FortiGuard Labs Threat Research

2022 IoT Threat Review

By Eduardo Altares, Joie Salvio and Roy Tay | January 13, 2023

FortiGuard Labs monitors the IoT botnet threat landscape for new and emerging campaigns, using honeypots we have deployed to capture active attacks in the wild. This article provides insights into the data collected from our monitoring system over the past year.

Affected Platforms: Linux

Impacted Users: Any organization

Impact: Remote attackers gain control of the vulnerable systems

Severity Level: Critical

Attack Origins

Our distributed honeypot systems allow us to capture and monitor campaigns that are actively targeting IoT devices for infection. In most cases, these devices are turned into bots used to perform Distributed Denial of Service (DDoS) attacks.

These malware campaigns primarily brute force Telnet and SSH credentials to gain access to IoT devices and then execute their bot binaries. In 2022, a total of over 20 million successful brute force attacks were recorded by our system. Figure 1 shows the number of successful brute force attacks against our honeypots by month.

Figure 1: Attack volume by month
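The infection vector described above is credential brute forcing against Telnet and SSH followed by a successful login. As an added defender-side example (not part of the original report and not FortiGuard code), the script below runs a simple detection over constructed sshd log lines: it flags any source address with five or more failed logins inside a one-minute window and records whether a password login from that source succeeded after the burst began, which is the event that matters for triage. The log lines, the year (syslog omits it) and the thresholds are all assumptions chosen for the example; Telnet honeypot logs use a different format and would need their own pattern.

```python
import re
from collections import defaultdict
from datetime import datetime

# Syslog lines carry no year; the samples below are treated as 2022 (an assumption).
ASSUMED_YEAR = 2022

# Constructed sample sshd log lines (not taken from the report): one source
# hammers several accounts within seconds and finally gets in with a password,
# the other is a single failure followed by a key-based login.
SAMPLE_LOG = """\
Jan 13 10:00:01 honeypot sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jan 13 10:00:02 honeypot sshd[1201]: Failed password for admin from 203.0.113.7 port 51023 ssh2
Jan 13 10:00:03 honeypot sshd[1201]: Failed password for invalid user pi from 203.0.113.7 port 51024 ssh2
Jan 13 10:00:04 honeypot sshd[1201]: Failed password for root from 203.0.113.7 port 51025 ssh2
Jan 13 10:00:05 honeypot sshd[1201]: Failed password for root from 203.0.113.7 port 51026 ssh2
Jan 13 10:00:06 honeypot sshd[1201]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Jan 13 10:05:00 honeypot sshd[1300]: Failed password for alice from 198.51.100.9 port 40000 ssh2
Jan 13 10:07:00 honeypot sshd[1301]: Accepted publickey for alice from 198.51.100.9 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_events(text):
    """Turn sshd auth lines into dicts; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "method": m["method"],
                       "user": m["user"], "ip": m["ip"]})
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Flag sources with at least `threshold` failed logins inside any
    `window_seconds` span, and note whether a password login from that
    source succeeded after the burst began (the likely compromise)."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "Failed"]
        burst_start = None
        left = 0
        # Sliding window over failure timestamps: advance `left` until the
        # window fits, then check how many failures it holds.
        for right in range(len(failures)):
            while (failures[right]["ts"] - failures[left]["ts"]).total_seconds() > window_seconds:
                left += 1
            if right - left + 1 >= threshold:
                burst_start = failures[left]["ts"]
                break
        if burst_start is None:
            continue
        success_after = any(e["result"] == "Accepted" and e["method"] == "password"
                            and e["ts"] > burst_start for e in evs)
        findings[ip] = {
            "failures": len(failures),
            "usernames": sorted({e["user"] for e in failures}),
            "password_success_after_burst": success_after,
        }
    return findings


def run_demo():
    return detect_bruteforce(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for ip, info in run_demo().items():
        print(ip, info)
```

On the sample input only 203.0.113.7 is reported: five failures across three usernames within five seconds, then an accepted password. The single failure from 198.51.100.9 followed by a key-based login stays below the threshold and is not reported.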

Figure 2 breaks down the 121,799 unique attacker IPs observed in 2022 by the country in which they were hosted.

Figure 2: Attacker IPs by country

Figure 3 shows the same data by attack volume, that is, the countries hosting the servers from which the majority of attacks originated.

Figure 3: Attack volume by country

Top Vulnerabilities

Aside from brute forcing credentials to infect devices, IoT malware also takes advantage of vulnerabilities to spread, such as in the Beastmode Mirai campaign we discussed in April. Our monitoring system identifies possible exploitation requests being used by malware samples. From over a hundred vulnerabilities targeted by IoT malware samples that were captured last year, we primarily observed attempts to exploit CVE-2017-17215, an old Remote Code Execution (RCE) vulnerability targeting Huawei HG532 routers. In fact, over 30% of the malware samples containing embedded exploits target this vulnerability (Figure 4).

Figure 4: Top vulnerabilities targeted

In terms of the actual volume of attacks in the wild, 30-day Fortinet IPS telemetry for the signature Huawei.HG532.Remote.Code.Execution, which detects attempts to exploit CVE-2017-17215, shows an average of 80,000 daily detections, peaking at 160,000.

Figure 5: Huawei.HG532.Remote.Code.Execution (CVE-2017-17215) 30-day Daily Detection Count

We also found the following CVEs from 2022 being targeted:

  • CVE-2022-26186 (TOTOLINK Routers RCE)
  • CVE-2022-26210 (TOTOLINK Routers RCE)
  • CVE-2022-25075/25076/25077/25078/25079/25080/25081/25082/25083/25084 (TOTOLINK Routers RCE)
  • CVE-2022-22947 (Spring Cloud Gateway RCE)
  • CVE-2022-29013 (Razer Sila Gaming Router RCE)
  • CVE-2022-1388 (F5 BIG-IP iControl RCE)
  • CVE-2022-22954 (VMware Workspace ONE Access RCE)
  • CVE-2022-23377 (Archeevo LFI)
  • WordPress cab-fare-calculator plugin 1.0.3 (LFI)
  • WordPress video-synchro-pdf plugin 1.7.4 (LFI)

It is important to note that although there were attempts to target Local File Inclusion (LFI) vulnerabilities, the exploit requests were not implemented correctly and could not have succeeded.

The most actively exploited vulnerability from the list above is CVE-2022-22954, which targets VMware Workspace ONE Access. The VMware.Workspace.ONE.Access.Catalog.Remote.Code.Execution IPS signature recorded an average of 80,000 daily detections based on 30-day Fortinet IPS telemetry. Our post from October noted that this vulnerability is also a hot target for other non-IoT malware campaigns.

Figure 6: VMware.Workspace.ONE.Access.Catalog.Remote.Code.Execution (CVE-2022-22954) 30-day Daily Detection Count

We also observed that the F5 BIG-IP iControl CVE-2022-1388 (F5.BIG-IP.iControl.REST.Authentication.Bypass) was another popular vulnerability, experiencing a daily average of 25,000 hits, peaking at 50,000.

Figure 7: F5.BIG-IP.iControl.REST.Authentication.Bypass (CVE-2022-1388) 30-day Daily Detection Count

Top Architecture

Figure 8: Top architecture

Based on our research, the majority of IoT malware is built to run on the ARM 32-bit architecture, comprising almost three-quarters of all samples captured (Figure 8). The “script file” label covers plaintext Bash scripts whose purpose is to download and install the payload binary after brute forcing or exploitation.

Top Malware Families

Figure 9 shows the most common malware families detected by our systems, grouped by month. Mirai and Gafgyt variants are predominant, with Kyton, a Gafgyt/Mirai hybrid, being one of the most heavily distributed families in terms of volume. Being a Gafgyt/Mirai hybrid, Kyton reuses code from other Mirai variants to exploit CVE-2017-17215 (Huawei Router HG532), JAWS Webserver RCE, or CVE-2014-8361 (Realtek SDK). Samples tagged as _unknown on the graph (Figure 9) are malware yet to be linked to any known malware campaigns. They could be fresh botnets infecting our honeypots.

Figure 9: Top IoT malware families by month

Noteworthy Families

As Figure 9 shows, most of the active IoT botnets last year were based on Mirai and Gafgyt, but several campaigns stood out from the crowd.

In mid-March, for example, we encountered Enemybot, which at the time was the latest botnet campaign from the threat group Keksec. It was a hybrid of Gafgyt and Mirai and was using the TOR network to mask its real Command and Control (C2) servers.

RapperBot is a DDoS botnet that we encountered in mid-June. This malware is interesting because it was using an embedded SSH client to spread and because we observed unusual changes to its variants that made us question its primary motivation. In October 2022, we observed a new campaign from potentially the same threat actors targeting servers for popular games.

Lastly, Zerobot is a DDoS botnet written in the Go programming language (also known as Golang) that FortiGuard Labs first encountered in November 2022. It utilizes both old and recent vulnerabilities to spread, and uses WebSockets to communicate with its C2 servers.

The Rise of Golang IoT malware

Another trend we saw with IoT botnets was the rise of samples written in Golang, even though Go produces considerably larger compiled binaries. A Golang ELF executable can easily exceed 4MB, whereas typical Mirai and Gafgyt binaries fall below 300KB. For this reason, some campaigns use the UPX packer to reduce the file size.
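The architecture breakdown in Figure 8 and the Golang and UPX observations above both come down to inspecting the downloaded payload. As an added example (not code from the report or from FortiGuard Labs), the script below parses the ELF identification header to recover the machine type, word size and byte order, applies the “script file” label to plaintext download scripts, and adds two heuristics: the "UPX!" marker that the UPX packer leaves in its loader info block, and the ".gopclntab" section name and "Go build ID:" string that Go binaries carry. The samples are constructed minimal ELF headers built inline so the script runs offline; the filenames and the marker heuristics are assumptions for illustration, not authoritative packer or compiler detection.

```python
import struct
from collections import Counter

# e_machine values from the ELF specification for the platforms IoT botnets
# are commonly built for (plus a few desktop/server targets for contrast).
E_MACHINE_NAMES = {
    2: "SPARC", 3: "x86", 4: "m68k", 8: "MIPS", 20: "PowerPC", 21: "PowerPC64",
    40: "ARM", 42: "SuperH", 43: "SPARCv9", 62: "x86-64", 183: "AArch64", 243: "RISC-V",
}

# Heuristic markers, not authoritative: UPX writes "UPX!" into its loader info
# block, and Go binaries carry a ".gopclntab" section name and a build ID string.
UPX_MARKER = b"UPX!"
GO_MARKERS = (b".gopclntab", b"Go build ID:")


def classify(data: bytes) -> dict:
    """Summarize one downloaded payload: plaintext script, ELF binary (with
    architecture, word size, byte order and UPX/Go heuristics), or unknown."""
    info = {"size": len(data)}
    if data.startswith(b"#!"):
        info["format"] = "script"
        info["label"] = "script file"
        return info
    if len(data) < 20 or data[:4] != b"\x7fELF":
        info["format"] = "unknown"
        info["label"] = "unknown"
        return info
    ei_class, ei_data = data[4], data[5]          # EI_CLASS, EI_DATA
    bits = {1: 32, 2: 64}.get(ei_class, 0)
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
    arch = E_MACHINE_NAMES.get(e_machine, f"EM_{e_machine}")
    info.update({
        "format": "elf",
        "arch": arch,
        "bits": bits,
        "endianness": "little" if ei_data == 1 else "big",
        "e_type": {2: "EXEC", 3: "DYN"}.get(e_type, str(e_type)),
        "label": f"{arch} {bits}-bit",
        "upx_packed": UPX_MARKER in data,
        "golang": any(marker in data for marker in GO_MARKERS),
    })
    return info


def make_sample_elf(ei_class: int, ei_data: int, e_machine: int, trailer: bytes = b"") -> bytes:
    """Build a constructed minimal ELF header (not a real binary) for testing."""
    endian = "<" if ei_data == 1 else ">"
    ident = b"\x7fELF" + bytes([ei_class, ei_data, 1, 0]) + b"\x00" * 8
    header = ident + struct.pack(endian + "HHI", 2, e_machine, 1)  # ET_EXEC, machine, EV_CURRENT
    header_size = 52 if ei_class == 1 else 64
    return header.ljust(header_size, b"\x00") + trailer


# Constructed sample "downloads" standing in for a honeypot's captured payloads
# (filenames are hypothetical; the zero.x86_64 entry mimics a large Go build).
SAMPLES = {
    "bot.arm": make_sample_elf(1, 1, 40),
    "bot.arm7": make_sample_elf(1, 1, 40),
    "bot.mips": make_sample_elf(1, 2, 8),
    "bot.x86": make_sample_elf(1, 1, 3, trailer=UPX_MARKER + b"\x00" * 16),
    "zero.x86_64": make_sample_elf(2, 1, 62, trailer=b'.gopclntab\x00Go build ID: "constructed"\x00'),
    "update.sh": b"#!/bin/sh\necho constructed sample script\n",
}


def architecture_breakdown(samples: dict) -> Counter:
    """Count samples per label, the same grouping Figure 8 uses."""
    return Counter(classify(data)["label"] for data in samples.values())


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, classify(data))
    print(architecture_breakdown(SAMPLES))
```

Run against a directory of real captures, the `architecture_breakdown` counter reproduces the kind of per-architecture histogram shown in Figure 8, and the `upx_packed`/`golang` flags give a first cut at the size-versus-packing trend discussed above before any sample is unpacked or disassembled.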

Up through October 2022, one of the C2 servers (176[.]65[.]137[.]5) listed in our Zerobot report historically distributed the Mirai-based SORA variant. It then switched to distributing Zerobot the following month. For example, hxxp://176[.]65[.]137[.]5/bins/zero[.]x86 served a UPX-packed SORA binary in October 2022 (Figure 10), but similar URLs with the zero.{arch} filename were later seen distributing Zerobot instead. The switch from SORA to Zerobot while keeping the same campaign filename is interesting because these families do not share a common C2 protocol. The intent behind the switch remains unclear.

Figure 10: file zero.x86 downloaded from ZeroBot C2 vis-à-vis SORA sample

Apart from Zerobot, we are also highlighting several additional Golang botnets caught by our honeypots.

In early November 2022, we collected samples of a DDoS botnet that supports only TCP-based DDoS attacks. This botnet is named Rose, based on the source code previously hosted on GitHub. Interestingly, the bot configures ZTE and Huawei devices to prevent their exploitation, similar to the Mozi botnet reported by Microsoft.

We also came across a simple DDoS bot that calls itself “nyancat” (Figure 11), as seen in the path of the source files used to compile the binary. The path also suggests that the bot was compiled in a Windows environment. This bot extends publicly available botnet code on GitHub to perform HTTP-based Denial of Service (DoS) types of attacks on top of existing TCP, UDP, and Valve Source Engine (VSE) attacks.

Figure 11: nyancat source file name

Interestingly, we found another DDoS botnet, also compiled on Windows, that shares the same source file base path (Figure 12), C:/Users/Admin/Music.

Figure 12: Another Windows compiled DDoS bot

This botnet also looks like an adaptation of another source code on GitHub that supports HTTP GET, HULK, GoldenEye, TLS and basic TCP and UDP types of DoS attacks (Figure 13).

Figure 13: Function comparison between the two DDoS bots

It’s possible that these two samples were compiled by the same threat actor, given that the binaries were built from source code located in similar directories on Windows machines and that some of the functions share similar names and code.

Figure 14: Panchan botnet strings

Another malware we captured is Panchan (Figure 14), a Golang-based XMRig miner that was documented by Akamai around June 2022 but with earlier samples found as early as March.

Conclusions

IoT malware is very much alive and continues to exploit both old and new vulnerabilities to infect devices and propagate. While most of it targets router vulnerabilities, there are notable exceptions, like the popular F5 BIG-IP iControl CVE-2022-1388 and VMware Workspace ONE Access CVE-2022-22954 vulnerabilities. Data from our telemetry also confirms that even old vulnerabilities from 2014 are still being actively exploited.

Mirai and Gafgyt-based malware still dominate the IoT threat landscape in terms of the sheer volume of samples. There is also a growing variety of malware written in the Go programming language, possibly fueled by the increasing availability of malware source code in public repositories like GitHub, which makes it easy for unsophisticated threat actors to build and operate their own botnets.

With this increased interest in using Golang for malware development, we expect to see even more Golang IoT botnets this year.

FortiGuard Labs will continue to track and report on emerging threats and trends in the IoT threat landscape.

Fortinet Protections

The FortiGuard Antivirus service detects and blocks these threats as:

  • ELF/Mirai!tr
  • ELF/Zerobot!tr
  • ELF/Generic!tr
  • Linux/DDoS_Agent!tr
  • Riskware/CoinMiner

The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR, and the Fortinet AntiVirus engine is a part of each of those solutions. Customers running current AntiVirus updates are protected.

FortiGuard Labs provides IPS signatures against the following vulnerabilities.

The FortiGuard Web Filtering Service blocks the C2 servers and download URLs cited in this report.

The FortiGuard IP Reputation and Anti-Botnet Security Service proactively blocks these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that work together to provide up-to-date threat intelligence about hostile sources.

IOCs

Files

8332871673d8e9d90c95a463e1bdc73b1fae1a59b46767cab1c0c9257de4e7f5

ebe891df3802d21c34d1821c5c772d77de4c6e71eb84690ec19aecb923a95aca

fd47e446e72d7eb6e75f4990c192559c349b92f60fa6f57508fde646cf8317aa

51f45d81f00e65a29b02231e5eba7ac850094fa00172668daf439d28d544717e

038271675df68c56ce147852093fcb795cbde55198d33f4be52d6d102689764d

56ab2c3f334f73b986c64180d5c82d4050a583ff06da0873ff4750be4a02bbaf

8dceacda8288e61769a9ccf6900dff45d500679440b006138d4746ebf15cc664

e2c2a0cccefc4314c110f3c0b887e5008073e607c61e1adde5000efb8e630d50

1c1817e9c32dcf70871505a39d235d0f424f985d13998706ed0ed6aaffc20da6

b4cd314c832f046143d200285dd1fb96f1f7443bc0e3d321614225bf77783160

5f73c66e72118cb2d18ff839e9f94d1d0e1da44a5c76a0972c537652eacf708b

Download URLs

hxxp://176[.]65[.]137[.]5/bins/zero[.]x86

C2

176[.]65[.]137[.]5

194[.]87[.]84[.]154