Attacks Targeting IoT Devices and Windows SMB More Than Triple in H1 2019

  • F-Secure reports almost 3 billion attacks against honeypot servers in the first six months of 2019
  • Rampant exploitation of IoT devices via Telnet and UPnP revealed
  • China tops the list in terms of attack traffic volume, followed by the US, Russia and Germany; India is a new entrant in 10th place

Attacks targeting Windows systems running an unpatched version of SMBv1 and internet of things (IoT) devices are escalating, cybersecurity firm F-Secure warns in a new report.

Growth in the number of infected IoT devices, the prevalence of Eternal Blue and an increasing number of DDoS attacks are identified as the main factors driving the attack traffic.

F-Secure says its network of honeypots – decoy servers that allow researchers to gauge trends and patterns in the global cyber-attack landscape – recorded 2.9 billion attacks in the first half of this year. This is more than triple the attack traffic recorded during the same period last year, which was just 231 million.

Top 10 list of attack source countries for H1 2019

The greatest traffic volume came from China, with 702 million attacks originating in the Chinese IP space, followed by the US, Russia and Germany.

India is a new entrant at the 10th spot, with 44 million attacks. The Philippines, Brazil and Armenia are also newcomers.

Meanwhile, the US heads the list of top attack destinations.

“The majority of these attacks are instigated by cyber criminals who are carrying out DDoS attacks and sending malware for financial gain,” the report notes.

Most common ports targeted by attackers

Of the 2.9 billion attacks, 2.1 billion targeted TCP ports. Of these, more than 760 million attacks, or 26 percent, targeted Telnet, which is mostly used by IoT devices. The greatest share of Telnet traffic came from the US IP space, followed by Germany, the UK and the Netherlands.

Traffic to port 445 was the next most prevalent with 556 million attempted exploits by attackers, representing SMB worms and exploits such as Eternal Blue. “Since its debut during WannaCry over two years ago, Eternal Blue continues to be used by criminals, and it’s currently at the height of its popularity,” the F-Secure researchers write.

Apart from TCP traffic, the majority of the remaining traffic went to UDP port 1900, with 611 million hits. Port 1900 is commonly used for scanning to determine whether the target is running UPnP (Universal Plug and Play); UPnP-enabled devices are then used for exploitation or in DDoS attacks.

Attacks targeting SSH accounted for 456 million. They mainly involve “brute-force password attempts to gain remote access to a machine, but also IoT malware,” F-Secure says.
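As an added illustration (not code from F-Secure or its report), the following script classifies honeypot connection records into the service buckets discussed above (Telnet, SMB, SSDP/UPnP, SSH) and computes each TCP service's share of all TCP hits, the same kind of statistic as the 26 percent Telnet figure; the log format and the sample records are constructed assumptions.

```python
"""Bucket honeypot connection records by the services the report discusses.
Added example; log format and sample data are constructed, not F-Secure's."""
from collections import Counter

# Map (protocol, destination port) to the service label used in the report.
SERVICE_BY_PORT = {
    ("tcp", 23): "telnet",
    ("tcp", 445): "smb",
    ("udp", 1900): "ssdp/upnp",
    ("tcp", 22): "ssh",
}

# Constructed sample records: "<timestamp> <proto> <src_ip> -> <dst_port>"
SAMPLE_LOG = """\
2019-03-01T00:00:01Z tcp 203.0.113.5 -> 23
2019-03-01T00:00:02Z tcp 203.0.113.5 -> 23
2019-03-01T00:00:03Z tcp 198.51.100.7 -> 445
2019-03-01T00:00:04Z udp 192.0.2.9 -> 1900
2019-03-01T00:00:05Z tcp 198.51.100.7 -> 22
2019-03-01T00:00:06Z tcp 192.0.2.9 -> 8080
this line is malformed and must be skipped
"""

def parse_record(line):
    """Return (proto, src_ip, dst_port), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5 or parts[3] != "->":
        return None
    proto = parts[1].lower()
    if proto not in ("tcp", "udp") or not parts[4].isdigit():
        return None
    return proto, parts[2], int(parts[4])

def summarise(log_text):
    """Return (counts per service label, percentage share of TCP hits per
    TCP label). Unmapped ports are bucketed as 'other/<proto>'."""
    counts, tcp_counts = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the run
        proto, _src, port = rec
        label = SERVICE_BY_PORT.get((proto, port), f"other/{proto}")
        counts[label] += 1
        if proto == "tcp":
            tcp_counts[label] += 1
    tcp_total = sum(tcp_counts.values())
    share = {k: round(100 * n / tcp_total, 1) for k, n in tcp_counts.items()} if tcp_total else {}
    return counts, share

if __name__ == "__main__":
    counts, share = summarise(SAMPLE_LOG)
    for label, n in counts.most_common():
        print(f"{label:10s} {n:4d} {share.get(label, 0.0):5.1f}% of TCP")
```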

Evolving trends in the malware sphere

Malware found in the honeypots is dominated by various versions of Mirai, which is still going strong three years after it first burst onto the scene in 2016. Mirai targets IoT devices such as IP cameras and routers, infects those that still use default credentials, and co-opts them into botnet armies.

The report raises concerns that Mirai has recently spawned variants that are specifically engineered to infect enterprise IoT devices such as wireless presentation systems and digital signage TVs.

At the actual customer endpoints, F-Secure finds that the main types of malware are still ransomware, banking trojans and cryptominers.

The researchers also saw some evolving trends in the malware sphere in the first half of the year. While ZIP, PDF, DOC and XLS files remain the most commonly used attachment types for spreading malware, they noted an increasingly popular trend of attackers employing disc image files (ISO and IMG).

They also observed a trend of financially motivated attackers abusing the trust users put in the digital certificate system by purchasing certificates to sign their executable files.

Researchers also noticed a revival of cryptomining. Cases of Eternal Blue being used to deliver XMRig, a Monero miner, as well as mining infections on Android devices in Asia, are being seen again.

After an apparent lull in 2018, ransomware is back again and has been busy disrupting companies, public entities and other organizations over the past several months, the report reveals.

Tips to avoid cyber attacks

“Following solid security practices and procedures will keep your business on much safer ground,” suggest researchers.

Here are some of the tips to avoid attacks, as suggested by the F-Secure research team:

  • Map your attack surface. Know what devices and servers you have and why they’re needed.
  • Retire old assets that aren’t necessary.
  • Know what you need to protect most, and guard it. Keep your most critical assets protected with a higher level of security.
  • Keep your systems and applications updated with current software and security patches.
  • Be skeptical of unsolicited, unexpected emails and especially of links or attachments in them.
  • Enforce a password policy of changing default passwords to unique, long and strong passwords, and of never reusing passwords. Encourage employees to use password managers.
  • Monitor your network with detection and response technology to catch malicious actors already in the network.

Honeypot Disclaimer

F-Secure’s report also carries a disclaimer about the accuracy of the findings, which says, “Because honeypots are decoys not otherwise meant for real world use, an incoming connection registered by a honeypot is either the result of a mistake (someone typing in a wrong IP address, which is rather uncommon) or of the service being found during an attacker’s scans of the network or the internet.”

“99.9% of traffic to our honeypots is automated traffic coming from bots, malware and other tools. Attacks may come from any sort of connected computing device – a traditional computer, malware-infected smartwatch or IoT toothbrush can be a source,” it adds.