@inproceedings{60cc5ad3b8c24cbf8d374501ba9baefa,
title = "Bin there, target that: Analyzing the target selection of IoT vulnerabilities in malware binaries",
abstract = "For years, attackers have exploited vulnerabilities in Internet of Things (IoT) devices. Previous research has examined target selection in cybercrime, but there has been little investigation into the factors that influence target selection in attacks on IoT. This study aims to better understand how attackers choose their targets by analyzing the frequency of specific exploits in 11,893 IoT malware binaries that were distributed between 2018 and 2021. Our findings indicate that 78% of these binary files did not specifically target IoT vulnerabilities but rather scanned the Internet for devices with weak authentication. To understand the usage of exploits in the remaining 2,629 binaries, we develop a theoretical model from relevant literature to examine the impact of four latent variables, i.e. exposure, vulnerability, exploitability, and patchability. We collect indicators to measure these variables and find that they can explain to a significant extent ($R^2=0.38$) why some vulnerabilities are more frequently exploited than others. The severity of vulnerabilities does not significantly increase the frequency with which they are targeted, while the presence of Proof-of-Concept exploit code does increase it. We also observe that the availability of a patch reduces the frequency of being targeted, yet that more complex patches are associated with higher frequency. In terms of exposure, more widespread device models are more likely to be targeted by exploits. We end with recommendations to disincentivize attackers from targeting vulnerabilities.",
keywords = "Dynamic Analysis, Exploits, Exposure, IoT malware, Vulnerabilities",
author = "{Al Alsadi}, {Arwa Abdulkarim} and Kaichi Sameshima and Katsunari Yoshioka and {van Eeten}, Michel and Ga{\~n}{\'a}n, {Carlos H.}",
year = "2023",
doi = "10.1145/3607199.3607241",
language = "English",
series = "ACM International Conference Proceeding Series",
publisher = "Association for Computing Machinery (ACM)",
pages = "513--526",
booktitle = "Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2023",
address = "United States",
note = "26th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2023 ; Conference date: 16-10-2023 Through 18-10-2023",
}