In the months prior to the recent attacks, which used Internet of Things (IoT) devices to carry out massive distributed-denial-of-service (DDoS) attacks, the ThreatLabZ research team had begun studying the use of IoT devices on the networks of Zscaler customers.
Given their notoriously poor security, we knew that IoT devices were relatively easy to compromise, so there has been concern over their potential use for spreading malware, stealing credentials, leaking data, sniffing traffic, or even moving laterally on a network to scan for sensitive data. The devices themselves can also be exploited for malicious purposes, such as spying in the case of cameras, or, as we saw last month, building large, destructive botnets.
We analyzed data going back to July for recent IoT device footprints based on the traffic we are seeing in the Zscaler cloud. We looked at the types of devices in use, the protocols they used, the locations of the servers with which they communicated, and the frequency of their inbound and outbound communications over a two-month period (26 August 2016 to 26 October 2016). Our primary purpose was to determine if any of the devices posed a threat to customer security, and eventually we also looked at whether the devices that were used in the Dyn and KrebsOnSecurity attacks were also in use by our customers.
Finally, we analyzed IoT traffic patterns on the days of the DDoS attacks to see if there had been any unusual behavior on those days, such as spikes in bandwidth use or variations in the destination of IoT traffic.