Massive botnet quietly harvesting 2 million vulnerable IoT devices, report says

Researchers say this virus is significantly more powerful than the Mirai botnet of 2016, which shut down Netflix, Twitter, Spotify and other major websites in October 2016.
By Jessica Davis
10:40 AM
vulnerable IoT devices

Research teams from Chinese security firm Qihoo 360 Netlab and Israeli security firm Check Point are alerting the public of a powerful IoT attack malware dubbed Reaper or IoTroop that is spreading through flaws in IoT software and hardware.

So far, the botnet has infected 2 million vulnerable IoT devices across more than 1 million organizations.

Researchers are warning that Reaper is much more powerful than the Mirai botnet that hit globally last year. The cyberattack hit the East Coast of the U.S., bringing down Twitter, Spotify, Netflix and other major websites in October 2016.

[Also: Calm before the storm? Ransomware, botnet attacks predicted to surge]

Reaper is based on Mirai, but isn’t an offspring. Both research teams said the botnet shares some code with Mirai, but adds additional elements that makes it its own threat. The biggest difference is in the delivery method.

While Mirai scanned for open telnet ports and attempted log-ins using a preset list of weak credentials, Reaper primarily exploits and forcibly takes over unpatched devices and adds it to its command and control center.

[Also: Cybersecurity is top concern in IoT deployments]

Reaper leverages nine vulnerabilities to propagate its attack: D-Link 1 and 2, Netgear 1 and 2, Linksys, GoAhead, JAWS, AVTECH and Vacron. Check Point researchers also found the virus is attacking Linux servers, MicroTik and TP-Link routers and Synology NAS devices.

To make matters worse, Reaper is still in its infancy and continuing to quietly harvest vulnerable devices. Hackers are continuing to add exploits daily, and its command and control center is continuing to expand to accommodate new bots.

In fact, Netlab observed over 2 million infected devices in the botnet’s command and control queue, just waiting to be processed. Just one of its command and control servers is in control of over 10,000 devices.

So what does this all mean?

Right now, Reaper is a sleeping threat exploiting flaws in IoT devices. But while it may be dormant, the healthcare industry shouldn’t ignore the potential risks, according to CynergisTek Vice President of Cybersecurity Strategy John Nye.

The healthcare industry has a wide range of IoT devices, from medical devices to remote-controlled thermostats. And often these flaws are left unpatched.

Unfortunately, it’s tough proactively to prepare for Reaper, said Nye. “But if you monitor traffic flows or patterns, it will make it easier to identify and react to anomalous activity. Reaper is much more complex and larger than the botnet Mirai. If activated, it could trigger a lot of other kinds of attacks.”

“These issues and attacks will not abate,” Nye said. “We must move to a new level of awareness and strategy and build security into our technology, our people and our processes.”

Healthcare providers should begin to take steps to prevent infection, Nye said. Reaper should be handled much like other threats, by addressing its cybersecurity posture and practices.

But specific to Reaper, Nye said, “Network monitoring and detection are key.”

First, security teams should assess whether its IoT and biomed devices are segmented from its primary network.

“For devices that have to connect, organizations should consider the use of access control lists and firewalls to help limit access of the devices,” said Nye.

Twitter: @JessieFDavis
Email the writer: