What’s New

A new botnet discovered using IoT drawing pads for reflection attacks

Justin Fier, Director of Cyber Analysis | Monday October 30, 2017

Earlier this year, Darktrace detected a new botnet engaged in a large-scale reflection and amplification attack targeting organizations around the world, including several governmental bodies. This attack is more pertinent than ever in light of potentially new, bigger, and more sophisticated IoT hacks, in the likes of the recently reported ‘Reaper Botnet’, we can increasingly expect to see in 2018.

This new type of botnet we detected earlier this year wasn’t using desktop computers to power its attacks – like Srizbi did when it was sending out 60 billion spam emails per day – and its methodology was distinct from Mirai – which uses DRVs and routers to generate DNS DDoS attacks with speeds of up to 1Tbps.

Instead, this new botnet was commandeering an unlikely assortment of devices made up of, among other things, IoT drawing pads. It contained far fewer devices than typical botnets, but through reflection and amplification techniques using SNMP, it was attempting to launch a powerful denial-of-service attack.

The threat began in a familiar fashion. An architectural firm introduced smart drawing into their network pads without alerting the IT team, and their internal security controls had no way of identifying the vulnerable devices. As such, the devices’ user credentials were never changed from the factory defaults.

Those credentials, along with their public string for SNMP authentication, were publicly available on Shodan, which also revealed that the devices had open ports for HTTP, HTTPS, Telnet, and SIP.

Darktrace detected the vulnerability when hundreds of external IP addresses from around the world made several thousand of SNMP connections to the devices over UDP port 161. Over 99 percent of these connections contained at least one “GetBulkRequest”, an SNMP operation used for the retrieval of large amounts of data.

In response to these requests, the devices issued an exponentially larger number of replies via “GetResponse”, some of which contained as many as 397,000 “GetResponse” objects. In 64 cases, the devices uploaded over 1MB of data.

A sample of this SNMP activity as observed by Darktrace’s AI algorithms:

Figure 1: Anomalous SNMP connections – the request and response are presented as two separate SNMP connections, but we can treat them as the same connection.

Normal network activity for these devices involved very occasional use of “GetBulkRequests” and “GetResponses.” Therefore, these spikes in activity were deemed highly anomalous by Darktrace’s AI algorithms, which had built a deep understanding of normal activity for the devices. By detecting the threat in real time, the security team discovered the threat while it was still in its early stages, and Darktrace’s network visibility provided detailed analytics on the incident.

Figure 2: The number of inbound connections on port 161 to one of the devices on port 161 is shown in orange. External data transfer from port 161 are shown in green. Time, top left, is x-axis value at right-hand origin.

The use of SNMP version 2c and “GetBulkRequests” were telltale signs of a reflection and amplification attack, which use scant resources to generate large attacks. All told, 273.2MiB left the devices on port 161.

The external data transfers on port 80 indicated that the attack went even further, as numerous external devices were attempting to access the devices’ HTTP resources, many of which were administrative PHP files.

A sample of resources that external devices attempted to access via HTTP:


Figure 3: The total outbound data from port 161 over the reporting period

Finally, Shodan also revealed that the devices were running an accessible SIP server on port 5060. Packet analysis showed that external devices “dialed” the devices and attempted to place a VoIP – strange behavior on the attacker’s part that remains unexplained.

Figure 4: VoIP call attempts via open SIP protocol

The target IP addresses were likely spoofed. By sending hundreds of “GetBulkRequests” from the spoofed IPs of the target networks, the IoT drawing pads were forced to send back more than 100 times the number of “GetResponses.” This is testament to the power of reflection and amplification attacks. It’s unclear what other devices were used in this attack, but even a small number of IoT devices at the architectural firm were able to generate an alarming amount of traffic.

The target IPs belonged to websites owned by entertainment and design companies, and even governmental bodies. By reporting on the anomalous SNMP requests as soon as they began, the firm’s security team was able to take the drawing pads offline before damage was done.

Had the attack succeeded in sabotaging the target networks, the firm could have been subject to legal action. The company revamped their security policies and made strides to secure all the IoT devices on their network to minimize risk of future incidents.

To learn more about how Darktrace can uniquely identify and neutralize in-progress, subtle IoT threats, don’t miss Justin Fier appear on VICELAND’s Cyberwar show tomorrow, October 31st, at 7 PM PST/10 PM EST.

Justin Fier

Justin is one of the US’s leading cyber intelligence experts, and holds the position of VP, Tactical Risk and Response at Darktrace. His insights on cyber security and artificial intelligence have been widely reported in leading media outlets, including the Wall Street Journal, CNN, The Washington Post, and VICELAND. With over 10 years’ experience in cyber defense, Justin has supported various elements in the US intelligence community, holding mission-critical security roles with Lockheed Martin, Northrop Grumman Mission Systems and Abraxas. Justin is also a highly-skilled technical specialist, and works with Darktrace’s strategic global customers on threat analysis, defensive cyber operations, protecting IoT, and machine learning.