Intelligent CIO Middle East Issue 32 | Page 104

“ FINAL WORD THE SPEED AT WHICH VULNERABLE DEVICES ARE INFECTED SHOWS HOW IMPORTANT IT IS TO PROTECT YOURSELF FROM THESE ATTACKS. Johannes Ullrich, Dean of Research at SANS Institute and founder of the Internet Storm Center whatsoever for any collateral damage caused to the user or the device. Affected firewalls often become unresponsive and in some cases may overheat and break permanently. In fact, in multiple experiments run by the SANS ISC, it only took a few minutes for a vulnerable device to be attacked and taken over once it was connected to the Internet. These attacks affect any Internet connected device. The graph shows the rise of scans for port 80, 8000 and 8080 from Saudi Arabia and some of its neighbours over a period of 12 days Attacks against devices like this often go unnoticed but can have severe consequences. Cybercriminals can use the access they have gained to these devices to then intercept traffic passing through it. More recently, a botnet known as VPNFilter was discovered with a more sinister mission. Unlike most similar botnets, VPNFilter cannot be simply removed from the device with a reboot. Instead, the bot alters the device’s firmware and will try to re-infect the device after a reboot. VPNFilter includes various modules that can be used to sniff traffic passing through the device, or that can use the device as a platform to launch attacks against other networks. VPNFilter is believed to have been targeting energy companies in the Ukraine. Most malware infecting devices, however, have a much more benign goal – mining cryptocurrencies. Cryptocurrencies are currently by far the most common method that criminals use to monetise attacks from 104 INTELLIGENTCIO the devices they are taking over. No device is too small. Monero, for example, one of the primary cryptocurrencies being targeted by criminals these days, can be mined very efficiently on smaller devices and PCs. The speed at which vulnerable devices are infected shows how important it is to protect yourself from these attacks. As even home users are affected, it is important to implement some simple and effective guidelines. First of all, always change the password that comes with your device. Default passwords are the most common attack vector. Unfortunately, in some cases it may not be possible to change the password. This is particularly true for passwords that are installed by manufacturers as a backup or support account. The user often doesn’t know about these accounts or is unable to change the passwords. A typical attack will first scan the device for common vulnerabilities or well-known default passwords. If the attack is able to access the device, then it will often remove competing malicious code and install its own ‘miner’ software. The software will then try to use as much of the device’s CPU as possible in order to mine cryptocoins. The attacker will usually have no regard For this reason, all remote access methods should be disabled or severely restricted. Manufacturers will also often release updates if a new vulnerability becomes known. It can be tricky to apply these updates to some devices, but it is important that you do so, since at SANS, we have seen in the D-Link case how a new vulnerability is being exploited within a couple of days. n The Satori botnet distribution by country