• White Facebook Icon
  • White Twitter Icon
  • White Instagram Icon

Understanding the Hackers : Threat Intelligence

 

As a part of security research, I consistently monitor threat actors to leverage threat intelligence. In the process, I ended up finding backdoors within the IoT source code and bugs or mistakes made by IoT hackers which allowed us to get control of their servers. To understand the motives behind the IoT attacks, I also interviewed prominent IoT hackers and compiled a list of impactful IoT threat actors.

 

Backdoors within IoT source -  Nobody is off-limits when it comes to be a victim of an IoT botnet, even fellow blackhats.  IoT botnet authors sometimes add a backdoor in their own code to hack other blackhats, either to get more devices in their control or to satisfy a grudge they have against their Blackhat competitors. In my investigations, I found two different cases of IoT botnet code being backdoored:

 

  1. ZTE backdoor having an additional backdoor by threat actor Scarface

 

A weaponized IoT exploit script is being used by script kiddies, making use of a vendor backdoor account to hack the ZTE routers. Ironically, this is not the only backdoor in the script. Scarface, the propagator of this code has also deployed his custom backdoor to hack any script kiddie who will be using the script.

https://securityaffairs.co/wordpress/77951/malware/iot-botnet-backdoored.html

   2. Hacker Distributes Backdoored IoT Vulnerability Scanning Script to Hack Script Kiddies

I discovered that a script containing CVE-2017-8225 also contained a hidden backdoor which took control of the script kiddie executing it and executed Kaiten IoT botnet as well to “hack the hacker”.

https://thehackernews.com/2017/11/iot-vulnerability-scanner.html

Capturing botnet operator opsec fails -  Threat actors, like any other humans are susceptible to mistakes which sometimes give an edge to whitehats. I keep monitoring IoT botnet operators to look for such mistakes and make use of them if possible.  Two such examples of such are:

 

   3. Hackers used the username root, password root for botnet control database login

 

NewSky Security took control over the MySQL server used to control the Owari botnet – thanks to its creator leaving port 3306 open and the username and password as root.

 

https://www.theregister.co.uk/2018/06/06/pwn_goal_botnet/

  4.  Juvenile Hacker Uses Same Skype ID for Botnet Activity and Job Hunting

 

NewSky Security tracked down the owner of Daddyl33t botnet, a minor, who was using the same identity to both run a botnet and apply for jobs. As his nickname suggests, though, DaddyL33T does not appear to be a grown man. Instead, researchers believe he is merely 13 years old, a fact which was confirmed through a private conversation between DaddyL33T and Newsky Security researcher Ankit Anubhav.  

 

https://themerkle.com/juvenile-hacker-uses-same-skype-id-for-botnet-activity-and-applying-for-freelance-jobs/

 

Getting closer with IoT blackhats for threat intelligence – To win a war, it is necessary to know your enemy up close. Hence, I consistently monitor different hacking forums to monitor IoT threat actors up close, to know each move, and to act accordingly to safeguard its customers. Following is some research material related to IoT hackers.

 

  5. Tracking the People Behind Botnets: A List of Top 20 IoT Blackhat Hackers – In a “first of its kind” initiative, I  compiled a list of Top 20 IoT blackhats based on the threat intelligence gathered.

https://blog.newskysecurity.com/tracking-the-people-behind-botnets-a-list-of-top-20-iot-blackhat-hackers-3a67d7bd3be0

 

  6. Understanding the IoT Hacker — A Conversation with Owari/Sora IoT Botnet Author

 

I have been following an IoT threat actor, known better with his pseudo name “Wicked” in IoT malware circles via forum monitoring and honeypot analysis. “Wicked” has been involved in two IoT botnets, with one of them still evolving to be more effective. After collecting enough information about the credibility of the attacker, I decided to contact him and get an insight into botnets from the attacker’s end.

 

https://blog.newskysecurity.com/understanding-the-iot-hacker-a-conversation-with-owari-sora-iot-botnet-author-117feff56863

  7. Audio interview with author of Kepler IoT botnet on IoT security podcast

 

An IoT botnet with the name Kepler stormed in the scene, using 27 different IoT exploits in its arsenal. NewSky Security tracked the attackers behind them, verified their authenticity, and then took an audio interview with them to know more about the botnet’s future and other insights about the attack.

https://www.zdnet.com/article/iot-botnet-targeting-your-enterprise-nope-just-a-kid-with-an-exploitdb-account/ 

 8. IoT Thermostat Bug Allows Hackers to Turn Up the Heat

 

IoT attacks are not limited to DDoS, but also can have life threatening consequences. In this case, I  observed in a hacking forum how a Blackhat is playing with a Thermostat bug to change temperature of houses of its victim remotely. While the bug was a known one, this was first of a kind case where a PoC of a thermostat bug was used to change the temperature of the victim’s house by a hacker.

 

https://blog.newskysecurity.com/iot-thermostat-bug-allows-hackers-to-turn-up-the-heat-948e554e5e8b

 9. Audio interview with HITO botnet author on the IOT security podcast

I managed to get hold of the author of the HITO botnet, LIGHT, who shared the botnet source code privately with me. The hacker shed light on cross compilation , honeypot evasion and future of the botnet in the interview.

 

https://soundcloud.com/ankit_iot/hito-botnet-with-light-leafon

 10. Hacker takes over 29 IoT botnets

For the past few weeks, a threat actor who goes online by the name of "Subby" has taken over the IoT DDoS botnets of 29 other hackers, ZDNet has learned."It's obvious as to why this is happening," Subby said in an interview conducted by Ankit Anubhav, a security researcher at NewSky Security and shared with ZDNet.

 

https://www.zdnet.com/article/hacker-takes-over-29-iot-botnets/