Cybercriminals increase the intensity of IoT and SMB attacks in the first half of 2019, according to the new F-Secure report "Attack Landscape H1 2019". The report highlights the threats facing IoT devices when not securely protected, as well as the popularity of EternalBlue and related cyberattacks, two years after the well-known WannaCry case.
F-Secure's honeypots, which are poised to attract attackers to gather intelligence, measured a twelve-month increase in such incidents compared to the same period a year ago. The increase came from traffic using Telnet and UPnP protocols used by IoT devices as well as the SMB protocol used by the Eternal malware family to spread ransomware and banking trojans.
Telnet traffic accounted for the largest share of traffic for the period, with more than 760 million recorded attack events. UPnP was the next most frequent, with 611 million attacks. SSH, which is also used to target IoT devices, had 456 million attacks. Possible sources of this traffic are malware-infected IoT devices, such as Mirai, which was also the most common malware family that honeypots detected. Mirai infects routers, security cameras and other IoT devices that use factory default credentials.
The traffic to SMB Port 445 recorded 556 million attacks. The high level of SMB traffic is an indication that the family of Eternal malware, the first of which used the destructive 2017 WannaCry ransomware, is still active, trying to infect millions of computers.
"Three years after the first appearance of Mirai and two years after WannaCry, it seems we have not yet resolved the problems we have encountered in these cases," said F-Secure lead researcher Jarno Niemela. "The IoT uncertainty is getting deeper. The increasing use of IoT devices is maximizing the risk for botnets, and the traffic by SMB shows that there are still many machines out there that remain unpatched."
“A large part of the problem is still a lack of security awareness”, comments Josmaarten Swinkels, Inter Engineering CEO, “even amongst those who have already fallen victim of ransomware we’ve seen. Regarding IoT devices, we believe many apply the “If it works, don’t fix it” approach. Those devices don’t look like computers and many people are reluctant to patch them in the fear things won’t work afterwards.”
Other findings of the "Attack Landscape H1 2019" report include:
- The countries whose IP spaces hosted the largest number of attack resources were China, the US, Russia and Germany.
- The most targeted countries were the United States, Austria, Ukraine, the United Kingdom, the Netherlands and Italy.
- The most common method of ransomware during this period was via remote RDP protocol (31% of cases).
- The largest share of Telnet traffic came from the US, Germany, the United Kingdom and the Netherlands.
- The largest share of SMB traffic came from China.