MQTT: The Versatile Protocol and Its Double-Edged Sword for IoT Cybersecurity
MQTT (Message Queuing Telemetry Transport) is a lightweight messaging protocol that has revolutionized machine-to-machine (M2M) communication, especially in the realm of the Internet of Things (IoT). Originally developed in 1999 by Andy Stanford-Clark of IBM and Arlen Nipper of Arcom (now Eurotech), MQTT was designed to monitor oil pipelines over costly satellite links. Its efficiency in minimizing data transmission costs and conserving battery power made it indispensable for remote devices. In 2010, IBM released MQTT as a royalty-free protocol, and it has since evolved into an open OASIS and ISO standard, becoming the go-to protocol for IoT messaging. However, the very features that make MQTT so effective for legitimate applications also render it a potent tool for malicious actors.
Understanding the MQTT Messaging Model
MQTT employs a publish/subscribe architecture, which decouples message producers (publishers) from consumers (subscribers) through a central broker. This model allows for efficient and scalable communication, crucial for IoT applications where resources and bandwidth are limited.
Key Components:
Publishers: Devices or applications that send messages to the broker.
Subscribers: Devices or applications that receive messages from the broker based on their subscriptions to specific topics.
Broker: A server that manages message distribution, categorizing data into topics and forwarding messages to subscribers.
Topics: Labels used to categorize messages, allowing subscribers to receive only the information relevant to them.
How it Works
(Figure: Simple Pub/Sub Architecture; source: researchgate.net [1])
Publishers send messages to the broker, tagged with specific topics.
The broker categorizes these messages by topics.
Subscribers subscribe to specific topics to receive relevant messages.
When a message is published on a subscribed topic, the broker delivers it to all subscribers interested in that topic.
Benefits of the Publish/Subscribe Model:
Decoupling: Reduces bottlenecks and optimizes network performance by eliminating direct connections between publishers and subscribers; each side only needs to know the broker.
Efficiency: Minimizes network traffic and battery consumption by only communicating when state changes occur.
Scalability: Supports communication between millions of devices through a central broker, ideal for large-scale IoT deployments.
Targeted Communication: Ensures efficient data delivery by allowing subscribers to receive only the messages relevant to them.
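To make the routing step concrete, here is a minimal in-memory publish/subscribe broker. It is an added example, not code from the original article or from any MQTT implementation, and it only models topic routing (no network, QoS or sessions). The matching rules it implements are the ones the MQTT specification defines: "/" separates levels, "+" matches exactly one level, "#" matches the rest of the topic and must be the last level, and a filter that starts with a wildcard never matches "$"-prefixed system topics. The client ids and topics are constructed for the illustration.

```python
"""Minimal in-memory pub/sub broker illustrating MQTT topic routing.

Added example, not the article's or any project's code. Implements the
topic-filter rules of the MQTT specification: '/' separates levels,
'+' matches one level, '#' matches the remaining levels and must be last,
and wildcard-leading filters do not match '$'-prefixed system topics.
"""
from collections import defaultdict


def is_valid_filter(filter_: str) -> bool:
    """Check the wildcard placement rules for a subscription filter."""
    if not filter_:
        return False
    levels = filter_.split("/")
    for i, lvl in enumerate(levels):
        # '#' must be the whole level and the last one
        if "#" in lvl and (lvl != "#" or i != len(levels) - 1):
            return False
        # '+' must occupy a whole level on its own
        if "+" in lvl and lvl != "+":
            return False
    return True


def topic_matches(filter_: str, topic: str) -> bool:
    """Return True if the published `topic` matches the subscription `filter_`."""
    if not filter_ or not topic:
        return False
    # Wildcard filters must not match system topics such as $SYS/...
    if topic.startswith("$") and filter_[0] in "+#":
        return False
    f_levels = filter_.split("/")
    t_levels = topic.split("/")
    for i, f in enumerate(f_levels):
        if f == "#":
            # '#' matches zero or more remaining levels (so 'a/#' matches 'a')
            return i == len(f_levels) - 1
        if i >= len(t_levels):
            return False
        if f != "+" and f != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)


class Broker:
    """Routes each published message to every client whose filter matches."""

    def __init__(self) -> None:
        self._subs = defaultdict(set)        # filter -> set of client ids
        self.delivered = defaultdict(list)   # client id -> [(topic, payload)]

    def subscribe(self, client_id: str, filter_: str) -> None:
        if not is_valid_filter(filter_):
            raise ValueError(f"invalid topic filter: {filter_!r}")
        self._subs[filter_].add(client_id)

    def publish(self, topic: str, payload: str) -> list:
        """Deliver `payload` and return the sorted list of recipients."""
        if "+" in topic or "#" in topic:
            raise ValueError("wildcards are not allowed in a published topic name")
        recipients = set()
        for filter_, clients in self._subs.items():
            if topic_matches(filter_, topic):
                recipients.update(clients)
        for cid in recipients:
            self.delivered[cid].append((topic, payload))
        return sorted(recipients)


def demo() -> dict:
    """Constructed scenario: three subscribers, three publications."""
    broker = Broker()
    broker.subscribe("dashboard", "plant/+/temperature")  # one plant line at a time
    broker.subscribe("auditor", "plant/#")                # everything under plant/
    broker.subscribe("ops", "$SYS/#")                     # broker statistics only
    return {
        "temp": broker.publish("plant/line1/temperature", "21.5"),
        "pressure": broker.publish("plant/line1/pressure", "3.1"),
        "sys": broker.publish("$SYS/broker/uptime", "100"),
    }


if __name__ == "__main__":
    for name, recipients in demo().items():
        print(f"{name}: delivered to {recipients}")
```

The `$SYS` case is the one most often got wrong in home-grown brokers and ACL layers: a client subscribed to `#` must not silently receive broker-internal statistics, which is why the check comes before the level-by-level comparison.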
MQTT: A Double-Edged Sword
While MQTT's efficiency and scalability are advantageous for IoT, these same characteristics can be exploited by threat actors for malicious purposes. MQTT's publish/subscribe architecture, lightweight nature, and support for Quality of Service (QoS) levels create vulnerabilities that can be harnessed for covert command-and-control (C2) communication, botnet creation, and data exfiltration.
Exploitation Techniques:
Publish/Subscribe Architecture: Attackers can publish commands to specific topics subscribed to by compromised devices, facilitating covert C2 communication.
Lightweight and Scalable: Allows malicious actors to create large-scale botnets with minimal resource consumption, making detection difficult.
QoS Levels: Ensures reliable data exfiltration from compromised devices, even over unreliable networks.
Persistent Sessions: Maintains communication with C2 servers despite temporary network disruptions, enabling continuous control.
Bi-directional Communication: Allows for the injection of malicious code into devices from C2 servers, expanding the reach of botnets.
Security Through Authentication and Encryption: Often inadequately implemented, with weak credentials and unencrypted connections providing entry points for unauthorized access.
Mustang Panda
Mustang Panda, also known as HoneyMyte and Bronze President, is a China-based cyberespionage group first identified by CrowdStrike in April 2017. The group targets various countries and industries, primarily focusing on political, governmental, and non-profit sectors. Mustang Panda's strategic objectives align with the interests of the Chinese government, often targeting organizations with spearphishing campaigns and exploiting legitimate tools for malicious purposes. [2]
Mustang Panda's Exploitation of MQTT:
Early Identification: Mustang Panda was first identified targeting an unnamed U.S.-based think tank. Over time, the group expanded its reach to entities in Mongolia, Myanmar, Pakistan, and more, using unique tactics and tools like Poison Ivy and PlugX Remote Access Tools (RATs).
Infection Vector: The attack typically begins with a spearphishing email containing a malicious zip archive. This archive includes a Windows Shortcut file (.lnk) that, when executed, deploys malware such as PlugX or Cobalt Strike.
Use of MQTT for C2: Mustang Panda is believed to be one of the first groups to publicly use MQTT specifically for C2 communication. By leveraging MQTT, Mustang Panda can maintain persistent, covert communication with compromised devices, ensuring reliable data exfiltration and control.
MQsTTang
In early 2023, Mustang Panda introduced a new backdoor named MQsTTang, showcasing their innovative approach to using MQTT for C2 communication. This malware is part of the group's ongoing effort to explore new technology stacks and improve their operational stealth. [3]
MQsTTang's Exploitation of MQTT:
(Figure: Simplified network graph of the communication between the backdoor and C&C server [4])
C2 Communication: MQsTTang uses MQTT to communicate with its C2 server. The malware connects to a public MQTT broker operated by EMQX, disguising its traffic as legitimate IoT communication and enhancing resilience against detection and takedown efforts.
Message Encoding: Communication between the malware and the server involves MQTT messages with payloads encoded in a specific format: the content is base64 encoded, XORed with a hardcoded string, and base64 encoded again. This adds a layer of obfuscation to the data being exchanged.
Tasks and Persistence: MQsTTang executes a series of tasks upon infection, including starting C2 communication, creating persistence copies, and establishing registry keys for startup execution. The malware uses unique MQTT topics for each infected client, further complicating detection efforts.
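The payload format described above (base64, then XOR with a hardcoded string, then base64 again) is easy to reproduce, which is useful when an analyst has captured MQTT messages from a broker or a packet capture and wants to peel the layers off. The following is an added example written for that purpose; it is not code from the article or from the malware. The XOR key is a labelled placeholder, since the article does not give the real hardcoded string, and the XOR is applied as a repeating-key XOR, which is an assumption about the scheme. The decoder also uses a practical check: with the right key, the middle layer must itself be valid base64, so an invalid result is a strong sign the key is wrong.

```python
"""Encode/decode helper for a three-layer payload format:
base64 -> XOR with a fixed string -> base64.

Added example, not the article's or the malware's code. The key below is a
placeholder and the repeating-key XOR is an assumption about the scheme.
"""
import base64
import binascii
from itertools import cycle

# Placeholder: the real hardcoded string is not given in the article.
PLACEHOLDER_KEY = b"PLACEHOLDER-XOR-KEY"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (assumed); XOR is its own inverse, so this both encodes and decodes."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def encode_payload(plaintext: bytes, key: bytes = PLACEHOLDER_KEY) -> str:
    """Apply the three layers and return the text that would travel in the MQTT message."""
    layer1 = base64.b64encode(plaintext)      # inner base64
    layer2 = xor_bytes(layer1, key)           # XOR with the fixed string
    return base64.b64encode(layer2).decode("ascii")  # outer base64


def decode_payload(wire: str, key: bytes = PLACEHOLDER_KEY):
    """Reverse the three layers.

    Returns the plaintext bytes, or None when the inner layer is not valid
    base64, which is what a wrong key almost always produces.
    """
    try:
        layer2 = base64.b64decode(wire, validate=True)
        layer1 = xor_bytes(layer2, key)
        return base64.b64decode(layer1, validate=True)
    except (binascii.Error, ValueError):
        return None


def decode_many(messages, key: bytes = PLACEHOLDER_KEY) -> list:
    """Decode a batch of captured message payloads, keeping failures visible."""
    return [(m, decode_payload(m, key)) for m in messages]


if __name__ == "__main__":
    # Constructed sample payload, not a real captured message.
    sample = b'{"task": "constructed-sample", "client": "placeholder-id"}'
    wire = encode_payload(sample)
    print("on the wire :", wire)
    print("decoded     :", decode_payload(wire))
    print("wrong key   :", decode_payload(wire, key=b"WRONG"))
```

When working through real captures, run `decode_many` over every payload seen on a suspicious topic rather than on one message: a key that is correct will decode all of them, while a coincidental success on a single short message proves little.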
WailingCrab
WailingCrab, also known as WikiLoader, is a sophisticated, multi-component malware first observed in December 2022. Delivered primarily by the initial access broker Hive0133, WailingCrab has targeted organizations in Italy and beyond with email campaigns using themes such as overdue deliveries or shipping invoices. The malware's advanced tactics include the use of MQTT for C2 communication, leveraging the protocol's bidirectional capabilities to inject shellcode directly into compromised devices. [5]
WailingCrab's Exploitation of MQTT:
Stealth and Anti-Analysis Techniques: WailingCrab employs multiple components, including a loader, injector, downloader, and backdoor, each designed to evade detection. The latest version of this malware, detected in September 2023, has been updated to remove the need for storing payloads via Discord and now relies solely on MQTT for dropping payloads.
Use of MQTT for C2: Since mid-2023, WailingCrab's backdoor component has used MQTT for C2 communication, employing the third-party broker broker.emqx[.]io to hide the true address of the C2 server. This tactic allows WailingCrab to blend its traffic with normal IoT traffic, evading detection by security teams. [6]
Advanced Tactics: WailingCrab's use of MQTT includes sending shellcode payloads directly from the C2 via MQTT's bidirectional communication. This method bypasses traditional download paths and executes the payload within the compromised device, further increasing the malware's stealth and effectiveness.
Mitigating MQTT Security Risks
To protect IoT deployments from MQTT exploitation, organizations must implement robust security measures. Key strategies include:
Multi-Layered Security: Incorporate encryption, authentication, and authorization at multiple levels.
Robust Authentication: Use X.509 certificates and centralized mechanisms like OAuth 2.0 to verify client identities.
Granular Authorization: Define fine-grained policies on brokers, restricting access based on user roles.
Intrusion Detection: Deploy systems to monitor network traffic for malicious MQTT activity, identifying anomalies and known malware signatures.
Security Best Practices: Adhere to the latest MQTT security protocols and practices.
Regular Security Audits: Conduct periodic assessments to identify and remediate vulnerabilities and misconfigurations.
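The intrusion-detection item above is the one most teams find hardest to start on, so here is an added example of the kind of heuristics that can be run over MQTT connection or subscription logs. It is not code from the article or from any vendor product. The log format and the sample lines are constructed for the illustration, and the indicators are the ones the article's case studies describe: connections to a third-party public broker (the broker.emqx.io hostname named above) rather than the organisation's own, plaintext MQTT on port 1883 instead of TLS on 8883, anonymous clients with no username, and random-looking topics used by exactly one client. The allowlist hostname is a placeholder.

```python
"""Detection heuristics for suspicious MQTT activity in connection logs.

Added example, not the article's or any product's code. The key=value log
format and the sample lines are constructed; the rules mirror the behaviour
described in the article (third-party public broker, plaintext 1883,
anonymous clients, per-client random-looking topics).
"""
import math
import re
from collections import Counter

# Constructed sample log lines, not real telemetry.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z src=10.0.0.12 dst=mqtt.corp.example dport=8883 user=hvac-01 topic=plant/line1/temperature
2024-05-01T10:00:05Z src=10.0.0.12 dst=mqtt.corp.example dport=8883 user=hvac-01 topic=plant/line1/humidity
2024-05-01T10:01:10Z src=10.0.0.57 dst=broker.emqx.io dport=1883 user=- topic=clients/7f3a9c1e4b2d8e6a
2024-05-01T10:02:30Z src=10.0.0.58 dst=broker.emqx.io dport=1883 user=- topic=clients/c4d1e9a08b52f376
2024-05-01T10:03:00Z src=10.0.0.12 dst=mqtt.corp.example dport=1883 user=- topic=plant/line1/temperature
"""

# Placeholder: the organisation's own broker hostnames.
ALLOWED_BROKERS = {"mqtt.corp.example"}
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Split '<timestamp> key=value ...' into a dict; dport becomes an int."""
    ts, rest = line.split(" ", 1)
    fields = dict(FIELD_RE.findall(rest))
    fields["ts"] = ts
    fields["dport"] = int(fields["dport"])
    return fields


def shannon_entropy(s: str) -> float:
    """Bits per character; random hex of 16 chars scores close to 4.0."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_random(segment: str) -> bool:
    """Long, high-entropy topic levels are typical of per-client identifiers."""
    return len(segment) >= 16 and shannon_entropy(segment) >= 3.5


def analyze(log_text: str, allowed_brokers=ALLOWED_BROKERS) -> list:
    """Return (src, reason) findings, one per rule that fires on each event."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    # Which sources used each topic, to spot topics unique to one client
    topic_sources = {}
    for e in events:
        topic_sources.setdefault(e["topic"], set()).add(e["src"])

    findings = []
    for e in events:
        if e["dst"] not in allowed_brokers:
            findings.append((e["src"], f"connection to non-allowlisted broker {e['dst']}"))
        if e["dport"] == 1883:
            findings.append((e["src"], "plaintext MQTT on port 1883 (expected TLS on 8883)"))
        if e["user"] == "-":
            findings.append((e["src"], "anonymous MQTT client (no username)"))
        leaf = e["topic"].rsplit("/", 1)[-1]
        if looks_random(leaf) and len(topic_sources[e["topic"]]) == 1:
            findings.append((e["src"], f"random-looking topic unique to this client: {e['topic']}"))
    return findings


def findings_by_source(findings) -> dict:
    """Group reasons by source host so a host hitting several rules stands out."""
    grouped = {}
    for src, reason in findings:
        grouped.setdefault(src, []).append(reason)
    return grouped


if __name__ == "__main__":
    for src, reasons in findings_by_source(analyze(SAMPLE_LOG)).items():
        print(src)
        for r in reasons:
            print("  -", r)
```

In the sample, the two hosts talking to the public broker trip all four rules, while the internal HVAC client trips only the plaintext and anonymous rules once, which is the pattern of a misconfiguration rather than a compromise. Tuning the entropy threshold against your own topic naming scheme, and seeding the allowlist from the hardware and protocol inventory the article recommends, is what keeps the per-client topic rule from firing on legitimate device serial numbers.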
To wrap up, it is crucial for organizations to have a comprehensive understanding of their IoT environments, including recognizing normal behavior patterns and maintaining detailed inventories of hardware and protocols. This foundational knowledge is essential for identifying anomalies and potential threats. Additionally, conducting comprehensive vendor risk assessments when selecting an MQTT broker platform is vital to ensure the security and reliability of the chosen service. Adopting the latest MQTT standard, MQTT 5.0, provides enhanced features and security improvements that are critical for protecting IoT ecosystems.
By implementing these robust security measures, such as multi-layered security, strong authentication, continuous monitoring, and adopting the latest standards, organizations can effectively mitigate the risks associated with MQTT. These proactive steps are essential for safeguarding IoT ecosystems against sophisticated cyber threats, including those posed by groups like Mustang Panda and WailingCrab. Adopting these strategies not only enhances security but also ensures the resilience and reliability of critical IoT deployments.
Some additional resources on this topic
Mitre ATT&CK Mustang Panda Navigator
Image of the Publish Subscribe Architecture: https://www.researchgate.net/figure/Publish-Subscribe-MQTT-Protocol_fig1_332675666
MQsTTang Backdoor Detection: New Custom Malware by Mustang Panda APT Actively Used in the Latest Campaign Against Government Entities - SOC Prime
MQsTTang: Mustang Panda’s latest backdoor treads new ground with Qt and MQTT (welivesecurity.com)
Simplified network graph of c2 comms: https://web-assets.esetstatic.com/wls/2023/03/Figure-4-Simplified-network-graph-of-the-communication-between-the-backdoor-and-CC-server-1.png
Stealthy WailingCrab Malware misuses MQTT Messaging Protocol (securityintelligence.com)
Updated WailingCrab malware loader ups stealth | SC Media (scmagazine.com)