Malware is becoming increasingly destructive. Below is a short history of this trend, along with steps organizations can take to combat it.
(This article originally appeared in SC Media as a byline.)
We begin with Mirai, which in the summer of 2016 was responsible for the largest DDoS attack in history. It was built from millions of vulnerable IoT devices and then used to bring down a large chunk of the internet. This began a new ransomware trend: rather than having to break in and encrypt devices without being detected, which could take weeks to accomplish, automated botnets composed of hijacked IoT devices executed DDoS-based ransom attacks. Swarms of independent yet centrally controlled devices with no designated user, and often with no OS to patch or update, were especially difficult to combat.
However, the security research community predicted that Mirai was not an end in itself but was primarily launched to test the capabilities of swarms of compromised IoT-based devices. This proved to be right.
Mirai’s successor was the Hajime ransomworm. While Mirai was basically a blunt-force instrument, Hajime included an impressive set of sophisticated cybertools. It was cross-platform, supporting five different platforms, and included a toolkit filled with automated tasks, remotely updatable password lists and the ability to download other malicious code, such as Brickerbot.
Designed to stop IoT devices from connecting to the internet, Brickerbot was the first in a new generation of destructive malware. Its goal was to deliver a killing blow to a network rather than simply disrupting it for financial gain. Hajime, as well, was able to identify CPE devices and protocols and then remove the rules that allow a CPE device to talk to its service provider. The potential risk to service providers was millions of devices all going dark simultaneously, with no heartbeat to see, control or manage them.
Then there is Hide ‘N Seek (HNS), an IoT botnet that communicates in a complex and decentralized manner—using custom-built, peer-to-peer communication—to implement a variety of malicious routines. While it initially targeted routers, IP cameras and DVRs, HNS now also targets cross-platform database solutions and smart home devices.
HNS was able to evolve this way largely because the Mirai source code is openly available to malware developers. Drawing inspiration from Mirai, and copying some of its code, HNS has created a new identity for itself.
Reaper changed the binary nature of most malware. While it was built using some of Mirai’s original code, it had also been armed with exploits covering nine different known vulnerabilities spanning a variety of IoT vendors. More concerning, it was also built using an embedded programming language that enabled it to be remotely updated to enhance attack options as needed rather than having all attacks pre-loaded into the malware.
Another recent innovation was found in the VPNFilter malware. VPNFilter includes a kill command that disables a device by deleting all file systems and then rebooting the device, rendering it completely inoperable. Affected devices actually have to be replaced. Even worse, its self-destruct mode can be triggered across all infected devices simultaneously with a single command. To date, over a million devices have been compromised by this malware. Triggering this sort of self-destruct mechanism could potentially result in a widespread internet outage or collapsing networks.
It is extremely difficult to defend against a swarm of compromised IoT devices that not only can learn and adapt but are also programmed to ultimately destroy the devices they infect. And marshaling them together to engage in massive attacks would almost certainly bring a considerable segment of the digital economy to a grinding halt.
Thankfully, organizations are not without recourse. Here are five things you can do right now to prepare to defend your organization.
The current evolutionary process will soon bring malware designed with adaptive, success-based learning to improve the efficacy of attacks. This new generation of malware will be situation-aware, meaning that it will understand the environment it is in and then make calculated decisions about what to do next. As cyberwarfare escalates, organizations will need to fight automation with automation and deploy integrated expert security systems that can automatically collect, correlate, share and respond to threats in a coordinated fashion. The steps listed above will help you detect and defeat sophisticated malware botnets and keep your business and reputation intact.
Know your vulnerabilities – get the facts about your network security. A Fortinet Cyber Threat Assessment can help you better understand: Security and Threat Prevention, User Productivity, and Network Utilization and Performance.
Read about the FortiGuard Security Rating Service, which provides security audits and best practices.