Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

C&C Panels of 10 IoT Botnets Compromised by Researchers

At the Virus Bulletin Conference last week, two security researchers explained how they were able to compromise the command and control (C&C) panels of 10 Internet of Things (IoT) botnets.

At the Virus Bulletin Conference last week, two security researchers explained how they were able to compromise the command and control (C&C) panels of 10 Internet of Things (IoT) botnets.

The researchers, Aditya K. Sood and Rohit Bansal of SecNiche Security Labs, revealed at the online conference that they were able to access the C&C panels of the Mana, Vivid, Kawaii, Verizon, Goon, 911-Net, Purge Net, Direct, 0xSec, and Dark botnets.

According to Sood and Bansal, possible approaches to such compromise would first involve mapping the remote servers that are distributing binaries, or extracting the binaries dropped onto compromised IoT devices, and then extracting the hardcoded IP addresses from these files, to learn where those panels are located.

However, it is also possible to extract artefacts from network traffic, including IP addresses, or even extract C&C information from malicious processes running on the compromised devices (effective if the address is generated on the fly).

One other approach involves mass scanning the Internet for potentially suspicious IoT devices, finding exposed administrative interfaces and attempting to compromise them to extract information on C&C servers. Scanning for remote servers based on known indicators is also possible.

The next step after identifying the attacker’s server is accessing the C&C panel, which can be done through the frontend admin interface by brute-forcing credentials. Access can also be obtained by compromising a backend database to gain access to administrative credentials, finding and exploiting vulnerabilities in the C&C panel, or using cracked credentials, the researchers said.

IoT botnet C&C panel

In the event that the C&C interface cannot be breached, one could also attempt to crash the server, or kill it. By analyzing the source code of botnet malware, such as that for Mirai, which is available online, one could identify the buffer allocation for various functions, discover vulnerable ones to trigger overflows, craft a buffer and then send it to the target to see if the crash happens.

At the VB 2020 conference, the two researchers revealed that they used these approaches to access the C&C panels of the aforementioned IoT botnets, which then allowed them to learn more about the capabilities of these threats and the manner in which they are operated.

Advertisement. Scroll to continue reading.

They obtained information on the commands supported by the botnets, the various options available for administrators, including those employed for launching distributed denial of service (DDoS) or similar attacks, as well as the similarities and differences between the different panels.

The two researchers also detailed specific techniques which, they say, could be used to create additional attack scenarios, not only to hack back at IoT botnets, but also to build defensive measures against them.

In fact, they argue, compromising these C&C panels is highly important for gathering threat intelligence and building defenses against IoT botnets, pointing out that otherwise it would be difficult to understand how exactly the botnets operate.

Related: Black Hat Wrap-Up: IoT and Hardware Vulnerabilities Take the Spotlight

Related: Botnet Targets Critical Vulnerability in Grandstream Appliance

Related: New ‘Kaiji’ Botnet Attacks Linux, IoT Devices via SSH Brute Force

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Cybercrime

Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...