The original paper is in English. Non-English content has been machine-translated and may contain typographical errors or mistranslations. ex. Some numerals are expressed as "XNUMX".
Copyrights notice
The original paper is in English. Non-English content has been machine-translated and may contain typographical errors or mistranslations. Copyrights notice
Desde o surto do malware IoT “Mirai”, ocorreram vários incidentes nos quais dispositivos IoT foram infectados com malware. O malware tem como alvo dispositivos IoT cujos serviços Telnet e SSH são acessíveis pela Internet e cujas configurações de ID/senha não são fortes o suficiente. Também são conhecidas várias famílias de malware de IoT, incluindo Mirai, que restringem o acesso ao Telnet e outros serviços para evitar que os dispositivos sejam infectados por outro malware após a infecção. No entanto, dezenas de milhares de dispositivos no Japão ainda podem acessar serviços Telnet pela Internet, de acordo com os resultados da verificação de rede. Isso implica que esses dispositivos podem evitar a infecção por malware definindo senhas fortes o suficiente e, portanto, não podem ser usados como trampolim para ataques cibernéticos? Em fevereiro de 2019, iniciamos o projeto Operação Nacional Rumo a um Ambiente Limpo de IoT (NOTICE) no Japão para investigar dispositivos IoT com credenciais fracas e notificar os usuários dos dispositivos. Neste estudo, analisamos os resultados do projeto NOTICE de fevereiro de 2021 a maio de 2021 e os resultados do monitoramento em larga escala da darknet para revelar se os dispositivos IoT com credenciais fracas estão infectados com malware ou não. Além disso, analisamos os dispositivos IoT com credenciais fracas para descobrir os fatores que impedem que esses dispositivos sejam infectados por malware e para avaliar o risco de abuso para ataques cibernéticos. A partir dos resultados da análise, descobriu-se que aproximadamente 2,000 dispositivos podem ser facilmente logados usando credenciais fracas em um mês no Japão. Esclarecemos também que nenhum dispositivo está infectado com malware Mirai e suas variantes devido à falta de funções utilizadas para infecção por malware, excluindo apenas um host. Finalmente, mesmo os dispositivos logados pelo projeto NOTICE não estão infectados com Mirai, descobrimos que pelo menos 80% e 93% dos dispositivos podem executar scripts arbitrários e enviar pacotes para destinos arbitrários, respectivamente.
Kosuke MURAKAMI
National Institute of Information and Communications Technology,KDDI Research Inc.
Takahiro KASAMA
National Institute of Information and Communications Technology
Daisuke INOUE
National Institute of Information and Communications Technology
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Copiar
Kosuke MURAKAMI, Takahiro KASAMA, Daisuke INOUE, "A Large-Scale Investigation into the Possibility of Malware Infection of IoT Devices with Weak Credentials" in IEICE TRANSACTIONS on Information,
vol. E106-D, no. 9, pp. 1316-1325, September 2023, doi: 10.1587/transinf.2022ICT0001.
Abstract: Since the outbreak of IoT malware “Mirai,” several incidents have occurred in which IoT devices have been infected with malware. The malware targets IoT devices whose Telnet and SSH services are accessible from the Internet and whose ID/Password settings are not strong enough. Several IoT malware families, including Mirai, are also known that restrict access to Telnet and other services to keep the devices from being infected by other malware after infection. However, tens of thousands of devices in Japan can be still accessed Telnet services over the Internet according to network scan results. Does this imply that these devices can avoid malware infection by setting strong enough passwords, and thus cannot be used as a stepping stone for cyber attacks? In February 2019, we initiated the National Operation Toward IoT Clean Environment (NOTICE) project in Japan to investigate IoT devices with weak credentials and notify the device users. In this study, we analyze the results of the NOTICE project from February 2021 to May 2021 and the results of the large-scale darknet monitoring to reveal whether IoT devices with weak credentials are infected with malware or not. Moreover, we analyze the IoT devices with weak credentials to find out the factors that prevent these devices from being infected with malware and to assess the risk of abuse for cyber attacks. From the results of the analysis, it is discovered that approximately 2,000 devices can be easily logged in using weak credentials in one month in Japan. We also clarify that no device are infected with Mirai and its variants malware due to lack of functions used for malware infection excluding only one host. Finally, even the devices which are logged in by NOTICE project are not infected with Mirai, we find that at least 80% and 93% of the devices can execute arbitrary scripts and can send packets to arbitrary destinations respectively.
URL: https://global.ieice.org/en_transactions/information/10.1587/transinf.2022ICT0001/_p
Copiar
@ARTICLE{e106-d_9_1316,
author={Kosuke MURAKAMI, Takahiro KASAMA, Daisuke INOUE, },
journal={IEICE TRANSACTIONS on Information},
title={A Large-Scale Investigation into the Possibility of Malware Infection of IoT Devices with Weak Credentials},
year={2023},
volume={E106-D},
number={9},
pages={1316-1325},
abstract={Since the outbreak of IoT malware “Mirai,” several incidents have occurred in which IoT devices have been infected with malware. The malware targets IoT devices whose Telnet and SSH services are accessible from the Internet and whose ID/Password settings are not strong enough. Several IoT malware families, including Mirai, are also known that restrict access to Telnet and other services to keep the devices from being infected by other malware after infection. However, tens of thousands of devices in Japan can be still accessed Telnet services over the Internet according to network scan results. Does this imply that these devices can avoid malware infection by setting strong enough passwords, and thus cannot be used as a stepping stone for cyber attacks? In February 2019, we initiated the National Operation Toward IoT Clean Environment (NOTICE) project in Japan to investigate IoT devices with weak credentials and notify the device users. In this study, we analyze the results of the NOTICE project from February 2021 to May 2021 and the results of the large-scale darknet monitoring to reveal whether IoT devices with weak credentials are infected with malware or not. Moreover, we analyze the IoT devices with weak credentials to find out the factors that prevent these devices from being infected with malware and to assess the risk of abuse for cyber attacks. From the results of the analysis, it is discovered that approximately 2,000 devices can be easily logged in using weak credentials in one month in Japan. We also clarify that no device are infected with Mirai and its variants malware due to lack of functions used for malware infection excluding only one host. Finally, even the devices which are logged in by NOTICE project are not infected with Mirai, we find that at least 80% and 93% of the devices can execute arbitrary scripts and can send packets to arbitrary destinations respectively.},
keywords={},
doi={10.1587/transinf.2022ICT0001},
ISSN={1745-1361},
month={September},}
Copiar
TY - JOUR
TI - A Large-Scale Investigation into the Possibility of Malware Infection of IoT Devices with Weak Credentials
T2 - IEICE TRANSACTIONS on Information
SP - 1316
EP - 1325
AU - Kosuke MURAKAMI
AU - Takahiro KASAMA
AU - Daisuke INOUE
PY - 2023
DO - 10.1587/transinf.2022ICT0001
JO - IEICE TRANSACTIONS on Information
SN - 1745-1361
VL - E106-D
IS - 9
JA - IEICE TRANSACTIONS on Information
Y1 - September 2023
AB - Since the outbreak of IoT malware “Mirai,” several incidents have occurred in which IoT devices have been infected with malware. The malware targets IoT devices whose Telnet and SSH services are accessible from the Internet and whose ID/Password settings are not strong enough. Several IoT malware families, including Mirai, are also known that restrict access to Telnet and other services to keep the devices from being infected by other malware after infection. However, tens of thousands of devices in Japan can be still accessed Telnet services over the Internet according to network scan results. Does this imply that these devices can avoid malware infection by setting strong enough passwords, and thus cannot be used as a stepping stone for cyber attacks? In February 2019, we initiated the National Operation Toward IoT Clean Environment (NOTICE) project in Japan to investigate IoT devices with weak credentials and notify the device users. In this study, we analyze the results of the NOTICE project from February 2021 to May 2021 and the results of the large-scale darknet monitoring to reveal whether IoT devices with weak credentials are infected with malware or not. Moreover, we analyze the IoT devices with weak credentials to find out the factors that prevent these devices from being infected with malware and to assess the risk of abuse for cyber attacks. From the results of the analysis, it is discovered that approximately 2,000 devices can be easily logged in using weak credentials in one month in Japan. We also clarify that no device are infected with Mirai and its variants malware due to lack of functions used for malware infection excluding only one host. Finally, even the devices which are logged in by NOTICE project are not infected with Mirai, we find that at least 80% and 93% of the devices can execute arbitrary scripts and can send packets to arbitrary destinations respectively.
ER -