As the Internet grows, so does individuals’ and organizations’ reliance on it. An organization’s website has become the primary means by which an organization interacts with its customer base. As a result, attackers are increasingly targeting organizations’ web presences as a way to hurt them. Some attackers have even begun launching ransom Distributed Denial of Service (DDoS) attacks, denying organizations access to their websites until they pay to have that access restored.
However, pulling off this type of attack requires resources. As defenses against DDoS attacks improve, hackers need more resources at their disposal to pose a significant threat to an organization. One way that they are accomplishing this is through botnet malware like Echobot.
Echobot is one of many different malware variants that target vulnerable Internet of Things (IoT) devices and collect them into botnets. These botnets are then used to perform the next stage of the hacker’s planned cyberattack, most often DDoS attacks. As a result, the need for organizations to deploy defenses against these types of attack, like a strong Web Application Firewall (WAF) continues to grow as more and more organizations are targeted by these attacks.
The IoT Threat Landscape
The growth of the Internet of Things has had a significant impact on the face of the Internet. While these devices are designed to make life more convenient for their users, they also have their downsides.
IoT devices generally have poor security. While traditional computers are designed to be as secure as possible by design and benefit from frequent security updates, the same is not true of IoT devices. As a result, IoT devices are easily compromised (as demonstrated by the Mirai botnet, which simply logged into devices using default usernames and passwords), which has significant impacts on the security of both their owners and those who are targeted by the attackers using the compromised devices in later attacks.
The exploitability of IoT devices is exemplified by the Echobot malware. Echobot is malware derived from the Mirai botnet malware, whose source code was leaked, allowing hackers to modify it to suit their purposes.
The Echobot malware was first discovered in May 2019, when it had 18 exploits coded in to take advantage of publicly-known vulnerabilities. By August 2019, the number of exploits had grown to 61.
The number of exploits used by Echobot doesn’t represent the work of a master hacker taking advantage of years of research spent searching for zero-day vulnerabilities. Every exploit used in Echobot is available from public repositories, meaning that patches for the vulnerabilities are likely publicly available.
The fact that Echobot is an effective malware variant underscores the vulnerability of the IoT ecosystem. Not only are these devices prone to vulnerabilities by design, these vulnerabilities are often not patched by their owners after discovery. As a result, a large amount of computing power is available to hackers forming botnets in order to launch cyberattacks.
The Threat of IoT
Botnets composed of Internet of Things devices can be used for a variety of different attacks. However, the vast majority of attacks by botnets are Distributed Denial of Service (DDoS) attacks. In fact, the increase in DDoS attack number and intensity is attributed to the growth of botnets taking advantage of insecure IoT devices.
Compromised IoT devices are used for DDoS attacks for a variety of reasons. One, which applies to the Echobot malware, is the ease of creating botnet malware for this purpose. As a Mirai derivative, Echobot has all of the code built in for creating a botnet for performing DDoS attacks. Botnet herders taking advantage of the leaked Mirai source code only have to make minor modifications, like adding new exploit vectors and command and control information, in order to make the malware operational once again.
IoT botnets are also used for DDoS attacks because they are ideally suited to this type of attack, and DDoS attacks have become profitable for hackers. A DDoS attack only requires that the hacker have access to a large pool of computational resources (like a collection of compromised devices). The growth of the IoT and cloud computing have made this easy to acquire, enabling attackers to start offering DDoS attacks for hire at approachable prices. As a result, the number of organizations that can be targeted by these DDoS attacks has increased dramatically since a dissatisfied customer or a disgruntled employee can turn to a DDoS attack to get revenge for a perceived slight.
Protecting Your Network
The Echobot malware is just one example of the growing threat that organizations are facing with the growth of the Internet of Things. As the number of insecure IoT devices grows, they are increasingly being compromised and co-opted by hackers gathering them into botnets. Once a botnet is formed, it can be used in Distributed Denial of Service attacks to take down an organization’s web presence, negatively impacting the organization’s ability to interact with its customers.
As the IoT and DDoS threat grows, organizations need to take additional steps to protect themselves. This involves taking the steps necessary to defend against common attack vectors against web applications (like those listed on the OWASP Top Ten) and against DDoS attacks. Deploying a strong web application firewall is an important component of this strategy and can help to protect an organization against the attacks launched by these compromised IoT devices.