The botnet, which has been linked to IoTroop/Reaper, is similar to Mirai in being comprised of a large number of unsecured home routers, TVs, DVRs, and IP cameras.
The linked malware can exploit a dozen vulnerabilities in these consumer-grade devices to hijack and conscript them, and is capable of being updated as new flaws are discovered, according to Recorded Future.
Targeted manufacturers include TP-Link, Avtech, MikroTik, Linksys, Synology and GoAhead.
IoTroop is particularly dangerous in that it was built using the flexible Lua engine, so its code can be updated on the fly, meaning existing botnets can run new attacks as soon as they’re available, the report said.
The new DDoS campaign hit three financial institutions in January, using at least 13,000 compromised devices and peaking at 30Gb/s.
The spread of device manufacturers indicates a rapidly evolving botnet which can take advantage of newly discovered vulnerabilities in IoT devices, the report claimed.
“Our analysis shows that the botnet involved in the first company attack was 80% comprised of compromised MikroTik routers, with the remaining 20% composed of various IoT devices ranging from vulnerable Apache and IIS web servers, to routers from Ubiquity, Cisco, and ZyXEL,” it added.
“We also discovered webcams, TVs, and DVRs among the 20% of IoT devices, which included products from major vendors such as MikroTik, GoAhead, Ubiquity, Linksys, TP-Link, and Dahua.”
It’s not just consumer devices that are at risk of compromise here. A new study this week claimed that 2.7m UK businesses may be exposing themselves by not updating passwords or security patches on IoT endpoints.
“These attacks highlight the ongoing threat of DDoS to the financial sector from continuously evolving botnets,” said Recorded Future. “The similarity in device composition with the IoTroop/Reaper botnet suggest IoTroop has evolved to exploit vulnerabilities in additional IoT devices and is likely to continue to do so in the future in order to build up the botnet to facilitate larger DDoS attacks against the financial sector.”