Distributed Denial of Service Disasters

The overall frequency of distributed denial of service (DDoS) attacks increased in 2016 thanks, in part, to Internet of Things botnets, according to information service provider Neustar. The company said it mitigated 40 percent more DDoS attacks from January through November, compared to the year earlier. Neustar warned that as botnet code assemblies are published, dangerous new DDoS developments will continue to emerge, such as persistent device enrollment, which enables botnet operators to maintain control of a device even after it’s rebooted. From colleges to entire U.S. regions, here are eight situations where vulnerable IoT devices brought down networks.

DDoS Attack Affects U.S. College For 54 Hours

A distributed denial of service attack on a college in February, recently made public by security firm Incapsula, affected that institution’s network for 54 hours straight. Incapsula recently revealed the attack, noting that the attackers seemed adept at launching application layer assaults on vulnerable IoT devices. “Based on a number of signature factors, including header order, header values and traffic sources, our client classification system immediately identified that the attack emerged from a Mirai-powered botnet,” according to an Incapsula spokesperson in a blog post. “Our research showed that the pool of attacking devices included those commonly used by Mirai, including CCTV cameras, DVRs and routers.”

DDoS Attack Takes Down Netflix, Twitter

An October DDoS attack – which was launched through IoT devices and blocked an array of websites – deepened the industry’s concerns over the security risk of the Internet of Things. The denial of service attack was launched through Internet of Things consumer devices, including webcams, routers and video recorders, to overwhelm servers at Dynamic Network Services (Dyn) and led to the blockage of more than 1,200 websites.
The attack on Dyn, which connects users to websites such as Twitter and Netflix, came from tens of millions of addresses on devices infected with malicious software codes, knocking out access by flooding websites with junk data.

DDoS Attack Through Vending Machines Hits University

Verizon’s preview of its 2017 Data Breach Digest in February revealed that an unnamed university was hit by a DDoS attack launched through vending machines, lights, and 5,000 other IoT devices. According to Verizon, an incident commander noticed that “name servers, responsible for Domain Name Service (DNS) lookups, were producing high-volume alerts and showed an abnormal number of sub-domains related to seafood.” While administrators were locked out, the university intercepted “the clear text password for a compromised IoT device over the wire and then use that information to perform a password change before the next malware update.”

DDoS Attacks Attempted Against Campaign Websites Of Hillary Clinton And Donald Trump

According to security firm Flashpoint, hackers attempted four Mirai botnet DDoS attacks in November against the campaign websites of Hillary Clinton and Donald Trump. Flashpoint said it observed a 30-second HTTP Layer 7 (application layer) attack against Trump’s website, and the next day it saw attacks against both Trump’s and Clinton’s campaign sites. While attacks were attempted, neither website observed or reported outages. “Flashpoint assesses with moderate confidence that the Mirai botnet has been fractured into smaller, competing botnets due to the release of its source code, which has led to the proliferation of actors exploiting the botnet’s devices,” a spokesperson wrote on Flashpoint’s website.

BBC Domain Downed By DDoS Attack

On New Year’s Eve 2016, the BBC’s website was hit by a DDoS attack that downed its entire domain – including the on-demand television and radio player – for more than three hours.
While the BBC originally said that it was undergoing a technical issue, the broadcaster’s news organization later said the outage was the result of a DDoS attack, according to “sources within the BBC.”

Russian Banks Hit With Waves Of DDoS Attacks

In November, at least five Russian banks, including Sberbank and Alfabank, were the victims of prolonged DDoS attacks that lasted over two days. According to Security Affairs, the attack came from a wide-scale botnet involving up to 24,000 computers and IoT devices located in 30 countries. The banks’ online client services were not disrupted. According to security firm Kaspersky Lab, the incident was the first time that massive DDoS attacks hit Russian banks in 2016.

Rio Olympics Organizations Hit By DDoS Attack Staged By LizardStresser

Arbor Networks’ security engineering and response team revealed in a statement that several organizations affiliated with the Olympics came under “large-scale volumetric” DDoS attacks beginning in September 2015. “A large proportion of the attack volume consisted of UDP reflection and amplification attack vectors such as DNS, chargen, ntp, and SSDP, along with direct UDP packet-flooding, SYN-flooding, and application-layer attacks targeting Web and DNS services,” said Arbor Networks in a statement. According to Arbor Networks, a DDoS-for-hire service called LizardStresser staged most of the pre-Olympic attacks. During the attacks, Arbor Networks carried out several mitigation measures to help Olympics administrators keep their systems running.

Brian Krebs’ Website Experienced DDoS Attack

In September 2016, security investigative reporter Brian Krebs’ information blog experienced a DDoS attack. The attack reportedly placed peak traffic at around 620 Gbps.
Krebs determined a Mirai botnet was responsible for the attack: “The source code that powers the IoT botnet responsible for launching the historically large DDoS attack against KrebsOnSecurity last month has been publicly released, virtually guaranteeing that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices,” he stated on his blog.

“My guess is that (if it’s not already happening) there will soon be many Internet users complaining to their ISPs about slow Internet speeds as a result of hacked IoT devices on their network hogging all the bandwidth. On the bright side, if that happens it may help to lessen the number of vulnerable systems,” said Krebs in the blog post.

Source: http://www.crn.com/slide-shows/internet-of-things/300084663/8-ddos-attacks-that-made-enterprises-rethink-iot-security.htm
Original post:
8 DDoS Attacks That Made Enterprises Rethink IoT Security

The Hajime malware is competing with the Mirai malware to enslave some IoT devices

Mirai — a notorious malware that’s been enslaving IoT devices — has competition. A rival piece of programming has been infecting some of the same easy-to-hack internet-of-things products, with a resiliency that surpasses Mirai, according to security researchers. “You can almost call it Mirai on steroids,” said Marshal Webb, CTO at BackConnect, a provider of services to protect against distributed denial-of-service (DDoS) attacks.

Security researchers have dubbed the rival IoT malware Hajime, and since it was discovered more than six months ago, it’s been spreading unabated and creating a botnet. Webb estimates it’s infected about 100,000 devices across the globe. These botnets, or networks of enslaved computers, can be problematic. They’re often used to launch massive DDoS attacks that can take down websites or even disrupt the internet’s infrastructure. That’s how the Mirai malware grabbed headlines last October. A DDoS attack from a Mirai-created botnet targeted DNS provider Dyn, which shut down and slowed internet traffic across the U.S.

Hajime was first discovered in the same month, when security researchers at Rapidity Networks were on the lookout for Mirai activity. What they found instead was something similar, but also more tenacious. Like Mirai, Hajime also scans the internet for poorly secured IoT devices like cameras, DVRs, and routers. It compromises them by trying different username and password combinations and then transferring a malicious program. However, Hajime doesn’t take orders from a command-and-control server like Mirai-infected devices do. Instead, it communicates over a peer-to-peer network built off protocols used in BitTorrent, resulting in a botnet that’s more decentralized — and harder to stop. “Hajime is much, much more advanced than Mirai,” Webb said.
“It has a more effective way to do command and control.” Broadband providers have been chipping away at Mirai-created botnets by blocking internet traffic to the command servers they communicate with. In the meantime, Hajime has continued to grow 24/7, enslaving some of the same devices. Its peer-to-peer nature means many of the infected devices can relay files or instructions to the rest of the botnet, making it more resilient against any blocking efforts.

[Figure: Hajime infection attempts (blue) vs Mirai infection attempts (red), according to a honeypot from security researcher Vesselin Bontchev.]

Who’s behind Hajime? Security researchers aren’t sure. Strangely, they haven’t observed the Hajime botnet launching any DDoS attacks — which is good news. A botnet of Hajime’s scope is probably capable of launching a massive one similar to what Mirai has done. “There’s been no attribution. Nobody has claimed it,” said Pascal Geenens, a security researcher at security vendor Radware.

However, Hajime does continue to search the internet for vulnerable devices. Geenens’ own honeypot, a system that tracks botnet activity, has been inundated with infection attempts from Hajime-controlled devices, he said. So the ultimate purpose of this botnet remains unknown. But one scenario is that it’ll be used for cybercrime, to launch DDoS attacks for extortion purposes or to engage in financial fraud. “It’s a big threat forming,” Geenens said. “At some point, it can be used for something dangerous.” It’s also possible Hajime might be a research project. Or, in a possible twist, maybe it’s a vigilante security expert out to disrupt Mirai.

So far, Hajime appears to be more widespread than Mirai, said Vesselin Bontchev, a security expert at Bulgaria’s National Laboratory of Computer Virology. However, there’s another key difference between the two malware families. Hajime has been found infecting a smaller pool of IoT devices using ARM chip architecture.
That contrasts with Mirai, which saw its source code publicly released in late September. Since then, copycat hackers have taken the code and upgraded the malware. Vesselin has found Mirai strains infecting IoT products that use ARM, MIPS, x86, and six other platforms. That means the two malware families’ targets don’t completely overlap. Nevertheless, Hajime has stifled some of Mirai’s expansion. “There’s definitely an ongoing territorial conflict,” said Allison Nixon, director of security research at Flashpoint.

To stop the malware, security researchers say it’s best to tackle the problem at its root, by patching the vulnerable IoT devices. But that will take time and, in other cases, it might not even be possible. Some IoT vendors have released security patches for their products to prevent malware infections, but many others have not, Nixon said. That means Hajime and Mirai will probably stick around for a long time, unless those devices are retired. “It will keep going,” Nixon said. “Even if there’s a power outage, [the malware] will just be back and re-infect the devices. It’s never going to stop.”

Source: http://www.itworld.com/article/3190181/security/iot-malware-clashes-in-a-botnet-territory-battle.html
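The contrast the article draws between blocking a Mirai command server and blocking parts of Hajime's peer-to-peer network can be quantified with a small simulation. This is an added illustration, not code from either article or from the malware itself: it models a Mirai-style botnet as bots that depend on one C2 host and a Hajime-style one as bots holding small random peer lists (a stand-in for a DHT routing table), then counts how many bots still receive an instruction after a blocking action. The bot count, peer-list size and blocked fraction are constructed values.

```python
"""Toy model of C2 blocking against a centralized vs a peer-to-peer botnet."""
import random
from collections import deque


def build_p2p_overlay(n, peers_per_bot, seed=1):
    """Each bot keeps a small random peer list. Links are bidirectional
    because peers relay instructions to each other (Hajime-style)."""
    rng = random.Random(seed)
    overlay = {bot: set() for bot in range(n)}
    for bot in range(n):
        candidates = rng.sample(range(n), peers_per_bot + 1)
        for peer in [c for c in candidates if c != bot][:peers_per_bot]:
            overlay[bot].add(peer)
            overlay[peer].add(bot)
    return overlay


def bots_reachable(overlay, blocked, origin):
    """Count bots that still receive an instruction injected at `origin`
    once the blocked bots neither forward nor receive anything."""
    if origin in blocked:
        return 0
    seen = {origin}
    queue = deque([origin])
    while queue:
        bot = queue.popleft()
        for peer in overlay[bot]:
            if peer not in blocked and peer not in seen:
                seen.add(peer)
                queue.append(peer)
    return len(seen)


def centralized_reachable(n, c2_blocked):
    """Mirai-style: every bot talks only to one C2 host. Block that host
    (as the broadband providers in the article did) and no bot gets orders."""
    return 0 if c2_blocked else n


def p2p_survival(n=1000, peers_per_bot=8, block_fraction=0.2, seed=1):
    """Fraction of unblocked bots still reachable after a random
    block_fraction of the population has been cut off."""
    overlay = build_p2p_overlay(n, peers_per_bot, seed)
    rng = random.Random(seed + 1)
    blocked = set(rng.sample(range(n), int(n * block_fraction)))
    origin = next(b for b in range(n) if b not in blocked)  # any surviving bot
    return bots_reachable(overlay, blocked, origin) / (n - len(blocked))


if __name__ == "__main__":
    print("Mirai-style, C2 blocked:", centralized_reachable(1000, True), "bots reachable")
    print(f"Hajime-style, 20% of bots blocked: {p2p_survival():.1%} of survivors reachable")
```

Raising the blocked fraction shows how much of a peer-to-peer botnet must be cut off before instructions stop propagating, which is why the article's researchers point to patching or retiring the devices rather than blocking.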