Unsecured IoT Devices Create Targets of Opportunity for Growing Botnets

This week, three newly discovered botnets were added to the NJCCIC Botnet Threat Profile, two of which, Fast Flux and Reaper, exploit unpatched and unsecured internet-connected devices. Fast Flux, a multi-purpose botnet currently made up of approximately 14,000 IP addresses, builds its network of command-and-control (C2) servers by compromising devices that have TCP port 7547 open and exposed to the internet. This is the TR-069 (CWMP) remote-management port that internet service providers (ISPs) typically use to connect to their customers' routers. Reaper, a much larger and rapidly growing botnet of nearly two million devices, targets open and unsecured IP cameras, network video recorders (NVRs), and digital video recorders (DVRs). Many IP cameras accept remote connections on port 81, and commonly used remote-access ports for routers, NVRs, and DVRs include 80, 82, 443, 37777, 4567, 8080, and 8090. These devices also typically ship with default login credentials that are easy to find online. Using Shodan, the search engine for the internet-of-things (IoT), and excluding results for ports 80 and 443, the NJCCIC found over half a million devices within the State of New Jersey with one or more of the remaining ports open and exposed to the internet. That exposure is a considerable risk: a malicious actor can brute-force the login credentials, gain administrative access, replace the firmware with malware, and use the device to conduct attacks against other victims. An open port is not by itself proof of compromise, but it is the attack surface these botnets are scanning for.

The NJCCIC assesses with high confidence that IoT devices that are exposed via commonly used ports and have default or no login credentials are at an increased risk of compromise by malicious actors. We recommend performing a network audit to determine which devices and ports are exposed to the internet and closing any port that does not need to be reachable from the internet. Run the audit from outside your own network, or compare it against a Shodan query for your public address range, since a scan from inside the LAN will not show what the router's WAN side actually exposes. Change the default passwords on all devices such as IP cameras, routers, NVRs and DVRs, using a lengthy and unique password for each, and enable multi-factor authentication where the device supports it. Keep all devices updated with the latest patches and firmware. If you suspect a device has already been compromised, reboot it, reset it to its factory-default settings, and change the login credentials before returning it to use. Note that a reboot only removes malware that was running in memory, and a factory reset typically restores the default configuration rather than the original firmware; if the attacker replaced the firmware, reflash it from an image obtained from the vendor, or retire the device if no trustworthy image is available. More information and strategies to prevent and mitigate potential IoT compromise are available in the NJCCIC Botnet Threat Profile.
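As an added example (not part of the NJCCIC advisory or any vendor tool), the following Python script performs the kind of exposure audit recommended above: it probes a list of hosts for the ports named in the advisory and, on the plain-HTTP ports, checks whether the device's web interface demands a login (HTTP 401) or serves its pages to anyone (HTTP 200). The watchlist labels, the host list and the two local stand-in "devices" that demo() starts are constructed for illustration; in real use, call audit() against your own public address range from a host outside that network.

```python
import http.client
import http.server
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# Ports from the advisory: TR-069 (7547) plus the web/remote-access ports
# commonly open on IP cameras, routers, NVRs and DVRs. Labels are assumptions.
WATCHLIST = {
    7547: "TR-069/CWMP ISP remote management (abused by Fast Flux)",
    80: "HTTP web interface",
    81: "HTTP web interface (common on IP cameras)",
    82: "HTTP web interface",
    443: "HTTPS web interface",
    4567: "router remote access",
    8080: "alternate HTTP web interface",
    8090: "alternate HTTP web interface",
    37777: "DVR/NVR remote access",
}
# Plain-HTTP ports where a GET / shows whether the device asks for a login.
HTTP_PORTS = {80, 81, 82, 8080, 8090}


def port_open(host, port, timeout=1.0):
    """TCP connect probe: True if something on host accepted the connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def web_auth_state(host, port, timeout=2.0):
    """GET / on a plain-HTTP port: 'login' if the device answered 401,
    'open' if it served a page with no auth challenge, else 'unknown'."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", "/")
        status = conn.getresponse().status
        conn.close()
    except (OSError, http.client.HTTPException):
        return "unknown"
    return {401: "login", 200: "open"}.get(status, "unknown")


def audit(hosts, ports=WATCHLIST, http_ports=HTTP_PORTS, timeout=1.0, workers=32):
    """Return {host: {port: {'service': ..., 'web_auth': ...}}} for open ports only."""
    jobs = [(h, p) for h in hosts for p in ports]
    with ThreadPoolExecutor(max_workers=workers) as ex:
        opened = list(ex.map(lambda hp: port_open(hp[0], hp[1], timeout), jobs))
    report = {}
    for (host, port), is_open in zip(jobs, opened):
        if not is_open:
            continue
        finding = {"service": ports[port]}
        if port in http_ports:
            finding["web_auth"] = web_auth_state(host, port, timeout)
        report.setdefault(host, {})[port] = finding
    return report


class _LoginRequired(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a device whose web UI asks for credentials."""
    def do_GET(self):
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Basic realm="dvr"')
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


class _NoLogin(_LoginRequired):
    """Constructed stand-in for a device whose web UI is served to anyone."""
    def do_GET(self):
        body = b"<html>camera</html>"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def _serve(handler):
    """Start a throwaway local HTTP server on an ephemeral port."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def demo():
    """Audit the two stand-in devices plus one closed port; return the report."""
    login_srv, login_port = _serve(_LoginRequired)
    open_srv, open_port = _serve(_NoLogin)
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]  # nothing listens here once closed
    spare.close()
    ports = {login_port: "demo DVR web UI", open_port: "demo camera web UI",
             closed_port: "demo closed port"}
    try:
        return audit(["127.0.0.1"], ports=ports, http_ports={login_port, open_port})
    finally:
        for srv in (login_srv, open_srv):
            srv.shutdown()
            srv.server_close()
```

A device that shows up with web_auth "open" on one of these ports is the worst case the advisory describes: reachable from the internet and not even asking for a password. A "login" result still needs the default-credential check and password change described above; the script deliberately does not try any credentials against the devices it finds.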