JPCERT-AT-2016-0050 JPCERT/CC 2016-12-21 <<< JPCERT/CC Alert 2016-12-21 >>> Alert on managing devices connected to the Internet - Various devices connected to the Internet are under threat - https://www.jpcert.or.jp/english/at/2016/at160050.html I. Overview JPCERT/CC has been observing surveillance cameras, storage devices, embedded communications devices for industry, DVR's (Digital Video Recorders) and other devices infected with malware such as "Mirai" which targets these types of devices, and packets that continue to search for these devices. In particular, security experts have pointed out that these malware-infected devices are combining to form "IoT Botnets," which are being exploited by attackers to perform large scale DDoS attacks. US-CERT in the United States has also published information on this issue as a warning. Devices with vulnerabilities or lack of proper configuration have been exploited by malware, and attacks which leverages these devices are observed significantly in Japan. It is fairly simple to find devices connected to the Internet that do not have countermeasures in place, and JPCERT/CC has observed multiple vulnerabilities being exploited for use by various types of malware for these infections. For details on the attacks that JPCERT/CC has been observing, please refer to "II. Attack Observations". Based on the current status of the attacks being observed, it can be assumed that not only will attacks increase but the vulnerabilities used for exploitation will change. For those that use Internet-reachable devices not just at the offices but also at home, it is necessary to double check its configuration to make sure that the device will not be exploited for use in conducting other attacks or secondary effects such as information being stolen. For Internet-reachable devices, it is recommended to review configuration, or update any firmware. Consider the following points when applying any countermeasures. For more details, please refer to "IV. Solution" (1) Check whether the device is accessible from the Internet (2) Configure a strong password, enable authentication functions (3) Perform a firmware update In preparation for attacks that may occur during the extended vacation period, consider shutting off any devices that will not be used for work during the vacation period. II. Attack Observations When a device is infected with malware, it performs scans and attacks against other devices that are accessible from the Internet. For characteristics and the behavior of the malware, please refer to "III. Malware Behavior". Based on TSUBAME, a network packet monitoring system run by JPCERT/CC, a large number of packets to Port23/TCP (telnet) which is considered to be scanning activities, have been observed. In addition, scan packets targeting services that run on other ports have been observed as well. - Figure 1 below shows the change in packets observed in TSUBAME by JPCERT/CC to Port23/TCP and Port2323/TCP, suspected to be scanning for these devices [Figure 1: Change in the number of scan packets to Port23/TCP, Port2323/TCP from April through December, 2016] - Main ports where scan packets have been observed 23/TCP, 2323/TCP, 6789/TCP, 7547/TCP, 37777/TCP, 27312/TCP, 5555/TCP, 53413/UDP Changes in the number of packets to these ports are shown in Figure 2 * In JPCERT/CC observations, ports other than telnet have been targeted * Port7547/TCP has seen a sudden increase in access, so it has been removed from Figure 2 [Figure 2: Change in the number of scan packets observed from November through December, 2016] Analysis of the communications to these ports revealed attack activities such as the creation of backdoors, forwarding another types of malware for execution, etc. III. Malware Behavior JPCERT/CC has analyzed multiple samples and has confirmed that most of the malware contains the following functions: - Communications with a C&C (Command and Control) server - Performs telnet scans for searching and spreading infections - Performs HTTP based DoS attacks - Performs UDP based DoS attacks - Performs TCP based DoS attacks etc. Note that the malware has capability to run on embedded devices such as routers and cameras. IV. Solution If a device is connected to the Internet and configured to use remotely, it is recommended to perform the following countermeasures. Also, for any new devices to be installed, perform the following steps prior to use. The method to change the configuration varies depending on the device. It is recommended to refer to the device manual or consult with the company that placed the device when performing these countermeasures. In addition, check the device logs and make sure that there is no evidence that unauthorized third-parties are using the device. (1) Check whether the device is accessible from the Internet Check whether a device being used at the office or at home can be accessed from the Internet unintentionally. For connections to the Internet, a device may be unintentionally configured with a global IP address. Check that access to the device is restricted by a router or firewall. Caution is necessary since functions such as UPnP (Universal Plug and Play) may be used to access these devices under a NAT environment. If access from the Internet is necessary for business or other purposes, restrict access so that it only allows from specific IP addresses or through a VPN. (2) Configure a strong password, enable authentication function Devices that can be connected to Internet may have the authentication function disabled by default when shipped out of the factory or use a common ID and password combination by default. The ID and password that is configured by default may be found on the Internet for some products, and attackers may use this for unauthorized access into a device. Thus, please enable authentication and configure a strong password. Also, check all of the ID's, and if there are any that are unfamiliar to any of the users, stop using them or delete them. - Example of default configured or simple ID / Password * This is only one example, thus other combinations may exist. Other ID's may include "administrator" or "guest". Other passwords may include short combination of numbers (ex. "1234"), or a string of the same number (ex. "00000000"). | ID | Password | | root | Pass | | root | admin | | root | * Product type number | (3) Perform a firmware update Based on the current observations, JPCERT/CC is assuming that attackers may persistently attack known security issues. Please update firmware that have addressed known security issues including vulnerabilities. In order to prevent unexpected damages, it is recommended to periodically check for updates. (4) How to handle if there is suspicion of a malware infection There are cases where the malware exists on the device's memory, so disconnecting the device from the network, rebooting, configuring a strong password, and then re-connecting to the network will allow you to remove the infection and use the device again. If re-connected to the network without changing the password or updating, the firmware may cause the device to become infected again. In order to prevent unexpected damages, it is important to consider security when using devices. Administrators should know all of the devices that are placed in the organization and do their best to ensure that they are properly configured. Also, in order to increase security awareness within the organization, please consider alerting users or changing organization rules as necessary. V. References US-CERT Alert (TA16-288A) Heightened DDoS Threat Posed by Mirai and Other Botnets https://www.us-cert.gov/ncas/alerts/TA16-288A JVNTA#95530271 Threat of DDoS attacks by botnets created by malware such as Malware (Japanese) https://jvn.jp/ta/JVNTA95530271/ JPCERT/CC JPCERT/CC Internet Threat Monitoring Report [July 1, 2016 - September 30, 2016] https://www.jpcert.or.jp/english/doc/TSUBAMEReport2016Q2_en.pdf JPCERT/CC Preparing for attacks leveraging SHODAN - For Control Systems - (Japanese) https://www.jpcert.or.jp/ics/report0609.html National Police Agency October 20, 2016 - Internet Observation Results (September, 2016) (Japanese) https://www.npa.go.jp/cyberpolice/detect/pdf/20161020.pdf IPA (Internet-technology Promotion Agency) (From Safety Consulting Center) Change password prior to using IoT devices, such as network cameras or home routers (Japanese) https://www.ipa.go.jp/security/anshin/mgdayori20161125.html IIJ Internet Infrastructure Review (IIR) Vol.33 (Japanese) http://www.iij.ad.jp/company/development/report/iir/033.html If you have any information regarding this alert, please contact JPCERT/CC. ====================================================================== JPCERT Coordination Center (JPCERT/CC) MAIL: info@jpcert.or.jp TEL: +81-3-3518-4600 FAX: +81-3-3518-4602 https://www.jpcert.or.jp/english/