In most circumstances, anything numbering in the billions is difficult to comprehend. It’s an abstractly huge volume normally reserved for the global population or the gross domestic products of mid-sized economies.
It’s also the scale of cyberattacks that hit our global honeypots in the first half of this year.
The data from our honeypot network is compiled into our Attack Landscape report, and the latest report, covering the first half of 2019, revealed several alarming trends. For the first time, the number of attacks recorded by the honeypots exceeded one billion. In fact, the volume rocketed all the way up to 2.9 billion, more than twelve times the figure for the first half of 2018.
One of the biggest factors has been a snowballing number of compromised internet of things (IoT) devices, combined with the prevalent use of tools such as the Mirai botnet malware and the EternalBlue SMB exploit, which make it possible to rapidly spread infections across networks. This should serve as a warning for all organisations to ensure that any IoT devices connected to their networks are secured against being used as an attack vector.
IoT – an attacker’s dream target
The quantity of connected devices has grown exponentially in recent years, with the total number predicted to exceed 38 billion in the next 12 months. The IoT has proven to be hugely useful for everything from consumer gadgets to industrial sensors, but the skyrocketing number of devices has also provided threat actors with an incredibly powerful tool for launching attacks.
The NCSC’s 2019 Annual Review shone the spotlight on both the benefits and challenges presented by connected technology. The report pointed out that the proliferation of devices presents a risk of leaving security considerations behind, but also discussed the opportunity to implement a standardised ‘Secure by Design’ approach for IoT-enabled devices moving forwards.
At present, however, the majority of IoT devices tend to be poorly secured, often running outdated software or still using factory-default credentials, which makes compromising them trivial. At the same time, it’s become steadily easier and cheaper for criminals to acquire tools that enable them to launch high-volume, low-sophistication attacks that are ideally suited to compromising large numbers of poorly secured devices. Indeed, 99.9% of the traffic picked up by our honeypots is automated, coming from bots, malware and other tools.
As well as being easy prey for these automated attacks, connected devices are also ideal targets to turn into bots for use in further campaigns. While threat actors still make ready use of compromised traditional computers, their bot armies are now increasingly composed of IoT devices ranging from industrial sensors to smart watches and connected toothbrushes. These bots can lend their numbers to attack strategies such as overwhelming a target’s servers in a DDoS attack.
IoT cyberattacks: What tools are attackers using?
A powerful indicator of just how popular a target connected devices have become is that the greatest volume of attacks recorded by our honeypots targeted Telnet (TCP port 23), an unencrypted remote-login protocol that rarely sees much use outside of IoT devices these days.
Likewise, the malware found in the honeypots was largely comprised of variations on Mirai, self-propagating botnet malware that logs into IoT devices over Telnet using a built-in list of factory-default usernames and passwords. Despite first appearing in 2016, Mirai has continued to be a dominant force, and a worrying new trend has seen criminals develop variations that are specifically engineered to infect enterprise IoT devices. Digital signage monitors, wireless presentation systems and other such devices give attackers access to higher-bandwidth connections than consumer devices typically offer, which enables them to launch stronger DDoS attacks.
After Telnet, the heaviest attack traffic was seen targeting port 445, which is used for SMB (server message block), the Windows protocol governing shared access to files and resources such as printers. EternalBlue, an exploit for a vulnerability in SMBv1 that Microsoft patched in March 2017 (MS17-010), was central to the infamous WannaCry attack that year and, much like Mirai, criminals have continued to fold it into new malware. In fact, if anything it seems to be at the height of its popularity right now.
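To make the two observations above concrete (attack volume ranked by destination port, and Mirai-style credential guessing against Telnet), here is an added example that is not part of the original report or its tooling. It parses a small set of constructed honeypot connection records, ranks them by port, and flags sources that work through the factory-default username/password pairs hard-coded in the public Mirai source. The log format, the field names and the sample IP addresses are assumptions made for the example; the credential list is a subset of the real Mirai list, not the whole of it.

```python
"""Rank honeypot traffic by destination port and spot Mirai-style Telnet
credential guessing.

Added example. The log lines below are constructed for illustration and the
record format (timestamp, source IP, destination port, optional user/pass)
is an assumption, not the output format of any real honeypot product.
"""
from collections import Counter, defaultdict
import re

# Constructed sample of honeypot connection records. Port 23 is Telnet,
# 2323 is the alternate Telnet port Mirai also scans, 445 is SMB.
SAMPLE_LOG = """\
2019-03-01T10:00:01Z src=198.51.100.7 dport=23 user=root pass=xc3511
2019-03-01T10:00:02Z src=198.51.100.7 dport=23 user=root pass=vizxv
2019-03-01T10:00:02Z src=198.51.100.7 dport=23 user=admin pass=admin
2019-03-01T10:00:03Z src=203.0.113.9 dport=445
2019-03-01T10:00:04Z src=203.0.113.9 dport=445
2019-03-01T10:00:05Z src=192.0.2.44 dport=2323 user=root pass=hunter2
2019-03-01T10:00:06Z src=192.0.2.44 dport=22 user=ubuntu pass=ubuntu
2019-03-01T10:00:07Z src=198.51.100.7 dport=23 user=root pass=888888
2019-03-01T10:00:08Z src=203.0.113.9 dport=445
"""

PORT_NAMES = {23: "telnet", 2323: "telnet-alt", 445: "smb", 22: "ssh"}

# Subset of the default credential pairs hard-coded in the public Mirai
# source (scanner.c). Enough for illustration; the real list is longer.
MIRAI_DEFAULTS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "default"),
    ("root", "123456"), ("support", "support"), ("admin", "password"),
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dport=(?P<dport>\d+)"
    r"(?: user=(?P<user>\S+) pass=(?P<pw>\S+))?$"
)


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()          # user/pw are None when absent
            rec["dport"] = int(rec["dport"])
            yield rec


def port_ranking(records):
    """Return [(port_label, count), ...] sorted by volume, most hit first."""
    counts = Counter(PORT_NAMES.get(r["dport"], str(r["dport"])) for r in records)
    return counts.most_common()


def mirai_style_sources(records, threshold=2):
    """Sources that tried at least `threshold` distinct Mirai default pairs
    against Telnet. One default pair could be a sysadmin's mistake; several
    from the same source is scanner behaviour."""
    hits = defaultdict(set)
    for r in records:
        if r["dport"] in (23, 2323) and r["user"] is not None:
            if (r["user"], r["pw"]) in MIRAI_DEFAULTS:
                hits[r["src"]].add((r["user"], r["pw"]))
    return {src: sorted(pairs) for src, pairs in hits.items()
            if len(pairs) >= threshold}


if __name__ == "__main__":
    recs = list(parse(SAMPLE_LOG))
    for label, n in port_ranking(recs):
        print(f"{label:10s} {n}")
    for src, pairs in mirai_style_sources(recs).items():
        print(f"{src}: {len(pairs)} Mirai default pairs tried {pairs}")
```

On the constructed sample, Telnet outranks SMB, matching the ordering the report describes, and 198.51.100.7 is the only source flagged: it tried four different Mirai defaults, whereas 192.0.2.44 tried a password that is not on the list. Raising `threshold` trades sensitivity for fewer false positives on a busier honeypot.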
IoT cybersecurity: How can businesses defend themselves?
It’s certainly alarming to see the number of attacks detected by our honeypot network not only exceed one billion for the first time, but actually jump all the way to nearly three billion over six months. However, the real takeaway for businesses should be the increasing use of low-effort, high-volume attacks targeting IoT devices.
These types of attacks are so prevalent because the vast majority of connected devices are still poorly secured. Although the sheer volume of attacks is intimidating, they are generally easy to defend against with fairly basic security precautions.
First and foremost, organisations need to map their attack surfaces. It is imperative to have a solid idea of what devices and services are on the network and how secure they are. Many IoT devices used by businesses do not need to be publicly accessible, so organisations can prevent these devices from causing problems simply by finding them, putting them behind a firewall and making sure that none of their management interfaces (Telnet, SMB, web admin pages) are reachable from the internet. Firms should also assess whether each device is actually necessary and retire any old assets that are no longer required to ensure that they cannot be exploited.
Firms should also ensure that they have a robust process in place for updating software and applying security patches, covering any and all connected devices on the network. Automated high-volume attacks count on devices that have been overlooked and allowed to become outdated, so keeping everything up to date removes the foothold the majority of these threats depend on. Where a vendor no longer ships updates for a device, patching is not an option, and the device should be isolated on its own network segment or replaced.
Finally, organisations should equip themselves with the ability to detect unusual activity on their network, including traffic from any connected devices they have installed: a signage screen that starts probing other hosts for Telnet, or a sensor that suddenly pushes large volumes of outbound traffic, is behaving like a bot. This will enable the business to identify attackers that have already infiltrated the network and empower them to eliminate the threat.
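The three steps above (map the attack surface and retire what is not needed, keep what remains patched, and watch device traffic for bot behaviour) lend themselves to simple automated checks. The following is an added example, not code from the report or from any product: it runs an exposure review over a constructed asset inventory and a behavioural check over constructed flow records, flagging devices that expose management services to the internet, devices that are end-of-life, and internal hosts whose outbound traffic looks like Mirai Telnet scanning or DDoS participation. The inventory fields, flow-record layout, hostnames, addresses and thresholds are all assumptions made for the example.

```python
"""Attack-surface review and bot-behaviour detection for IoT devices.

Added example. The inventory and flow records are constructed for
illustration; the field names are assumptions, not the schema of any real
asset-management or NetFlow tool.
"""
from collections import defaultdict

# Services that should never face the internet on an IoT device.
RISKY_SERVICES = {23: "telnet", 2323: "telnet-alt", 445: "smb", 22: "ssh"}

# Constructed inventory: name, address, open ports, whether the device is
# reachable from the internet, and whether the vendor still ships updates.
INVENTORY = [
    {"name": "lobby-signage-1", "ip": "10.0.5.20", "ports": [23, 80],   "public": True,  "eol": False},
    {"name": "present-wifi-2",  "ip": "10.0.5.21", "ports": [22, 443],  "public": False, "eol": False},
    {"name": "old-nvr",         "ip": "10.0.5.22", "ports": [23, 445],  "public": True,  "eol": True},
    {"name": "hvac-sensor-7",   "ip": "10.0.5.23", "ports": [8883],     "public": False, "eol": False},
]

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes).
# old-nvr probes 40 external hosts on Telnet (Mirai-style propagation);
# present-wifi-2 pushes 30 MB at a single host (flood); lobby-signage-1
# does ordinary HTTPS traffic.
FLOWS = (
    [("10.0.5.20", "10.0.7.1", 443, 2_100), ("10.0.5.20", "10.0.7.1", 443, 1_900)]
    + [("10.0.5.22", f"198.51.100.{i}", 23, 60) for i in range(1, 41)]
    + [("10.0.5.21", "203.0.113.5", 80, 1_500_000) for _ in range(20)]
)


def exposure_findings(inventory):
    """Return [(device, reason), ...] for devices to firewall or retire."""
    findings = []
    for dev in inventory:
        exposed = [RISKY_SERVICES[p] for p in dev["ports"] if p in RISKY_SERVICES]
        if dev["public"] and exposed:
            findings.append((dev["name"],
                             f"{'/'.join(exposed)} reachable from the internet"))
        if dev["eol"]:
            findings.append((dev["name"],
                             "end-of-life, no patches available: isolate or replace"))
    return findings


def bot_findings(flows, scan_threshold=30, flood_bytes=10_000_000):
    """Flag sources that behave like a Telnet scanner (many distinct
    destinations on 23/2323) or a flood bot (large volume to one host)."""
    telnet_targets = defaultdict(set)
    bytes_per_pair = defaultdict(int)
    for src, dst, dport, nbytes in flows:
        if dport in (23, 2323):
            telnet_targets[src].add(dst)
        bytes_per_pair[(src, dst)] += nbytes

    findings = []
    for src, targets in telnet_targets.items():
        if len(targets) >= scan_threshold:
            findings.append((src, f"telnet scanning: {len(targets)} distinct destinations"))
    for (src, dst), total in bytes_per_pair.items():
        if total >= flood_bytes:
            findings.append((src, f"possible flood: {total} bytes to {dst}"))
    return findings


if __name__ == "__main__":
    for name, reason in exposure_findings(INVENTORY):
        print(f"[exposure] {name}: {reason}")
    for src, reason in bot_findings(FLOWS):
        print(f"[behaviour] {src}: {reason}")
```

On the constructed data, the exposure review flags the signage screen (Telnet on the internet) and the old NVR twice (Telnet and SMB exposed, and no vendor patches), while the behavioural check catches the NVR scanning and the presentation system flooding even though the latter passed the exposure review; the two checks are complementary, which is why the text lists both. In a real deployment the thresholds would be tuned against a baseline of each device's normal traffic, and the inventory would come from a scanner or asset database rather than a literal list.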
While the threat actors have numbers on their side, their quantity over quality approach will not succeed against those businesses that take the time to get the security basics right.