If the Reaper IoT botnet is a time bomb, what’s the target?

The architects of the latest botnet are weaponizing known security vulnerabilities in IoT devices.

Brian Buntz

October 26, 2017

3 Min Read
A silhouette of a hacker with a black hat in a suit enters a hallway with walls textured with blue internet of things icons 3
Grid of black cpus with different iot symbols in white and one shining red hacker icon cybersecurity concept 3D illustrationThinkstock

IoT fueled-botnets are a bit like the hacking equivalent of a homemade bomb. They are relatively simple to make yet can cause immense damage when leveraged for distributed denial-of-service attacks (DDoS), as last year’s Mirai botnet illustrated. “DDoS is probably the absolute simplest thing you could possibly do with such power in your hands,” said Nadir Izrael, CTO of the IoT security startup Armis.

But while Mirai was able to overwhelm networks owned by internet giants such as Amazon, Twitter, Netflix and others, a new IoT botnet, known alternately as Reaper or IoTroop, could be many times stronger. Early reports suggest that the botnet has already hit more than 1 million organizations and that more than 2 million IoT devices are waiting in the queue of the botnet's command and control servers.  

“In any case, 2 million is a staggering number,” said Izrael. “Reaper is not the only botnet around, but, probably, it is the biggest that has been detected so far.”

It’s not yet clear, however, how the botnet might be used — whether it will be used to fuel a DDoS attack, corporate network surveillance or as an anonymity network to help hackers hide their tracks.

The sheer scale of the botnet is evidence that the hackers behind the attack are likely a coordinated bunch, said Peter Tran, general manager and senior director at RSA Security. While the botnet leverages code from Mirai and other malware sources in a crowd-sourced-like fashion, its method of recruiting IoT devices by leveraging common vulnerabilities such as CVE-2017–8225 is efficient and nimble. 

While attribution is notoriously difficult for cyberattacks, the Reaper botnet represents an evolution of sorts over Mirai. Its modus operandi is more sophisticated. Rather than simply looking for weak or default telnet passwords, it seeks to exploit an evolving list of vulnerabilities in IP cameras, digital video recorders and network video recorders.

While the botnet may work differently than Mirai, the range of device types that Reaper targets is similar. “The reason that DVRs and IP cameras keep coming up in botnets is that they have a need for direct network access and they are usually running a very old operating system. It could be an old version of Android, but it is mostly [an outdated] version of Linux,” Izrael said. “You would be amazed at how many devices from prominent manufacturers are running ancient operating systems, and they rarely, if ever, get patched. If this happens with mainstay devices, you can imagine what happens with DVR and IP cameras from second-tier companies.”

It just so happens that many of the affected devices are used in commercial settings. “It is sort of a misconception that this is a consumer problem,” Izrael noted.

Ultimately, the two most worrisome aspects of Reaper are that it suggests that the state of IoT security has barely budged since a year ago when Mirai struck and the fact that such botnets are difficult to detect. “The Mirai spurred board-level discussions around [whether] organizations would even know if one of their networked devices had been recruited into the botnet,” Izrael said. “If I were to tell you that a smart thermostat in an organization is transferring 1 GB of data outbound to a cloud environment, would you know if that is normal or not? Most people have no idea if that would be a normal operation or not. Even companies with entire security teams that are very capable are still struggling with questions like that.”

About the Author(s)

Brian Buntz

Brian is a veteran journalist with more than ten years’ experience covering an array of technologies including the Internet of Things, 3-D printing, and cybersecurity. Before coming to Penton and later Informa, he served as the editor-in-chief of UBM’s Qmed where he overhauled the brand’s news coverage and helped to grow the site’s traffic volume dramatically. He had previously held managing editor roles on the company’s medical device technology publications including European Medical Device Technology (EMDT) and Medical Device & Diagnostics Industry (MD+DI), and had served as editor-in-chief of Medical Product Manufacturing News (MPMN).

At UBM, Brian also worked closely with the company’s events group on speaker selection and direction and played an important role in cementing famed futurist Ray Kurzweil as a keynote speaker at the 2016 Medical Design & Manufacturing West event in Anaheim. An article of his was also prominently on kurzweilai.net, a website dedicated to Kurzweil’s ideas.

Multilingual, Brian has an M.A. degree in German from the University of Oklahoma.

Sign Up for the Newsletter
The most up-to-date news and insights into the latest emerging technologies ... delivered right to your inbox!

You May Also Like