Just in time for Halloween, there’s a new botnet frighteningly similar to last year’s massive Mirai – Reaper. While similar, it’s feared Reaper could prove to be much more powerful.

Mirai took over devices with default or weak authentication credentials and used them to orchestrate DDoS attacks against DNS provider Dyn, which temporarily prevented access to top websites such as Amazon, Twitter and Spotify. Rather than targeting weak passwords, Reaper focuses on exploiting IoT device vulnerabilities and is the reason why researchers at Netlab 360 dubbed it “Reaper” or “IoT_reaper”.

So far, Reaper has been targeting devices such as IP cameras made by GoAhead, D-Link, TP-Link, AVTECH, Netgear, MikroTik, Linksys and Synology.

Security company Check Point Research has also been following Reaper very closely and announced its findings in a blog post late last week. At that time, the company estimated that at least 1 million organizations have been infected worldwide, including the US, Australia “and everywhere in between, and the number is only increasing.”

While some of Reaper’s technical aspects have led Check Point to suspect a possible connection to Mirai, the company believes this is an entirely new and far more sophisticated campaign that is rapidly spreading worldwide. It is also not clear at this point what the attacker’s intentions are.

Another security vendor, China-based Qihoo 360, strongly believes the botnet borrows some code from Mirai. Qihoo360 has also stated it suspects that while Reaper is still in its early stages, whoever the bad actor is behind it, they continue to actively modify the code, as well as add more exploits. The company discovered one instance where in just two days an exploit for a network video recorder made by Vacron was integrated into Reaper.

What’s Next for Reaper?

Quihoo360 contends that Reaper continues to spread itself, while Check Point says it has found that numerous devices were both being targeted and later sending out the infection. These attacks were coming from many different types of devices and many different countries and accounts for approximately 60% of the corporate networks which are part of Check Point’s ThreatCloud global network.

Check Point also views this as a calm before the storm - that although compromised devices haven’t been used for a DDoS attack yet, this is likely what’s coming.

Another Reason for Strong Device Identity and Security by Design

Reaper is still in its early stages, but as companies have learned from previous Botnet DDoS attacks, which have shut down the internet, it is extremely important that organizations make proper preparations and that defense mechanisms are put in place before an attacker strikes.

From our past list of suggestions for how device manufacturers can help prevent botnets (which we put together after the Mirai attack last year – history is unfortunately repeating itself in this case), these should include:

• Limiting remote access to the devices.
• If you need remote access, implement strong device authentication. Use strong, unique passwords for each device and ideally, a second authentication factor.
• Use strong authentication for administrative users and services.
• Ensure only authorized software and firmware updates. Include logic to verify any updates that are pushed to the device, which can help prevent untrusted code, like that from Mirai and Repear, from being installed.

These precautions need to be considered and baked in from the start. When this begins to happen on a wider scale, IoT systems will be trustworthy, making the chances of unauthorized access greatly reduced. Public Key Infrastructure (PKI) is the technology that will make this possible.

PKI offers multiple benefits for strong device authentication. Not only is it very difficult, if not technically infeasible to spoof, but using it as part of the authentication process prevents dictionary-based attacks (like those used in Mirai). PKI also offers the ability to use unique identities for the authenticating entities (both device and service). At the time of device build, it is recommended to include unique device authentication credentials per device, rather than using shared or common for a range of devices. Even better is to leverage hardware security elements to protect the private keys on devices and prevent the credentials from being stolen or migrated off of the devices themselves.

You can also leverage PKI to validate which updates are installed on the device. Update logic can be crafted so only code digitally signed by a specific publisher with a specific type of certificate would be executed.

Additional Security Tips

IoT device manufacturers should also be looking at The Open Web Application Security Project (OWASP) for basic guidance on password policy, which could help prevent an attack like Reaper in the future, but we’d suggest looking beyond the password alone when considering strong authentication methods.

What’s Next?

What happens next with Reaper is anybody's guess. Hopefully the impact to devices will not be as extensive as Mirai. But given the security community’s concern, that is unlikely to be the case. The one thing we can hope for – and do something about – is that over time designers and manufacturers will improve IoT device security so that botnets like Reaper won’t have much of a chance to inflict widespread damage.