The word botnet usually conjures images of hordes of compromised PCs being used for DDoS attacks or malware operations, but researchers in the Czech Republic have discovered a large network of compromised CCTV cameras, routers, and other embedded devices that’s growing by tens of thousands of devices per day.
Since the end of May, researchers at CZ.NIC, an association of ISPs in the Czech Republic that also operates the Czech CSIRT, have been seeing a huge increase in the number of attacks on its Telnet honeypot, as well as the number of unique IP addresses conducting the attacks. After looking at the data and conducting some analysis on the type of devices that are connecting to the honeypot, the researchers found that a large percentage of the devices hitting the Telnet honeypot are embedded devices that appear to have been compromised.
“These devices often run outdated software which are known to have security holes and an attacker with such knowledge can easily compromise a large number of hosts by a single exploit,” Bedřich Košata of CZ.NIC said in an analysis of the honeypot data.
Using Shodan, the researchers looked at more than 1.8 million unique IP addresses that had hit the honeypot to determine the kind of devices they were and some other information. They discovered that many of the devices were running older software that was known to have security issues. Among the devices connecting to the Telnet honeypot were IP-enabled security cameras and home routers. The volume of activity from the most commonly seen devices began to rise quickly in May.
“In first place we find the RomPager/4.07 HTTP server, which is an old version of an HTTP server used in many home routers and other embedded devices known for having serious security vulnerabilities in the past. In second place was gSOAP/2.7, which is an older version of a popular toolkit for web services used, again, often in embedded devices. H264DVR 1.0 is an identifier for a RTSP (Real Time Streaming Protocol) server used in online DVR products, such as security cameras, etc.,” Košata said.
“From this we can conclude that the rise of Telnet activity is driven by attacks from compromised embedded devices. We could speculate that an attacker was able to target these devices using some known vulnerability and after taking them over, uses them to spread the botnet even further. What is even worse than the number of attacking devices is the trend.”
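The kind of tally described above, as an added example (not CZ.NIC's code): it reads constructed Telnet honeypot log lines and a constructed per-IP banner export standing in for Shodan results, then reports source IPs first seen on each day and unique attackers per Server identifier. The log format, banner layout, and function names are assumptions.

```python
import re
from collections import Counter

# Constructed honeypot log (timestamp, source IP, login tried); not CZ.NIC data.
HONEYPOT_LOG = """\
2000-06-01T10:00:01Z 192.0.2.10 login=root
2000-06-01T10:00:05Z 192.0.2.10 login=admin
2000-06-01T10:02:11Z 198.51.100.7 login=root
2000-06-02T08:15:40Z 203.0.113.55 login=admin
2000-06-02T09:30:02Z 203.0.113.56 login=root
2000-06-02T09:31:00Z 192.0.2.99 login=guest
malformed line without an address
"""

# Constructed banner export keyed by IP, standing in for scan-engine results.
BANNERS = {
    "192.0.2.10": ["HTTP/1.1 401 Unauthorized\r\nServer: RomPager/4.07\r\n"],
    "198.51.100.7": ["RTSP/1.0 200 OK\r\nServer: H264DVR 1.0\r\n"],
    "203.0.113.55": ["HTTP/1.1 200 OK\r\nServer: gSOAP/2.7\r\n",
                     "HTTP/1.1 200 OK\r\nserver: RomPager/4.07\r\n"],
    "203.0.113.56": ["HTTP/1.1 200 OK\r\nServer: RomPager/4.07\r\n"],
}

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+\s+(\d{1,3}(?:\.\d{1,3}){3})\s")
SERVER_RE = re.compile(r"^server:\s*(.+?)\s*$", re.IGNORECASE | re.MULTILINE)

def first_seen_per_day(log_text):
    """Map each day to the set of source IPs seen for the first time that day."""
    seen, per_day = set(), {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not parse
        day, ip = m.groups()
        per_day.setdefault(day, set())
        if ip not in seen:
            seen.add(ip)
            per_day[day].add(ip)
    return per_day

def rank_server_ids(ips, banners):
    """Count unique attacking IPs per Server identifier; no banner means 'unknown'."""
    counts = Counter()
    for ip in ips:
        ids = {s for b in banners.get(ip, []) for s in SERVER_RE.findall(b)}
        counts.update(ids or {"unknown"})
    return counts.most_common()
```

Counting per unique IP rather than per connection keeps one noisy host from skewing the ranking, and the per-day first-seen sets expose the growth trend rather than raw attack volume.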
Embedded devices that are exposed to the Internet often are easy prey for attackers. Many of these devices, including home routers, security cameras, smart TVs, and others, are rarely, if ever, updated. So when a security vulnerability is discovered in the firmware of a given device, attackers can use that information to go after those devices.
“These devices form an easy target as there is usually a “monoculture” of these devices, all having the same setup and same vulnerabilities. It is very likely that an adversary is specifically targeting some of these devices to form a botnet. It even seems that in some cases, a large proportion of online devices of a specific type are already taken over,” Košata said.
“In the course of our investigation, we were able to obtain one “infected” CCTV camera. We were not able to find any obvious malware in its firmware and thus we conclude that the attacks are probably performed remotely without permanent changes to the firmware.”
CZ.NIC has set up a tool that allows people to check the IP addresses of their own devices against the list of devices that hit their honeypot.