Kaspersky Lab: IoT attacks in Q2 2018

Kaspersky Lab has released IoT attack data for the second quarter of 2018.

Brute-forcing Telnet passwords is the most common method of IoT malware self-propagating. However, there has been a recent increase in attacks targeting other services, such as port 8291 and port 7547, to target IoT devices.

This shows that the nature of IoT attacks has become more complex, especially when it comes to vulnerabilities.

Telnet Attack

The attacker finds the victim device, checks if its Telnet port is open, and starts a password brute force cracking routine. Since many IoT device manufacturers neglect security, this attack becomes easier to succeed and can affect entire device lines. The infected device starts scanning new networks and infects new similar devices or workstations within them.

Top 10 countries where IoT devices are most vulnerable to Telnet attacks

In the second quarter, Brazil (23.38%) led in the number of infected IoT devices and therefore also in the number of Telnet attacks, followed by China (17.22%), which rose slightly, and third was Japan (8.64%).

The most common malware in these attacks was Backdoor.Linux.Mirai.c (15.97%).

SSH Attacks

The launch of such attacks is similar to Telnet attacks, the only difference being that they require a robot to have an SSH client installed on it to brute-force the credentials. The SSH protocol is password protected, so brute-forcing the password requires a lot of computing resources. Therefore, self-propagation from IoT devices is inefficient. The success of SSH attacks depends on the fault of the device owner or manufacturer. In other words, these are again the result of weak or preset passwords assigned by the manufacturer to the entire device family. China is the country most likely to be infected via SSH attacks.