Thingbots and Reapers and Cryptominers—Oh, My! F5 Labs’ First Year in Review

F5 Labs covered a multitude of threats, vulnerabilities, botnets, attackers, and attacks in 2017. Here are just some of the highlights you might have missed.
January 25, 2018

We’re celebrating our one-year anniversary here at F5 Labs, the application threat intelligence division of F5! Although F5 researchers have been providing threat-related, F5-specific guidance to our customers for many years through DevCentral, the time was right a year ago today to launch a dedicated website that provides the general public with vendor-neutral, application-focused, actionable threat intelligence—actionable being the operative word. In the past year, our team of expert threat researchers, analysts, evangelists, and guest authors have shared their insights in more than 100 blogs and articles, and a half-dozen or so in-depth reports. Here are just some of the highlights from 2017.

F5 Labs Exclusive Reports

In Using F5 Labs Application Threat Intelligence, principal threat research evangelists Ray Pompon and Sara Boddy explain what application-focused threat intelligence really is (or should be), why you desperately need it in today’s threat-ridden world, and how to use it to stop attackers in their tracks early—before your organization gets breached. This is a foundational report for those who want to understand threat intelligence better.

Lessons Learned from a Decade of Data Breaches. Written by Sara Boddy and Ray Pompon, this comprehensive report looks at 433 breach cases spanning 12 years to discover how attackers are breaching organizations. Turns out that 86% of breaches start with application or user identity attacks. Organizations must shift their security efforts to protecting these targets, or a breach is inevitable sometime in their future (it’s no longer a question of “if” but “when”).

The Hunt for Internet of Things (IoT) report series. IoT devices are quickly becoming attackers’ “cyberweapon delivery system of choice.” Defending against IoT botnet (“thingbot”) attacks begins with understanding who’s on “the hunt” for vulnerable devices, so that’s where our reports focus:

  • DDoS’s Newest Minions: IoT Devices tracks the huge upsurge in SSH and Telnet brute force scans in 2015 and 2016, leading F5 researchers to predict the Mirai botnet long before others did. The report serves as a wake-up call to everyone that IoT devices are highly vulnerable and susceptible to attack.
  • The Networks Building Death Star-Sized Botnets from IoT Minions notes an astounding 1,373% growth in the hunt for vulnerable IoT devices and names the networks involved in the hunt. This data supports our earlier prediction that massive botnets like Mirai were being built and already attacking.
  • The Rise of Thingbots tracks the progression of the Mirai and Persirai IoT botnets, which we dubbed “thingbots” since they are built entirely out of IoT devices. With attacks continuing to rise and billions of devices flooding the market, IoT devices are destined to become the attacker infrastructure of the future.

Volumes 1, 2, and 3


The TLS Telemetry Report. If you’re not a cryptography geek, our resident crypto-geek and principal threat research evangelist, David Holmes, might turn you into one with this report! He discusses current SSL/TLS trends, the pitfalls of self-signed certificates, and trends driving forward secrecy. He even includes a “server smackdown,” comparing the relative safety of today’s most popular web servers.

Ray Pompon tackles one of today’s most rampant security threats in his report, Phishing: The Secret of its Success and What You Can Do to Stop It. Learn how easy we make it (thanks in large part to social media and social networking sites) for phishers to bait their hooks and dupe even the savviest of users.


Threats, Vulnerabilities, Botnets, and Attacks

  • When attackers can make good money mining cryptocurrency, why wouldn’t they use compromised systems to do that? F5 Labs closed out 2017 with two different pieces about Monero miners, both discovered by F5 researchers Maxim Zavodchik, Liron Segal, and Aaron Brailsford:
    • PyCryptoMiner is a new Linux-based Monero miner that spreads via SSH and keeps itself alive by using Pastebin to publish new C&C addresses.
    • Zealot is a new Apache Struts campaign that uses leaked NSA exploits EternalBlue and EternalSynergy to mine Monero on internal networks.
  • And because we’re big on debating the pros and cons of cryptocurrency behind the scenes at F5 Labs, we published a bit of friendly point-counterpoint between David Holmes with his article, Five Reasons the CISO is a Cryptocurrency Skeptic—Starting with Bitcoin, and Justin Shattuck’s and Ray Pompon’s counterpunch piece, Five Reasons CISOs Should Keep an Open Mind about Cryptocurrencies.
  • In 2017, banking trojans expanded their targets beyond banks to include payment processors and CRMs, wealth management services, Android apps, social media and email; however, none made a more drastic shift than Ramnit. Over the 2017 holiday season, 64% of Ramnit’s targets were major eCommerce retailers like Best Buy, Forever 21, Gap, Zara, Carter’s, OshKosh B’gosh, Macy’s, Victoria’s Secret, H&M, Toys“R”Us, Zappos, and others. We expect this shift in targets to continue as banks mature their web fraud detection capabilities.
  • Thingbots…thingbots…thingbots…. We track their development in our IoT “hunt” reports, so it’s only natural that we write about new discoveries or significant updates. Our research on Reaper, a reconnaissance thingbot based on portions of Mirai code, indicated it could easily grow to 3.5 million devices if its authors were to include a few dozen existing vulnerabilities that fit Reaper’s device-targeting profile. And, speaking of Mirai—because it began rearing its ugly head again during the holidays, we decided to out its command and control servers.
  • F5 Labs offered more than half a dozen tips for combatting WannaCry, the fast-spreading ransomware that utilizes an EternalBlue exploit. We did the same with WannaCry’s Linux counterpart, SambaCry, providing need-to-know facts, assessing the seriousness of the threat, and outlining mitigation actions.

Keeping Tabs on Hackers

An essential element of threat intelligence is understanding hackers—who they are, how they work, and what their motivations are. Here are a few enlightening pieces from 2017.

  • Russian Hackers, Face to Face has Ray Pompon recalling a half-dozen Russian hacking cases of years past and recounting his role in the FBI’s “Operation Flyhook” sting operation that brought down infamous Russian hackers and cyber-extortioners, Alexey Ivanov and Vasiliy Gorshkov.
  • In his inimitable way, David Holmes shed light on the dealings and ultimate capture of the infamous hacker, Sabu, a.k.a. Hector Monsegur, in a two-part series called The Real Sabu (Part 1 and Part 2).
  • In his blog, BrickerBot: Do “Good Intentions” Justify the Means—or Deliver Meaningful Results, Justin Shattuck, resident IoT threat expert and co-author of F5 Labs’ IoT “hunt” reports, responds to a retirement essay written by self-proclaimed BrickerBot author, the Janit0r. Justin questions the ethics of bricking vulnerable IoT devices, even under the guise of helping rid the Internet of this scourge.

Thought Leadership for CISOs

Some of our most engaging articles come from guest authors that include current and former C-level execs, security leaders, and others—all writing on topics of interest to CISOs. Of note are these:

  • Wendy Nather, Director, Advisory CISOs at Duo Security, acknowledges the network perimeter’s “imminent demise,” but warns readers Wait, Don’t Throw Out Your Firewalls! just yet.
  • In The CISO: a Field Guide, veteran COO Bill Hughes—who has hired several CISOs in his time—takes an entertaining approach to identifying different types of CISOs, including the one (out of six) you really want to hire if you’re lucky enough to find one.
  • In Everything is Compromised—Now What?, Jared Reimer, CTO of Cascadeo, outlines four actions security leaders should take in the “assume breach” world we’re all living in now.
  • Michael Levin, founder of the Center for Information Security Awareness, advises users how to inoculate themselves against fake news. He also writes frequently for F5 Labs about security awareness training.
  • Kyle Robinson, a senior manager in Grant Thornton’s Risk Advisory Services practice, outlines The Six Most Common Audit Failures, not the least of which is simply trying to make an auditor happy rather than being committed to managing risk on an ongoing basis and incorporating that attitude into the organization’s culture.
  • Guest authors Jennifer Chermoshnyuk and Matt Beland share their thoughts on invasion of privacy at our country’s borders in their article, Joining Forces with Criminals, Deviants, and Spies to Defend Privacy.

Stay tuned in 2018 as our researchers, analysts, and evangelists help you stay on top of the latest threats and vulnerabilities with actionable threat intelligence. Expect to see updates to the Hunt for IoT and TLS Telemetry reports, and a new, comprehensive, and much-anticipated report on the state of application security.

Authors & Contributors
Debbie Walkowski (Author)
