Multiple stories published here over the past few weeks have examined the disruptive power of hacked “Internet of Things” (IoT) devices like routers, IP cameras and digital video recorders. This post looks at how crooks are using hacked IoT devices as proxies to hide their true location online while they engage in a variety of other types of cybercriminal activity, from frequenting underground forums to credit card and tax refund fraud.
Recently I heard from a cybersecurity researcher who had built a virtual “honeypot” environment designed to mimic hackable IoT devices. The source, who asked to remain anonymous, said his honeypot soon began seeing traffic destined for Asus and Linksys routers running default credentials.
My source grabbed a copy of the malware, analyzed it, and found it had two basic functions: to announce itself with a registration “I’m here” beacon to a handful of Internet addresses hard-coded in the malware; and to listen for incoming commands, such as scanning for newly exposed hosts or running additional malware. He then wrote a script to simulate the hourly “I’m here” beacons, interpret any “download” commands, and then carry out the download and “run” commands.
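One way a defender can spot the kind of hourly “I’m here” beacon described above is to look for outbound connections from a router that recur at a nearly fixed interval. The following is an added example, not code from the article or from the researcher; the log format, addresses, ports and thresholds are all assumed.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of outbound connection records from a SOHO router
# (syslog-like; format, addresses and ports are assumed, not from the article).
SAMPLE_LOG = """\
2017-01-10T00:02:11Z OUT src=192.0.2.10 dst=198.51.100.7 dport=8080
2017-01-10T00:15:40Z OUT src=192.0.2.10 dst=203.0.113.50 dport=443
2017-01-10T01:02:09Z OUT src=192.0.2.10 dst=198.51.100.7 dport=8080
2017-01-10T01:44:03Z OUT src=192.0.2.10 dst=203.0.113.50 dport=443
2017-01-10T02:02:13Z OUT src=192.0.2.10 dst=198.51.100.7 dport=8080
2017-01-10T03:02:10Z OUT src=192.0.2.10 dst=198.51.100.7 dport=8080
2017-01-10T03:30:00Z OUT src=192.0.2.10 dst=203.0.113.50 dport=443
2017-01-10T04:02:12Z OUT src=192.0.2.10 dst=198.51.100.7 dport=8080
"""

LINE_RE = re.compile(r"^(\S+) OUT src=(\S+) dst=(\S+) dport=(\d+)$")

def parse_log(text):
    """Return {(src, dst, dport): [datetime, ...]} with timestamps sorted."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        flows[(m.group(2), m.group(3), int(m.group(4)))].append(ts)
    for times in flows.values():
        times.sort()
    return flows

def find_beacons(flows, min_hits=4, max_jitter=0.05):
    """Return {(src, dst, dport): mean_gap_seconds} for flows with at least
    min_hits connections whose gap standard deviation is <= max_jitter * mean gap."""
    beacons = {}
    for key, times in flows.items():
        if len(times) < max(min_hits, 2):  # need at least one gap to measure
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) <= max_jitter * avg:
            beacons[key] = avg
    return beacons

if __name__ == "__main__":
    for key, period in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"possible beacon: {key} every ~{period / 60:.1f} min")
```

On the constructed sample only the flow to 198.51.100.7:8080 is flagged, with a period of roughly sixty minutes; the irregular browsing to 203.0.113.50 is not.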
The researcher found that the malware being pushed to his honeypot system was designed to turn his fake infected router into a “SOCKS proxy server,” essentially a host that routes traffic between a client and a server. SOCKS proxies are most often used to anonymize communications, because they help obscure the true source of the client that is using the SOCKS server.
Using a custom tool that allows the user to intercept (a.k.a. “man-in-the-middle”) encrypted SSL traffic, the researcher was able to collect the encrypted data passing through his SOCKS servers and decrypt it.

What he found was that all of the systems were being used for a variety of badness, from proxying Web traffic destined for cybercrime forums to testing stolen credit cards at merchant Web sites.

Unfortunately, this kind of criminal proxying is hardly new. Crooks have been using hacked PCs to proxy their traffic for eons. KrebsOnSecurity has featured numerous stories about cybercrime services that sell access to hacked computers as a way of helping criminals anonymize their nefarious activities online.
And while the activity that my source observed with his honeypot project targeted poorly secured Internet routers, there is no reason the same type of proxying could not be done via other insecure-by-default IoT devices, such as Internet-connected security cameras and digital video recorders.
Indeed, my guess is that this is precisely how these other types of hacked IoT devices are being used right now (in addition to being forced to take part in launching massive denial-of-service attacks against targets that criminals want to knock offline).
“In a way, this feels like 1995-2000 with computers,” my source told me. “Devices were getting online, antivirus was not as common, and folks didn’t understand an ordinary individual’s computer could be enslaved to do something else. The difference now is, the number of vendors and devices has proliferated, and there is an underground ecosystem with the expertise to fuzz, exploit, write the custom applications. Plus, what one man does can be easily shared with some little group or with the complete world.”