First detected by Chinese security researchers Netlab 360 at 01:02:13 on September 13th 2017, a new botnet, dubbed “IoT_Reaper”, has the potential to cause more damage than last year’s Mirai.
The newly discovered botnet, also going by the name Reaper and Troop, has been growing rapidly for the last month. Reaper shares part of its source code with the notorious Mirai botnet, but has a more sophisticated infection mechanism. Mirai scanned for open web ports and attempted default passwords in an attempt to gain access to IoT (Internet of Things) devices, whereas Reaper uses a collection of nine publicly known vulnerabilities to target routers.
Affected devices include routers and IoT devices from the following manufacturers:
Mirai, which was capable of launching an attack made up of over 1TB of traffic, was used to take down a DNS service in October 2016; this is said to have been the largest DDoS attack in history, causing Internet outages for a number of major Internet services including Amazon, Netflix, PayPal and Twitter. However, it is speculated that the Reaper botnet is capable of causing even more damage: according to Netlab, Reaper has already acquired at least two million devices, with an additional 10,000 new devices being added daily. Israeli cyber security company Check Point Software Technologies Ltd, which discovered Reaper around the same time as Netlab, estimates a more conservative one million organizations affected worldwide. Either way, such a large number of infected devices should be considered a cause for concern.
A key feature of Reaper is that it includes a software platform which allows new modules to be installed. Since the botnet was first detected in September, its creator has added new exploits to help Reaper spread further and infect more devices. The ability to add new modules would also allow Reaper to evolve, resulting in weaponized devices that are capable of causing a major denial of service. So far Reaper has shown no sign of offensive activity, but DDoS attacks are the most likely attack to occur in the future, as they are the most effective way a large IoT botnet can be used by an attacker to cause damage.
In many cases, patching devices to the latest available update will help prevent IoT devices from being exploited and added to the botnet. It is suggested that scans are performed, using well known Anti-Virus/Malware Protection suites, to discover any vulnerable or compromised Internet of Things devices that currently exist on a network.
Additionally, there are steps that can be taken to mitigate the effects of being attacked by Reaper, if it were to execute a DDoS attack. Using what is currently known about Reaper and previous DDoS attacks such as those launched with Mirai, there are ways of protecting against, or reducing the damage caused by, the massive DDoS attack that Reaper could be used for. The most common way to protect against a DDoS attack is to use a DDoS mitigation service; the aim of such a service is to absorb the mass of malicious traffic targeting a website which would otherwise take it offline.
IoCs (Indicators of Compromise)
There are a number of known Indicators of Compromise that can be incorporated into IDS/IPS systems in order to alert on, or block, Reaper malware traffic, which are:
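As an added example, not code from the original post, the following Python script shows the shape of the IDS-style check described above: a small list of network indicators (IP addresses or CIDR ranges, and command-and-control domains) is matched against firewall and DNS resolver log lines, and every hit is raised as an alert. The indicator values (RFC 5737 test addresses and .invalid domains) and the log lines are constructed placeholders, not Reaper's actual indicators; in use, the list would be replaced by the indicators published by the researchers who analysed the malware.

```python
import ipaddress
import re
from typing import Iterable, List, NamedTuple, Optional


class Alert(NamedTuple):
    line_no: int   # 1-based index of the log line that matched
    ioc_type: str  # "ip" or "domain"
    ioc: str       # the indicator that matched
    line: str      # the raw log line, kept for the analyst


# Constructed placeholder indicators (RFC 5737 test ranges, .invalid TLD).
# Replace with the published indicator list for the malware in question.
IOC_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.10/32", "198.51.100.0/24")]
IOC_DOMAINS = {"c2.example.invalid", "loader.example.invalid"}

# Netfilter-style firewall log fields and BIND-style query log lines.
_IP_RE = re.compile(r"\b(?:SRC|DST)=(\d{1,3}(?:\.\d{1,3}){3})")
_DNS_RE = re.compile(r"query: (\S+) IN ")


def ip_matches(ip_str: str) -> Optional[str]:
    """Return the matching IoC network as a string, or None."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None  # malformed address in the log line; ignore it
    for net in IOC_NETS:
        if ip in net:
            return str(net)
    return None


def domain_matches(name: str) -> Optional[str]:
    """Return the matching IoC domain, treating subdomains as matches too."""
    name = name.lower().rstrip(".")
    for d in IOC_DOMAINS:
        if name == d or name.endswith("." + d):
            return d
    return None


def scan_lines(lines: Iterable[str]) -> List[Alert]:
    """Run every line past the IP and domain indicators; collect alerts."""
    alerts: List[Alert] = []
    for n, line in enumerate(lines, 1):
        for ip_str in _IP_RE.findall(line):
            hit = ip_matches(ip_str)
            if hit:
                alerts.append(Alert(n, "ip", hit, line))
        for name in _DNS_RE.findall(line):
            hit = domain_matches(name)
            if hit:
                alerts.append(Alert(n, "domain", hit, line))
    return alerts


# Constructed sample log lines (192.0.2.0/24 stands in for the local network).
SAMPLE_LOG = [
    "Sep 13 01:02:13 fw1 kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP SPT=54321 DPT=80",
    "Sep 13 01:02:20 fw1 kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=192.0.2.5 PROTO=TCP SPT=4000 DPT=443",
    "Sep 13 01:05:44 dns1 named: client 192.0.2.5#4455: query: c2.example.invalid IN A +",
    "Sep 13 01:06:01 dns1 named: client 192.0.2.7#5112: query: www.example.org IN A +",
    "Sep 13 01:07:30 fw1 kernel: IN=eth1 OUT= SRC=192.0.2.5 DST=198.51.100.77 PROTO=TCP SPT=55000 DPT=8080",
    "Sep 13 01:08:12 dns1 named: client 192.0.2.5#4456: query: update.loader.example.invalid IN A +",
]


if __name__ == "__main__":
    for a in scan_lines(SAMPLE_LOG):
        print(f"line {a.line_no}: {a.ioc_type} IoC {a.ioc} -> {a.line}")
```

Matching on CIDR ranges rather than single addresses, and on subdomains of a listed domain, keeps the check useful when the operator shifts hosts within the same range or rotates hostnames under a known domain; an outbound hit (a local DST address talking to a listed range, as on the fifth sample line) is the one that points at an already-compromised device on the inside.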
If you are concerned that you may potentially be at risk of such malware or other cyber threats currently in circulation then please do not hesitate to contact us at: firstname.lastname@example.org.
Mirai 2.0: https://news.zepko.com/mirai-2-0/