Last week we looked at reports from China and Israel about a new “Internet of Things” malware strain called “Reaper” that researchers said infected more than a million organizations by targeting newfound security weaknesses in countless Internet routers, security cameras and digital video recorders (DVRs). Now some botnet experts are calling on people to stop the “Reaper Madness,” saying the actual number of IoT devices infected with Reaper right now is much smaller.

Arbor Networks said it believes the size of the Reaper botnet currently fluctuates between 10,000 and 20,000 bots total. Arbor notes that this can change any time.

Reaper was based in part on “Mirai,” IoT malware code designed to knock Web sites offline in high-powered data floods, and an IoT malware strain that powered most of the largest cyberattacks of the past year. So it’s worrisome to think someone may have just built an army of a million IoT drones that could be used in crippling, coordinated assaults capable of wiping most networks offline.

If criminals haven’t yet built a million-strong botnet using the current pool of vulnerable devices, they certainly have the capacity to do so.

“An additional 2 million hosts have been identified by the botnet scanners as potential Reaper nodes, but have not been subsumed into the botnet,” Arbor’s ASERT team wrote, explaining that the coders may have intentionally slowed the how quickly the malware can spread to keep it quiet and under the radar.

Arbor says Reaper is likely being built to serve as the machine powering a giant attack-for-hire service known as a “booter” or “stresser” service.

“Our current assessment of Reaper is that it is likely intended for use as a booter/stresser service primarily serving the intra-China DDoS-for-hire market,” Arbor wrote. “Reaper appears to be a product of the Chinese criminal underground; some of the general Reaper code is based on the Mirai IoT malware, but it is not an outright Mirai clone.”

On Thursday I asked Israeli cybersecurity firm Check Point — the source of the one-million Reaper clones claim — about how they came up with the number of a million infected organizations.

Check Point said it knows of over 30,000 infected devices that scanned for additional vulnerable devices.

“We had a prism into these attacks from a data set that only contains a few hundreds of networks, out of which 60% were being scanned,” said Maya Horowitz, a group manager in the threat intelligence division of Check Point. “Thus we assume that the numbers globally are much higher, in at least 1 order of magnitude.”

Reaper borrows programming code from Mirai. But unlike Mirai, which infects systems after trying dozens of factory-default username and password combinations, Reaper targets nine security holes across a range of consumer and commercial products. About half of those vulnerabilities were discovered only in the past few months, and so a great many devices likely remain unpatched against Reaper.

Chinese cybersecurity firm Netlab 360, which published its own alert on Reaper shortly after Check Point’s advisory, issued a revised post on Oct. 25 stating that the largest gathering of Reaper systems it has seen by a single malware server is 28,000. Netlab’s original blog post has links to patches for the nine security flaws exploited by Reaper.

A Web site set up by PC maker Dell Inc. to help customers recover from malicious software and other computer maladies may have been hijacked for a few weeks this summer by people who specialize in deploying said malware, KrebsOnSecurity has learned.

There is a program installed on virtually all Dell computers called “Dell Backup and Recovery Application.” It’s designed to help customers restore their data and computers to their pristine, factory default state should a problem occur with the device. That backup and recovery program periodically checks a rather catchy domain name — DellBackupandRecoveryCloudStorage.com — which until recently was central to PC maker Dell’s customer data backup, recovery and cloud storage solutions.

Sometime this summer, DellBackupandRecoveryCloudStorage.com was suddenly snatched away from a longtime Dell contractor for a month and exposed to some questionable content. More worryingly, there are signs the domain may have been pushing malware before Dell’s contractor regained control over it.

The purpose of DellBackupandRecoveryCloudStorage.com is inscribed in the hearts of countless PCs that Dell shipped customers over the past few years. The domain periodically gets checked by the “Dell Backup and Recovery application,” which “enables the user to backup and restore their data with just a few clicks.”

This program comes in two versions: Basic and Premium, explains “Jesse L,” a Dell customer liaison and a blogger on the company’s site.

“The Basic version comes pre-installed on all systems and allows the user to create the system recovery media and take a backup of the factory installed applications and drivers,”Jesse L writes. “It also helps the user to restore the computer to the factory image in case of an OS issue.”

In other words: If DellBackupandRecoveryCloudStorage.com were to fall into the wrong hands it could be used to foist malicious software on Dell users seeking solace and refuge from just such nonsense!

It’s not yet clear how or why DellBackupandRecoveryCloudStorage.com got away from SoftThinks.com —  an Austin, Tex.-based software backup and imaging solutions provider that originally registered the domain back in mid-2013 and has controlled it for most of the time since. But someone at SoftThinks apparently forgot to renew the domain in mid-June 2017.

SoftThinks lists Dell among some of its “great partners” (see screenshot below). It hasn’t responded to requests for comment. Some of its other partners include Best Buy and Radio Shack.

From early June to early July 2017, DellBackupandRecoveryCloudStorage.com was the property of Dmitrii Vassilev of  “TeamInternet.com,” a company listed in Germany that specializes in selling what appears to be typosquatting traffic. Team Internet also appears to be tied to a domain monetization business called ParkingCrew.

If you’re not sure what typosquatting is, think of what sometimes happens when you’re typing out a URL in the browser’s address field and you fat-finger a single character and suddenly get redirected to the kind of content that makes you look around quickly to see if anyone saw you looking at it. For more on Team Internet, see this enlightening Aug. 2017 post from Chris Baker at internet infrastructure firm Dyn. 

It could be that Team Internet did nothing untoward with the domain name, and that it just resold it or leased it to someone who did. But approximately two weeks after Dell’s contractor lost control over the domain, the server it was hosted on started showing up in malware alerts.

That’s according to Celedonio Albarran, assistant vice president of IT infrastructure and security at Equity Residential, a real estate investment trust that invests in apartments.

Albarran said Equity is responsible for thousands of computers, and that several of those machines in late June tried to reach out to DellBackupandRecoveryCloudStorage.com but were prevented from doing so because the Internet address tied to the domain was new and because that address had been flagged by two security firms as pushing malicious software.

On that particular day, anyone visiting DellBackupandRecoveryCloudStorage.com simultaneously would have been heading to the Internet address 54-72-9-51 (I’ve replaced the dots with dashes for safety reasons). Albarran said the first alert came on June 28 from a security tool from Rapid7 that flagged a malware detection on that Internet address.

Another anti-malware product Equity Residential uses is Carbon Black, which on June 28 detected a reason why a Dell computer within the company shouldn’t be able to visit dellbackupandrecoverycloudstorage.com. According to Albarran, that second alert was generated by Abuse.ch, a Swiss infrastructure security company and active anti-abuse advocate.

The domain’s host appears to have been flagged by Abuse.ch’s Ransomware Tracker, which is a running list of Internet addresses and domains that have a history of foisting ransomware — a threat that encrypts your files with tough-to-crack encryption, and then makes you pay for a key to unlock the files.

Albarran told KrebsOnSecurity that his company was never able to find any evidence that computers on its networks that were beaconing home to DellBackupandRecoveryCloudStorage.com had any malware installed as a result of the traffic. But he said his systems were blocked from visiting the domains on June 28, 2017, and that his employer immediately notified Dell of the problem.

“A few weeks after that they confirmed they fixed the issue,” Albarran said. “They just acknowledged the issue and said it was fixed, but they didn’t offer any comment besides that.”

AlienVault‘s Open Threat Exchange says the Internet address that was assigned to DellBackupandRecoveryCloudStorage.com in late June is an Amazon server which is “actively malicious” (even today), categorizing it as an address known for spamming.

Reached for comment about the domain snafu, Dell spokesperson Ellen Murphy shared the following statement:

“A domain as part of the cloud backup feature for the Dell Backup and Recovery (DBAR) application, www.dellbackupandrecoverycloudstorage.com, expired on June 1, 2017 and was subsequently purchased by a third party. The domain reference in the DBAR application was not updated, so DBAR continued to reach out to the domain after it expired. Dell was alerted of this error and it was addressed. Dell discontinued the Dell Backup and Recovery application in 2016.”

I have asked Dell for more information about this incident, such as whether the company knows if any customers were harmed as a result of this rather serious oversight. I’ll update this story in the event that I hear back from Dell.

This is not the first time the failure to register a domain name caused a security concern for a company that should be very concerned about security. Earlier this month, experts noticed that the Web sites for credit bureaus Trans Union and Equifax were both redirecting browsers to popup ads that tried to disguise adware and spyware as an update for Adobe Flash Player.

The spyware episodes at Equifax’s and Trans Union’s Web sites were made possible because both companies outsourced e-commerce and digital marketing to Fireclick, a now-defunct digital marketing product run by Digital River. Fireclick in turn invoked a domain called Netflame.cc. But according to an Oct. 13 story in The Wall Street Journal, Netflame’s registration “was released in October 2016, three months after Digital River ended support for Fireclick as part of an ‘ongoing domain cleanup.'”

The problem with the Dell customer support domain name comes as Dell customers continue to complain of being called by scammers pretending to be Dell tech support specialists. In many cases, the callers will try to make their scams sound more convincing by reading off the unique Dell “service tag” code printed on each Dell customer’s PC or laptop.

How can scammers have all this data if Dell’s service and support system isn’t compromised, many Dell customers have asked? And still ask: I’ve had three readers quiz me about these Dell service tag scams in the past week alone. Dell continues to be silent on what may be going on with the service tag scams, and has urged Dell customers targeted by such scams to report them to the company.

It’s been just over a year since the world witnessed some of the world’s top online Web sites being taken down for much of the day by “Mirai,” a zombie malware strain that enslaved “Internet of Things” (IoT) devices such as wireless routers, security cameras and digital video recorders for use in large-scale online attacks.

Now, experts are sounding the alarm about the emergence of what appears to be a far more powerful strain of IoT attack malware — variously named “Reaper” and “IoTroop” — that spreads via security holes in IoT software and hardware. And there are indications that over a million organizations may be affected already.

Reaper isn’t attacking anyone yet. For the moment it is apparently content to gather gloom to itself from the darkest reaches of the Internet. But if history is any teacher, we are likely enjoying a period of false calm before another humbling IoT attack wave breaks.

On Oct. 19, 2017, researchers from Israeli security firm CheckPoint announced they’ve been tracking the development of a massive new IoT botnet “forming to create a cyber-storm that could take down the Internet.” CheckPoint said the malware, which it called “IoTroop,” had already infected an estimated one million organizations.

The discovery came almost a year to the day after the Internet witnessed one of the most impactful cyberattacks ever — against online infrastructure firm Dyn at the hands of “Mirai,” an IoT malware strain that first surfaced in the summer of 2016. According to CheckPoint, however, this new IoT malware strain is “evolving and recruiting IoT devices at a far greater pace and with more potential damage than the Mirai botnet of 2016.”

Unlike Mirai — which wriggles into vulnerable IoT devices using factory-default or hard-coded usernames and passwords — this newest IoT threat leverages at least nine known security vulnerabilities across nearly a dozen different device makers, including AVTECH, D-Link, GoAhead, Netgear, and Linksys, among others (click each vendor’s link to view security advisories for the flaws).

Both Mirai and IoTroop are computer worms; they are built to spread automatically from one infected device to another. Researchers can’t say for certain what IoTroop will be used for but it is based at least in part on Mirai, which was made to launch distributed denial of service (DDoS) attacks.

While DDoS attacks target a single Web site or Internet host, they often result in widespread collateral Internet disruption. IoT malware spreads by scanning the Internet for other vulnerable devices, and sometimes this scanning activity is so aggressive that it constitutes an unintended DDoS on the very home routers, Web cameras and DVRs that the bot code is trying to subvert and recruit into the botnet.

However, according to research released Oct. 20 by Chinese security firm Netlab 360, the scanning performed by the new IoT malware strain (Netlab calls it the more memorable “Reaper”) is not very aggressive, and is intended to spread much more deliberately than Mirai. Netlab’s researchers say Reaper partially borrows some Mirai source code, but is significantly different from Mirai in several key behaviors, including an evolution that allows Reaper to more stealthily enlist new recruits and more easily fly under the radar of security tools looking for suspicious activity on the local network.

WARNING SIGNS, AND AN EVOLUTION

Few knew or realized it at the time, but even before the Mirai attacks commenced in August 2016 there were ample warning signs that something big was brewing. Much like the seawater sometimes recedes hundreds of feet from its normal coastline just before a deadly tsunami rushes ashore, cybercriminals spent the summer of 2016 using their state-of-the-art and new Mirai malware to siphon control over poorly-secured IoT devices from other hackers who were using inferior IoT malware strains.

Mirai was designed to wrest control over systems infected with variants of an early IoT malware contagion known as “Qbot” — and it did so with gusto immediately following its injection into the Internet in late July 2016. As documented in great detail in “Who Is Anna Senpai, the Mirai Worm Author?“, the apparent authors of Mirai taunted the many Qbot botmasters in hacker forum postings, promising they had just unleashed a new digital disease that would replace all Qbot infected devices with Mirai.

Mirai’s architects were true to their word: their creation mercilessly seized control over hundreds of thousands of IoT devices, spreading the disease globally and causing total extinction of Qbot variants. Mirai had evolved, and Qbot went the way of the dinosaurs.

On Sept. 20, 2016, KrebsOnSecurity.com was hit with a monster denial-of-service attack from the botnet powered by the first known copy of Mirai. That attack, which clocked in at 620 Gbps, was almost twice the size that my DDoS mitigation firm at the time Akamai had ever mitigated before. They’d been providing my site free protection for years, but when the Mirai attackers didn’t go away and turned up the heat, Akamai said the attack on this site was causing troubles for its paying customers, and it was time to go.

Thankfully, several days later Google brought KrebsOnSecurity into the stable of journalist and activist Web sites that qualify for its Project Shield program, which offers DDoS protection to newsrooms and Web sites facing various forms of online censorship.

The same original Mirai botnet would be used to launch a huge attack — over one terabit of data per second — against French hosting firm OVH. After the media attention paid to this site’s attack and the OVH assault, the Mirai authors released the source code for their creation, spawning dozens of copycat Mirai clones that all competed for the right to infest a finite pool of vulnerable IoT devices.

Probably the largest Mirai clone to rise out of the source code spill was used in a highly disruptive attack on Oct. 20, 2016 against Internet infrastructure giant Dyn (now part of Oracle). Some of the Internet’s biggest destinations — including Twitter, SoundCloud, Spotify and Reddit — were unreachable for large chunks of time that day because Mirai targeted a critical service that Dyn provides these companies.

[AUTHOR’S NOTE: Some people believe that the Dyn attack was in retribution for information presented publicly hours before the attack by Dyn researcher Doug Madory. The talk was about research we had worked on together for a story exploring the rather sketchy history of a DDoS mitigation firm that had a talent for annexing Internet address space from its neighbors in a personal grudge match between that mitigation firm and the original Mirai authors and botmasters.]

It’s a safe bet that whoever is responsible for building this new Reaper IoT botnet will have more than enough firepower capable of executing Dyn-like attacks at Internet pressure points. Attacks like these can cause widespread Internet disruption because they target virtual gateways where third-party infrastructure providers communicate with hordes of customer Web sites, which in turn feed the online habits of countless Internet users.

It’s critical to observe that Reaper may not have been built for launching DDoS attacks: A global network of millions of hacked IoT devices can be used for a variety of purposes — such as serving as a sort of distributed proxy or anonymity network — or building a pool of infected devices that can serve as jumping-off points for exploring and exploiting other devices within compromised corporate networks.

“While some technical aspects lead us to suspect a possible connection to the Mirai botnet, this is an entirely new campaign rapidly spreading throughout the globe,” CheckPoint warns. “It is too early to assess the intentions of the threat actors behind it, but it is vital to have the proper preparations and defense mechanisms in place before an attack strikes.”

AND THE GOOD NEWS IS?

There have been positive developments on the IoT security front: Two possible authors of Mirai have been identified (if not yet charged), and some of Mirai’s biggest botmasters have been arrested and sentenced.

Some of the most deadly DDoS attack-for-hire services on the Internet were either run out of business by Mirai or have been forcibly shuttered in the past year, including vDOS — one of the Internet’s longest-running attack services. The alleged providers of vDOS — two Israeli men first outed by KrebsOnSecurity after their service was massively hacked last year — were later arrested and are currently awaiting trial in Israeli for related cybercrime charges.

Using a combination of arrests and interviews, the FBI and its counterparts in Europe have made it clear that patronizing or selling DDoS-for-hire services — often known as “booters” or “stressers” — is illegal activity that can land violators in jail.

Public awareness of IoT security is on the rise, with lawmakers in Washington promising legislative action if the tech industry continues to churn out junky IoT hardware that is the Internet-equivalent of toxic waste.

Nevertheless, IoT device makers continue to ship products with either little to no security turned on by default or with ill-advised features which can be used to subvert any built-in security.

WHAT YOU CAN DO

According to Netlab, about half of the security vulnerabilities exploited by Reaper were first detailed in just the past few months, suggesting there may be a great number of unpatched and vulnerable systems in real danger from this new IoT malware strain.

Check to make sure your network isn’t part of the problem: Netlab’s advisory links to specific patches available by vendor, as well as indicators of compromise and the location of various Reaper control networks. CheckPoint’s post breaks down affected devices by version number but doesn’t appear to include links to security advisories or patches.

Please note that many of the affected devices are cameras or DVRs, but there also are quite a few consumer wired/wireless routers listed here (particularly for D-Link and Linksys devices).

One incessant problem with popular IoT devices is the inclusion of peer-to-peer (P2P) networking capability inside countless security cameras, DVRs and other gear. Jake Reynolds, a partner and consultant at Kansas City, Mo.-based Depth Security, published earlier this month research on a serious P2P weakness built into many FLIR/Lorex DVRs and security cameras that could let attackers remotely locate and gain access to vulnerable systems that otherwise are not directly connected to the Internet (FLIR’s updated advisory and patches are here).

In Feb. 2016, KrebsOnSecurity warned about a similar weakness powering the P2P component embedded in countless security cameras made by Foscam. That story noted that while the P2P component was turned on by default, disabling it in the security settings of the device did nothing to actually turn off P2P communications. Being able to do that was only possible after applying a firmware patch Foscam made available after users started complaining. My advice is to stay away from products that advertise P2P functionality.

Another reason IoT devices are ripe for exploitation by worms like Reaper and Mirai is that vendors infrequently release security updates for their firmware, and when they do there’s often no easy method available to notify users. Also, these updates are notoriously hard to do and easy to screw up, often leaving the unwary and unlearned with an oversized paperweight after a botched firmware update. So if it’s time to update your device, do it slowly and carefully.

What’s interesting about Reaper is that it is currently built to live harmoniously with Mirai. It’s not immediately clear whether the two IoT malware strains compete for any of the same devices, although some overlaps are bound to occur — particularly as the Reaper authors add new functionality and spreading mechanisms (both Netlab and Checkpoint say the Reaper code appears to be a work-in-progress).

That new Reaper functionality could well include the ability to seek out and supplant Mirai infections (much like Mirai did with Qbot), which would help Reaper to grow to even more terrifying numbers.

No matter what innovation Reaper brings, I’m hopeful that the knowledge being shared within the security community about how to defend against the Mirai attacks today will prove useful in ultimately helping to blunt any attacks from Reaper tomorrow. <Fingers crossed>

Speaking of calms before storms, KrebsOnSecurity.com soon will get its first major facelift since its inception in Dec. 2009. The changes are more structural than cosmetic; we’re striving to make the site more friendly to mobile devices, while maintaining the simple, almost minimalist look and feel of this site. I’ll make another announcement as we get closer to the switch (just so everyone doesn’t freak out and report the site’s been hacked).

Researchers this week published information about a newfound, serious weakness in WPA2 — the security standard that protects all modern Wi-Fi networks. What follows is a short rundown on what exactly is at stake here, who’s most at-risk from this vulnerability, and what organizations and individuals can do about it.

Short for Wi-Fi Protected Access II, WPA2 is the security protocol used by most wireless networks today. Researchers have discovered and published a flaw in WPA2 that allows anyone to break this security model and steal data flowing between your wireless device and the targeted Wi-Fi network, such as passwords, chat messages and photos.

“The attack works against all modern protected Wi-Fi networks,” the researchers wrote of their exploit dubbed “KRACK,” short for “Key Reinstallation AttaCK.”

“Depending on the network configuration, it is also possible to inject and manipulate data,” the researchers continued. “For example, an attacker might be able to inject ransomware or other malware into websites. The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected.”

What that means is the vulnerability potentially impacts a wide range of devices including those running operating systems from Android, Apple, Linux, OpenBSD and Windows.

As scary as this attack sounds, there are several mitigating factors at work here. First off, this is not an attack that can be pulled off remotely: An attacker would have to be within range of the wireless signal between your device and a nearby wireless access point.

More importantly, most sensitive communications that might be intercepted these days, such as interactions with your financial institution or browsing email, are likely already protected end-to-end with Secure Sockets Layer (SSL) encryption that is separate from any encryption added by WPA2 — i.e., any connection in your browser that starts with “https://”.

Also, the public announcement about this security weakness was held for weeks in order to give Wi-Fi hardware vendors a chance to produce security updates. The Computer Emergency Readiness Team has a running list of hardware vendors that are known to be affected by this, as well as links to available advisories and patches.

“There is no evidence that the vulnerability has been exploited maliciously, and Wi-Fi Alliance has taken immediate steps to ensure users can continue to count on Wi-Fi to deliver strong security protections,” reads a statement published today by a Wi-Fi industry trade group. “This issue can be resolved through straightforward software updates, and the Wi-Fi industry, including major platform providers, has already started deploying patches to Wi-Fi users. Users can expect all their Wi-Fi devices, whether patched or unpatched, to continue working well together.”

Sounds great, but in practice a great many products on the CERT list are currently designated “unknown” as to whether they are vulnerable to this flaw. I would expect this list to be updated in the coming days and weeks as more information comes in.

Some readers have asked if MAC address filtering will protect against this attack. Every network-capable device has a hard-coded, unique “media access control” or MAC address, and most Wi-Fi routers have a feature that lets you only allow access to your network for specified MAC addresses.

However, because this attack compromises the WPA2 protocol that both your wireless devices and wireless access point use, MAC filtering is not a particularly effective deterrent against this attack. Also, MAC addresses can be spoofed fairly easily.

To my mind, those most at risk from this vulnerability are organizations that have not done a good job separating their wireless networks from their enterprise, wired networks.

I don’t see this becoming a major threat to most users unless and until we start seeing the availability of easy-to-use attack tools to exploit this flaw. Those tools may emerge sooner rather than later, so if you’re super concerned about this attack and updates are not yet available for your devices, perhaps the best approach in the short run is to connect any devices on your network to the router via an ethernet cable (assuming your device still has an ethernet port).

From reading the advisory on this flaw, it appears that the most recent versions of Windows and Apple’s iOS are either not vulnerable to this flaw or are only exposed in very specific circumstances. Android devices, on the other hand, are likely going to need some patching, and soon.

If you discover from browsing the CERT advisory that there is an update available or your computer, wireless device or access point, take care to read and understand the instructions on updating those devices before you update. Failing to do so with a wireless access point, for example can quickly leave you with an expensive, oversized paperweight.

Finally, consider browsing the Web with an extension or browser add-on like HTTPS Everywhere, which forces any site that supports https:// connections to encrypt your communications with the Web site — regardless of whether this is the default for that site.

For those interested in a deeper dive on the technical details of this attack, check out the paper (PDF) released by the researchers who discovered the bug.

KrebsOnSecurity was honored this month with the 2017 President’s Award for Public Service from the Information Systems Security Association, a nonprofit organization for cybersecurity professionals. The award recognizes an individual’s contribution to the information security profession in the area of public service.

It’s hugely gratifying to have received this award, mainly because of the company I now keep.

Past ISSA President’s Award winners include former White House cybersecurity advisers Richard A. Clarke (2003) and the late Howard Schmidt (2016); DEF CON and Black Hat founder Jeff Moss (2011); Hacking Exposed authors George Kurtz, Stuart McClure and Joel Scambray (2015); as well as Liam O’Murchu, Eric Chien, and Nicolas Falliere, the team at Symantec credited for their groundbreaking analysis of the Stuxnet Worm (2012).

“[Krebs’] analysis of the bad actors and the dark web shines a light on the criminals and their methods that attack information security,” the ISSA said in explaining the award. “The information that he exposes to the light of day makes the jobs of white hats and blue teamers easier.”

I’m very grateful to the ISSA for this award, and wish a hearty congratulations to the other ISSA 2017 award recipients.