are away may not.

IoT_Reaper’s distribution vector isn’t the only upgrade from its predecessors. A LUA execution environment is constructed on infected devices. This allows attackers to build tools that can be executed in a common environment, rather than depending on only the libraries and tools native to IoT devices. Scripting can then be used to increase the severity of attacks or expand the botnet’s ability to spread.

How can we detect the presence of IoT_Reaper in our networks?

Luckily, researchers have been able to identify the IP addresses involved in the distribution of the botnet. Using a tool like Scrutinizer, which makes it easy to review activity on your network, reports can be built that will alert us to the presence of communication with compromised hosts.

A Study by NetLab found the following addresses to be indicators of compromise:

  • 162.211.183.192 – Downloader, responsible for providing the full malware payload to infected hosts
  • 27.102.101.121 – Controller, responsible for typical C2 activities and coordination
  • 222.112.82.231 – Reporter, collects information about new hosts that are vulnerable to infection
  • 119.82.26.157 – Loader, exploits vulnerabilities against devices listed in the reporters’ database

With these addresses, we can begin to build reports and thresholds in Scrutinizer to both ensure there wasn’t contact in the past and be alerted to future events.

First, create an IP group of the compromised addresses to use as a filter in our reports. Navigate to Admin > Definitions > IP Groups.

Building IP groups

Groups can be constructed using individual IP addresses like those found by NetLab, so we will create an IP group called ‘IoT_Reaper IOC.’ Now this group can be used as a filter in our reports and thresholds.

Next, navigate to the Status tab and select ‘Run Report.’ Select ‘Use All’ for device and interface, and ‘Conversation by Application Pair’ for report type. Finally, select a time range of the last five minutes; this will allow us to build a threshold alarm using the most current data available.

After clicking Launch Report, you will be given a report listing the top 10 conversations across your network. Here we will add a filter to look for conversations with IoT_Reaper IOC addresses. On the left side of the screen, next to the Filters Label, click Add.

In the filters window that opens, select the IP groups filter type and the IoT_Reaper IOC group. Leave the direction set to ‘both,’ as we’re looking at all the interfaces on the network.

Building reports

Once the filter is applied, you will only be left with results that include the malicious IPs, or hopefully no results at all. At this point, save the report and call it ‘IoT_Reaper Alert.’ From a blank report, we can click the Add button next to the threshold label.

Setting thresholds

Setting a per row threshold of 1bit will issue an alarm for every connection made that makes it through the filter we set up. This process allows us to build new IDS functionality into Scrutinizer, making it easier to detect things like the spread of IoT_Reaper in the context of a network environment. If you’re new to Scrutinizer and want to try detecting malicious activity like IoT_Reaper, try our 14-day evaluation and start gaining insight into what is communicating on your network.