According to Netlab, a new IoT botnet that dwarfs last year’s Mirai attack is building. Reaper takes advantage of nine different vulnerabilities and over 100 DNS open resolvers to take over IoT devices and launch attacks. Although the botnet hasn’t been deployed in a major attack yet, it is still growing.
Unlike Mirai, which took devices over by breaking weak passwords, Reaper doesn’t bother with passwords. It goes straight into devices from Netgear, D-Link, Linksys and others by exploiting known vulnerabilities. The number of exploits it uses is expanding, with Netlab saying Reaper’s creators are finding and adding new exploits regularly. The researchers say the “author will be able to write very complex and efficient attack scripts now” as a result of the development effort they have put into Reaper.
Check Point says over a million organisations have already been infected, with Australian systems already hit. Netlab says the number is closer to two million and says thousands of those devices have already been taken over and controlled, presumably in some sort of test run for a broader attack.
And, like the recent WannaCry and NotPetya attacks, Reaper is self-spreading: once it enters a network, it seeks out vulnerable targets and infects them without direct intervention by the malware developer.
Last year’s Mirai attack caused significant disruption, taking out tens of thousands of websites when DNS provider Dyn was pummelled in a massive DDoS attack.
As always, the first defence against attacks like this is to ensure all your firmware is up to date and that any devices that may be vulnerable but can’t be updated are air-gapped or protected in some other way. Monitoring traffic in and out of your network is critical. With botnets like Reaper, you may not be the target, but your network and devices can be exploited by bad actors if they are left in a vulnerable state.