Identifying infected energy systems in the wild

Marnerides, Angelos K.; Giotsas, Vasileios; Mursch, Troy

doi:10.1145/3307772.3328305

Cited by 10 publications

(9 citation statements)

References 4 publications

(9 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…6, each scanner may scans a maximum of 15 ports with a minimum of 2 in every scanning session. Hence, in contrast with discussions (e.g., [6], [8]) on the full randomness of scanning strategies, we identify that even new Mirai variants have a carefully crafted and strategic scanning procedure.…”

Section: A Scanning Phasecontrasting

confidence: 60%

“…The seminal study in [5] was the first to profile the original 2016 Mirai botnet outbreak and contributed towards the Internet-wide, AS-level analysis as well as the impact of shared source code which led to the proliferation of Mirai variants. Moreover, the work in [3] and [6] assessed the impact of Mirai-like variants on industrial control systems (ICS) and how Mirai-like variants exploit DNS records respectively. Nonetheless, all aforementioned studies didn't capture the modern scanning characteristics of new variants and in parallel did not provide a recent overview of the Mirai-like structural properties (i.e., centralised or P2P) as conducted in this work.…”

Section: Related Workmentioning

confidence: 99%

“…Based on the publicly released Mirai source code, any botnets underpinned by Mirai-like malware would aggressively and randomly scan on TCP ports 23 and 2323 [6]. Both ports are dedicated for the Telnet protocol, enabling remote connection to a given IoT device.…”

Section: A Scanning Phasementioning

confidence: 99%

“…Since the 2016 Mirai outbreak where more than 550K IP-enabled DVRs were instrumented for a series of DDoS attacks and disrupted services almost across half of the global Internet [5], new Mirai-variants have emerged [6]. Efforts to analyse the dynamic properties of new Mirai-like variants are challenging and require a systematic and macroscopic view of the Internet in order to [1]- [3], [6]: (i) adequately inform corresponding governmental or industrial bodies and organisations in charge of infrastructure defense and (ii) equip next generation automated cyber threat intelligence (CTI), IDS and anomaly detection mechanisms with enriched information regarding evolving scanning, establishment and propagation strategies of new botnet variants.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Profiling IoT Botnet Activity in the Wild

Almazarqi

Marnerides

Mursch³

et al. 2021

2021 IEEE Global Communications Conference (GLOBECOM)

Self Cite

View full text Add to dashboard Cite

Undoubtedly, the Internet of Things (IoT) contributes significantly to daily mission-critical processes underpinning a number of socio-technical systems. Conversely, its rapid adoption has extensively broadened the cyber-threat landscape by virtue of low-cost IoT devices that are manufactured and deployed with minimal security. Evidently, vulnerable IoT devices are utilised by attackers to participate into Internet-wide botnets in order to instrument large-scale cyber-attacks and disrupt critical Internet services. Since the 2016 outbreak of the first IoT Mirai botnet there has been a continuous evolution of Mirai-like variants. Tracking these botnets is challenging due to their varying structural characteristics, and also due to the fact that malicious actors continuously adopt new evasion and propagation strategies. This work provides a new measurement study highlighting specific behavioural properties of Mirai-like botnets in terms of their propagation. We provide a comprehensive analysis conducted on real Cyber Threat Intelligence (CTI) feeds gathered for a period of 7 months from globally distributed attack honeypots and pinpoint the evolutionary port scanning patterns, targeted vulnerabilities and preferred services pursued by Mirai-like botnets. We identify the most frequently active Mirai-like malware binaries and we are the first to report the evolution of a new, P2P-based variant. In parallel, we provide evidence related to the lack of vendor-specific patching through highlighting unpatched vulnerabilities. Moreover, we pinpoint the inadequacy of widely used IP blacklisting databases to timely list malicious IP addresses. Thus, arguing in fair of integrating honeypot information from diverse Internet vantage points within the design of next generation botnet defence mechanisms.

show abstract

Section: A Scanning Phasecontrasting

confidence: 60%

Section: Related Workmentioning

confidence: 99%

Section: A Scanning Phasementioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Profiling IoT Botnet Activity in the Wild

Almazarqi

Marnerides

Mursch³

et al. 2021

2021 IEEE Global Communications Conference (GLOBECOM)

Self Cite

View full text Add to dashboard Cite

show abstract

“…The situation of cyberattacks against ICS has been investigated by monitoring devices, botnets, and globally deployed honeypots [2]. Marnerides et al reported that ICS networks were compromised due to non-ICS devices such as routers, servers, and IoT devices that were used as footholds for lateral movement [37].…”

Section: B Attack Observationmentioning

confidence: 99%

Exposed Infrastructures: Discovery, Attacks and Remediation of Insecure ICS Remote Management Devices

Sasaki

Fujita

Gañán

et al. 2022

2022 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

Geographically distributed infrastructures, such as buildings, dams, and solar power plants, are commonly maintained via Internet-connected remote management devices. Previous studies on detecting and securing industrial control systems (ICS) have overlooked these remote management devices, as they do not expose ICS-specific services like Modbus and BACnet and thus do not show up in Internet-wide scans for such services. In this paper, we implement and validate a discovery method for these devices via their Web User Interface (WebUI) and detect 890 devices in Japan alone. We also show that many of these devices are highly insecure. Many allow access to the status or even the control over industrial systems without proper authentication. Taking a closer look at three prevalent remote management devices, we discovered 13 0-day vulnerabilities, several of which were rated as medium or high severity. They have been responsibly disclosed to the manufacturers. By using honeypots that imitate these systems, we show that over time, only a small number of attackers enter these systems, but some do change critical parameters. Attackers appear to interact more with the system when more facility information is displayed on the WebUI. Finally, we notified operators of 317 vulnerable remote management devices by email and telephone. We reached 212 persons in charge of the devices and received confirmation that our method had correctly identified the device. 50% of the persons in charge of the devices stated that they mitigated or will mitigate the problem. We confirmed their actions via a followup scan for vulnerable devices and found that measures were taken for 58% of the devices when we could reach the persons in charge of the device.

show abstract