A new, stealthy Internet of Things (IoT) botnet has emerged with the capability of stealing information from a wide range of devices, underscoring the need for the Federal government to provide guidance on how agencies can reduce risks associated with the deployment of their IoT networks.
The botnet, known as Torii, “comes with a rich set of features for exfiltration of sensitive information, modular architecture capable of fetching and executing other commands and executables and all of it via multiple layers of encrypted communication,” according to security researchers at Avast, a developer of antivirus and internet security software.
Torii, which was discovered on Sept. 19, is stealthier and more persistent once a device is compromised than other IoT botnets such as Mirai, the researchers said. In October 2016, a Mirai botnet took down major websites via a massive distributed denial-of-service (DDoS) attack using hundreds of thousands of compromised IoT devices. Mirai is malware that turns networked devices running Linux into remotely controlled bots that can be used as part of a botnet army in large-scale network attacks.
The Torii botnet doesn’t follow the pattern of a normal botnet. It doesn’t launch DDoS attacks, and it doesn’t mine cryptocurrencies. Instead, it has advanced techniques that allow attackers to compromise connected devices and steal information from them.
“Torii does have the built-in ability to receive requests from a C2 [Command and Control Server] master,” said Justin Jett, director of audit and compliance for Plixer, which provides a network and security intelligence platform that supports incident response.
“Something else is controlling this botnet. So whatever new commands are set in the future, they ultimately allow this particular botnet to change at the command of its master,” Jett told MeriTalk.
From an architectural perspective, Torii detects the CPU architecture of the device it has compromised and then downloads a payload built for that architecture. “There is a breadth in the foothold it has,” Jett said. Because it carries payloads for a wide range of architectures rather than a single platform, it can infect a much broader set of IoT devices. “That is clever but makes it more dangerous,” Jett said.
Lawmakers and the Trump administration alike have expressed strong concerns about a lack of device security across a wide range of IoT use cases. As a result, the National Institute of Standards and Technology (NIST) recently released new draft guidance that aims to address both the cybersecurity and privacy risks stemming from IoT devices.
NIST recently authored a publication on IoT trust concerns, which sought to address factors that would lead to IoT devices not performing in their intended manner. The latest publication, “Draft NISTIR 8228, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks,” focuses primarily on how organizations can understand the risk to their IT environment, including “accepting, avoiding, mitigating, sharing, or transferring risk.”
It is good to see government responding to IoT cybersecurity issues and requirements, Jett noted. The government can mandate that agencies implement certain security controls. For example, the Office of Management and Budget mandated in 2008 that all agency domain name servers adopt DNS Security Extensions (DNSSEC). DNSSEC adds cryptographic signatures to DNS records so that resolvers can verify that an answer is authentic and unmodified, which closes off the forged responses that DNS cache poisoning relies on.
To strengthen IoT security, “it is imperative that organizations treat IoT devices as untrusted devices,” Jett said. IoT devices have a very narrow set of functions and need only very limited communication with the network, so their traffic should be monitored continuously for communications that fall outside that narrow profile.
For instance, Torii spreads via Telnet, which is easily detectable from a network standpoint. IT professionals should be quick to investigate communications with devices or hosts they do not normally see on their network, Jett said. Network traffic analytics are well suited to spotting these types of attacks, but network and security professionals need to work together to contain the threats once they have been identified.
Additionally, organizations should audit the IoT devices on their networks to ensure that default passwords have been changed and that each device runs with the fewest privileges it requires. That reduces the foothold that botnets like Torii can use to gain access and gives IT professionals visibility when a device is compromised, Jett explained.
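The kind of network-traffic check described above, as an added example that is not code from the original article, from Plixer or from Avast: it learns, per IoT device, which peers were seen during a quiet baseline window, then flags any Telnet connection that involves an IoT address and any peer a device has never talked to before. The IoT subnet, the Telnet ports, the cutoff timestamp and the Zeek-style flow records are all constructed for the example.

```python
"""Baseline-and-deviation check over IoT flow records (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

IOT_SUBNET = ip_network("10.20.0.0/24")   # assumed IoT VLAN (constructed for the example)
TELNET_PORTS = {23, 2323}                 # Telnet and the alternate port IoT scanners also try
BASELINE_CUTOFF = 1000.0                  # flows before this timestamp form the learning window

# Constructed Zeek-style flow records: ts src sport dst dport proto.
# Lines before ts 1000 are the learning window; the rest are the window being inspected.
SAMPLE_FLOWS = """\
# learning window: camera (10.20.0.11) and thermostat (10.20.0.12) behaving normally
100 10.20.0.11 51000 10.20.0.1 53 udp
110 10.20.0.11 51001 203.0.113.10 443 tcp
120 10.20.0.12 51002 10.20.0.1 53 udp
130 10.20.0.12 51003 203.0.113.20 8883 tcp
140 10.0.0.5 40000 10.20.0.11 443 tcp
# inspection window
1000 10.20.0.11 51010 203.0.113.10 443 tcp
1005 198.51.100.7 43210 10.20.0.12 23 tcp
1010 10.20.0.12 51020 10.20.0.11 23 tcp
1015 10.20.0.11 51021 192.0.2.44 443 tcp
"""


@dataclass(frozen=True)
class Flow:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def parse_flows(text):
    """Parse whitespace-separated flow records, skipping blank and comment lines."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto = line.split()
        flows.append(Flow(float(ts), src, int(sport), dst, int(dport), proto))
    return flows


def iot_endpoints(flow):
    """Yield (iot_device, peer) for each side of the flow that is an IoT address."""
    if ip_address(flow.src) in IOT_SUBNET:
        yield flow.src, flow.dst
    if ip_address(flow.dst) in IOT_SUBNET:
        yield flow.dst, flow.src


def build_baseline(flows, cutoff_ts):
    """Set of peers each IoT device talked to during the learning window."""
    baseline = defaultdict(set)
    for flow in flows:
        if flow.ts < cutoff_ts:
            for device, peer in iot_endpoints(flow):
                baseline[device].add(peer)
    return baseline


def detect(flows, baseline, cutoff_ts):
    """Return (kind, device_or_src, peer_or_dst, dport) alerts for the inspection window."""
    alerts = []
    for flow in flows:
        if flow.ts < cutoff_ts:
            continue
        endpoints = list(iot_endpoints(flow))
        if not endpoints:
            continue  # no IoT address involved; outside this check's scope
        # Telnet to or from an IoT device: how Mirai-style malware, and Torii, arrive
        if flow.proto == "tcp" and flow.dport in TELNET_PORTS:
            alerts.append(("telnet", flow.src, flow.dst, flow.dport))
        # A peer the device never talked to during the baseline window
        for device, peer in endpoints:
            if peer not in baseline.get(device, set()):
                alerts.append(("new_peer", device, peer, flow.dport))
    return alerts


if __name__ == "__main__":
    parsed = parse_flows(SAMPLE_FLOWS)
    for alert in detect(parsed, build_baseline(parsed, BASELINE_CUTOFF), BASELINE_CUTOFF):
        print(alert)
```

On the sample data the inbound Telnet from 198.51.100.7 and the device-to-device Telnet from the thermostat to the camera each raise a Telnet alert plus new-peer alerts, and the camera's connection to 192.0.2.44 raises a new-peer alert on its own. The obvious caveat is that the baseline must be learned from a window in which the devices are known to be clean; a baseline captured after compromise teaches the detector that the C2 peer is normal.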