By Alain Penel, Regional Vice President – Middle East, Fortinet
The evolution of malware is being fueled largely by the proliferation of IoT. According to Gartner data, there were about 8 billion connected “things” in 2017. But that number is expected to nearly triple to more than 20 billion in just the next two years, which averages out to roughly three connected devices per person on Earth. Simply put, the opportunity for cybercriminals to enter networks and steal data or hold segments (or the entirety) of the network hostage is growing at an exponential rate, with no signs of slowing down.
Fortinet’s Threat Landscape Report for Q4 2017 supports this conclusion, especially as it comes to IoT-focused exploits — which quadrupled during this time period. The findings in this report are drawn from billions of threat events and incidents collected by Fortinet’s global array of network devices and sensors deployed in live production environments.
To be sure, there are plenty of threats to go around. Key Reinstallation Attacks (KRACK) against the WPA2 protocol, for example, pushed the word “nonce” out of the cryptographer’s lexicon and into the mainstream. Ransomware added some sinister-sounding monikers like “. asasin” and “Bad Rabbit.” Cryptomining attacks surged and crashed systems.
In fact, during Q4 of 2017, FortiGuard Labs detected an average of 274 attacks per firm, which is a remarkable 82% increase over the previous quarter. The number of existing malware families also increased by 25% — to 3,317 — and unique malware variants grew 19% — to 17,671 — which not only indicates a dramatic growth in volume, but in the evolution of malware itself.
IoT Attacks on the Rise
However, IoT-based attacks took the top spot in Q4. Exploits against the GoAhead WIFICAM, MVPower DVR, Netcore Netis devices and Ubiquiti Networks AirOS equipment all widened their spread across sensors in Q4, making the top 20 list of detected exploits. WIFICAM detection exploits, in particular, shot up the list. While 8% of firms registered these in Q3, Q4 brought in four times that number. And to make the IoT attack vector even more challenging, none of these exploits is associated with a known or named CVE (Common Vulnerabilities and Exposures), one of the many troubling results from the rapidly growing number of vulnerable devices in IoT.
In fact, three of the top 20 attacks identified in Q4 targeted IoT devices. But unlike previous IoT attacks, which exploited a single vulnerability, new IoT botnets such as Reaper and Hajime are able to target multiple vulnerabilities simultaneously. This multivector approach is much harder to combat. Reaper’s flexible framework, built on a Lua engine and scripts, means that instead of the static, preprogrammed attacks of previous IoT exploits, its code can be easily updated. This allows it to swarm faster by running new and more malicious attacks as they become available on an active botnet already in place.
The potential for this sort of evolution is alarming. For example, Reaper exploit volume in early October was able to spike from 50K to 2.7 million in just a few days before dropping back to normal.
What Lies Ahead
The fallout from escalating IoT-focused attacks targeting vulnerable and unpatchable devices will most likely take the form of huge botnets that enable the swarming effect seen in the past (for example, the Mirai-based attacks against Dyn) to get even worse. Such “hivenets” are able to use machine learning and multivector approaches to identify and target vulnerable systems with minimal human supervision. Whereas traditional botnets wait for commands from a bot herder, devices in hivenets are able to analyze a target, determine what vulnerabilities it may have and then independently choose the most likely exploit to compromise it, allowing them to spread faster, with more devastating results than ever before.
As reported in our “2018 Threat Landscape Predictions” report, hivenets will be able to use swarms of compromised devices to identify and assault different attack vectors all at once. As it identifies and compromises more devices, a hivenet would be able to grow exponentially, widening its ability to simultaneously attack multiple victims, overwhelming the ability of IT teams to apply patches or new antimalware or intrusion prevention signatures. So, it is critical that your organization evaluate what your current distributed denial-of-service defenses are able to handle now in order avoid troubles later once an IoT swarm comes your way.
To further defend against IoT exploits, best practices start with identifying and inventorying the devices connected to your network, documenting how they’re configured and controlling how they authenticate to network access points. Once complete visibility is achieved, organizations can then dynamically segment IoT devices into secured network zones with customized policies.
For effective security, however, it will then be necessary to dynamically link these segments together using an integrated and automated security fabric or framework that is able to span across the network, especially at access points, and then cross-segment network traffic moving laterally across the network, even into multi-cloud environments — something that most point security devices and platforms are unable to do.
Protecting What Matters
Moving into 2018, IoT remains a cybersecurity challenge of increasing magnitude. Criminals aren’t just taking advantage of unsecured and vulnerable IoT devices. IoT issues are being compounded by a number of critical challenges, such as few IoT manufacturers having a product security and incident response team (PSIRT) in place that can respond to reported vulnerabilities. Second, the lack of regulations means getting IoT manufacturers to even prioritize a reported threat can be frustrating, as evidenced by the number of exploits that continue to successfully target known vulnerabilities that still don’t have an official CVE attached to them.
The dramatic growth of IoT-based malware families illustrates the incredibly prolific nature of this threat. The “proliferate to penetrate” strategy isn’t new, but it’s another reminder that single-point, signature-based antimalware simply cannot handle the volume, velocity, and variety of modern malware. For greater protection of your network and its data, organizations need to integrate malware defenses capable of detecting known and unknown threats across multiple layers of today’s distributed and dynamic network environment, from endpoints to the core and out to the cloud.