IOT MALWARE REPORT
Analysis of Q3 2017 Mirai Activity
SecurityScorecard R&D Department

214 West 29th St, 5th Floor, New York, NY 10001
1.800.682.1707
SecurityScorecard.com
info@securityscorecard.com
©2017 SecurityScorecard Inc.

Overview

From July to September 2017, SecurityScorecard identified 34,062 IPv4 addresses on the public internet which all display the symptoms expected from an embedded device infected with Mirai IoT malware. Through its examination, in which the team analyzed captured data of incoming connections and payloads to telnet ports of deception platforms that matched patterns of known Mirai propagation attempts, SecurityScorecard found that even a year after the initial release, Mirai botnet infections are still widespread, a troubling indicator of the lack of well-established cybersecurity practices across all industries.

Additionally, SecurityScorecard’s examination revealed that Mexico has made an unexpected rise to the top of the list when it comes to countries with infected IoT devices.

Background: Mirai Botnet and Family

This time last year, Mirai botnets took down major websites, such as music-streaming and social media sites. (A reminder of how this happened: by harnessing 1TB/s of compromised traffic, self-propagating Mirai botnets were used in a DDoS attack against DynDNS, an infrastructure company that handles massive amounts of communications for a large number of websites.)

Since then, many other malware attacks have been levied upon companies across the globe, taking their services down and affecting millions of users. The self-propagating nature of the Mirai botnet means that when one malware infection compromises a device, this device can then be leveraged to infect many other devices. This pool of resources is then used to target enterprises for malicious and profit-driven motives. In addition to malware for DDoS attacks, there is a significant emergence of cryptocurrency-mining malware that is being deployed on infected IoT devices, allowing hackers to monetize resources without drawing unwanted attention.

Mexico on the Map with Mirai

The top five affected countries for Mirai activity in the third quarter of 2017 were:

1. Mexico
2. China
3. Brazil
4. US
5. Turkey

While China, the U.S., Brazil, and Turkey are frequently listed as countries heavily impacted by attack feeds, the emergence of Mexico bypassing China in number of unique IP addresses infected is an interesting development.

The explanation for Mexico claiming the number one spot is likely a byproduct of the significant regional efforts that are taking place for the implementation of widespread IoT technologies. Mexico has been at the forefront for the adoption and expansion of IoT systems, such as the recent availability of a regional dedicated communications service specifically geared towards IoT.

It’s no surprise that in an environment where an emerging technology is being rapidly adopted at a large scale, speed of deployment is sometimes prioritized over necessary security practices during implementation.

Fig 3 - Pie Chart of Geographical Activity for Mirai during Q3-2017

More IoT Devices at the Enterprise and Consumer Level Results in a Visible Impact Across Industry Types

Breaking down the data by industry revealed the top five industries that were most affected by Mirai variants in the third quarter of 2017.

1. Education
2. Energy
3. Manufacturing
4. Entertainment
5. Financial Services

Given the high number of IoT devices at a consumer level and the increase of IoT devices used at an enterprise level, it’s no surprise these industries rank higher than some of their counterparts. For example, college students are active buyers of IoT devices, and the energy and manufacturing industries routinely incorporate IoT devices at the enterprise level.

* Note that when looking at the industry breakdown, domains categorized as Telecommunications/Technology/Information Services should be interpreted carefully. These domains may consist of domains/IPs that belong to residential users as opposed to business users (especially in the case of Telecommunications); such domains are considered unattributed from the standpoint of enterprise IP attribution mapping.

Fig 2 - Bar Graph of Industries

Results of the Propagation Observations

Mirai Points to a Need for Improved Cybersecurity Practices

SecurityScorecard identified 184,258 IPv4 addresses as IoT devices infected with Mirai IoT malware from August 1, 2016 to July 31, 2017. While the sheer magnitude of the number of infected devices alone serves as a strong reminder to information security practitioners to establish processes that maintain cybersecurity hygiene, the over 30,000 infected IoT devices identified this year shine a spotlight on the need for an increased focus on maintaining cybersecurity health.

Fig 1 - Geographical map representing spread of Mirai - Q3-2017. The red dots indicate the distribution of infected devices.

Conclusions

While the rise of IoT attacks in Mexico is likely to continue, the necessity for secure configurations may eventually result in valuable IoT security research coming from engineers and hackers in Mexico.

As persistent IoT threats evolve and new threats emerge, it is critical for enterprises to develop a risk management and monitoring system that addresses the complexities of the IoT landscape - a landscape made more complicated by dynamic attack vectors, a patchwork of new industry standards, and compounded risks created by the growing risk ecosystem of companies.

IP Attribution Methodology

The methodology behind industry identification of IPv4 addresses for this case study resides in the IP attribution system that correlates exposed digital assets with affected enterprises. The SecurityScorecard platform checks multiple data points of external identifiers to attribute the asset to an owner, even when the asset resides in a third party network - such as a cloud provider or off-site facility.

Data Collection Methodology

To collect the data discussed in this report, SecurityScorecard makes use of an array of internally developed analyst scripts, as well as a hardware implementation of the CDS Enterprise Deception Platform developed by Cyber Detection Services of Nashville, TN.

The CDS Enterprise Deception Platform consists of hardware deployed in data centers which provide IPv4 addresses within CIDR blocks that are under constant, sustained attack. The neighboring IPv4 addresses are host to an array of financial services, ecommerce providers, and other high value targets within the Fortune 1000.

Vulnerable enterprise network configurations are emulated and broadcast to the public internet, appearing as attractive targets to automated scans, attack scripts, and individual human attackers. Incoming connection attempts are accepted, and vulnerable conditions are surfaced. Attackers are caught in a loop of false positive validation, while incoming payloads and associated IP addresses are captured.

Captured attack data undergoes a follow-up inspection by the SSC IP Attribution engine to determine the enterprise using the IPv4 address and its associated industry. Threat intelligence analysis engines then inspect payloads for classification of known attacks, as well as the identification of unidentified, unique payloads that may indicate an emerging threat.
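The aggregation step that turns captured telnet connections into the report's per-country and per-industry counts of unique infected IPv4 addresses, written here as an added example (not SecurityScorecard's or CDS's own code); the JSON-lines record format, its field names, and the sample records are constructed assumptions, and the exclusion of Telecommunications/Technology/Information Services follows the report's note that such space is unattributed.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample of deception-platform captures (not real data): one record
# per inbound telnet connection, with mirai_match set when the payload matched a
# known Mirai propagation pattern. Addresses are arbitrary placeholders.
CAPTURES = "\n".join([
    '{"src_ip": "187.200.10.1", "country": "MX", "industry": "Education", "mirai_match": true}',
    '{"src_ip": "187.200.10.1", "country": "MX", "industry": "Education", "mirai_match": true}',
    '{"src_ip": "187.200.10.2", "country": "MX", "industry": "Telecommunications", "mirai_match": true}',
    '{"src_ip": "120.50.1.3", "country": "CN", "industry": "Manufacturing", "mirai_match": true}',
    '{"src_ip": "177.30.4.5", "country": "BR", "industry": "Energy", "mirai_match": false}',
    '{"src_ip": "192.168.1.9", "country": "US", "industry": "Financial Services", "mirai_match": true}',
    '{"src_ip": "not-an-ip", "country": "TR", "industry": "Energy", "mirai_match": true}',
])

# Industry labels the report treats as unattributed (largely residential ISP space).
UNATTRIBUTED = {"Telecommunications", "Technology", "Information Services"}


def unique_infected(capture_text):
    """Return {ip: record} for unique, globally routable IPv4 sources whose
    payload matched Mirai propagation patterns. Repeated connections from one
    host collapse to a single entry, since the report counts unique addresses."""
    seen = {}
    for line in capture_text.splitlines():
        rec = json.loads(line)
        if not rec.get("mirai_match"):
            continue
        try:
            ip = ipaddress.ip_address(rec["src_ip"])
        except ValueError:
            continue  # malformed source field: drop rather than miscount
        # Private or reserved space cannot be an infected device on the public internet.
        if ip.version != 4 or not ip.is_global:
            continue
        seen.setdefault(str(ip), rec)
    return seen


def top_countries(infected, n=5):
    """Rank countries by number of unique infected IPv4 addresses."""
    return Counter(r["country"] for r in infected.values()).most_common(n)


def top_industries(infected, n=5):
    """Rank attributed industries, skipping the unattributed telecom/technology labels."""
    counts = Counter(r["industry"] for r in infected.values()
                     if r["industry"] not in UNATTRIBUTED)
    return counts.most_common(n)


if __name__ == "__main__":
    infected = unique_infected(CAPTURES)
    print(len(infected), top_countries(infected), top_industries(infected))
```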

About SecurityScorecard

SecurityScorecard offers an exclusive security rating platform able to determine the security risk of any organization on the internet. Our proprietary SaaS offering helps enterprises gain operational command of their security postures across all of their partners and vendors. SecurityScorecard provides continuous, non-intrusive monitoring for any organization, including third and fourth parties. The platform offers a breadth and depth of critical data points not available from any other service provider, including a broad range of risk categories such as Application Security, Malware, Patching Cadence, Network Security, Hacker Chatter, Social Engineering and Leaked Information.

To receive a free, instant SecurityScorecard report about your company, visit https://instant.securityscorecard.com