Botnet IoT attacks rise 500% since 2020

Posted On

By Julian Durand


IoT attacks have risen 500% compared to 2020, according to research by IBM Security X-Force. What’s behind this tremendous spike? The study revealed that Mozi botnets and their method of attacking ranks number one and currently controls approximately 438,000 hosts.

Just what does a Mozi attack look like and why is it so effective? A Mozi equipped attacker will follow several steps to gain control and start exploiting data. It all begins with reconnaissance of vulnerable IoT devices and networks. Communication protocols or other attack surfaces are exploited to infiltrate the network. The goal is to then establish permanence or persistence, so the malware cannot be removed, then to propagate control across the network.  After this, sensitive data is captured and the victim’s systems are encrypted and they are locked out. At this point the victim receives a ransomware notice to unlock the system, or an extortion demand to keep sensitive data from the public.

How attackers gain control 


  • Attackers search for exploitable targets using network scanning tools. They identify targets and prioritize them
  • Gateways and routers are often targeted because they can help to identify more potential vulnerabilities


  • Software exploit kits are installed to take advantage of vulernatibites such as inadequate communication protocols and bad passwords
  • Once a vulnerability is discovered, Mozi malware is deployed


  • File systems are modified so malware cannot be deleted and Mozi maintains control
  • Communications with trusted configuration and update servers are blocked to prevent remediation efforts


  •  Gateways are appropriated to redirect traffic to ransomware sites along with distributing malware to attack all the endpoints in the network

Interception—when demands are made

  • Data is stolen, network endpoints and backups are encrypted and made inaccessible 
  • Ransom demands are sent

 Protect against Mozi

The reconnaissance stage of an attack is difficult to defend as there will always be device and network vulnerabilities. Infiltration is also difficult to protect against, as perimeter based systems are often easily exploited. The place to make a stand is at the persistence stage, where IoT devices are configured properly and reject the infiltrating code then and there to ensure it cannot spread further.

The IoT market is exploding and if we don’t enable these devices and networks to protect themselves, they will continue to be an ongoing, open ground for exploitation and business risk. According to, by the end of 2021, there will be 31 billion IoT devices worldwide, and by 2030 that number will soar to 125 billion.

So how can devices and networks operate so they resist attacks and defend against this type of malware? Let’s look at how device authenticity and data integrity are key to facing down this threat.

Maintaining device authenticity

Questions of authenticity matter when trying to establish whether a device is to be trusted or not. Is it from a known “good source?” A robust way to confirm this is through a public key infrastructure, or PKI.  Does a device exhibit a strong secret private key that encrypts the device’s digital signature? Does it possess a “public” key that corresponds to the private key stored in immutable storage on the device? For example, this key can be stored within the device’s read-only memory (ROM). As a device is powered on, the device’s authenticity and integrity are checked with this cryptographic key during the power on self test (POST).

While these sound like relatively simple steps, managing and protecting the integrity and confidentiality through public and private keys is not trivial. Cryptography specialists use trusted systems to design highly resilient and scalable infrastructures to scale and protect their integrity. Appropriate keys are assigned to devices, which require expertise in embedded programming, and embedded security architectures. Managing and securely providing key distribution and maintaining keys through the device lifecycle is a final consideration. This step must also account for device end of life, key revocation—all the while providing high availability and persistence.  

Preserving data integrity

In the same manner that devices are protected, data and the software that creates it, need to be trusted. To know that “good software” is running on a device is essential. A chain of trust that originates in unchangeable (immutable) hardware and links to every other bit of software on the device is needed—from the firmware, the operating system, middleware, protocol stacks, applications to the data that is generated.

The system-based approach to trust that Public Key Infrastructure (PKI) offers is a proven way to provide this. All the software on the device is “digitally signed,” a hash-based digital signature or fingerprint is generated on the bits that make up the software. This fingerprint is a one-way function that uniquely identifies the bits comprising the software. If even a single bit is changed, then so too is the digital signature or hash.

Unique identification and more

A unique identifier that enforces a device’s approved capabilities and permissions is also essential to providing trust. In its simplest form, it could be a unique ID that is used to reference the device on a network.

In other cases, it can contain highly governed and detailed authorization assertions. For example, an electric vehicle could be restricted to assigned charge points; or a medical drug delivery device will maintain medication thresholds.  

Breaking the botnet kill chain

With the successful and rising attacks of today’s botnets and how they compromise devices by corrupting their authenticity and data integrity, the message is clear. It is essential that we break the kill chain of malicious software agents and their actors to protect the expanding universe of IoT devices. The best countermeasure to defend against dangerous exploitation of industrial and home networks of things is to establish immutable trust. A primary way to achieve this is through a robust Public Key Infrastructure and how it uniquely assures device authenticity and data integrity.  


About Julian Durand

Julian Durand is VP of Intertrust Secure Systems and product owner of Intertrust PKI (iPKI). He earned his engineering degree from Carleton University, and his MBA from the University of Southern California (USC). He is also a Certified Information Systems Security Professional (CISSP) and inventor with 10 issued patents.