The next cyber hurricane is about to come

It has been exactly a year since the “Mirai” botnet wreaked havoc by bringing down the DynDNS service and holding it down long enough for the Internet’s DNS caches to expire, rendering many Dyn-serviced websites inaccessible and taking major websites offline.

In the past month, we have discovered a gigantic IoT (Internet of Things) botnet that has grown in the shadows of the internet, and it dwarfs Mirai in size and devastation. This newly discovered botnet named either “IoT Reaper” or “IoTroop” is spreading rapidly across the Internet by scanning for exploitable and unpatched vulnerabilities in popular routers, cameras, and network video recorders by major brand manufacturers:

  • D-Link (routers)
  • Netgear (routers)
  • Linksys (routers)
  • MikroTik (routers)
  • TP-Link (routers)
  • Synology (NAS)
  • Linux servers
  • GoAhead (cameras)
  • JAWS (cameras)
  • AVTECH (cameras)
  • Vacron (NVR)

Two teams of researchers who have been monitoring and reverse-engineering the botnet’s operation believe that this latest “IoT Reaper” malware has already infected nearly two million devices and is growing continuously at the extraordinary rate of 10,000 new devices per day!

To put this botnet’s attack power into perspective: Mirai was able to take DynDNS down with approximately 100,000 devices. The new botnet currently has two million infected devices and is growing at a rate of 10,000 per day!

The infected devices include those of at least 100,000 enterprises whose internal security is entirely at risk. The malware also integrates a full Lua execution environment, allowing the author to write very complex and efficient attack scripts.

Research suggests we are now experiencing the calm before an even more powerful storm. No one knows who created this botnet or why, but DDoS attack volumes are skyrocketing and could reach tens of terabits per second.

The next cyber hurricane is about to come!


Oct 31, 2017 Update

Reports on the “size” of Reaper vary. So far, researchers have scanned 750,000 unique devices that match the nine vulnerabilities currently exploited by Reaper, and they are finding 85,000 new “Reaper-compatible” devices per day. We don’t know which of them are infected, but there’s no reason Reaper itself couldn’t infect them unless its authors didn’t want it to.

If the thingbot authors were to include a few dozen existing vulnerabilities that fit Reaper’s device-targeting profile, it could grow the thingbot by an additional 2.75 million nodes. If they wanted to.

Adding the 2.75 million to the 750,000 that are currently “Reaper-compatible” gives a total of 3.5 million potential thingbots.

The intentions of Reaper are as unclear today as they were a week ago. The most interesting aspect of Reaper is not its current size, but its engineering, and therefore its potential. The most curious fact is how Reaper is spreading: instead of targeting weak authentication like a common thingbot, Reaper weaponizes nine (and counting) different IoT vulnerabilities.

Currently it feels like its authors are experimenting. Building and testing. Maybe Reaper is pure research.

So far, Reaper hasn’t been seen attacking anyone with massive volumetric DDoS attacks. If Reaper were to be used as a virtual EMP bomb, it would provoke active takedown campaigns before it could grow to its maximum potential. If Reaper starts attacking people with DDoS, it will turn from a marvel of thingbot infrastructure engineering into just another volumetric attack tool that would be hunted down by law enforcement and disarmed.

To me, it feels like IoT Reaper is preparing for a much more significant task than "just" another DDoS attack.