IoT Malware Soars, with Both Consumer and Enterprise Devices at Risk

Kaspersky Lab’s IoT honeypot research shows a doubling of malware attacks since last year; attacks are coming from both home devices and computers with enterprise connectivity.

Written by Courtney Bjorlin
20th June 2017

The number of new malware samples targeting IoT devices has nearly doubled since last year, according to new research from Kaspersky Lab published on SecureList, the online headquarters of the firm’s security experts.

Most of the IoT malware attacks (more than 63 percent) originated from digital video recorder (DVR) services or IP cameras, while about 20 percent were different types of network devices and routers from all major manufacturers, according to the research. About 20 percent of the devices could not be identified unequivocally.

What’s more, honeypots not only recorded attacks coming from network hardware classed as home devices, but saw IoT malware attacks arriving from IP addresses that hosted monitoring and/or device management systems with enterprise and security links. This included point-of-sale devices at stores, restaurants and filling stations; digital TV broadcasting systems; physical security and access control systems; environmental monitoring devices; a monitoring system at a seismic station in Bangkok; industry-grade programmable microcontrollers; and power management systems, indicating that one or more devices were infected on the networks where they reside.

“IoT devices are now a ‘honey’ for cybercriminals,” Denis Makrushin, security researcher for Kaspersky Lab, said via email. “Connected devices are a potential entry point for attackers, which cannot be easily mitigated by traditional security solutions.”

It’s further evidence of the challenges inherent in securing connected devices. Slow and inconsistent firmware updates, preconfigured passwords that can be the same for a manufacturer’s entire product range, and the fact that devices often have telnet and/or SSH ports available to the outside world expose smart devices and the networks to which they’re connected to a host of vulnerabilities, according to researchers.

“The phenomena of integrating IoT with business processes creates another vector to affect these processes and, as a result, affects the whole business,” Makrushin said. “Cybercriminals see a new opportunity and create new threats based on exploitation of vulnerabilities in IoT devices.”

Ensuring that consumers recognize the risk of connected devices and IoT malware is a problem that even has the U.S. federal government’s attention. On Monday, the Federal Trade Commission added its input to draft guidance on how IoT device manufacturers can better inform consumers about security updates for IoT devices, according to an FTC press release.

Last year, Kaspersky Lab’s collection included 3,219 types of malware. This year, the honeypots, which imitated various devices running Linux and connected to the Internet, yielded 7,242 types of malware. In most cases, the attempted connections used the telnet protocol; the rest used SSH, according to the research. Most of the IP addresses from which attempted connections arrived at the honeypots respond to HTTP requests and typically, there were several devices using each IP address.

The researchers were “surprised by the speed of attackers’ reactions to the emergence of new resources on the Internet,” Makrushin said. For example, some seconds after the team published a new IoT resource, they would see the first attempted connections to the open telnet port.

Researchers also found that there are certain days of the week when there are surges in malicious activity (such as scanning, password attacks, and attempted connections).

“It appears Monday is a difficult day for cybercriminals too,” the researchers wrote. “We couldn’t find any other explanation for this peculiar behavior.”