Description: It has been several years since Mirai, malware that infects IoT devices, appeared. Observation data from TSUBAME, an Internet threat monitoring system operated by JPCERT/CC, shows that variants of Mirai and other types of malware have been used since then, making the situation surrounding IoT devices even worse. Receiving incident reports from ISPs and Internet users, JPCERT/CC conducts assessments, investigations, and coordination, and a number of malware-infected routers, security cameras, DVRs, and other devices are identified on a daily basis.
To infect IoT devices with such malware, attackers first compromise them. The commonly used methods are targeting Web-UI authentication left at its default setting and bypassing authentication by exploiting vulnerabilities. After breaking into the targeted device, the attacker injects the malware into it. Through our investigation, we have learned that DDNS services for IoT devices are exploited for malware infection in some cases.
When businesses use IoT devices such as surveillance cameras for security reasons, they need to remotely monitor and check the status of the devices, and DDNS service is enabled for that purpose. In such cases, attackers may compromise the DDNS service setting and make the devices connect to a server that the attackers manage. Furthermore, we have newly found cases where the domain names designated by manufacturers for their DDNS services are not properly managed because the businesses have been discontinued. In such cases, we cannot rule out the possibility that attackers hijack the domains.
In this presentation, I will describe the current situation of Mirai and other recent types of malware infecting IoT devices, sharing actual incident cases. I will also discuss how we could address the issue of such ever-expanding botnets in the future.
Presented by: Shoko Nakai
