During the month of October there has been a disturbance in the force: the growing presence of a new Internet of Things (IoT) botnet, dubbed ‘Reaper’. Initial research published by Check Point and Qihoo indicates that the IoT Reaper botnet may have already infected more than 2 million devices, making it one of the most dangerous botnets in the world.
From a NetWitness Packets detection standpoint, FirstWatch has observed Reaper activity since the middle of October. These attacks are commonly carried over TCP from ephemeral source ports to a common set of destination ports, as depicted below.
The following Reaper exploit attempts were observed attacking RSA FirstWatch sinkhole infrastructure on October 20th from a likely compromised (i.e., Reaper-infected bot) Iranian-based source IP address, 84.241.31[.]227.
Checking to see if the previous exploit worked (thanks @VK_Intel):
Unknown Credential Stealing Exploit:
Linux System Files Information Disclosure:
Notable meta tagging for this activity within NetWitness Packets can be seen below.
RSA FirstWatch has further quantified IoT Reaper attacks in the wild from several thousand source IP addresses, which have been added to the FirstWatch C2 IP feed available in RSA Live and tagged with the following metadata:
- threat.category = ‘botnet’
- threat.desc = ‘reaper’
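As an added illustration (not RSA's or NetWitness's own code), the following Python sketch shows what a feed-driven enrichment like the one above does: it refangs defanged indicators, checks each TCP session's source IP against a constructed feed, and stamps matches with the threat.category and threat.desc meta shown. The feed contents, the sample sessions and the ephemeral-port threshold (32768, the Linux default local port range start) are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed feed: the post's observed bot IP plus a documentation-range
# address. The real FirstWatch C2 IP feed is not reproduced here.
REAPER_FEED = {"84.241.31[.]227", "203.0.113[.]45"}

# Meta applied to matching sessions, as described in the post.
FEED_META = {"threat.category": "botnet", "threat.desc": "reaper"}

# Assumed ephemeral-port floor (Linux default net.ipv4.ip_local_port_range).
EPHEMERAL_MIN = 32768


def refang(ip: str) -> str:
    """Turn a defanged indicator such as 84.241.31[.]227 back into a plain IP."""
    plain = ip.replace("[.]", ".").replace("(.)", ".")
    ipaddress.ip_address(plain)  # raises ValueError on malformed input
    return plain


def build_feed(defanged_ips) -> set:
    """Normalise a feed of defanged indicators into a lookup set."""
    return {refang(ip) for ip in defanged_ips}


@dataclass
class Session:
    src_ip: str
    src_port: int
    dst_port: int
    proto: str = "tcp"
    meta: dict = field(default_factory=dict)


def tag_session(session: Session, feed: set) -> Session:
    """Enrich a session whose TCP source IP is in the feed with the Reaper meta.

    src.ephemeral records the post's observation that the scans come from
    ephemeral source ports; it is a supporting indicator, not a match criterion."""
    if session.proto == "tcp" and session.src_ip in feed:
        session.meta.update(FEED_META)
        session.meta["src.ephemeral"] = session.src_port >= EPHEMERAL_MIN
    return session


def tagged_sessions(sessions, feed: set) -> list:
    """Return only the sessions that received Reaper meta."""
    return [s for s in (tag_session(s, feed) for s in sessions) if "threat.desc" in s.meta]


# Constructed sample sessions (not real captures): two feed hits, one clean host.
SAMPLE = [
    Session("84.241.31.227", 52413, 80),
    Session("198.51.100.7", 44312, 8080),
    Session("203.0.113.45", 41000, 81),
]
```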