CRITICAL: Compromised IoT Report

DESCRIPTION LAST UPDATED: 2024-09-23

DEFAULT SEVERITY LEVEL: CRITICAL

This report aggregates information about compromised IoT devices detected through other means than HTTP-based scan detection. It complements our Compromised Website report. The intention is to make the data about the compromised IoT devices more accessible, rather than being spread out over multiple non-HTTP based detections, as well as to introduce additional datasets that are a result of correlations of existing datasets.

The report includes:

  • Devices compromised by the 7777 botnet (as reported by Bitsight). These events are tagged 7777. Make sure to investigate and check for any wider compromises. This data is also present in the Accessible Telnet Report.  The source_type is set to scan.
  • Data on hosts running SSH services that are known to be compromised, because they have known public malicious SSH keys installed which facilitate remote access. For more details on the issue, please read “Public SSH keys can leak your private infrastructure“. The data was obtained through collaboration with an external third party (thank you!). Data was previously made accessible through Compromised SSH Host Special Report. Reporting will now be continuous with events being reported out as we receive them. These events will be tagged ssh and the source_type set to scan.
  • Data based on hosts observed attacking our honeypots using a known Common Vulnerability and Exposure (CVE), or equivalent, when we have successfully mapped the attacking device to a vendor (as a result of our Device Identification report). These events will be tagged honeypot-http-scan, and source_type set to honeypot.

If you receive an alert from us, assume your reported device is compromised and make sure to investigate. In some cases this may mean that it is another device on your network that may be generating the actual queries (such as an infected device behind the reported public IP address of a firewall or network address translation (NAT) gateway).

You can track statistics about these reported events in our public Dashboard.

Severity levels are described here.

Filename prefix(s): compromised_iot, compromised_iot6

Fields

  • timestamp
    The timestamp when an event was observed (UTC+0)
  • severity
    Severity level
  • ip
    IP address of the affected device
  • protocol
    TCP or UDP
  • port
    TCP or UDP port identified
  • hostname
    Hostname of the affected device (may be from reverse DNS or certificate)
  • tag
    Attributes for the given event, for example telnet;7777 or honeypot-http-scan
  • asn
    Autonomous System Number of the affected device
  • geo
    Country of the affected device
  • region
    Region of the affected device
  • city
    City of the affected device
  • naics
    North American Industry Classification System Code
  • hostname_source
    Where the hostname was taken from (may be DNS or certificate)
  • sector
    Sector of the IP in question
  • device_vendor
    Device vendor, if any
  • device_type
    Device classification (for example, router, firewall, nas, video-system etc), if any
  • device_model
    The identified device model, if any
  • device_version
    Device version, if any
  • source_type
    Source type of the event (scan or honeypot)
  • category
    Type of maliciousness the service is being used for
  • family
    Name of the malware family/type the device is compromised with/by
  • status
    Status of the affected IP, for example, compromised
  • detail
    Any additional details for contextualization
  • public_source
    Source of the data (may not be disclosed)
  • account
    Account compromised, if any. For example if there is a check made for a malicious ssh key, the account against which it is checked will be here
  • server_host_key
    Server public host key (if any)
  • malpubkey_sha256
    Threat actor public SSH key installed on server (if any)

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","hostname_source","sector","device_vendor","device_type","device_model","device_version","source_type","category","family","status","detail","public_source","account","server_host_key","malpubkey_sha256"
"2010-02-10 00:00:00",critical,192.168.0.1,tcp,7777,node01.example.com,7777;telnet,64512,ZZ,Region,City,0,,"Communications, Service Provider, and Hosting Service",,,,,scan,,,compromised,RR,,,,
"2010-02-10 00:00:01",critical,192.168.0.2,tcp,7777,node02.example.com,7777;telnet,64512,ZZ,Region,City,0,,"Communications, Service Provider, and Hosting Service",,,,,scan,,,compromised,RR,,,,
"2010-02-10 00:00:02",critical,192.168.0.3,tcp,7777,node03.example.com,7777;telnet,64512,ZZ,Region,City,0,,"Data Processing, Hosting, and Related Services",,,,,scan,,,compromised,RR,,,,

Our 129 Report Types

« Back to Network Reporting