‘Reaper’ Botnet Wreaking Havoc On Millions of Devices

Dan Gunderman
10/26/2017

The lyric “don’t fear the reaper” is notably misleading when that personified force is actually a botnet capable of disabling web services in a widespread DDoS attack.

The latest botnet threat, dubbed “Reaper” by researchers at Netlab360, has already spread to one to two million web-enabled devices.

Although estimates differ slightly as to the size of the botnet “zombie” force at this stage – with infected computers hungry for more cyber prey – researchers are saying the crippling force could exceed the Mirai IoT botnet, which affected top-tier websites in October 2016.

Mirai took down major U.S. sites, including Netflix, Twitter and the New York Times, preying on default passwords on IP cameras and various routers.

Yet the threat to smart devices in the IoT sphere seems even more menacing with Reaper, also called “IoTroop,” which reportedly has the ability to administer sophisticated software-hacking strategies to break into enabled devices.

Wyndham Worldwide Corporation’s Vice President of Cybersecurity, Eric Brohm, told Cyber Security Hub that the botnet is “currently building its footprint throughout the Internet.” Chances are, it will not stop there.

Reaper’s victims include webcams, security cameras and digital video recorders (DVRs), which, if unprotected, could add to the botnet’s horde.

In a statement, Paul Lipman, the CEO of cybersecurity company BullGuard, said, “The industry must wake up and address this issue. Taking down websites may seem relatively innocuous, but Reaper has the potential to cause massive amounts of damage…”


Aside from its more sophisticated tactics, Reaper reportedly injects its malicious code into vulnerable devices, leaving them susceptible to commands from the botnet controller. This process subsequently repeats upon the discovery of other vulnerable devices.

Conversely, Reaper is reportedly not as aggressive as Mirai, meaning it has the potential to fly under the radar even further, so to speak. What’s more, with Mirai, the infection was no longer potent after a system reboot.

Netlab has also said that the botnet’s efficacy has grown in recent weeks, making it more difficult and complex to defeat. One estimate places 10,000 devices under a single control server on the botnet.

Thus far, there has been no DDoS attack stemming from the botnet, although researchers assume it may simply be amassing its army. The Reaper, then, could even affect major fields, such as the electric grid, as IoT devices with access to “flip-switch” electric components could be used in tandem to inflict harm.

On this Reaper threat, Brohm told Cyber Security Hub, “At some future time, either when the attackers feel that the botnet has reached critical mass for accomplishing significant interruption, or perhaps when they have a specific list of targets identified, they will ‘flip the switch’ and we will begin to see these victimized devices fire off volumes of traffic, performing a distributed denial of service (DDoS) attack.”

At this point, it remains a guessing game as to what target the botnet has in its crosshairs. It appears likely it could hold high-end organizations for ransom.

What is a possible solution to this worm-like plague?

For one, it could be a simple patch or manually unplugging and/or disconnecting devices.

While the Reaper’s threat is wholly troublesome, the issue appears to be far more systemic as well. In assessing 310,000 home networks, BullGuard’s IoT scanner showed that nearly 14,000 devices were vulnerable to threats like the current botnet. Applied to a wider sample, that could mean 378 million vulnerable devices.

If the number of devices connected to the web increases to 20 billion by 2020, some 900 million devices could be at risk – if those numbers hold true.


For the enterprise specifically, these same mechanisms are still applicable.

Brohm added, “With the botnet utilizing known, published vulnerabilities to propagate, ensuring devices within your network have the latest firmware and patches installed can help slow this attack down.”

Yet, for the enterprise, the patch repair system seems to be lagging. On the matter, Brohm said, “Unfortunately, while patching workstations and servers is often done, IoT-type devices have yet to work their way into most patching programs within companies. Attacks like this will hopefully accelerate having IoT devices brought into the scope of regular patching.”

As IoT devices proliferate, then, so must the anti-virus technologies and practices. The threat of cyber attacks to the enterprise is real, as evidenced by the Mirai 2016 incident. So, CISOs must be conscious of ongoing or imminent hazards. Also, both manual and digital solutions are applicable in the case of the Reaper – a simple disconnect or reboot on IoT devices could disable, or at least cripple, the death-bringing force known as the Reaper/IoTroop.
