F-Secure, SonicWall, spot lurking IoT security threats

It will come as no surprise that IoT security is still a shambles, but F-Secure has reason to believe that this year could be a turning point. Elsewhere, SonicWall has spotted a 217.5% increase in IoT attack volume, with the two bits of news suggesting that something has to give – and give fast.

SonicWall found that through 2018, there were 32.7mn IoT attacks detected by its systems. This was up from 10.3mn in 2017, and is attributed to IoT manufacturers not implementing proper security controls. Some 46% of global botnets originate in the US, says SonicWall, with second-place China on just 13%.

However, because of the global reach of these botnets, this is a global problem and not just an American one. These botnets are often made available for hire, to target whatever organization or person has drawn the ire of someone angry enough to pay to point the DDoS cannon at them. Of course, some smaller ones are built and controlled for fun, just because someone can. Mirai, the most infamous, grew out of a Minecraft server scam of all things, and now that it has been effectively open-sourced, it is a growing problem.

SonicWall, however, says that most of the DDoS and spam attacks can be blocked using the tools at its disposal. As is the case with many of these cybersecurity reports, the document does a good job of selling SonicWall’s capabilities to the reader, who is likely concerned by the report’s findings.

Away from the IoT, SonicWall notes that phishing attacks have become a lot more complex. “Instead of large, aimless campaigns, cybercriminals launch highly targeted attacks, such as Business Email Compromise (BEC).” To this end, SonicWall says it recorded 26mn phishing attacks in 2018, down 4.1% from the year before – perhaps a sign that these targeted attacks are on the rise.

As for headline figures from SonicWall, it says that 10.52bn malware attacks were blocked in 2018, with 2.8mn of these being encrypted – up 27% in a year, and potentially much trickier to manage. There was an 11% increase in ransomware attacks, a 56% climb in web app attacks, and a total of 3.9tn intrusion attempts.

F-Secure, in its Old Hacks, New Devices report, points the blame squarely at manufacturers. It notes that threats have been targeting weak passwords for a decade, and that the manufacturers have not caught up. “Weak passwords, known vulnerabilities, updates that rarely or never come. We’ve seen this all before,” said F-Secure Operator Consultant Tom Gaffney. “We’re making the same mistakes we saw in the 90s all over again. Only now, there’s no excuse. We should know better.”

As for scale, F-Secure saw the number of IoT threats double in the past year, from 19 to 38 issues. It says that many of these are using predictable and known techniques – with 87% of them targeting weak credentials and/or unpatched vulnerabilities.

On F-Secure’s honeypot servers, set up to lure in attackers and study them for research purposes, 59% of attacks targeted Telnet. This is indicative of the spread of Mirai, which burst onto the scene targeting the legacy communications system that was often left dangerously exposed in default device configurations. The firm argues that the types of new devices that Mirai attacks have no business being visible to the internet.

So, F-Secure argues that history might see 2018 as a turning point, where governments finally woke up to the threat posed by all these exposed devices. When you look at the number of discovered threats, only a single threat was found in 2002, 2008, 2009, and 2011. Then, 2014 sees 3 discovered, 2015 nets 2, 2016 climbs to 5, 2017 stays level at 5, and then you have the explosion in 2018 – the 19 new discoveries.

The report has a great illustration of this timeline, and later outlines how these threats have become increasingly sophisticated. It culminates in a discussion about the expectation that regulation will be brought to bear, finally.

It concludes that connecting PCs together in the 1990s, without ample security, made cybercrime a profitable endeavor, but that today, this is a billion-dollar industry. It adds that we seem to be repeating the mistakes of the past, and that deploying massive amounts of computing power without prioritizing security and privacy has created a new target that criminals are just beginning to exploit.

“This requires immediate action by manufacturers, regulators and everyone responsible for connecting people to the internet. Because when these threats turn our technologies against us, no one can say that we weren’t warned.”