
Understanding Fileless Attacks on Linux-based IoT Devices with HoneyCloud

Fan Dang1, Zhenhua Li1, Yunhao Liu1,2, Ennan Zhai3, Qi Alfred Chen4, Tianyin Xu5, Yan Chen6, Jingyu Yang7
1Tsinghua University, 2Michigan State University, 3Alibaba Group, 4UC, Irvine, 5University of Illinois Urbana-Champaign, 6Northwestern University, 7Tencent Anti-Virus Lab

ABSTRACT

With the wide adoption, Linux-based IoT devices have emerged as one primary target of today's cyber attacks. Traditional malware-based attacks, like Mirai, can quickly spread across these devices, but they are well-understood threats with effective defense techniques such as malware fingerprinting coupled with community-based fingerprint sharing. Recently, fileless attacks (attacks that do not rely on malware files) have been increasing on Linux-based IoT devices, and posing significant threats to the security and privacy of IoT systems. Little has been known in terms of their characteristics and attack vectors, which hinders research and development efforts to defend against them. In this paper, we present our endeavor in understanding fileless attacks on Linux-based IoT devices in the wild. Over a span of twelve months, we deploy four hardware IoT honeypots and 108 specially designed software IoT honeypots, and successfully attract a wide variety of real-world IoT attacks. We present our measurement study on these attacks, with a focus on fileless attacks, including the prevalence, exploits, environments, and impacts. Our study further leads to multi-fold insights towards actionable defense strategies that can be adopted by IoT vendors and end users.

CCS CONCEPTS

• Security and privacy → Hardware attacks and countermeasures; Mobile and wireless security.

ACM Reference Format:
Fan Dang, Zhenhua Li, Yunhao Liu, Ennan Zhai, Qi Alfred Chen, Tianyin Xu, Yan Chen, and Jingyu Yang. 2019. Understanding Fileless Attacks on Linux-based IoT Devices with HoneyCloud. In MobiSys '19: ACM International Conference on Mobile Systems, Applications, and Services, June 17–21, 2019, Seoul, South Korea. ACM, New York, NY, USA, 13 pages. https://doi.org/10.1145/nnnnnnn.nnnnnnn

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
MobiSys '19, June 17–21, 2019, Seoul, South Korea
© 2019 Association for Computing Machinery.
ACM ISBN 978-x-xxxx-xxxx-x/YY/MM...$15.00
https://doi.org/10.1145/nnnnnnn.nnnnnnn

1 INTRODUCTION

Internet of Things (IoT) has quickly gained popularity across a wide range of areas like industrial sensing and control [73], home automation [49], etc. In particular, the majority of today's IoT devices have employed Linux (e.g., OpenWrt and Raspbian) for its prevalence and programmability, and such a trend has been growing continuously [20]; meanwhile, the number of cyber attacks against Linux-based IoT devices is also increasing rapidly [26]. In this paper, we, therefore, focus on Linux-based IoT devices and the attacks targeting them. The Linux-based IoT attacks generally fall into two categories: malware-based attacks and fileless attacks.

Threats from malware-based attacks (e.g., Mirai, PNScan, and Mayday) have been widely known in IoT networks. For example, global websites like GitHub and Twitter became inaccessible for hours in Oct. 2016, since their DNS provider, Dyn, was under DDoS attack by Mirai, which infected over 1.2 million IoT devices [14, 70]. These incidents raised high awareness of malware-based attacks on IoT systems; throughout the past few years, their characteristics have been extensively studied and effective defense solutions have been developed. For instance, the hash (e.g., MD5 or SHA-n) of a malware's binary file can be computed to fingerprint these IoT malware, and such fingerprints are then shared with the community such as through VirusTotal [41]. For a malware that has not been fingerprinted, static and dynamic analysis can be applied to determine their malice [48]. As a result, despite the high prevalence of malware, the emerging rate of new malware (and their variants) is staying quite stable [23].

Fileless attacks (also known as non-malware attacks or zero-footprint attacks) on IoT devices differ from malware-based attacks in that they do not need to download and execute malware files to infect the victim IoT devices; instead, they take advantage of existing vulnerabilities on the victim devices. In the past few years, increasingly more fileless attacks have been reported [10, 11, 25, 28, 74], e.g., McAfee Labs reports that fileless attacks surged by 432% over 2017 [24]. Traditional servers and PCs defend against fileless attacks using sophisticated firewalls and antivirus tools [29]; however, these solutions are not suitable for the vast majority of IoT devices due to the limited computing and storage resources. As a result, fileless attacks pose significant threats to the IoT ecosystem, given that IoT devices are often deployed in private and sensitive environments, such as private residences and healthcare centers. At the moment, there is limited visibility into their characteristics and attack vectors, which hinders research and development efforts to innovate new defense to combat fileless attacks.

1.1 Study Methodology (§2)

To understand Linux-based IoT attacks in the wild, we use honeypots [67], which are known to be an effective method for capturing unknown network attacks. We, therefore, first set up several common Linux-based IoT devices in different places as hardware honeypots. Each honeypot is coupled with a Remote Control Power Adapter which can reset the honeypot when it is compromised. These offer us valuable insights into the specialties of IoT attacks. However, we notice that this first endeavor incurs unaffordable infrastructure and maintenance costs when deployed at scale. We, therefore, attempt to explore a cheap and scalable approach to effectively capture and analyze real-world IoT attacks.

Intuitively, such an attempt can be empowered by public clouds widely spread across the world. This seems to be a possible host for our quickly deploying numerous software (virtual) honeypots. Nevertheless, this approach is subject to several practical issues. First, the virtual honeypots should behave similarly to actual IoT devices, so as not to miss the relatively rare fileless attacks. Second, they should expose in-depth information of the interaction processes, to facilitate our characterizing the usually hard-to-track fileless attacks. Finally, they have to conform with diverse policies imposed by different cloud providers, so that one cloud's limitations would not essentially influence the coverage of our study results. To this end, we heavily customize the design of software honeypots by leveraging the insights collected from hardware honeypots, such as kernel information masking, encrypted command disclosure, and data-flow symmetry monitoring. We carefully select eight public clouds to disperse 108 abovementioned software honeypots, and the system is called HoneyCloud. These software honeypots employ OpenWrt, which is one of the most popular Linux distributions for IoT devices [3, 18] and also suitable for customization.

Compared to a hardware honeypot as we show in §2.2, a software honeypot attracts 37% fewer suspicious connections and 39% fewer attacks on average. On the other hand, the average monthly maintenance fee of a software honeypot (∼6 US dollars) is 12.5× less than that of a hardware honeypot (∼75 US dollars). More importantly, all the types of attacks captured by our hardware honeypots have also been captured by HoneyCloud (but not vice versa).

• Fileless attacks aggravate the threats to IoT devices by introducing stealthy reconnaissance methods and unique types of IoT attacks. On one side, we notice that 39.4% of the captured fileless attacks are collecting system information or performing de-immunization operations (e.g., shut down the firewall and kill the watchdog) in order to allow more targeted and efficient follow-up attacks. We suspect this is because fileless attacks are harder to fingerprint, and thus are highly suitable for stealthy attack reconnaissance or preparations. On the other side, we find that fileless attacks can also be powerful attack vectors on their own while maintaining high stealthiness. Specifically, we capture a fileless attack in the wild that launched a targeted DDoS attack. The attack neither modifies the filesystem nor executes any shell commands, but can manipulate a swarm of IoT devices and make the attacker(s) invisible to victims. Since the only indication of such an attack is anomalous patterns of outbound network traffic, it is highly challenging for existing host-based defense mechanisms to detect it effectively.

• IoT attacks in the wild are using various types of information to determine device authenticity. According to our measurements on hardware honeypots, 9132 attacks executed commands like lscpu to acquire sensitive system information. In addition, with HoneyCloud we find an average of 6.7% fewer attacks captured by a honeypot hosted on AWS than one hosted on other public clouds, probably because AWS has disclosed all its VM instances' IP ranges and some malware like Mirai does not infect (in fact intentionally bypasses) specific IP ranges [43]. These insights are then leveraged to improve the design and deployment of HoneyCloud in fidelity and effectiveness.

• We discover new security challenges posed by fileless attacks and propose new defense directions. While leaving