
‘Reaper’ is a botnet that uses brute-forcing and exploitation techniques to break into IoT devices such as wireless IP cameras and routers that are not properly secured (including those protected only by weak or default passwords). The attackers rely on a pre-set list of exploit modules together with programs that scan for vulnerable IoT devices, according to an advisory from Beyond Security.
An IoT botnet is a collection of compromised IoT devices such as cameras, routers, DVRs, wearables and other embedded hardware infected with malware. It lets an attacker control those devices and carry out tasks just as with a traditional PC botnet.
Recently, the Maharashtra Cyber Cell Department sent out an advisory to inform the public, government departments and corporates about a new botnet named ‘Reaper’ (or ‘IoTroop’) that is spreading in many countries across the globe.
Last year, the Mirai botnet broke into targeted devices by guessing their admin passwords; Reaper, by contrast, uses an evolved version of Mirai’s code to exploit known vulnerabilities and then scans for further devices to spread the infection. Reaper is thus recruiting IoT devices and spreading continuously, and has the potential to launch distributed denial-of-service (DDoS) attacks like its predecessor, Mirai.
IoT devices commonly ship with poor security: predictable admin credentials and open ports for remote access. Attackers typically compromise them by brute-forcing the login, or by delivering malware through an open port or a vulnerable service. In many cases, attackers weaponise these exploits soon after researchers disclose the vulnerability.
Affected IoT devices: Reaper begins by scanning for open TCP ports 80, 8080, 81, 88, 8081, 82, 83, 8060, 10000, 8443, 8880, 3000, 3749, 1080, 84, 8090 and 8001, and attempts to run the exploits built into the bot against whatever services it finds.
According to the Beyond Security report, the impacted devices include the Netgear R7000 (RCE), Cisco RV320 and RV325 (RCE), TP LINK TL-WR849N (RCE) and the Netlink GPON Router 1.0.11 (RCE).
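The port list above is also a useful detection signal on the defending side. The following is an added example, not code from the advisory or from the article: a small Python heuristic that reads firewall-style log lines and flags a source that probes several of the listed ports across more than one internal host, which is how a Reaper-style sweep looks from inside a network. The log lines, IP addresses and the `src=... dst=... dport=...` field layout are constructed for illustration; adapt the regular expression to the real log format.

```python
import re
from collections import defaultdict

# The TCP ports the article lists for Reaper's initial scan (the repeated 1080 removed).
REAPER_SCAN_PORTS = {80, 8080, 81, 88, 8081, 82, 83, 8060, 10000, 8443,
                     8880, 3000, 3749, 1080, 84, 8090, 8001}

# Constructed firewall log lines for illustration only; not real telemetry.
SAMPLE_LOG = """\
2017-10-20T10:00:01Z src=198.51.100.7 dst=192.0.2.10 dport=80 action=allow
2017-10-20T10:00:01Z src=198.51.100.7 dst=192.0.2.10 dport=8080 action=allow
2017-10-20T10:00:02Z src=198.51.100.7 dst=192.0.2.10 dport=81 action=deny
2017-10-20T10:00:02Z src=198.51.100.7 dst=192.0.2.10 dport=88 action=deny
2017-10-20T10:00:03Z src=198.51.100.7 dst=192.0.2.11 dport=8081 action=deny
2017-10-20T10:00:03Z src=198.51.100.7 dst=192.0.2.11 dport=82 action=deny
2017-10-20T10:00:04Z src=198.51.100.7 dst=192.0.2.11 dport=83 action=deny
2017-10-20T10:00:04Z src=198.51.100.7 dst=192.0.2.12 dport=8060 action=deny
2017-10-20T10:00:05Z src=198.51.100.7 dst=192.0.2.12 dport=10000 action=deny
2017-10-20T10:00:05Z src=203.0.113.5 dst=192.0.2.10 dport=80 action=allow
2017-10-20T10:00:06Z src=203.0.113.5 dst=192.0.2.10 dport=443 action=allow
2017-10-20T10:00:06Z src=203.0.113.9 dst=192.0.2.10 dport=8443 action=allow
"""

# Field layout assumed for the constructed log format above.
LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def parse_line(line):
    """Return (src, dst, dport) for a recognised log line, or None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), int(m.group("dport"))


def detect_reaper_scan(log_text, min_ports=5, min_hosts=2):
    """Flag sources that probe many Reaper-listed ports across several hosts.

    A legitimate client hitting 80 and 8443 on one device must not trip this,
    so both thresholds have to be met. Returns {src: {"ports": [...], "hosts": [...]}}.
    """
    ports_seen = defaultdict(set)
    hosts_seen = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport = parsed
        if dport in REAPER_SCAN_PORTS:
            ports_seen[src].add(dport)
            hosts_seen[src].add(dst)
    return {
        src: {"ports": sorted(ports), "hosts": sorted(hosts_seen[src])}
        for src, ports in ports_seen.items()
        if len(ports) >= min_ports and len(hosts_seen[src]) >= min_hosts
    }


if __name__ == "__main__":
    for src, info in detect_reaper_scan(SAMPLE_LOG).items():
        print(f"{src}: {len(info['ports'])} Reaper ports across {len(info['hosts'])} hosts")
```

Hitting these ports is not proof of Reaper by itself (plenty of scanners probe 80 and 8080), so treat a hit as a lead for the next step: check whether the targeted devices are on the affected list above and whether they still run default credentials or unpatched firmware.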
Previous strains of the Reaper botnet had more than 100 open DNS resolvers embedded in them, and it is highly likely that the botnet will make greater use of such resolvers to amplify DDoS traffic, especially in India, where a large number of recursion-enabled public DNS servers have been found.
It is also capable of DNS amplification attacks. DNS amplification is a reflection-based DDoS attack in which an attacker, or in this case a botnet master, instructs the bots to send DNS requests to open DNS resolvers with the source IP address spoofed to that of the targeted victim; the target then receives the DNS responses from the resolvers. To generate large amounts of traffic, the attacker makes DNS requests that are known to produce large responses (for example, an attacker could register a domain, add a large TXT record to it and later query that record during the attack). As a result, the target receives an amplified version of the initial traffic generated by the botnet.
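The two preceding paragraphs turn on two facts that can be checked at the wire level: a resolver that answers with the RA (recursion available) flag set is one of the recursion-enabled servers the advisory warns about, and a small TXT query produces a reply many times its own size. The following is an added example, not code from the advisory or the article, in plain Python with only the standard library. It builds a DNS TXT query, parses response headers, and computes the amplification factor from a resolver reply that is constructed locally (a 3000-byte TXT record standing in for an attacker-registered one). Nothing is sent on the network and no address spoofing is performed; the record sizes, domain name and transaction ID are assumptions for the demonstration.

```python
import struct

TYPE_TXT = 16
TYPE_OPT = 41
CLASS_IN = 1


def encode_name(name):
    """Encode a dotted name as DNS labels: <len><label>...<0>."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=TYPE_TXT, txid=0x1234, rd=True, edns_udp_size=4096):
    """Build a DNS query. RD asks for recursion; the EDNS0 OPT record invites a large UDP reply."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)   # qd=1, an=0, ns=0, ar=1 (OPT)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    # OPT pseudo-RR: root name, type 41, the "class" field carries the UDP payload size, ttl 0, rdlen 0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return header + question + opt


def build_txt_response(query, txt_payload, ra=True):
    """Constructed resolver reply to `query`: echoes the question and answers with one TXT RR.

    Stands in for what an open resolver would return for an attacker-controlled record.
    Nothing here touches the network.
    """
    txid, qflags = struct.unpack("!HH", query[:4])
    pos = 12
    while query[pos] != 0:          # walk the qname labels to find the end of the question
        pos += 1 + query[pos]
    question = query[12:pos + 1 + 4]  # labels + terminator + qtype + qclass
    flags = 0x8000 | (qflags & 0x0100) | (0x0080 if ra else 0)   # QR, echoed RD, RA
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 1)
    # TXT rdata is a sequence of <len><chars> strings, each at most 255 bytes
    chunks = [txt_payload[i:i + 255] for i in range(0, len(txt_payload), 255)]
    rdata = b"".join(bytes([len(c)]) + c for c in chunks)
    # name is a compression pointer (0xC00C) back to the question name
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, 300, len(rdata)) + rdata
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, 0)
    return header + question + answer + opt


def parse_header(msg):
    """Decode the 12-byte DNS header into its flags and section counts."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def is_open_recursive(response):
    """A server that answers a recursive query with RA set and NOERROR is a recursion-enabled resolver."""
    h = parse_header(response)
    return h["qr"] and h["ra"] and h["rcode"] == 0 and h["ancount"] > 0


def amplification_factor(query, response):
    """Bytes the victim receives per byte the bot sent (UDP payload only)."""
    return len(response) / len(query)


if __name__ == "__main__":
    q = build_query("example.com")
    r = build_txt_response(q, b"A" * 3000)   # constructed 3000-byte TXT record
    print(f"query {len(q)} bytes, response {len(r)} bytes, "
          f"factor {amplification_factor(q, r):.1f}x, recursion available: {is_open_recursive(r)}")
```

To audit a resolver one is authorised to test, send `build_query(...)` over UDP to port 53 and pass the reply to `is_open_recursive`; the factor reported here counts UDP payload only, so IP and UDP headers make the real on-the-wire ratio slightly lower. The operational fixes are the usual ones: disable recursion for non-local clients, enable response-rate limiting, and block spoofed source addresses at the network edge (BCP 38).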