Incident: IoT Reaper Botnet: Advanced IoT Devices Hacked for Potential DDoS

Published Date: 2017-10-20

Postmortem Analysis
Timeline
1. The software failure incident involving the Reaper botnet was reported in an article published on 2017-10-20 [64130]. The incident therefore occurred in October 2017.

System
1. IoT devices, including routers from D-Link, Netgear, and Linksys, and internet-connected surveillance cameras from companies such as Vacron, GoAhead, and AVTech [64130].

Responsible Organization
1. The Reaper malware, a new IoT botnet threat that evolved from Mirai and uses software-hacking techniques to break into devices [64130].

Impacted Organization
1. IP cameras and internet routers were impacted by the software failure incident [64130].

Software Causes
1. The IoT Troop or Reaper botnet exploited known security flaws in IoT devices, using an array of compromise tools to break into them [64130].

Non-software Causes
1. Most consumers do not patch their home network routers and surveillance camera systems [64130].

Impacts
1. The software failure incident led to widespread outages impacting IP cameras and internet routers, causing much of the internet to be inaccessible in parts of the US and beyond [64130].
2. The incident resulted in a new botnet threat, known as IoT Troop or Reaper, which has infected a significant number of devices on a million networks and counting [64130].
3. The Reaper malware has infected 60 percent of the networks tracked by Check Point, with millions of devices queued to be added to the botnet [64130].
4. The botnet could unleash a serious threat through DDoS attacks, similar to the attack on Dyn that wiped major targets off the internet [64130].
5. The incident has raised concerns that the botnet could shift its tactics at any time, weaponizing hijacked routers and cameras for malicious purposes [64130].

Preventions
1. Regularly updating and patching IoT devices to fix known security vulnerabilities could have prevented the software failure incident [64130].
2. Changing default passwords on IoT devices to strong, unique passwords could have prevented the software failure incident [64130].
3. Performing network analysis to check for communication with the command-and-control servers of potential malware could have helped prevent the software failure incident [64130].

Fixes
1. Updating affected devices with available patches to fix the known security flaws in their code [64130].
2. Performing a factory reset of the firmware on affected devices to wipe out the malware [64130].
3. Conducting network analysis to check whether devices are communicating with the command-and-control server administering the botnet [64130].

References
1. Chinese security firm Qihoo 360
2. Israeli firm Check Point
3. Maya Horowitz, manager of Check Point's research team
4. McAfee

Software Taxonomy of Faults

Category | Option | Rationale
Recurring | multiple_organization | (a) The Reaper botnet is a new threat that evolved from the Mirai botnet. Where Mirai exploited devices with weak or default passwords, Reaper uses known security flaws in the code of insecure machines to break in [64130]. (b) Reaper resembles Mirai but carries more sophisticated tools and has the potential to become even larger and more dangerous. It has infected fully 60 percent of the networks tracked by Check Point, and millions of devices are queued in the hackers' code, waiting to be added to the botnet [64130].
Phase (Design/Operation) | design, operation | (a) The design-phase aspect of the incident lies in the evolution of the IoT botnet threat known as IoT Troop or Reaper. Unlike Mirai, which primarily exploited weak or default passwords, Reaper uses actual software-hacking techniques to break into devices by exploiting known security flaws in the code of insecure machines [64130]. (b) The operation-phase aspect is that many consumers are not in the habit of patching their home network routers or surveillance camera systems, leaving them vulnerable to malware such as Reaper. Check Point found that 60 percent of the networks it tracks have been infected with the Reaper malware, indicating a failure in the operation and maintenance of these devices by their users [64130].
Boundary (Internal/External) | within_system | (a) within_system: The incident is primarily within the system. It involves the emergence of a new botnet threat, IoT Troop or Reaper, which uses software-hacking techniques to break into devices by exploiting known security flaws in the code of insecure machines [64130]. The failure therefore results from vulnerabilities and weaknesses within the system itself, which allow the malware to infect and spread across devices. (b) outside_system: The incident does not appear to stem primarily from contributing factors outside the system. The focus is on how Reaper leverages software-hacking techniques and exploits within the devices to spread, rather than on external factors causing the failure [64130].
Nature (Human/Non-human) | non-human_actions | (a) The incident relates to non-human actions. It involves the emergence of a new botnet threat, IoT Troop or Reaper, which uses software-hacking techniques to break into devices by exploiting known security flaws in the code of insecure machines [64130]. This botnet differs from earlier ones such as Mirai, which primarily exploited weak or default passwords. The Reaper malware can recruit a large number of IoT devices into its network, potentially causing widespread impact without direct human involvement.
Dimension (Hardware/Software) | software | (a) The incident is primarily related to software rather than hardware. It involves a new botnet threat, IoT Troop or Reaper, which uses software-hacking techniques to break into devices by exploiting known security flaws in the code of insecure machines [64130]. The Reaper malware evolved from earlier botnets such as Mirai and uses a variety of IoT hacking techniques to infect devices such as routers and surveillance cameras through software vulnerabilities [64130]. (b) The incident is directly attributable to software-related factors. Unlike its predecessor Mirai, the Reaper botnet compromises devices by exploiting vulnerabilities in their software code [64130]. The malware uses an array of compromise tools to infect devices and spread further, marking a shift from merely guessing passwords to actively exploiting software flaws in IoT devices [64130].
Objective (Malicious/Non-malicious) | malicious | (a) The incident is malicious in nature. It involves the emergence of a new botnet threat, IoT Troop or Reaper, which uses actual software-hacking techniques to break into devices by exploiting known security flaws in the code of insecure machines [64130]. The Reaper malware evolved from earlier botnets such as Mirai and can recruit a large number of devices into its network, posing a serious threat to potential DDoS targets worldwide. The malware includes a Lua-based software platform that allows new code modules to be downloaded to infected machines, indicating a deliberate effort to weaponize hijacked routers and cameras for potential DDoS attacks [64130]. The sophistication and capabilities of the Reaper botnet suggest an intent to cause harm to systems and potentially to create chaos or target specific industries through DDoS attacks [64130].
Intent (Poor/Accidental Decisions) | poor_decisions, accidental_decisions | (a) The incident can be attributed to poor decisions by the owners of IoT devices, who failed to patch and properly secure them. It highlights the consequences of leaving known security vulnerabilities in IoT devices unaddressed, allowing the botnet to exploit those weaknesses and grow rapidly [64130]. (b) The incident can also be linked to accidental decisions, or unintended consequences, arising from consumers not being in the habit of patching their home network routers and surveillance camera systems. This lack of awareness or action inadvertently contributed to the spread of the Reaper malware, showing the impact of unintentional decisions on cybersecurity [64130].
Capability (Incompetence/Accidental) | development_incompetence, unknown | (a) The development-incompetence aspect is evident in the case of the IoT botnet known as Reaper. Unlike the Mirai botnet, which primarily exploited weak or default passwords on devices, Reaper evolved to use actual software-hacking techniques to break into devices by exploiting known security flaws in the code of insecure machines [64130]. This shift in strategy indicates a higher level of sophistication and competence in the development of the malware, reflecting a more advanced approach to compromising IoT devices. (b) Accidental factors are not explicitly mentioned in the article.
Duration | temporary | The incident is better characterized as a temporary failure than a permanent one. It involves the malware infecting devices and waiting for a piece of automatic "loader" software to add them to the botnet, an ongoing process of spreading and potential activation [64130]. The article also notes that Reaper has not yet shown signs of any DDoS activity, but that it includes a platform allowing new code modules to be downloaded to infected machines, suggesting a possible shift in tactics at any time [64130]. Together these point to a temporary failure in which the malware is actively evolving and potentially preparing for future malicious activity.
Behaviour | omission, value, byzantine | (a) crash: The articles do not mention any instance of a system crash in which the system loses state and performs none of its intended functions. (b) omission: The articles discuss the failure of IoT devices to receive patches and updates, so that the intended function of remaining secure against malware such as Reaper is omitted. Many consumers are not in the habit of patching their home network routers and surveillance camera systems, leaving them vulnerable to infection [64130]. (c) timing: The articles do not mention any timing failure in which the system performs its intended functions at the wrong time. (d) value: The failure of the IoT devices to resist the Reaper malware, because of known security flaws in their code, can be categorized as a value failure: the devices do not perform their intended function of being secure against hacking attempts [64130]. (e) byzantine: The behaviour of the Reaper malware, which uses various hacking techniques to infect IoT devices and build a botnet, can be considered a byzantine failure. The malware behaves in an erratic and inconsistent manner, exploiting vulnerabilities in different devices to spread itself further [64130]. (f) other: The articles do not mention any other behaviour of the incident that falls outside the categories of crash, omission, timing, value, or byzantine.

IoT System Layer

Layer | Option | Rationale
Perception | None | None
Communication | None | None
Application | None | None

Other Details

Category | Option | Rationale
Consequence | property, non-human, theoretical_consequence | (a) unknown (b) unknown (c) unknown (d) property: The incident did not directly result in physical harm, death, or impact on basic needs such as food or shelter. It did, however, have consequences for property, since people's material goods, IoT devices such as routers and surveillance cameras, were affected by the Reaper malware. The malware infected a significant number of devices, potentially compromising users' data and their control over those devices [64130]. (e) unknown (f) non-human: The incident affected non-human entities, specifically IoT devices such as routers, surveillance cameras, and other connected gadgets. These devices were infected by the Reaper malware, which aimed to recruit them into a botnet for potential malicious activity such as DDoS attacks [64130]. (g) unknown (h) unknown (i) unknown
Domain | information | (a) The incident relates to the information industry. It involves a new botnet threat, IoT Troop or Reaper, which targets IoT devices such as IP cameras and internet routers by exploiting known security flaws in their code [64130]. The botnet can recruit a large number of devices into its network, posing a significant threat to the security and stability of the internet and of information systems.
