[SingCERT] Alert on Botnet IoT Reaper

Published on Sunday, 22 October 2017 15:10


A newly-detected cyber threat targeting internet-connected devices is reported to be spreading across the internet. The malicious malware is observed to exploit vulnerabilities in devices to take control and make them part of a massive botnet infrastructure. The threat has been reported by independent researchers from Checkpoint and Qihoo, and has been named “IOT_reaper” or “Reaper”.

The new Reaper botnet, while resembling the powerful Mirai botnet behind the Dyn DDOS attack in 2016, defers in some aspects. Unlike Mirai which propagates by connecting to devices via telnet, through weak passwords or brute-force attack on the devices’ credentials, the Reaper malware exploits known vulnerabilities in devices. This means that it will actively seek out vulnerable devices that are unpatched and infects them. It is reported to have infected nearly 2 million devices and is actively growing. As the threat continues to grow, it could cause devastating effects through DDOS attacks as seen in the Dyn incident.

Affected Systems

The following systems are currently reported to be vulnerable to the Reaper malware:


Vulnerable internet-connected devices compromised by the Reaper malware, allow the hacker to take over control of the device. This means the hacker can potentially access the content in the device, including any personal or sensitive data that is within the system (e.g. data in CCTV/IPcam’s feeds, or sensitive photos and documents in storage devices). The compromised device would also likely become part of a botnet infrastructure and may be used for all kinds of malicious or criminal activities. The malware has been observed to be evolving to include more target devices, ranging from IP-based cameras, routers, storages devices to wifi points.


Patching your vulnerable internet-connected devices is critical to ensure the security of your system or network. It helps to protect the data within and ensure that the internet-connected device does not inadvertently become part of a malicious botnet used to attack others.

SingCERT recommends taking the following steps to safeguard yourselves and in turn, the Internet:

  • Check for software updates regularly and install them: If your device is listed as affected, you should check with the respective manufacturer on the availability of firmware update to patch the security vulnerabilities.
  • Turn off remote access to your Internet-connected devices like cameras and printers when possible: Some connected devices allow others to access it from a location away from you. That may be useful for troubleshooting, but hackers will exploit that gap to enter your system or network. Check that your device allows you to block such remote access, and turn on that option.
  • Change all device passwords so you don’t have any defaults. Many devices come pre-configured with usernames and passwords such as “admin” or “password” respectively. These can easily be found by hackers and by malware like Mirai. A default password is like an unlocked door. Thus it is important for you to change the default password immediately.
  • Scan your own network for security holes. For advanced users, there are tools such as Nmap, which can help you find holes before the hackers do.