Reaper- Is Your Network Secured Against This New IoT Botnet?

Koby Meir

One year ago, an army of devices infected with Mirai malware amassed into a botnet that caused some of the largest DDoS attacks to date. The attacks targeted, among others, the major DNS provider Dyn and the website of Brian Krebs, a well-known investigative reporter who covers information security and cybercrime.

At the attack's peak, the traffic on Krebs' website reached 620 Gbit/s and surpassed 1 Tbit/s on Dyn's servers. Those attacks caused major services such as GitHub, Netflix, and Airbnb to be unavailable to users in Europe and North America for prolonged periods of time.

This week, security researchers are sounding the alarm that malware more advanced than Mirai is affecting IoT devices on a greater scale than Mirai did. According to teams at the Israeli firm Check Point and the Chinese firm Netlab 360, the new worm, named IoT_reaper, IoTroop, or simply Reaper, is a powerful malware that borrows code from Mirai but extends and expands the latter's capabilities. It's estimated that over a million organizations have already been infected. The botnet has not yet been activated and is still in an active phase of spreading.
[Figure: Reposify, distribution of vulnerable devices by country]

According to our data, the countries with the largest number of devices vulnerable to Reaper are South Korea, Brazil and the United States.

This new threat deserves our attention for a number of reasons. Unlike Mirai, Reaper does not attempt to crack the passwords of the devices it targets, such as webcams and routers, but rather exploits known vulnerabilities in them. Some of those vulnerabilities are fresh and were disclosed as recently as a few days ago. The list of susceptible devices includes models by well-known vendors such as D-Link, TP-Link, and NETGEAR, as well as devices running the ubiquitous embedded web server GoAhead. Another point of concern is the inclusion of a built-in Lua execution environment (Lua is an interpreted scripting language designed for embedded systems), which allows for powerful and complex attacks.

Here at Reposify, we are in a unique position to truly appreciate the full potential of Reaper. As a company whose business is to understand IoT devices and digital assets worldwide, we have built a tool that helps users assess their own networks by checking their source IP.
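As an added illustration of the kind of exposure check described above (example code written for this post, not Reposify's tool), the script below takes raw HTTP response heads collected from an internal scan and flags hosts whose banners match the device families named here: GoAhead-based devices, D-Link, TP-Link and NETGEAR. The hosts, banners and fingerprint patterns are constructed for the example; the output is a patch-priority list, not a verdict on whether a device is actually exploitable.

```python
"""Flag hosts in an internal inventory whose web banners match the device
families named in the Reaper reporting. Illustrative example, not Reposify's tool."""
import re

# Constructed sample: raw HTTP response heads from an internal scan
# (addresses and banner strings are made up for illustration).
SAMPLE_RESPONSES = {
    "10.0.0.12:80": "HTTP/1.1 200 OK\r\nServer: GoAhead-Webs\r\nContent-Type: text/html\r\n\r\n",
    "10.0.0.17:80": "HTTP/1.0 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"NETGEAR Router\"\r\n\r\n",
    "10.0.0.23:8080": "HTTP/1.1 200 OK\r\nServer: nginx/1.12.2\r\n\r\n",
    "10.0.0.31:80": "HTTP/1.1 200 OK\r\nServer: D-Link HTTPD\r\n\r\n",
    "10.0.0.40:80": "HTTP/1.1 200 OK\r\nServer: TP-LINK HTTPD/1.0\r\n\r\n",
}

# Vendor / embedded-server fingerprints for the families named in the post.
# Patterns are assumptions for the example; tune them to your own inventory.
FINGERPRINTS = [
    ("GoAhead embedded web server", re.compile(r"goahead", re.I)),
    ("D-Link", re.compile(r"d-?link", re.I)),
    ("TP-Link", re.compile(r"tp-?link", re.I)),
    ("NETGEAR", re.compile(r"netgear", re.I)),
]


def parse_head(raw):
    """Split a raw HTTP response head into (status line, {lowercase header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def classify(raw):
    """Return the matched device family for one response, or None if no match."""
    _, headers = parse_head(raw)
    # Server and WWW-Authenticate are the headers that usually carry device identity.
    evidence = " ".join(headers.get(h, "") for h in ("server", "www-authenticate"))
    for family, pattern in FINGERPRINTS:
        if pattern.search(evidence):
            return family
    return None


def flag_exposed(responses):
    """Map host -> device family for every host matching a Reaper-relevant family."""
    flagged = {}
    for host, raw in responses.items():
        family = classify(raw)
        if family is not None:
            flagged[host] = family
    return flagged
```

Hosts that appear in the result should be checked against the vendor's firmware advisories and, where possible, have their management interfaces removed from the public side of the network.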

Regardless of the sophistication and spread of Reaper, we hope the tools and knowledge shared here with the security community will help to mitigate and contain the attack when it strikes.

References

https://krebsonsecurity.com/2017/10/reaper-calm-before-the-iot-security-storm/
http://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/
https://research.checkpoint.com/new-iot-botnet-storm-coming/
https://research.checkpoint.com/iotroop-botnet-full-investigation/
https://en.wikipedia.org/wiki/2016_Dyn_cyberattack
https://en.wikipedia.org/wiki/Mirai_(malware)

Koby Meir

Koby Meir is an expert software engineer with close to two decades of experience. Koby has a diverse and well-rounded background ranging from assembly to complex web applications written in Python. Prior to founding Reposify, Koby led various software development and devops teams at both mid-size and international corporations including Conduit, Ajilion and Elbit Systems. Koby is an alumnus of the IDF’s elite C4I Corps where he served for over four years as an embedded system developer and team leader.
