One year ago, an army of devices infected with Mirai malware amassed into a botnet that caused some of the largest DDoS attacks to date. The attacks targeted, among others, the major DNS provider Dyn and the website of Brian Krebs, a well-known investigative reporter who covers information security and cyber crime.
At the attacks' peak, traffic to Krebs' website reached 620 Gbit/s, and traffic to Dyn's servers surpassed 1 Tbit/s.
Those attacks caused major services such as GitHub, Netflix, and Airbnb to be unavailable to users in Europe and North America for prolonged periods of time.
This week, security researchers are sounding the alarm that malware more advanced than Mirai is affecting IoT devices on a larger scale than Mirai did. According to teams at the Israeli firm Check Point and the Chinese firm Netlab 360, the new worm (named IoT_reaper, IoTroop, or simply Reaper) is powerful malware that borrows code from Mirai but extends its capabilities. It's estimated that over a million organizations have already been infected. The threat has not been activated yet and is still actively spreading.
According to our data, the countries most vulnerable to IoT_reaper, by number of devices, are South Korea, Brazil, and the United States.
This new threat deserves our attention for a number of reasons. Unlike Mirai, Reaper does not attempt to crack the passwords of the devices it targets, such as webcams and routers, but instead exploits known vulnerabilities. Some of those vulnerabilities are fresh and were disclosed as recently as a few days ago. The list of susceptible devices includes models by well-known vendors such as D-Link, TP-Link, and NETGEAR, as well as devices running the ubiquitous embedded web server GoAhead.
Another point of concern is the inclusion of a built-in Lua (an interpreted scripting language designed for embedded systems) execution environment, allowing for powerful and complex attacks.
Here at Reposify, we are in a unique position to truly appreciate the full potential of Reaper. As a company whose business is to understand IoT devices and digital assets worldwide, we have come up with a tool that helps users assess their own networks by checking their source IP.
Regardless of the sophistication and spread of Reaper, we hope the tools and knowledge shared here with the security community will help to mitigate and contain the attack when it strikes.