Future Diary is a Japanese manga series depicting the “Diary Game”. The heroine Mirai (future in Japanese) engages in a deadly battle royal between 12 different recipients of “Future Diaries”. These special diaries can predict the future. The last survivor will inherit the title “God of Space and Time”.
How fitting that Mirai would be the name for one of the most sophisticated botnet malware systems ever developed. Mirai was discovered in the summer of 2016. Since then, it’s been the enabler of the largest and most disruptive ransomware and Distributed Denial of Service (DDoS) attacks.
Yet, Mirai was only the beginning.
Five years have passed, and Mozi has taken the baton from Mirai. It is the descendant of Mirai, using many of its techniques and code while forking into many efforts each with their own attributes.
In 2021, so far there has been a 500% increase in IoT attacks compared to 2020. IBM Security X-Force research has revealed that this spike is driven by Mozi botnets. In 2020, this malware has accounted for 89% of the total IoT attacks of all types detected for the year. Mozi has been active in the last 18 months and continues to rank as the number one most active Mirai-type variant. The Mozi Botnet currently controls approximately 438,000 hosts.
A Mozi equipped attacker will follow several steps. Starting with a reconnaissance search for vulnerable IoT devices, an attacker will follow up with infiltration, then ensure permanence on the device (persistence establishment) and then spread their footprint even further. Once the attacker has established persistent control of the network and has reached the desired scale, the final attack phase is launched. Exfiltrated sensitive data is sold or published. Then all the victim’s systems are encrypted, including all backups, rendering them unusable. That’s when the victim receives the ransomware notice to unlock the system, or an extortion demand to keep sensitive data from the public, or the botnet deployed. At times, all three happen at the same time.
The Mozi Attack Kill Chain
The steps an attacker takes is summarized in the list below:
- Internet scan – attacker searches for exploitable targets using a scanning tool, for example, using the device search Shodan. Targets are identified and prioritized. Gateways and routers are exceptionally prized because they can be used to identify more potential targets.
- Stealthily installed software exploits kits are run to take advantage of weak communication protocols, bad passwords, and other vulnerabilities. Once a vulnerable device has been exploited, the Mozi malware is deployed.
- The device’s file system is modified to enable the malware installation to persist, ensure that even after a device re-boot, Mozi maintains control of the device.
- Persistence is also maintained by blocking communications with (previously) trusted configuration and update servers which blocks remediation efforts.
- Infected gateways are used to intercept and redirect HTTP traffic to ransomware sites, and they are then used as distribution points to attack all the end points in the network.
- Attackers close the trap by either mounting DDoS attacks or demanding a ransom.
Profiting from extortion and network locking:
- Data is exfiltrated, network end points encrypted and made inaccessible. Since all backups have themselves been encrypted, remediation is very difficult.
- The ransom demand is sent.
How Can IoT Networks Defend Against Mozi and Its Heinous Variants?
There will always be tools to find network and device vulnerabilities so it’s not possible to stop the recon stage of an attack. It’s also difficult to protect against infiltration, although good software patching practices and appropriate perimeter defenses will minimize these risks. To really turn the tables on malicious malware, it’s essential that IoT devices are configured properly to not offer the ability to take root – establish persistence – and to ensure it cannot spread further (steps 3 and 4 in the kill chain described above).
By the end of 2021, there will be 31 billion IoT devices deployed worldwide, 125 billion by 2030 according to TechJury.com, an analyst firm. If we don’t enable these devices and networks to protect themselves, they will continue to be an abundant resource for bad actors to create havoc in our daily lives.
Device Authenticity and Data Integrity is an integral part of the solution to this threat.
Device Authenticity and Data Integrity
The authenticity of a device is defined by authenticating the origin of its software (authenticity), the integrity of the data in holds as well as its unique identity and (optionally) rich personality.
Authenticity matters. Does the software come from a known good source, namely the owner of the device or an approved application developer? This is determined using a strong secret, a “private” key, that encrypts the hash. This encrypted hash is called a “digital signature”.
A “public” key that corresponds to that private key is stored in immutable storage on the device. This storage can be as simple as burning it into Read-Only Memory (ROM).
When a device is turned on it runs through a Power On Self Test (POST) of some form. Device Authenticity and Data Integrity are enforced at this stage.
Managing and protecting the integrity and confidentiality of these keys is not a trivial matter. It requires specialists in cryptography and trusted systems to design highly resilient and scalable infrastructures. In order to provide the appropriate keys in devices, expertise in embedded programming, particularly in embedded security architectures, is essential. And finally, distributing keys in a secure way, as well as managing them through to end of life and possible revocation needs, must be provided in a highly available (24x7x365) and persistent way.
It is essential to maintain that known good software is running on a device. This must be done at all levels, from the firmware, the operating system, middleware, protocol stacks, applications to the data that is generated and consumed by the device. A chain of trust that originates in unchangeable (immutable) hardware and links to every other bit of software on the device is also needed.
This is where Public Key Infrastructure offers a system-based approach to trust. All the software on the device must be “digitally signed”, that is, a hash-based fingerprint is generated on the bits that make up the software. This fingerprint is a one-way function that uniquely identifies the bits comprising the software. If even a single bit is changed, then so too is the hash.
Device Identity and Rich Personality
In addition, the device must have a unique identifier that identifies and enforces the device’s appropriate capabilities and permissions. This can be as simple as a unique ID that is used to reference the device on a network.
In some cases, it can be feature-rich and include detailed authorization assertions. For example, a device in a vehicle is configured to only permit charging from particular charge points; or a medical drug delivery device will not exceed pain medication thresholds. These are very powerful capabilities that become more and more important as IoT devices become more intelligent and autonomous.
The New Kill Chain
Mirai introduced a new and very effective way of compromising devices by corrupting their authenticity and data integrity. It spawned many variants, currently the most toxic of which is Mozi, and it has been very effective. To protect the IoT is essential we break the kill chain of malicious software agents and their actors. Public Key Infrastructure and its implementation assuring Device Authenticity and Data Integrity is the best countermeasure to defend against dangerous exploitation of industrial and home networks of things. We ignore it at our peril because without such defense the Future Diary of the IoT will surely be inherited by cybercriminals and other nefarious actors.
Julian Durand is VP of Intertrust Secure Systems and product owner of Intertrust PKI (iPKI). He earned his engineering degree from Carleton University and his MBA from the University of Southern California (USC). He is also a Certified Information Systems Security Professional (CISSP) and inventor with 10 issued patents.