Default Passwords Aid Satori IoT Botnet Attacks
Researchers at Netlab 360 detected a surge in malicious activity scanning and infecting several IoT devices, attempting to make them part of Satori, a variant of the Mirai IoT botnet that is used to take down websites and mine digital coins. Experts point to lack of oversight in IoT and the cursed default usernames and passwords as the reason why hackers are leveraging this critical vulnerability in D-Link DSL routers.
While Mirai was rampant two years ago, Satori was first discovered in late 2017 infecting more than 260,000 home routers within 12 hours, according to a 15 June post from Netlab 360. Researchers recently noted that the Satori author released a worm, targeting for D-Link DSL-2750B devices. In this latest uptick of malicious activity, this Satori variant has been taking advantage of recently discovered device exploits. It also carries distributed denial-of-service (DDoS) capabilities and has been reported to have launched several DDoS attacks, according to a report from Radware.
Ashley Stephenson, CEO of Corero Network Security, said, “At this point, Corero detects scans that are indicative of a ‘bot-herding’ phase, seeking devices to compromise as Sartori bots, potentially for multiple botnets owned by different botmasters.”
Consumers using vulnerable routers can take preemptive steps by following the manufacturer’s instructions to disable remote administration, which Corero Network Security said reduces exploit surface. Yet experts want the industry to do more.
Using the two analogies – a car manufacturer no longer issuing recalls and pharmacies continuing to distribute medicines deemed unsafe – Mukul Kumar, CISO and VP of cyber practice at Cavirin, pointed the finger of blame on those who deploy and manage these devices. “The potential for personal and corporate data breach calls for [them] to take additional responsibility, which includes updates.”
“We need a more formal update and ‘recall’ mechanism in place,” Kumar continued. “The end user in many cases doesn’t have the skill set or even the awareness to take action. Looking forward to the increasingly connected home – HVAC, security, lighting, etc. – the need for greater oversight is critical.”
In addition to default usernames and passwords, most IoT devices are shipped to consumers and enterprises with out-of-date, unsecure software that is never updated by manufacturers, said Chris Morales, head of security analytics at Vectra. “IoT devices are also trivial to access, with no regulations or guiding principles mandating how secure they should be.”