The volume of DDoS attacks from compromised IoT devices rose significantly in March
In March, vulnerable routers (from two global brands) along with compromised monitor screens and fleet tracking systems were used extensively by hackers as part of large botnets to distribute and deploy rootkits across the globe. This produced a significant spike in botnet traffic recorded by our global honeypots. Though the spike has subsided somewhat, the rise in infections caused by this sudden surge will only become apparent over the next few weeks, and the trend presents a new reason for concern among IoT cybersecurity teams.
Most of the attacks were logged at 2.5 Mbps and above, and request rates ranged from 1.5 to 3 million requests per second against certain target websites. Based on the traffic patterns, Sectrio’s threat research team identified over 150 command and control servers located across 15 countries. These servers were coordinating not just the spread of the attacks but also the propagation of a variety of rootkits and other payloads, including REvil ransomware.
The sudden botnet expansion could also be attributed to the use of outdated operating system versions on phones, desktops and laptops. With such an expansion, hackers have more bots at their disposal as well as a means to upgrade their botnet infrastructure by promoting some of those bots to command and control servers. With the number of bots added each week still rising, the scope for many of these botnets to grow exponentially over the coming weeks has increased.
Traffic from these botnets was not confined to any one geography, and each bot was sending traffic to multiple IP addresses across regions. Analysis of this traffic reveals a well-orchestrated strategy by hackers to target IoT projects at various levels and phases, and to expand botnets by targeting consumer devices. The level of stealth and obfuscation is growing as hackers devise new means to bring down multiple target entities through the same botnet. Many older botnets are also being resurrected for this purpose as hackers plan to scale up operations across geographies.
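The two observations above, command and control servers inferred from traffic patterns and individual bots fanning out to targets in multiple regions, can be reduced to simple checks over honeypot connection records. The following is an added example and is not Sectrio’s code or data: the records are constructed, the IP addresses are taken from documentation and private ranges, and the thresholds (minimum number of beaconing sources, tolerated beacon jitter) are illustrative assumptions. The idea is that a C2 server shows up as a destination that many distinct sources contact on a regular schedule, while attack traffic toward a victim is bursty and comes from the same sources in several regions.

```python
from collections import defaultdict
from statistics import pstdev

# Constructed sample of honeypot/flow records: (t_seconds, src_ip, dst_ip, dst_region).
# Not real Sectrio data. Five placeholder bots (10.0.0.1-5) beacon to 203.0.113.7
# every 60 s; two of them also send bursty traffic to victims in other regions.
def _beacons(src, dst, region, period, count, t0):
    return [(t0 + i * period, src, dst, region) for i in range(count)]

SAMPLE = []
for i in range(1, 6):
    SAMPLE += _beacons(f"10.0.0.{i}", "203.0.113.7", "eu", period=60, count=6, t0=i)
SAMPLE += [(t, "10.0.0.1", "198.51.100.20", "us") for t in (5.0, 5.05, 9.0, 9.02, 30.0)]
SAMPLE += [(t, "10.0.0.2", "192.0.2.9", "apac") for t in (12.0, 12.3, 12.6, 12.9, 40.0)]


def c2_candidates(records, min_sources=3, max_jitter=1.0):
    """Destinations that at least `min_sources` distinct sources contact with
    beacon-like regularity (population stddev of inter-contact gaps <= max_jitter s).
    Returns {dst_ip: sorted list of beaconing sources}. Thresholds are assumptions."""
    contacts = defaultdict(list)            # (src, dst) -> [timestamps]
    for t, src, dst, _region in records:
        contacts[(src, dst)].append(t)
    regular = defaultdict(set)              # dst -> sources with regular beacons
    for (src, dst), ts in contacts.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        # Need at least two gaps before saying anything about regularity.
        if len(gaps) >= 2 and pstdev(gaps) <= max_jitter:
            regular[dst].add(src)
    return {dst: sorted(srcs) for dst, srcs in regular.items()
            if len(srcs) >= min_sources}


def regions_per_source(records):
    """Map each source to the set of destination regions it contacted."""
    regions = defaultdict(set)
    for _t, src, _dst, region in records:
        regions[src].add(region)
    return dict(regions)


def multi_region_sources(records, min_regions=2):
    """Sources whose traffic spans at least `min_regions` regions (cross-region fan-out)."""
    return sorted(src for src, regs in regions_per_source(records).items()
                  if len(regs) >= min_regions)


def peak_rps(records, dst):
    """Peak number of records in any one-second bucket toward `dst`."""
    buckets = defaultdict(int)
    for t, _src, d, _region in records:
        if d == dst:
            buckets[int(t)] += 1
    return max(buckets.values(), default=0)


if __name__ == "__main__":
    print("C2 candidates:", c2_candidates(SAMPLE))
    print("Multi-region sources:", multi_region_sources(SAMPLE))
    print("Peak rps toward 192.0.2.9:", peak_rps(SAMPLE, "192.0.2.9"))
```

On the constructed sample only 203.0.113.7 qualifies as a C2 candidate: the bursty victim traffic fails the regularity test, which is the point of the heuristic, since C2 check-ins are low and periodic while attack traffic is loud and irregular. Against real flow logs the jitter threshold is the knob to tune, because real implants add deliberate jitter to their beacon interval, and the request-rate bucket would be computed per target over the honeypot's own timestamps.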
For IoT projects this is bad news, as the lessons of 2020 and 2021 articulated in our IoT and OT Threat Landscape reports seem to have been forgotten or ignored. While a portion of these new IoT-linked botnets may be connected to projects in the proof-of-concept (PoC) phase, a larger share of the traffic appears to originate from established projects, according to the traffic patterns analyzed by Sectrio’s threat research team. This is a worrying development, as it indicates that existing IoT devices are being compromised, or that new and untested devices are being added to existing projects without adequate security testing.