Phishing and ransomware have recently garnered the lion’s share of attention from the media and security professionals, but the latest twist in cyber threats promises to present additional challenges for MSPs who are committed to comprehensively protecting their clients.
In an insightful podcast hosted by IT channel expert Pedro Pereira, Webroot senior threat research analyst Tyler Moffitt was asked to discuss what he considers the most surprising development in 2016’s threat landscape: “Usually I would say something along the lines of ransomware, phishing, malvertising,” Moffitt replies. “But the Mirai source code being released on the Internet of Things is absolutely huge. This is the new frontier...you have to worry about everything.”
As Moffitt explains, “Your IP cameras, your routers, your DVRs can all be used against you.” Unfortunately, this new focus on the Internet of Things (IoT) is just the latest chapter in the evolution of cybercrime targets, which have expanded from desktop computers, servers, and laptops into the BYOD universe of smartphones and tablets and, more recently, into IoT.
Moffitt goes on to detail just how easy it is for the bad guys to gain access to IoT devices, using routers as an example: “Those of us familiar with routers and how you initially buy and set them up know that you have to log into them through the IP address. Usually you have a default username and password that’s given to you, like ‘admin’ for the username and ‘user’ for the password.
“It’s generic,” he continues, “and it’s there so that when you log in, you can set it up, create your WiFi password, and then hopefully change the password to the actual web router firmware. That’s what you're supposed to do, anyway, not leave it at default. It turns out that tens of millions of people aren’t doing that; they’re leaving it at default.”
This kind of basic human error—all too common among consumers and businesses alike—makes it easy for threats like Mirai to wreak havoc on unsuspecting companies. According to Moffitt, the tactics Mirai employs are surprisingly simple. “Mirai is this little tiny botnet that scans Telnet, a subset of the internet. Everything using TCP/IP protocol—they're all on Telnet.
“What Mirai does is scan Telnet for all these devices,” Moffitt points out. “It only has around 60 or 70 banked default usernames and passwords, and it just brute-force tries to log into these devices using the default list. [The list is] compiled from all the default usernames and passwords from all the vendors. You'd be surprised how many devices Mirai is able to log into.”
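Seen from the device side, the default-list login pattern Moffitt describes looks like one source cycling through many different accounts within seconds. The following is an added example, not part of the original post, that flags that pattern in Telnet login logs. The log line format, the function name and the thresholds are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in an assumed syslog-like format (not from a real device).
SAMPLE_LOG = """\
2016-10-21T11:10:01Z telnetd[412]: login failed user=root src=203.0.113.7
2016-10-21T11:10:02Z telnetd[412]: login failed user=admin src=203.0.113.7
2016-10-21T11:10:03Z telnetd[412]: login failed user=guest src=203.0.113.7
2016-10-21T11:10:04Z telnetd[412]: login failed user=support src=203.0.113.7
2016-10-21T11:10:05Z telnetd[412]: login ok user=user src=203.0.113.7
2016-10-21T11:12:00Z telnetd[412]: login failed user=admin src=198.51.100.20
2016-10-21T11:12:30Z telnetd[412]: login failed user=admin src=198.51.100.20
2016-10-21T11:13:10Z telnetd[412]: login ok user=admin src=198.51.100.20
"""

# Assumed line layout: timestamp, daemon tag, result, username, source address.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnetd\[\d+\]: login (?P<result>failed|ok) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def detect_default_credential_sweeps(log_text, min_users=4, window=timedelta(seconds=60)):
    """Return {src: 'sweep' | 'sweep_then_login'} for sources cycling through usernames.

    A person mistyping a password retries ONE account; a default-list sweep
    tries many different accounts in seconds, so we count distinct failed
    usernames per source inside a sliding time window.
    """
    recent = defaultdict(deque)   # src -> deque of (timestamp, username) failures
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines in other formats
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        src, fails = m["src"], recent[m["src"]]
        while fails and ts - fails[0][0] > window:
            fails.popleft()  # drop failures that fell out of the window
        if m["result"] == "failed":
            fails.append((ts, m["user"]))
        swept = len({user for _, user in fails}) >= min_users
        if swept and m["result"] == "ok":
            # A success while the sweep is still in the window: a listed credential worked.
            findings[src] = "sweep_then_login"
        elif swept:
            findings.setdefault(src, "sweep")
    return findings
```

A `sweep_then_login` result is the case to escalate: as the article notes, a device taken over this way keeps functioning normally, so the log entry may be the only visible sign.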
A well-known example of Mirai’s destructive power is the October 2016 attack on Dyn, which resulted in a temporary shutdown of Twitter and Netflix. Tens of millions of IoT devices were hacked by Mirai and used for a distributed denial-of-service (DDoS) attack. As a result, the perpetrators were able to harness over a terabyte per second of bandwidth to launch a DDoS on these sites.
Moffitt recalls, “Usually [DDoS attacks] are used with computers, but in this case it was with people’s IP cameras, routers and DVRs. The scary thing is that when these are hacked and turned into a botnet, you don’t really have any idea because they still function as intended. Your router will still send you internet to all the IP addresses you have. Your DVR will still function, no problem, and so will your IP camera.”
A recent attack in Germany shut down 900,000 routers, and a new patch had to be released to protect the routers that had been given out. Moffitt sighs, “It's definitely something to worry about. We're only going to see it grow from here.”
For MSPs, the lesson is clear: your watchfulness must extend beyond your clients’ obvious hardware vulnerabilities (servers, desktops, laptops, smartphones, etc.) to seemingly innocuous IoT devices, like routers, cameras, DVRs, and the like. Protecting your customers from cybercriminals is an ongoing battle, and the fact of the matter is that the battlefield is constantly shifting. Stay vigilant, MSPs.
Guest blogs such as this one are published monthly and are part of MSPmentor's annual platinum sponsorship.