The Hunt for IoT: The Growth and Evolution of Thingbots Ensures Chaos

IoT attacks show no signs of decreasing while infected IoT devices go un-remediated, and discovery of new thingbots is at a decade-long high.
March 13, 2018
39 min. read

Executive Summary

F5 Labs, in conjunction with our data partner Loryka, has been tracking “The Hunt for IoT” for two years. We have focused our hunt primarily around port 23 telnet brute force attacks—the “low-hanging fruit” method—as they are the simplest, most common way to compromise an IoT device. (Telnet was also the most prominent attack type when we started this research series.)

We think the low-hanging IoT fruit are in their last season of picking as we have been seeing attackers use other methods to compromise IoT devices for at least a year now. These other methods are equally easy from a technical standpoint. They just require a few more steps in the attack plan, and also affect fewer devices as they target non-standard ports and protocols, specific manufacturers, device types, or models.

For example, at least 46 million home routers are vulnerable to a remote command injection attack against the custom remote management protocols TR-069 and TR-064. These protocols were created for ISPs to manage their routers deployed at customer homes and were exploited by the Annie thingbot, causing widespread outages for customers of the German ISP Deutsche Telekom and Ireland’s Eircom.* Annie is one of five (Annie, Persirai, Satori, Masuta, and Pure Masuta) spin-off thingbots created with various parts of Mirai, only two of which (Persirai and Satori) attack telnet to initially exploit devices.


We have already witnessed attackers evolving their methods and markets for making money with compromised IoT devices, just like legitimate businesses and financial markets do, and IoT is a rich, trillion-dollar market based on IDC’s estimations for 2020,* ripe with vulnerable devices waiting to be exploited. Every expectation should be set that attackers will continue targeting IoT devices.

Moving forward in the hunt for IoT, it will be a competition among attackers to find IoT vulnerabilities, compromise those devices, and build the strongest thingbot—much like we see today with traditional IT infrastructure.

Regardless of when the easy pickings end, the volume of telnet brute force attacks launched between July 1 and December 31, 2017, maintained levels equivalent to what we saw before and after Mirai. In context, the telnet attacks we have been reporting on have built Remaiten, Mirai, Hajime, and Brickerbot (vigilante thingbots created to take out devices that could have been infected by Mirai), IRCTelnet, Satori, Persirai, Reaper and Hide ‘N Seek.* The telnet attacks we publish do not cover the whole IoT attack spectrum, yet they are enough to create nine sizable thingbots capable of massive destruction or surveillance, with room to create more thingbots we don’t know about yet.

The thingbot discovery timeline shows the evolution of the hunt for IoT through the discovery of thingbots over the past decade, their protocol exploit methods, the devices they target, and the attacks they launch.

Our research shows that there are new threat actor networks and IP addresses continually joining the IoT hunt, and there are consistent top threat actors over time—perhaps using favored networks. Networks that allow attackers to do whatever they want with little to no involvement (bulletproof hosting providers) or have limited ability to detect and respond to abuse (residential IoT devices in telecom networks). What’s more interesting is the pattern created by the count of attacks by IP address and the count of IP addresses used inside networks. The pattern is too clean to be random. It appears calculated and automated. In the same way the networks being used are intentionally picked, the number of systems and IP addresses used within those networks (and the number of attacks they launch) are calculated to avoid detection, and it’s all automated with the same code. We haven’t pinpointed the threat actors, but we see their strategy in action.

Below is a summary of our key findings based on data collected from July through December 2017:

  • Telnet brute force attacks against IoT devices rose 249% year over year (2016–2017).
  • 44% of the attack traffic originated from China, and from IP addresses in Chinese networks that were top threat actor networks in prior reports. Behind China in total attack volume was the U.S., followed by Russia.
  • We have consistently seen the same attacking IP addresses and networks over the span of our two-year research, proving that this abusive traffic is either not being detected, or it’s being allowed. Because of this, we have published the top 50 attacking IP addresses.
  • The destinations of attack traffic span the globe, presumably without bias. Wherever vulnerable IoT infrastructure is deployed, attackers are finding it. The most attacked countries were the U.S., Singapore, Spain, and Hungary.
  • Attackers have already begun to use other methods of finding and compromising IoT devices, which we will profile in future reports.
  • Despite broad awareness of Mirai, it’s growing in size. From June to December 2017, it grew significantly in Latin America and moderately in Europe and Asia.
  • Persirai has slightly declined in size over the last six months, most notably in India and Central Asia.

To see the full version of this report, click “Download” below.


Join the Discussion
Authors & Contributors
Sara Boddy (Author)
Justin Shattuck (Author)

* For citations, please see the full PDF version of this report.

What's trending?

Forward and Reverse Shells
Forward and Reverse Shells
09/15/2023 article 5 min. read
Web Shells: Understanding Attackers’ Tools and Techniques
Web Shells: Understanding Attackers’ Tools and Techniques
07/06/2023 article 6 min. read
What Is Zero Trust Architecture (ZTA)?
What Is Zero Trust Architecture (ZTA)?
07/05/2022 article 13 min. read