April 18, 2026

DNS Africa Resource Center

..sharing knowledge.

IoT Botnet Linked to Large-scale DDoS Attacks Since the End of 2024 – Trend Micro
Since the end of 2024, we have been continuously monitoring large-scale DDoS attacks orchestrated by an IoT botnet exploiting vulnerable IoT devices such as wireless routers and IP cameras.
By: Trend Micro Research
We discovered an Internet-of-Things (IoT) botnet and have been continuously observing large-scale distributed denial-of-service (DDoS) attack commands sent from its command-and-control (C&C) server targeting Japan, as well as other countries around the world, since the end of 2024. These attacks targeted various companies in different countries, including multiple major Japanese corporations and banks.
Although we cannot confirm the exact relationship with the attack commands at this time, some of the organisations that were targeted reported temporary connection and network disruptions of web services during the same period. In this article, we will summarise the attack commands sent to this botnet and report the results of our analysis.
This botnet is composed of malware derived from Mirai and Bashlite (also known as Gafgyt and Lizkebab, amongst others). It infects IoT devices by exploiting remote code execution (RCE) vulnerabilities or weak initial passwords, and goes through the following stages of infection:
The executable payload (the actual malware) connects to the C&C server and waits for commands for DDoS attacks and other purposes. When a command is received, it performs the corresponding action based on its contents.
The command messages are text messages with a message length of two bytes added at the beginning, and use the following structure:
<Message Length 2 bytes>.<Text Message>
The text message portion is a string that represents the command and arguments separated by spaces (for example, a message like "syn xxx.xxx.xxx.xxx 0 0 60 1"). This command means that it will perform a SYN Flood attack for 60 seconds on a random port number (0 meaning random) of the attack target IP address indicated by xxx.xxx.xxx.xxx.
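The framing described above is simple enough to decode by hand, but the interesting part for a defender is splitting a live byte stream into complete frames and recognising a partial one. The following is an added example written for this page, not code from the original analysis. It assumes, because the write-up does not say, that the 2-byte length prefix is big-endian (network order) and covers only the text message; the second and fourth numeric arguments of the "syn" command are not explained in the write-up and are left unparsed. Target addresses in the usage are constructed TEST-NET values.

```python
"""Decode the length-prefixed text C&C frames described above.

Constructed example. Assumptions (not stated in the write-up): the 2-byte
length prefix is big-endian and covers only the text; the 3rd and 5th fields
of "syn" are of unknown meaning and are returned unparsed.
"""
import struct
from typing import List, Optional, Tuple

# Commands named in the write-up. Only "syn" has its arguments described there.
KNOWN_COMMANDS = {"syn", "stomp", "gre", "socket", "handshake", "udpfwd"}


def frame(text: str) -> bytes:
    """Build one frame: <2-byte length><text message>."""
    body = text.encode("ascii")
    if len(body) > 0xFFFF:
        raise ValueError("message too long for a 2-byte length prefix")
    return struct.pack("!H", len(body)) + body


def parse_frames(buf: bytes) -> Tuple[List[Tuple[str, List[str]]], bytes]:
    """Split a byte stream into (command, args) tuples.

    Returns the complete commands found and any trailing bytes that do not yet
    form a whole frame, so a caller reading from a socket can keep the
    remainder and retry once more data arrives.
    """
    out: List[Tuple[str, List[str]]] = []
    pos = 0
    while pos + 2 <= len(buf):
        (length,) = struct.unpack_from("!H", buf, pos)
        if pos + 2 + length > len(buf):
            break  # partial frame: wait for the rest
        text = buf[pos + 2 : pos + 2 + length].decode("ascii", errors="replace")
        pos += 2 + length
        if not text.strip():
            continue
        parts = text.split(" ")
        out.append((parts[0], parts[1:]))
    return out, buf[pos:]


def describe_syn(args: List[str]) -> Optional[dict]:
    """Interpret "syn <target> <port> <?> <seconds> <?>" as described above.

    Port 0 means a random destination port. The two '?' fields are not
    explained in the write-up and are passed through unparsed.
    """
    if len(args) != 5:
        return None
    target, port, opaque1, seconds, opaque2 = args
    try:
        port_i, seconds_i = int(port), int(seconds)
    except ValueError:
        return None
    return {
        "attack": "SYN flood",
        "target": target,
        "port": "random" if port_i == 0 else port_i,
        "duration_s": seconds_i,
        "unparsed": [opaque1, opaque2],
    }


if __name__ == "__main__":
    # Constructed stream: one complete "syn" frame followed by a truncated one.
    stream = frame("syn 192.0.2.10 0 0 60 1") + frame("stomp 198.51.100.7 80 0 120 1")[:10]
    commands, remainder = parse_frames(stream)
    for cmd, args in commands:
        print(cmd, args, describe_syn(args) if cmd == "syn" else "")
    print(f"{len(remainder)} bytes held back as an incomplete frame")
```

The partial-frame handling matters in practice: a capture or proxy that assumes one TCP segment carries exactly one command will mis-split commands when the C&C server coalesces or fragments them.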
The commands we identified are listed in Table 1. They show that hosts infected with this malware may not only participate in DDoS attacks but could also be used as part of an underground proxy service.
Table 1. Command list
The malware disables the device's watchdog timer so that the device is not rebooted when the watchdog detects that the system has stopped responding under the high load of a DDoS attack. This behaviour was also observed in Mirai variants in the past; Mirai did it by opening /dev/watchdog and issuing the WDIOC_SETOPTIONS ioctl with WDIOS_DISABLECARD.
A watchdog timer (WDT) is a hardware or software timer that the running system must reset periodically. If the main programme hangs or is starved of CPU and stops resetting the timer before it expires, the watchdog forces a reboot. Disabling it removes this safety net and lets the bot keep the device saturated indefinitely.
The malware abuses the iptables command in Linux systems to delay the discovery of the infection and manipulate the packets used in the DDoS attacks.
During startup, the malware sets rules for iptables using the code shown in Figure 3. These rules perform the following actions:
We believe the intent of dropping TCP connection requests from the WAN side was to prevent competing botnets that exploit the same vulnerabilities from infecting the device. Allowing TCP connections from the LAN side keeps the device's management console reachable to the administrator, so nothing appears abnormal from inside the network.
The malware also adds iptables rules dynamically when executing commands. When the udpfwd command is executed, it adds a rule that allows inbound UDP packets from the internet to the specified port. When the socket command is executed, it adds a rule that drops outgoing TCP RST packets.
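Because Figure 3 is not reproduced here, the following added example (written for this page, not code from the original analysis) reconstructs the described rule pattern as a constructed `iptables -S` dump and runs a heuristic audit over it: WAN TCP connection requests dropped while LAN TCP is accepted, outbound TCP RST suppressed, and a UDP port opened inbound on all interfaces. The interface names (eth0 as WAN, br0 as LAN) and the rule text are assumptions; the audit works on saved `iptables -S` output so it can be run offline against a dump taken from a suspect device.

```python
"""Heuristic audit of a router's iptables rules for the patterns described
above. Constructed example; WAN/LAN interface names and SAMPLE_RULES are
assumptions, not rules recovered from the malware.
"""
from typing import Dict, List, Optional

WAN_IFACES = {"eth0", "ppp0"}    # assumption: common router WAN interfaces
LAN_IFACES = {"br0", "br-lan"}   # assumption: common router LAN bridges

# Constructed `iptables -S` output consistent with the behaviour described above.
SAMPLE_RULES = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A INPUT -i br0 -p tcp -j ACCEPT
-A INPUT -p udp -m udp --dport 3074 -j ACCEPT
-A OUTPUT -p tcp -m tcp --tcp-flags RST RST -j DROP
"""


def parse_rule(line: str) -> Dict[str, str]:
    """Turn one `iptables -S` line into a flat option -> value dict.

    Valueless flags such as --syn map to ''. --tcp-flags takes two values
    (mask and comp) which are kept together as one space-separated string.
    """
    toks = line.split()
    rule: Dict[str, str] = {}
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok == "--tcp-flags" and i + 2 < len(toks):
            rule[tok] = f"{toks[i + 1]} {toks[i + 2]}"
            i += 3
        elif tok.startswith("-") and i + 1 < len(toks) and not toks[i + 1].startswith("-"):
            rule[tok] = toks[i + 1]
            i += 2
        else:
            rule[tok] = ""
            i += 1
    return rule


def _drops_rst(rule: Dict[str, str]) -> bool:
    """True if the rule matches packets with the RST flag set."""
    flags = rule.get("--tcp-flags", "")
    return bool(flags) and "RST" in flags.split()[1].split(",")


def _matches_syn(rule: Dict[str, str]) -> bool:
    """True for --syn or an explicit --tcp-flags ... SYN connection-request match."""
    if "--syn" in rule:
        return True
    flags = rule.get("--tcp-flags", "")
    return bool(flags) and flags.split()[1] == "SYN"


def audit_rules(rules_text: str) -> List[str]:
    """Return human-readable findings for the suspicious patterns described above."""
    findings: List[str] = []
    wan_syn_dropped = lan_tcp_accepted = False
    for line in rules_text.splitlines():
        if not line.startswith("-A "):
            continue  # skip policy (-P) and chain definitions
        r = parse_rule(line)
        chain: Optional[str] = r.get("-A")
        proto, iface, target = r.get("-p"), r.get("-i"), r.get("-j")
        if chain == "OUTPUT" and proto == "tcp" and target in ("DROP", "REJECT") and _drops_rst(r):
            findings.append("outbound TCP RST suppressed: " + line)
        if chain == "INPUT" and proto == "tcp" and target == "DROP" and iface in WAN_IFACES and _matches_syn(r):
            wan_syn_dropped = True
        if chain == "INPUT" and proto == "tcp" and target == "ACCEPT" and iface in LAN_IFACES:
            lan_tcp_accepted = True
        if chain == "INPUT" and proto == "udp" and target == "ACCEPT" and "--dport" in r and iface is None:
            findings.append(f"UDP port {r['--dport']} opened inbound on all interfaces: " + line)
    if wan_syn_dropped and lan_tcp_accepted:
        findings.append("WAN TCP connection requests dropped while LAN TCP accepted "
                        "(management console still reachable from inside)")
    return findings


if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print(finding)
```

Of the three patterns, dropping outbound RST is the strongest indicator: a router has no ordinary reason to stop its own kernel from answering unexpected segments, whereas a WAN-side SYN drop or an open UDP port can be legitimate firmware defaults, so those should be compared against the vendor's stock rule set before being treated as compromise.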
This section discusses the results of our analysis of the IP addresses included in the commands. All figures below were collected and aggregated between December 27, 2024, and January 4, 2025.
Looking at the geolocation of the targeted IP addresses, the attacks cover Asia, North America, South America, and Europe. Counting unique IP address strings (an IP range specified in a command counts as one), the targets are concentrated in North America and Europe, with the United States at 17%, Bahrain at 10%, and Poland at 9%.
We observed differences in the types of commands used for attacks targeting Japan (which we focused on in this research) and other international targets. For international targets, we found commands such as socket and handshake that were not used in attacks against Japanese targets. Additionally, the stomp command was more frequent in attacks targeting Japan at 21%, while it was only used in 7% of the attacks targeting international targets. Conversely, the gre command was less frequent in attacks targeting Japan, but more frequent in attacks targeting international targets at 16%. Additionally, we found that two or more commands were sometimes combined and used in attacks against a single organisation.
After January 11th, we observed that socket and handshake commands targeting Japanese organisations were issued to the botnet. However, the attacks did not last long. Following that, other DDoS attacks were conducted instead. We believe that the actor behind the attacks was testing the effectiveness of these commands after these organisations took countermeasures against DDoS attacks.
For attacks targeting Japanese organisations, we confirmed attempts against the transportation, information and communication, and finance and insurance industries. For international organisations, attacks against the information and communication industry were the most frequent at 34%, while attacks on the finance and insurance industry were approximately 8%.
While there were some commonalities, one notable difference was the absence of attack commands against the transportation industry among international targets.
We used our global threat intelligence to monitor communication with the botnet's C&C server. As a result, we identified the IP addresses of 348 devices used in the attacks. By investigating the attributes and vendors of these devices, we obtained the following results.
The majority of the devices used in the attack were wireless routers, accounting for 80% of the total, followed by IP cameras at 15%. In terms of vendors, TP-Link and Zyxel wireless routers accounted for 52% and 20% respectively, while Hikvision IP cameras accounted for 12%. For device distribution, India accounted for 57% and South Africa accounted for 17% of the botnet’s location.
In recent years, there has been an increase in cases where IoT devices were being exploited as a platform for cyberattacks. These devices can become infected with bot malware and be incorporated into a botnet, generating and transmitting a massive amount of traffic, either to cause damage through DDoS attacks, or used as a stepping stone for intrusion attacks on other networks. The following are some of the factors that make these devices vulnerable to attacks.
To prevent or minimise botnet expansion and impact, we recommend the following best practices to improve device security:
The DDoS attacks carried out by the IoT botnet discussed in this blog entry are divided into two types: attacks that overload the network by sending a large number of packets, and attacks that exhaust server resources by establishing a large number of sessions. In addition, we observed two or more commands used in combination, making it possible that both network overload attacks and server resource exhaustion attacks occur simultaneously.
Here are some examples of countermeasures that can be considered for each type of attack. We recommend that organisations consider implementing these suggestions, taking into account their environment and consulting with their contracted communication service provider.
In addition, other types of DDoS attacks may be carried out by other IoT botnets. For an overview of such DDoS attacks and their countermeasures, please refer to the guide provided by the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
As seen in the recent botnet attacks, the use of infected devices can result in attacks crossing physical borders and causing significant damage to targeted countries or regions. It is essential to thoroughly implement IoT device security measures to avoid becoming an "accomplice" to such attacks. By taking proactive steps to secure IoT devices, individuals and organisations can help prevent the spread of botnets and protect against potential cyberthreats linked with these types of attacks.
The indicators of compromise for this entry can be found here.
Trend Micro Research