IOT Reaper/IOTRoop Botnet

An IOT botnet dubbed “IoTroop” or “Reaper” targeting vulnerable internet-connected devices, such as CCTV, IP cameras and Wi-Fi routers, are reported rampant spreading worldwide. The botnet targets reported vulnerabilities in the major IoT device vendors such as Dlink, Netgear, Linksys, AVTECH, Goahead, JAWS.

These compromised devices lets cyber criminals to intrude on private networks and gain access to other devices and information attached to these networks and can also be used for activities such as DDoS or other malicious activities leading to full loss of confidentiality, integrity and availability, depending on the actions of the attacker.

The following systems are currently reported to be vulnerable to the Reaper malware:

• Dlink (router) https://blogs.securiteam.com/index.php/archives/3364
• Dlink (router) http://www.s3cur1ty.de/m1adv2013-003
• Netgear (router) https://blogs.securiteam.com/index.php/archives/3409
• Netgear (router) http://seclists.org/bugtraq/2013/Jun/8
• Linksys (router) http://www.s3cur1ty.de/m1adv2013-004
• AVTECH (IP camera) https://github.com/Trietptm-on-Security/AVTECH
• Goahead (IP camera) https://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html
• JAWS (IP camera) https://www.pentestpartners.com/blog/pwning-cctv-cameras/
• Vacron NVR (Network Video Recorder) https://blogs.securiteam.com/index.php/archives/3445

Recommendations

• Run updates and contact manufacturers to confirm devices are patched with the latest software and firmware.
• Review IOT devices [home Internet routers, DVRs, IP cameras] to ensure they support the latest security protocols and standards and disable older insecure protocols. (check the vendors websites for updates & patches).
• Change the default OEM credentials and ensure that passwords meet the minimum complexity.
• Disable Universal Plug and Play (UPnP) unless absolutely necessary.
• Implement account lockout policies to reduce the risk of brute forcing attacks.
• Telnet and SSH should be disabled on device if there is no requirement of remote management
• Configure VPN and SSH to access device if remote access is required.
• Configure certificate based authentication for telnet client for remote management of devices
• Implement Egress and Ingress filtering at router level.
• Unnecessary port and services should be stopped and closed.
• Logging must be enabled on the device to log all the activities.
• Enable and monitor perimeter device logs to detect scan attempts towards critical devices/systems.

References

• http://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/
• https://research.checkpoint.com/new-iot-botnet-storm-coming/
• https://www.csa.gov.sg/singcert/news/advisories-alerts/alert-on-botnet-iot-reaper