Kaspersky Lab says new IoT-malware grew three-fold in H1 2018, manufacturers don’t prioritize security


According to the Kaspersky Lab IoT report, in the first half of 2018, IoT devices were attacked with more than 120,000 modifications of malware. That’s more than triple the amount of IoT malware seen in the whole of 2017. Kaspersky Lab warns that the snowballing growth of malware families for smart devices is a continuation of a dangerous trend: 2017 also saw the number of smart device malware modifications rise to 10 times the amount seen in 2016.

The market for IoT devices (also known as “smart” gadgets), and their role in everyday life, is growing exponentially. But cybercriminals are seeing the financial opportunities too, and are multiplying and differentiating their attacks as a result. The danger for consumers who love their IoT gadgets is that threats can strike unexpectedly, turning seemingly harmless devices into powerful machines for illegal activity. This can include malicious cryptocurrency mining, DDoS attacks, or the discreet inclusion of devices in botnet activities.

Aware of these dangers, Kaspersky Lab experts regularly review the data collected from various sources, including the company's honeypots – decoy devices used to attract the attention of cybercriminals and analyze their activities. The latest updates are striking: during the first half of 2018, the number of malware modifications aimed at IoT devices registered by researchers was more than three times higher than the number registered in the whole of 2017.


The statistics show that the most popular method of IoT malware propagation is still the brute forcing of passwords — repetitive attempts at various password combinations. Brute forcing was used in 93 percent of detected attacks. In most of the remaining cases, access to an IoT device was gained using well-known exploits.

The devices most often attacking Kaspersky Lab honeypots were routers (by a large margin). Sixty percent of the registered attempts to attack virtual devices were coming from them. The remaining share of compromised IoT gadgets included a variety of different technologies, such as DVR-devices and printers. The honeypots even registered an attack coming from 33 washing machines.

“Compared to personal computers and smartphones, IoT devices might not seem powerful enough to attract cybercriminals and be used in their illegal activity,” said Mikhail Kuzin, security researcher at Kaspersky Lab. “However, their lack of performance is more than outweighed by their number, and the fact that some smart gadget manufacturers are still not paying enough attention to the security of their products. Even if vendors begin to provide their devices with better security now, it will be a while before old vulnerable devices have been phased out of our homes. In addition, IoT malware families are customizing and developing very fast, and while previously exploited breaches have not been fixed, criminals are constantly discovering new ones. IoT products have therefore become an easy target for cybercriminals who can turn simple machines into a powerful device for illegal activity, such as spying, stealing and blackmailing.”

VPNFilter Trojan

The report also noted that the VPNFilter Trojan intercepts the traffic of infected devices and steals basic but important user data, including usernames and passwords, which are sent to the cybercriminals’ server. There are about 500,000 infected devices.

Kaspersky Lab researchers listed the main features of VPNFilter:

  • Modular architecture. The malware creators can fit it out with new functions on the fly. For instance, in early June 2018, a new module was detected that can inject JavaScript code into intercepted web pages.
  • Reboot resistant. The Trojan writes itself to the standard Linux crontab job scheduler, and can also modify the configuration settings in the non-volatile memory (NVRAM) of the device.
  • Uses TOR for communication with C&C.
  • Able to self-destruct and disable the device. On receiving the command, the Trojan deletes itself, overwrites the critical part of the firmware with garbage data, and then reboots the device.
  • “The Trojan’s distribution method is still unknown: its code contains no self-propagation mechanisms. However, we are inclined to believe that it exploits known vulnerabilities in device software for infection purposes,” according to the researchers.

Here is a list of manufacturers whose gadgets are the most vulnerable to attacks, according to Kaspersky Lab’s June 2018 study: Asus, D-Link, Huawei, Linksys, MikroTik, Netgear, QNAP, TP-Link, Ubiquiti, Upvel, and ZTE.

“The situation is made worse by the fact that these manufacturers’ devices are used not only in corporate networks but often as home routers,” the researchers added.