SMB, IoT Attacks Rapidly Increasing, while Mirai Malware Dominates
September 17, 2019 - Hackers are launching cyberattacks against SMB ports and IoT devices at a record pace, with the US facing the greatest number of hacking attempts, according to a recent report from F-Secure.
F-Secure researchers set up a network of honeypots – decoy servers set up around the globe – to get a pulse of the current threat landscape. The report found these attempts have tripled in the past year: The honeypots measured a total of 2.9 billion events. It’s the first time the report showed more than 1 billion attacks.
Of those attacks, 2.1 billion were on the TCP ports, primarily used on IoT devices. Mirai malware, which proliferated in 2018, is continuing to highly target these devices. What’s more, the US saw the greatest number of attacks.
The second most prevalent traffic was observed on port 445, which represents SMB worms and exploits like Eternal Blue. The Eternal Blue exploit was used in WannaCry, but 40 percent of health organizations suffered a WannaCry attack during the first half of 2019.
Eternal Blue targets a flaw in the SMB protocol through port 445. While Microsoft released a patch for the vulnerability long before the May 2017 WannaCry cyberattack, nearly 1 million devices are still vulnerable to attack.
“Since its debut during WannaCry over two years ago, Eternal Blue continues to be used by criminals, and it’s currently at the height of its popularity,” the researchers wrote. “Data from our malware labs backs this up, as WannaCry is currently one of the most prevalent forms of malware in our telemetry.”
Attacks on SSH port 22 were the third most targeted, which represent brute force password attempts to gain remote access to a machine. However, researchers noted attacks also use IoT malware on this port.
According to the report, the prevalence of attacks is most likely due to the continuing spread of IoT devices, the prevalence of Eternal Blue, and an increase in DDoS attacks. And 99.9 percent of traffic to the honeypot was automated traffic from bots, malware, and other tools.
The report stressed that the increase in both sophistication and cyberattacks leveraging variants of Mirai should pose a serious concern to security leaders. The variant dominated the honeypot traffic, targeting IoT devices like routers and infecting devices that use default credentials to co-opt them for botnet armies.
Mirai hackers have also created variants specifically engineer to infect enterprise IoT devices, which “allows attackers access to greater bandwidth connections than are available with consumer devices, affording them greater power for DDoS attacks.”
“Turning away from honeypots to the actual customer endpoints we protect, the main types of malware we see are still ransomware, banking trojans, and cryptominers,” researchers wrote. “Every half year it’s a different story. This time, it’s the jump to billions of honeypot attacks, the rampant exploitation of IoT devices via Telnet and UPnP, China’s domination of traffic, a comeback in ransomware and a rally of cryptominers.”
“The attacks may change, the methods may change and the vulnerabilities may change, but what doesn’t change is that following solid security practices and procedures will keep your business on much safer ground,” they added.
F-Suite recommended organizations map their entire attack surface to ensure a full inventory of devices and servers within the network to “Know what you need to protect most, and guard it. Keep your most critical assets protected with a higher level of security.” Leaders should also retire old assets that are no longer necessary.
The F-Suite report confirms a recent Microsoft alert that showed Russian-backed hackers are actively targeting poorly configured IoT devices to gain access to the network of larger organizations. Meanwhile, an Irdeto report showed 82 percent of healthcare organizations, IoT manufacturers, and other organizations that use IoT devices have faced a cyberattack on those devices within the last year.
Security leaders have noted it’s imperative to integrate purchase decisions around IoT with risk assessments to ensure organizations aren’t introducing unnecessary risk with the deployment of IoT. In recent months, NIST has also been releasing security guidance around IoT devices to help organizations build security programs for the vulnerable tech.
Gloss