Canaan Kao, Patrick Kuo and TXOne Threat Research Team
Microsoft published a news story on April 16th, 2020 [1] where they told the story of working with Taiwan’s Ministry of Justice Investigation Bureau (MJIB) to shut down a major IoT-based cyberthreat: a botnet operating within Taiwan’s Government Service Network (GSN). On August 6th, 2019 [2] Microsoft’s Digital Crimes Unit (DCU) identified a vulnerability being used to make an illegal VPN, which was serving as cover for launching malware attacks. They informed Taiwan’s MJIB. The illegal VPN had been made to take control of a misconfigured LED light control console – a seemingly insignificant IoT device. However, based on the description given by Taiwan’s media [2], even this IoT device is a kind of industrial control system (ICS). In an IT/ICS convergence environment, there is no true air gap protection. ICS systems can be compromised, just as IT systems can be compromised, because the OSes they run are similar. Most of these ICS systems are Windows systems, and for this reason IT vulnerabilities also exist in ICS systems. This recent situation with the LED light control console shows how ICS systems can be compromised by IoT attackers and made into members of an IoT botnet.
Regarding the attack from within Taiwan GSN in 2019, the source IP address range was 117.56.0.0 – 117.56.255.255, as presented in Fig. 1. However, based on our internet threat monitoring system, recent attacks from this IP range can still be found. Fig. 2 shows a Mirai-like attack from Taiwan GSN on April 13th, 2020. A new Mirai-based BusyBox testing symbol, “CORONA”, can be found in the attack traffic. Fig. 3 presents an attack from Taiwan GSN targeting a vulnerability in Xiongmai-based devices [3]. The attacker opens a connection to the device’s TCP port 9530 and sends the string “OpenTelnet:OpenOnce” to probe the vulnerability. In the period between 2020/1/1 and 2020/04/22, there are 3,353 attack/probe events from Taiwan GSN that were recognized by our internet threat monitoring system (Fig. 4). Attacks from Taiwan GSN are diverse.
|
Fig. 1 The whois data for 117.56.*.* |
Fig. 2 The Mirai-like attack from Taiwan GSN |
Fig. 3 A vulnerability probe targeting Xiongmai-based devices from Taiwan GSN on 2020/04/16 |
Fig. 4 The attack/probe counts from Taiwan GSN |
Currently, attacks from Taiwan GSN are identified and blocked by Trend Micro and TXOne ICS/IoT reputation services, and the related DPI rules have been applied to Trend Micro and TXOne products. In this way, our customers have been protected. With an eye to the future, though, this news provides us with a hint that IT/ICS convergence is happening and that ICS may be more frequently threatened or attacked through IoT systems. Additionally, the continuous attacks coming from Taiwan GSN may imply there are some hidden or unknown issues in Taiwan GSN.
Reference
[1] Law enforcement and Microsoft come together to bust a major malware attack, https://news.microsoft.com/apac/features/law-enforcement-and-microsoft-come-together-to-bust-a-major-malware-attack-in-taiwan/
[2] 圖書館 LED 燈控制器的 IP 位址成攻擊跳板,法務部調查局與資安業者合力破獲 https://ithome.com.tw/news/137154
[3] Full disclosure: 0day vulnerability (backdoor) in firmware for Xiaongmai-based DVRs, NVRs and IP cameras, https://habr.com/en/post/486856/
