By Stephen Hilt, Vladimir Kropotov, Fernando Mercês, Mayra Rosario, and David Sancho
In our paper “The Internet of Things in the Cybercrime Underground,” we looked into IoT-related discussions from several cybercrime underground communities. We found discussions ranging from tutorials to actual monetization schemes for IoT-related attacks. Unsurprisingly, exposed devices and vulnerabilities were of great interest to the underground communities in their search for possible attack opportunities. For this entry, we provide an overview of what cybercriminals see as perfect openings for attacks on IoT technologies.
For our research, we identified five cybercrime underground communities based on the language used in the forums. Starting with the group with the greatest activity and most sophisticated discussions, these are Russian, Portuguese, English, Arabic, and Spanish.
The Russian underground holds the most dynamic discussions on IoT-related attacks. In this community, cybercriminals often post ads for services or information that they are willing to pay for — and one example of these are vulnerabilities. As seen in the image below, a cybercriminal is offering to pay for vulnerability discoveries in any IoT device.
Figure 1. A user asking for exploitable vulnerabilities in IoT devices
Monetization is the focus in this community and posts about less common devices show an exploration of new opportunities. For example, smart meters and gas pumps were also talked about, but only modified physical versions were being offered.
The second most active underground community that we found was the Portuguese. The highlight of our findings in this community included a discussion on a criminal service that takes advantage of router infections, which they call “KL DNS.” It’s a redirection service that allows phishers to capture banking information, among others. What is of interest about this service is that it could be monetizing a previous mass infection of routers in Brazil in 2018, which exploited a vulnerability in MikroTik routers. Cybercriminals could be on the lookout for opportunities to launch attacks of the same magnitude.
Posts on the English hacking community are more curiosity based than criminal in nature, with tutorials such as this one for exploiting vulnerabilities. As seen in Figure 2, there are forum discussions on how to exploit CVE-2017-5521, a vulnerability in certain Netgear routers that could expose password credentials. Aside from tutorials, the English underground discussions also contained actual exploit codes.
Figure 2. Tutorial on how to exploit a security vulnerability of routers from a particular brand
The English underground also displayed particular interest in exploiting connected printers, likely because of their ubiquity in industrial and office environments, which makes them potential entry points.
Aside from the devices and vulnerabilities themselves, cybercriminals frequenting the English underground also showed an interest in discovery tools. Most mentions of discovery tools were for routers, though of note was a forum post that talked about “aztarna,” an automated discovery tool for industrial robots.
The Arabic underground, meanwhile, was much less aggressive compared to the other groups. However, cybercriminals in this forum still expressed their interest for IoT vulnerabilities by sharing news on recent discoveries.
Figure 3. A discussion on a zero-day exploit for Linksys routers
Finally, of interest in the Spanish underground community were methods for finding unprotected or unauthenticated devices that could be entry points for new attacks. An example of this is a discussion on how to use Google dork to find unprotected industrial refrigerators. The Spanish underground community even produced a software that allegedly could find specific devices using canned Shodan searches (see Figure 4). The tool is called “Simple Active Bot,” and the seller claims it can allow remote access to the devices it finds. Given we cannot test the effectivity of such a piece of software, there’s a possibility that it could be a scam. The seller was also offering it in the English forums.
Figure 4. Forum post offering “Simple Active Bot” to automate device discovery using Shodan canned searches
Conclusion and security recommendations
Overall, our findings indicate that, at present, cybercriminals from different underground communities are in the process of refining attacks against IoT devices. Although monetization schemes for IoT-related attacks are not yet in place for many of the cybercriminal underground communities, the interest we found is headed in that direction. An opportune opening and a profitable business model are what it takes for a major IoT attack to materialize.
The fact that cybercriminals are on the prowl for IoT-related opportunities, from new devices to vulnerabilities, drives home the point that strong security measures should begin from the design phase and continue in the device deployment phase. Vulnerability management for different IoT devices plays a crucial role in minimizing attack openings.
For users and integrators, visibility is key to gaining proper control over the many devices that they have deployed in their respective IoT environments. In addition, a good security posture involves prudence in deciding which devices need to be connected to the public internet and securing them accordingly. In this regard, there are cybersecurity solutions that provide better visibility as well as offer a stronger defense against possible threats.
Users can take advantage of the Trend Micro™ Home Network Security tool, which offers both visibility and protection against network threats. Organizations can opt for the Trend Micro Deep Security™ solution, which offers security for physical, virtual, cloud, and hybrid environments and features virtual patching for vulnerabilities.
Updated at 12:00 PM EDT, September 12, 2019, to more accurately describe certain forums.