The Weaponization of IoT: Rise of the Thingbots

Threat actors use botnets — networks of infected computers or devices — for various cybercriminal purposes, most significantly distributed denial-of-service (DDoS) attacks against predefined targets. Today, botnets with DDoS capabilities are even for sale on the Dark Web. In March 2016, our IBM report, “The Inside Story on Botnets,” explored the botnet cybercrime landscape. How has this threat evolved?

Tracking the Weaponization of IoT

One of the most important changes, the rising use of compromised Internet of Things (IoT) devices in botnet operations, is the focus of our latest report, “The Weaponization of IoT Devices.” The IBM X-Force team has been tracking the threat from weaponized IoT devices, also known as thingbots. In the report, we examined several 2016 attacks and the motivations behind them.

Most notably, we reported on the use of the Mirai botnet in several publicly disclosed DDoS attacks, as well as the exponential increase in the bandwidth involved in those attacks. In June 2016, one of these attacks peaked at around 400 Gbps. In the months following, the threat from thingbots grew substantially.

In October 2016, reports of an IoT DDoS botnet attack against a different target revealed an approximately 200 percent size increase over the attack reported in June. X-Force also observed a rise in attacks from a new variant of the ELF Linux/Mirai malware that, in addition to traditional DDoS capabilities, also contains a bitcoin mining component.

Notable 2016 IoT botnet DDoS attacks

Additionally, our analysis of port metrics obtained through a darknet — a block of IP addresses that should not receive any connection requests — revealed significant increases of scanning on TCP ports 23, 2323 and 7547 throughout the end of 2016. These ports are associated with the Mirai botnet, which scans them looking for vulnerable IoT devices.

An Evolving Threat

DDoS attacks have evolved over time. The weaponization of IoT devices into attacking DDoS botnets is simply the latest trend, the current “thing” from which to create an army of bots.

A recent report from Incapsula illustrated how this threat is not diminishing any time soon. One of its customers, a U.S. college, suffered a massive DDoS attack in February 2017 that lasted more than two days. According to the report, analysts believed that the perpetrators used new version of the Mirai malware that was “modified to launch more elaborate application layer attacks.” Interestingly, DVRs manufactured by the same vendor made up 56 percent of all IPs used in the attack.

A DDoS Arms Race

There are several drivers underlying a majority of issues with IoT. As DDoS attacks have become more potent and more common, we have witnessed a parallel proliferation of DDoS mitigation services, an arms race of sorts.

Whether it’s a computer, mobile device or appliance, anything connected to the internet could become subject to attack. The proliferation of IoT devices will accelerate substantially — they are expected to account for more than two-thirds of the 34 billion connected devices projected by 2020.

It is vital that organizations and consumers look to implement IoT security best practices. Refer to the report to find out how to prevent your IoT device from becoming part of a massive botnet.

Read the complete X-Force Research report Now: The Weaponization of IoT

Share this Article:
Lyndon Sutherland

Senior Threat and Intelligence Analyst, IBM X-Force

Lyndon Sutherland has been involved in Network Engineering and Security for more than twenty years, fourteen of which have been with IBM. His work with IBM as a researcher and analyst led him to joining the X-Force Threat Analysis Service (XFTAS) in 2008. In addition to XFTAS, he also works with the Managed Security Services Threat Research Group writing and contributing to research papers.