Time to prepare for Reaper botnet is now

Reaper botnet: how ISPs and Telcos can protect home users?

75.4 billion connected devices will be online by 2025. The critical problem with smart devices is that they are not secure by design. Most Internet of Things (IoT) gadgets in automated homes are unprotected against hacking, phishing, unauthorized access, and malware. One of the threats that recently made the headlines is the Reaper botnet.

28 000 to 1 million devices enlisted

A new Internet of Things botnet (also known as IoTReaper/IoTroop) shares many patterns with the Mirai botnet that impacted a lot of services in January 2017. According to various reports, Reaper is estimated to have compromised between 28 000 and 1 million devices worldwide. An additional 2 million IoT devices are queued and could be compromised soon.

This botnet is spreading rapidly, recruiting up to around 10 000 vulnerable IoT devices per day. The list includes home routers, wireless IP cameras, and other smart home devices.

At the moment, no attacks have been observed by the global security community or by CUJO Cyber Defense Intelligence.

There is an assumption that an attack originating from such a botnet could reach 20 Tbps. However, this figure remains theoretical without more information. We still need to know more about the attack profiles and Modus Operandi (MO) of the possible criminal group.

Mirai in 2016 enlisted over 100 000 vulnerable IoT devices. Once it attacked, it disrupted service for 900 000 Deutsche Telekom clients and 2 400 TalkTalk router users, and brought down the DNS service provider Dyn.

If Mirai could do so much damage with only 100 000, what could Reaper do with 2 million devices?

What could be the impact for businesses?

Botnets such as Mirai are made up mainly of Internet-enabled digital video recorders (DVRs), surveillance cameras, and other IoT devices. These gadgets are manufactured by D-Link, GoAhead, JAWS, Netgear, Vacron, Linksys, and AVTECH. All of them can be utilized by attackers to launch multiple high-impact DDoS attacks against various Internet services.

There is a possibility that the botnet's malicious capability will be used for ransom-driven DDoS attacks, as the general size and scale of such an attack would be enough to bring down the majority of online services.

This type of attack gives criminals the ability to launch DDoS attacks against specific targets in exchange for a monetary ransom. Mirai was used to turn connected devices running Linux into remotely controlled 'bots' that serve as attack infrastructure in large-scale network attacks.

IoTReaper follows a strategy similar to Mirai's (which recruited Linux-based devices into remotely controlled bots). In addition, IoTReaper has more advanced methods embedded in its code. It uses hacking techniques (i.e., password-cracking software and other customized malicious components) to grow its army of bots more efficiently.

The losses related to DDoS attacks can be vast. The average DDoS attack against an enterprise is estimated to cost around $2.5 million. Businesses are more willing to pay the ransom than to face the aftermath of a DDoS attack. Even the threat of a DDoS attack can land the hackers $100 000.

How can CUJO AI protect against the Reaper?

Internet Service Providers and Telcos stand in a unique position. Through home LAN gateways they can deploy cybersecurity solutions that protect home users from losing control of their devices. In the process, they can help home users protect their privacy and their personal and financial information.

One of the main advantages of this nascent IoT botnet is its ability to recruit a massive number of vulnerable IoT devices. Services such as Shodan.io make it convenient for criminal groups to identify potentially exposed pools of IoT devices across the globe and exploit them.

CUJO AI cloud security controls provide Remote Access, Device Behavioral Analytics, and Real-Time Threat Intelligence features. They are a practical countermeasure in the early attack stages: they prevent a successful Reconnaissance, Delivery or Exploitation phase of an attack targeted at unsecured and vulnerable home consumer IoT devices.

By embedding CUJO cloud security controls in their routers, ISPs could provide an additional layer of security for the whole home consumer IoT ecosystem. It would be a sufficient countermeasure for slowing down the IoT botnet's recruitment phases and evolution.
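To make the Device Behavioral Analytics idea concrete, here is an added example (not CUJO AI code) of a gateway-side heuristic: a home device that suddenly contacts many distinct external hosts on telnet or embedded web-admin ports within a short window is behaving like a bot hunting for new recruits, and the gateway can flag it before it helps grow the botnet. The flow-log format, the port list and the thresholds are assumptions made for this example, and the sample log is constructed.

```python
from collections import defaultdict
from datetime import datetime

# Ports commonly probed during Mirai-style recruitment (telnet, embedded web admin).
RECRUITMENT_PORTS = {23, 2323, 80, 81, 8080}

# Constructed sample flow log from a home gateway; the format (time, LAN source,
# destination, destination port) is assumed for this example.
SAMPLE_FLOWS = """\
2017-10-24T10:00:01 192.168.1.20 93.184.216.34 443
2017-10-24T10:00:09 192.168.1.20 198.51.100.40 80
2017-10-24T10:00:03 192.168.1.31 198.51.100.7 23
2017-10-24T10:00:03 192.168.1.31 198.51.100.8 23
2017-10-24T10:00:04 192.168.1.31 198.51.100.9 2323
2017-10-24T10:00:04 192.168.1.31 203.0.113.10 23
2017-10-24T10:00:06 192.168.1.31 203.0.113.11 81
2017-10-24T10:00:07 192.168.1.31 203.0.113.12 23
2017-10-24T10:00:30 192.168.1.31 203.0.113.13 8080
"""

def parse_flows(text):
    """Yield (timestamp, src, dst, port) tuples from the constructed log format."""
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port = line.split()
            yield datetime.fromisoformat(ts), src, dst, int(port)

def find_scanners(text, window_s=60, min_targets=5):
    """Flag LAN devices that contact at least min_targets distinct hosts on
    recruitment ports within any sliding window of window_s seconds."""
    per_src = defaultdict(list)
    for ts, src, dst, port in parse_flows(text):
        if port in RECRUITMENT_PORTS:
            per_src[src].append((ts, dst, port))
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until it spans at most window_s seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            window = events[start:end + 1]
            targets = {dst for _, dst, _ in window}
            if len(targets) >= min_targets:
                alerts[src] = {"distinct_targets": len(targets),
                               "ports": sorted({p for _, _, p in window})}
                break  # one alert per device is enough for the gateway to act
    return alerts
```

On the sample log the camera at 192.168.1.31 is flagged after touching five hosts in a few seconds, while the laptop at 192.168.1.20 with ordinary HTTPS and one port-80 flow is not.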

Read more about how ISPs and Telcos should handle cybersecurity in my previous blog post.

Find out more in our security platform page.