The year 2023 has seen a surge of over 700 advertisements on the dark web offering Distributed Denial of Service (DDoS) attacks through Internet of Things (IoT) devices, suggests a new report by Kaspersky.
These services come at varying price points, depending on factors like DDoS protection and verification on the target’s end, ranging from $20 per day to $10,000 a month. On average, these services cost around $63.50 per day or $1350 per month.
The dark web also serves as a hub for exploits targeting zero-day vulnerabilities in IoT devices and bundled IoT malware complete with infrastructure and tools.
In the realm of IoT malware, numerous strains exist, many originating from the infamous 2016 Mirai malware.
Competition among cyber-criminals has prompted the development of features to counter rival malware. These tactics encompass implementing firewall rules, turning off remote device management and terminating processes associated with competing malware.
The primary method of infecting IoT devices remains brute-force attacks on weak passwords, followed closely by exploiting vulnerabilities in network services. Brute force attacks, predominantly targeting the unencrypted Telnet protocol, enable hackers to gain unauthorized access by cracking passwords, allowing them to execute commands and deploy malware.
In the first half of 2023, Kaspersky’s honeypots recorded that nearly 98% of password brute-force attempts focused on Telnet, with only 2% on SSH. These attacks were primarily linked to China, India and the United States, with China, Pakistan and Russia being the most active culprits.
Moreover, IoT devices face vulnerabilities from exploits in the services they use. These attacks involve executing malicious commands by exploiting vulnerabilities in IoT web interfaces, leading to dire consequences such as spreading malware like Mirai.
Yaroslav Shmelev, a Kaspersky security expert, urged vendors to prioritize cybersecurity for both consumer and industrial IoT devices.
“The IoT world is filled with cyber dangers, including DDoS attacks, ransomware and security issues in both smart home and industrial devices,” Shmelev said. “Kaspersky’s report stresses the need for a responsible approach to IoT security, obliging vendors to enhance product security from the get-go and proactively protect users.”