Proofpoint Research: Internet of Things (IoT) Cyber Attack Security
In January 2014, Proofpoint researchers discovered proof of a much-theorized but never before seen Internet of Things (IoT) cyber-attack. Proofpoint has observed what we believe to be an industry first of devices, including some home appliances (TVs, a refrigerator), sending malicious email spam.
As our researchers were analyzing email-borne threats, they observed a recent cyber attack campaign in which more than 25 percent of the malicious email (over 750,000 messages) came from things that were not conventional laptop or desktop computers, but rather members of the Internet of Things: a “Thingbot”-net. Specifically, researchers observed a series of cyber attack campaigns:
- From Dec 23rd through Jan 6th
- Three campaigns per day, approximately 100k emails per campaign
- Over 450k unique IP addresses; over 100k were from IoT devices
A more detailed examination suggested that while the majority of mail was initiated by “expected” IoT devices such as compromised home-networking devices (routers, NAS), a significant percentage of attack mail came from other non-traditional sources, such as connected multimedia centers, televisions and at least one refrigerator. Additionally, observations of the devices themselves showed:
- A vast number of the devices are running embedded Linux servers (usually BusyBox)
- Some use mini-httpd, some Apache
- Some are ARM devices, some are MIPS (or something very similar), and others are based on an embedded Realtek chipset (for example, media players)
- Some are believed to be game consoles
- Some are NAS devices (one specific brand has open Telnet, open SSH and an SMTP server, all unsecurable)
- Some set-top boxes were also seen to be exploited
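As an added example (not Proofpoint's code or data), the kind of triage that produces figures like the ones above: a Python script that reads constructed mail-gateway records pairing each sender IP with the HTTP Server banner observed for that IP, tags senders whose banner points at an embedded device, and reports what share of the mail those senders account for. The record format, the banner markers and the sample lines are assumptions.

```python
import re
from collections import Counter

# Constructed sample of mail-gateway connection records (not Proofpoint data):
# "<timestamp> <sender IP> <Server banner recorded for that IP, or ->".
SAMPLE_LOG = """\
2013-12-23T09:12:01Z 203.0.113.10 mini-httpd/1.19
2013-12-23T09:12:05Z 203.0.113.11 Apache/2.2.3
2013-12-23T09:13:40Z 198.51.100.7 BusyBox httpd
2013-12-23T09:14:02Z 203.0.113.10 mini-httpd/1.19
2013-12-23T09:15:11Z 192.0.2.44 -
2013-12-24T14:01:09Z 198.51.100.7 BusyBox httpd
2013-12-24T14:02:30Z 192.0.2.45 Microsoft-IIS/7.5
2013-12-24T14:03:55Z 198.51.100.9 RealtekHTTPd
"""

# Banner substrings that point at embedded Linux devices rather than PCs or
# servers (assumed markers). Apache is deliberately absent: it runs on both,
# so on its own it does not discriminate.
IOT_BANNER_MARKERS = ("mini-httpd", "busybox", "realtek")

LINE_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(.*)$")

def parse_log(text):
    """Return (timestamp, ip, banner) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((m.group(1), m.group(2), m.group(3).strip()))
    return records

def is_iot_banner(banner):
    """True if the banner contains one of the embedded-device markers."""
    b = banner.lower()
    return any(marker in b for marker in IOT_BANNER_MARKERS)

def summarize(records):
    """Count senders, IoT senders, the IoT share of mail, and messages per day."""
    iot_ips = {ip for _, ip, banner in records if is_iot_banner(banner)}
    iot_msgs = sum(1 for _, ip, _ in records if ip in iot_ips)
    return {
        "messages": len(records),
        "unique_ips": len({ip for _, ip, _ in records}),
        "iot_unique_ips": len(iot_ips),
        "iot_message_share": iot_msgs / len(records) if records else 0.0,
        "messages_per_day": dict(Counter(ts[:10] for ts, _, _ in records)),
        "iot_ips": sorted(iot_ips),
    }

if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On the constructed sample, three of six senders carry an embedded-device banner and account for 62.5 percent of the messages; on real gateway data the per-day counts are what reveal the burst pattern of separate campaigns.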
This proof of a systematic compromise of IoT devices, and the subsequent use of those Thingbots to attack other networks, is something we’ve never seen before. It suggests an unfortunate future for both home users and enterprises, the latter of whom now face an even larger volume of malicious attack capacity.
Worse, these compromised home appliances provide a mechanism by which users can unknowingly expose their work environment to such cyber attacks. All a user has to do is open a remote RDP connection, or conceivably simply take an action like checking their fridge from their work PC. If a classic drive-by or even a redirect has been installed on the device, the work PC is now compromised (though this is arguably more far-fetched). Clearly, as the trend towards smart devices and BYOD grows, the risk of enterprise exposure increases correspondingly, even exponentially.
This is a further reminder that the traditional enterprise security approach of blocking attacks solely at the email gateway won't work. The focus should instead be on protecting users at the point of click and providing insight into user actions and attacker targeting.
Proofpoint Targeted Attack Protection™ represents the industry's first comprehensive solution for combating targeted threats using a full-lifecycle approach: monitoring suspicious messages as they come in, and observing user clicks as they attempt to reach out. By using Big Data analysis techniques and a cloud architecture, Proofpoint can identify suspicious messages, even if a message is only a single communication from a single known IP address. Other key aspects of the solution include Next Generation Detection via dynamic malware analysis (sandboxing and more), Predictive Defense to test for threats even before users click, “Follow Me” protection for on- and off-network security, and End to End Insight via a real-time web dashboard showing users, clicks, and more.
Learn more about these threats and our research methodology.