The new Trend Micro report confirms the growing interest of hackers for IoT devices

Trend Micro has decided for a slightly different approach to write its report The Internet of Things in the Cybercrime Underground. Instead of merely analyzing the attack pattern using its sensor network, the company focused on analyzing discussions about underground hacker communities related to IoT devices and analyzing methods to monetize their attacks.

Routers are among the most targeted IoT devices

Defining routers as Internet of Things devices may seem strange, but Trend Micro researchers include them in the category, along with connected printers, video cameras and other extremely common objects in homes and offices.

Routers are also the most frequently attacked devices, which is not surprising if we take into account both the enormous diffusion and the simplicity with which they can be reached via the Internet and, often, hacked: the use of weak passwords is still widespread, both for the rotuer and for devices like surveillance cameras, a fact that makes us reflect a lot on the lack of a basic safety culture.

This happens not only in private and domestic settings, but also in the case of companies, including structures such as hospitals, where one would expect the surveillance system or printers to be protected as a minimum by a VPN, not directly exposed on the Internet.

The languages of the IoT hackers

English is always one of the most widely used languages in the underground hacker community but certainly not the only one and Trend Micro researchers have also analyzed conversations in other languages, specifically Russian, Portuguese, Arabic and Spanish.

The Russians, as expected, are among the most active and, above all, among the most dangerous, since they do not focus on the mere search for vulnerabilities but aim to monetize their skills. Mostly, their attention is focused on routers, smart meters and connected petrol pumps.

Hacked routers are often used within botnets to launch DDoS attacks (for a fee) or to undermine cryptocurrency, while for the counters according to Trend Micro, these are hacktivism operations – of rebellion against the system – aimed at saving on bills, even if there are characters that sell counters with modified firmware to indicate consumption lower than the real ones.

The discussions of the Portuguese underground

The discussions of the undergrund communities in Portuguese originate mainly from Brazil using channels such as Telegram, WhatsApp and Discord. Following the conversations, the researchers indicate the danger of these groups as medium-level as most of the discussions are related to the exchange of information on routers, cable modems and ADSL modems.

Also in this case, monetization attempts focus on the sale of botnets and KL DNS, a service sold on Brazilian forums useful for organizing phishing campaigns and, sometimes, SMS spam.

The underground communities that communicate in English

The Trend Micro report suggests that hacker communities exchanging information in English are among the least dangerous. Their members are not real criminals who see hacking as an opportunity to make money, but mostly curious people who want to exchange technical information.

Discussions focus on tutorials on violating electronic devices, routers, webcams and printers, although some attempts to sell botnet services, especially Mirai, and access codes to Nest intercoms and video cameras have been observed.

Prices? The Mirai setup is sold for $5, access to the control panel of a Mirai botnet for $ 600. The login data for NEST devices, on the other hand, range from 4 to 6 dollars.

Arab and Spanish underground communities

Also in this case Trend Micro indicates how low the dangerousness of these communities is like those in English, seem more interested in the exchange of information on hacking techniques than in monetization. The most debated topics are related to router and webcam hacking.

What does this study teach us?

Trend Micro indicates that the trend of attack on IoT devices is growing, a fact that is not surprising considering the increasingly widespread use of these devices and the simplicity with which it is often possible to violate them due to the lightness of those who configured them or protocols safety measures.

Over time, we could see an increase in monetization attempts but the real problem is not represented by these criminals, but by state-sponsored attacks, a speech that goes beyond the scope of the paper.