CenturyLink threat researchers found a new module of IoT botnet “TheMoon,” which targets vulnerabilities in routers within broadband networks. This previously undocumented module allows the botnet to be leveraged as a service by other attackers.
CenturyLink Threat Research Labs first came across the modular botnet when its team discovered several IoT devices performing credential brute force attacks on multiple websites, according to a report about TheMoon.
Mike Benjamin, head of CenturyLink’s Threat Research Lab, said they witnessed multiple credential stuffing victims while they were monitoring the botnet. He doesn’t want to name the victims, but said “account credentials were successfully used through TheMoon’s proxy environment to access multiple consumer brand websites.”
The research comes as botnets are on the rise — IoT botnet activity represented 78 percent of malware detection events in communication service provider networks in 2018, according to Nokia’s most recent threat report. And these types of attacks will likely become even worse in 2019.
TheMoon targets broadband modems or routers developed by companies including Linksys, ASUS, MikroTik, and D-Link, with the most recent exploit in May 2018 targeting GPON routers.
“They find a way to break into that device, they deliver a malware, and that malware gets installed on a computer,” Benjamin said.
This malware is particularly dangerous because it can distribute modules that allow it to offer different capabilities and functionality once the initial malware is running on the device. “So the actor can add to the malware,” Benjamin said.
CenturyLink found a previously undocumented module that is deployed only on MIPS devices and turns the infected device into a SOCKS proxy, a service that can be used maliciously to circumvent internet filtering or obscure the source of internet traffic.
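As an added example (not CenturyLink's code or the report's), here is a small Python check a defender can point at a router they administer to learn whether it answers a SOCKS5 greeting with unauthenticated access, which is the behaviour the proxy module gives an infected device. The default port 1080 and the in-process mock server are assumptions; the page names no port.

```python
import socket
import threading

# SOCKS5 (RFC 1928) client greeting: version 5, one method offered, "no auth".
SOCKS5_GREETING = b"\x05\x01\x00"


def parse_socks5_reply(data: bytes) -> str:
    """Classify the first two bytes a service returns to a SOCKS5 greeting."""
    if len(data) < 2 or data[0] != 0x05:
        return "not-socks5"
    method = data[1]
    if method == 0x00:
        return "socks5-open"  # accepts unauthenticated clients: what an abused proxy looks like
    if method == 0xFF:
        return "socks5-no-acceptable-method"
    return "socks5-auth-required"


def probe_socks5(host: str, port: int = 1080, timeout: float = 3.0) -> str:
    """Send a SOCKS5 greeting to host:port (port 1080 is an assumed default) and classify the answer."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(SOCKS5_GREETING)
            return parse_socks5_reply(s.recv(2))
    except (ConnectionRefusedError, socket.timeout, OSError):
        return "closed-or-filtered"


def _mock_socks5_server(method: int) -> int:
    """Constructed stand-in for an infected device: answers one greeting with `method`, returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            if conn.recv(3) == SOCKS5_GREETING:
                conn.sendall(bytes([0x05, method]))
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = _mock_socks5_server(0x00)
    print(probe_socks5("127.0.0.1", port))  # socks5-open
```

Run the probe only against devices you are responsible for; a "socks5-open" answer from a home gateway is a strong sign it should be isolated, reset, and patched.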
Benjamin says the initial botnet actor then sold this proxy botnet as a service to other attackers who then used it for credential brute forcing, video advertisement fraud, and general traffic obfuscation.
“All of these folks want to make a profit,” he said. “The first group wanted to stand up the ability to have proxies and then sell those proxy products. There is also value in being able to game the advertising industry and money off of advertising fraud. And there is value in user names and passwords themselves, or what you can glean after you have them, or selling them in bulk.”
CenturyLink blocked TheMoon infrastructure on its network to mitigate the risk to customers, and it also notified other network owners of potentially infected devices.
More Sophisticated Attacks
This new botnet, along with other recent exploits, further shows the importance of securing IoT devices. “The world needs to be diligent about not leaving default passwords, patching devices, and making sure they only buy devices that are patchable,” Benjamin said.
It also points to the growing sophistication of attackers, which is something Kevin McNamee, director of Nokia’s Threat Intelligence Lab, noted in an earlier interview.
“We’re going to see these IoT botnets get larger and start to do more significant damage,” McNamee said. “They are branching out and becoming more sophisticated, and the techniques they are using to spread malware are becoming more sophisticated.”