After quietly infecting a million devices, Reaper botnet set to be worse than Mirai

Reaper is on track to become one of the largest botnets recorded in recent years — and yet nobody seems to know what it will do or when. But researchers say the damage could be bigger than last year’s cyberattack.


A little over a month ago, a sizable botnet of infected Internet of Things devices began appearing on the radar of security researchers.

Now, just weeks later, it’s on track to become one of the largest botnets recorded in recent years.

The botnet, dubbed “Reaper” by researchers at Netlab 360, is said to have ensnared almost two million internet-connected webcams, security cameras, and digital video recorders (DVRs) in the past month, according to Check Point, which also published research on it; that puts its growth at a far faster pace than Mirai’s.

It was Mirai that caused a massive distributed denial-of-service (DDoS) attack last October, knocking popular websites off the internet for millions of users. The collective bandwidth of the huge number of infected and enslaved “zombie devices” was directed at Dyn, an internet infrastructure company, overloading the company’s systems and preventing millions of people from accessing popular websites.

Mirai was “beautifully simple,” said Ken Munro, a consultant at UK-based security firm Pen Test Partners. The malware would scan the internet and infect connected devices with default usernames and passwords, which either weren’t or couldn’t be changed by the owner.

Reaper, however, “is what Mirai could easily have been,” said Munro. It takes a slightly different, more advanced approach: it quietly targets and exploits known vulnerabilities in devices and injects its malicious code, effectively hijacking the device until the botnet controller is ready to issue commands. Each infected device then spreads the malware to other vulnerable devices — like a worm.

Mirai aggressively ran each device against a list of known usernames and passwords, but Reaper is “not very aggressive,” said Netlab.

By targeting a known vulnerability, the botnet can swiftly take control of a device without raising any alarms.

“One of the reasons Mirai didn’t achieve its full potential is that the compromise didn’t persist beyond a reboot,” said Munro. “Hence, multiple botnet herders were competing for control of the compromised DVRs that comprised it, so the huge botnet it could have been was never built,” he said.

Netlab said at the time of publishing its research that the botnet was exploiting nine known vulnerabilities in D-Link, Netgear, and AVTech products, as well as in devices from other makers.

Not only has the botnet gained in size in the past month — it’s growing in capability. New exploits have been added to the botnet’s arsenal regularly in recent days, said Netlab. Check Point said 33 devices are vulnerable to attack so far. Researchers have also noted that several known, easy-to-exploit vulnerabilities have not been added to the botnet, raising questions about why some exploits have been added and not others.

But what’s thrown researchers is that nobody can figure out what the botnet is for.

While the Mirai botnet was a point-and-shoot botnet that could be used to hose systems with vast amounts of bandwidth, Reaper can be used to run complex attack scripts on infected devices. Reaper’s command and control infrastructure is also growing in size, accommodating more infected devices by the day. Netlab said 10,000 bots were under the wing of just one command and control server.

So far, there haven’t been any signs of DDoS attacks. The botnet creator (“it appears that one group or individual has control of most of it,” said Munro) is focusing on building the botnet’s size. As it stands, Reaper at its current size could be capable of “creating significantly more DDoS traffic than Mirai,” said Munro.

It’s not the first time botnets of a massive scale have crept up on security researchers.

Earlier this year, a 300,000-strong botnet appeared almost out of nowhere, but researchers couldn’t figure out what it did — if anything.

A breakdown of the Reaper botnet shows that the malware that infects devices allows the botnet owner to remotely execute code on each device, said Alan Woodward, a professor at the University of Surrey. But because each device has such little individual computational power, the code running on each device would have to be harnessed collectively for a larger, coordinated computing task, he said.

That could be anything from a DDoS on an internet target, to a much larger kind of attack.

“The aggregation of large numbers of the same Internet of Things (IoT) device leads to systemic issues,” said Munro. “When it’s one device affecting one home, it’s irritating for the consumer, but when it’s a million devices, deeper problems arise.”

“For example, any IoT device that switches a lot of electrical power gives rise to potential to affect the electricity grid,” he said.

“Whether it’s a smart kettle, a smart thermostat switching your air conditioning or solar panels — all switch power,” he said. “Trigger a million devices that switch 3kW concurrently and the power grid fails.”

What happens next is anybody’s guess.

“Everyone is expecting it to pounce, but so far nothing,” said Woodward. There isn’t much that consumers or device owners can do, except patch any affected devices they may own and carry out a factory reset.

Given that device owners are at the mercy of the manufacturers to release patches — many of which haven’t learned much from the Mirai attack and still don’t take security seriously — many may find that simply pulling the plug on each and every affected device might be the only way to dismantle the botnet.

With enough amassed firepower to be larger and stronger than Mirai, the question isn’t necessarily what the botnet will do.

“The question is whether it gets used in anger,” said Munro.

World reels from massive cyberattack that hit nearly 100 countries

by Jethro Mullen, Samuel Burke and Selena Larson @CNNMoney

Organizations around the world were digging out Saturday from what experts are calling one of the biggest cyberattacks ever.
Hospitals, major companies and government offices were hit by a virus that seeks to seize control of computers until the victims pay a ransom.
Cybersecurity firm Avast said it had identified more than 75,000 ransomware attacks in 99 countries on Friday, making it one of the broadest and most damaging cyberattacks in history.
Avast said the majority of the attacks targeted Russia, Ukraine and Taiwan. But U.K. hospitals, Chinese universities and global firms like Fedex (FDX) also reported they had come under assault.
Security experts said the spread of the ransomware had been stopped late Friday. But it remained unclear how many organizations had already lost control of their data to the malicious software — and researchers warned that copycat attacks could follow.
Europol said Saturday that the attack was of an “unprecedented level and requires international investigation.” And the U.K. government called an emergency meeting over the crisis.
U.S. Treasury Secretary Steven Mnuchin, at a meeting of world leaders in Italy, said the attack was a reminder of the importance of cybersecurity. “It’s a big priority of mine that we protect the financial infrastructure,” he said.
The ransomware, called WannaCry, locks down all the files on an infected computer and asks the computer’s administrator to pay in order to regain control of them. The exploit was leaked last month as part of a trove of NSA spy tools.
The ransomware is spread by taking advantage of a Windows vulnerability that Microsoft (MSFT, Tech30) released a security patch for in March. But computers and networks that hadn’t updated their systems were still at risk.
In the wake of the attack, Microsoft said it had taken the “highly unusual step” of releasing a patch for computers running older operating systems including Windows XP, Windows 8 and Windows Server 2003.
But the patches won’t do any good for machines that have already been hit.
“Affected machines have six hours to pay up and every few hours the ransom goes up,” said Kurt Baumgartner, the principal security researcher at security firm Kaspersky Lab. “Most folks that have paid up appear to have paid the initial $300 in the first few hours.”
Experts told CNNTech that an unidentified cyber security researcher accidentally stopped the spread of WannaCry by registering a domain name contained in the ransomware’s code.
The researcher, who uses the Twitter handle @malwaretechblog, told CNNTech they registered the domain name in order to study the virus, but it turned out the ransomware needed it to remain unregistered to keep spreading.
However, a hacker could change the code to remove the domain name and try the ransomware attack again.
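Because the ransomware’s first action on a new host is to look up that domain, a resolver’s query log is a cheap place to spot machines that are likely infected, even after the domain has been registered and the spread has stopped. The following Python is an added example, not code from the article or from the researcher; the domain name and the DNS log lines are constructed placeholders, since the article does not give the real domain. Note the caveat it illustrates: a host that queried the domain is a candidate for isolation and patching, but filtering the domain at the resolver makes the check fail and so defeats the kill switch.

```python
import re
from collections import defaultdict

# Hypothetical kill-switch domain (placeholder; the article does not name the real one).
KILL_SWITCH_DOMAIN = "killswitch-example.invalid"

# Constructed sample resolver log, in BIND-style "client IP#port: query: NAME IN TYPE" form.
SAMPLE_LOG = """\
13-May-2017 08:01:12.345 client 10.0.4.17#51234: query: www.example.com IN A
13-May-2017 08:01:13.001 client 10.0.4.22#40211: query: killswitch-example.invalid IN A
13-May-2017 08:01:13.500 client 10.0.4.22#40212: query: killswitch-example.invalid IN A
13-May-2017 08:02:01.117 client 10.0.9.8#53011: query: KILLSWITCH-EXAMPLE.INVALID. IN A
13-May-2017 08:02:05.900 client 10.0.4.17#51240: query: mail.example.com IN MX
"""

# Captures the querying client IP and the name it asked for.
LOG_RE = re.compile(
    r"client (?P<ip>\d+\.\d+\.\d+\.\d+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)"
)


def find_kill_switch_lookups(log_text, domain=KILL_SWITCH_DOMAIN):
    """Return {client_ip: lookup_count} for every client that resolved the
    kill-switch domain. The comparison ignores case and a trailing dot, so a
    fully qualified or upper-cased query still matches."""
    wanted = domain.rstrip(".").lower()
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("name").rstrip(".").lower() == wanted:
            hits[m.group("ip")] += 1
    return dict(hits)


def suspect_hosts(log_text, domain=KILL_SWITCH_DOMAIN):
    """Sorted list of client IPs to isolate and patch: any host that performed
    the kill-switch lookup is presumed to have run the malware."""
    return sorted(find_kill_switch_lookups(log_text, domain))


if __name__ == "__main__":
    for ip, n in sorted(find_kill_switch_lookups(SAMPLE_LOG).items()):
        print(f"{ip}: {n} kill-switch lookup(s)")
```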
And WannaCry has already caused massive disruption around the globe.
Sixteen National Health Service organizations in the UK were hit, and some of those hospitals canceled outpatient appointments and told people to avoid emergency departments if possible. The NHS said in a statement on Saturday that there was no evidence that patient information had been compromised.
In China, the internet security company Qihoo360 issued a “red alert” saying that a large number of colleges and students in the country had been affected by the ransomware, which is also referred to as WannaCrypt. State media reported that digital payment systems at PetroChina gas stations were offline, forcing customers to pay cash.
“Global internet security has reached a moment of emergency,” Qihoo360 warned.
Major global companies said they also came under attack.
Fedex said Friday it was “experiencing interference with some of our Windows-based systems caused by malware” and was trying to fix the problems as quickly as possible. Two big telecom companies, Telefónica (TEF) of Spain and Megafon of Russia, were also hit.
“This is turning into the biggest cybersecurity incident I’ve ever seen,” U.K.-based security architect Kevin Beaumont said.
Russia’s Interior Ministry released a statement Friday acknowledging a ransomware attack on its computers, adding that less than 1% of computers were affected, and that the virus was now “localized” and being destroyed.
The U.S. Department of Homeland Security, in a statement late Friday, encouraged people to update their operating systems. “We are actively sharing information related to this event and stand ready to lend technical support and assistance as needed to our partners, both in the United States and internationally,” the department said.
According to Matthew Hickey, founder of the security firm Hacker House, the attack is not surprising, and it shows many organizations do not apply updates in a timely fashion.
When CNNTech first reported the Microsoft vulnerabilities leaked in April, Hickey said they were the “most damaging” he’d seen in several years, and warned that businesses would be most at risk.
Consumers who have up-to-date software are protected from this ransomware. Here’s how to turn automatic updates on.
It’s not the first time hackers have used the leaked NSA tools to infect computers. Soon after the leak, hackers infected thousands of vulnerable machines with a backdoor called DOUBLEPULSAR.
— Donna Borak, Samuel Burke, Mariano Castillo, Jessica King, Yuli Yang, Steven Jiang, Clare Sebastian and Livvy Doherty contributed to this report.
CNNMoney (Hong Kong)
First published May 13, 2017: 9:57 AM ET
