Tag Archives: mirai

DDoS attack that disrupted internet was largest of its kind in history, experts say

Dyn, the victim of last week’s denial of service attack, said it was orchestrated using a weapon called the Mirai botnet as the ‘primary source of malicious attack’ The cyber-attack that brought down much of America’s internet last week was caused by a new weapon called the Mirai botnet and was likely the largest of its kind in history, experts said. The victim was the servers of Dyn, a company that controls much of the internet’s domain name system (DNS) infrastructure. It was hit on 21 October and remained under sustained assault for most of the day, bringing down sites including Twitter, the Guardian, Netflix, Reddit, CNN and many others in Europe and the US. The cause of the outage was a distributed denial of service (DDoS) attack, in which a network of computers infected with special malware, known as a “botnet”, are coordinated into bombarding a server with traffic until it collapses under the strain. What makes it interesting is that the attack was orchestrated using a weapon called the Mirai botnet. According to a blogpost by Dyn published on Wednesday, Mirai was the “primary source of malicious attack traffic”. Unlike other botnets, which are typically made up of computers, the Mirai botnet is largely made up of so-called “internet of things” (IoT) devices such as digital cameras and DVR players. Because it has so many internet-connected devices to choose from, attacks from Mirai are much larger than what most DDoS attacks could previously achieve. Dyn estimated that the attack had involved “100,000 malicious endpoints”, and the company, which is still investigating the attack, said there had been reports of an extraordinary attack strength of 1.2Tbps. To put that into perspective, if those reports are true, that would make the 21 October attack roughly twice as powerful as any similar attack on record. David Fidler, adjunct senior fellow for cybersecurity at the Council on Foreign Relations, said he couldn’t recall a DDoS attack even half as big as the one that hit Dyn. Mirai was also used in an attack on the information security blog Krebs on Security, run by the former Washington Post journalist Brian Krebs, in September. That one topped out at 665 Gbps. “We have a serious problem with the cyber insecurity of IoT devices and no real strategy to combat it,” Fidler said. “The IoT insecurity problem was exploited on this significant scale by a non-state group, according to initial reports from government agencies and other experts about who or what was responsible. “Imagine what a well-resourced state actor could do with insecure IOT devices,” he added. According to Joe Weiss, the managing partner at the cybersecurity firm Applied Control Solutions and the author of Protecting Industrial Control Systems from Electronic Threats, it is hard to know what Mirai could become. “A lot of these cyber-attacks start out as one particular type of attack and then they morph into something new or different,” he said. “A lot of this is modular software. “I can’t speak for anyone else,” Weiss continued. “[But] I don’t know that we really understand what the endgame is.” Source: https://www.theguardian.com/technology/2016/oct/26/ddos-attack-dyn-mirai-botnet

Original post:
DDoS attack that disrupted internet was largest of its kind in history, experts say

Chinese firm recalls camera products linked to massive DDOS attack

Hangzhou Xiongmai Technology is recalling earlier models of four kinds of cameras due to a security vulnerability A Chinese electronics component maker is recalling 4.3 million internet-connected camera products from the U.S. market amid claims they may have played a role in Friday’s massive internet disruption. On Monday, Hangzhou Xiongmai Technology said it was recalling earlier models of four kinds of cameras due to a security vulnerability that can make them easy to hack. “The main security problem is that users aren’t changing the device’s default passwords,” Xiongmai said in a Chinese-language statement posted online. According to security firm Flashpoint, malware known as Mirai has been exploiting the products from Xiongmai to launch massive distributed denial-of-service attacks, including Friday’s, which slowed access to many popular sites, including Netflix, PayPal, and Twitter. Companies observing Friday’s disruption said botnets powered by the Mirai malware were at least partly responsible for the attack. Xiongmai, a maker of camera modules and DVR boards, has acknowledged that its products have been a target for hackers, but it said it patched the problem with the default passwords back in April 2015. For older products, the company has come up with a firmware update to fix the flaw. To prevent the security risks, the company has still decided to recall earlier models. However, Xiongmai has also dismissed news reports that its products were largely behind Friday’s DDOS attack as untrue and is threatening legal action against those who damage its reputation. “Security vulnerabilities are a common problem for mankind,” the company said. “All industry leaders will experience them.” Experts have said the Mirai malware is probably targeting products from several vendors, in addition to Xiongmai. The malicious coding is built to try a list of more than 60 combinations of user names and passwords when infecting devices . So far, the Mirai malware has gone on to infect at least 500,000 devices, according to internet backbone provider Level 3 Communications. Source: http://www.pcworld.com/article/3133962/chinese-firm-recalls-camera-products-linked-to-massive-ddos-attack.html

Leaked Mirai source code already being tested in wild, analysis suggests

Since the source code to the Mirai Internet of Things botnet was publicly leaked on Sept. 30, researchers at Imperva have uncovered evidence of several low-level distributed denial of serviceattacks likely perpetrated by new users testing out this suddenly accessible DDoS tool. With its unusual ability to bombard targets with traffic in the form of generic routing encapsulation (GRE) data packets, Mirai was leveraged last month to launch a massive DDoS attack against Internet security researcher Brian Krebs’ blog site KrebsonSecurity. Soon after, a Hackforums user with the nickname Anna-senpai publicly posted the botnet’s source code – quite possibly a move by the malware’s original author to impede investigators from closing in on him. In a blog post this week, Imperva reported several low-level DDoS attacks taking place in the days following the leak. Consisting of low-volume application layer HTTP floods leveraging small numbers of source IPs, these attacks “looked like the experimental first steps of new Mirai users who were testing the water after the malware became widely available,” the blog post read. But Imperva also found evidence of much stronger Mirai attacks on its network prior to the leak. On Aug. 17, Imperva mitigated numerous GRE traffic surges that peaked at 280 Gbps and 130 million packets per second. Traffic from this attack originated from nearly 50,000 unique IPs in 164 countries, many of which were linked to Internet-enabled CCTV cameras, DVRs and routers – all infected by Mirai, which continuously scans the web for vulnerable devices that use default or hard-coded usernames and passwords. An Imperva analysis of the source code revealed several unique traits, including a hardcoded blacklist of IPs that the adversary did not want to attack, perhaps in order to keep a low profile. Some of these IPs belonged to the Department of Defense, the U.S. Postal Service and General Electric. Ben Herzberg, security group research manager with Imperva Incapsula, told SCMagazine.com in a phone interview that the Marai’s author may have truncated the complete blacklist before publishing it – possibly because such information could offer a clue as to the attacker’s identity. Imperva also found Mirai to be territorial in nature, using killer scripts to eliminate other worms, trojans and botnet programs that may have infiltrated the same IoT devices. Moreover, the company noted traces of Russian-language strings, which could offer a clue to the malware’s origin. Herzberg said it’s only a matter of time before Mirai’s newest users make their own modifications. “People will start playing with the code and say, ‘Hey, let’s modify this, change this,” said Herzberg. “They have a nice base to start with.” Web performance and security company Cloudflare also strongly suspects it has encountered multiple Mirai DDoS attacks, including one HTTP-based attack that peaked at 1.75 million requests per second. According to a company blog post, the assault leveraged a botnet composed of over 52,000 unique IP addresses, which bombarded the Cloudflare network – primarily its Hong Kong and Prague data centers – with a flurry of short HTTP requests designed to use up server resources and take down web applications. A second HTTP-based attack launched from close to 129,000 unique IP addresses generated fewer requests per second, but consumed up to 360Gbps of inbound HTTP traffic – an unusually high number for this brand of attack. In this instance, much of the malicious traffic was concentrated in Frankfurt. Cloudflare concluded that the attacks were launched from compromised IoT devices, including a high concentration of connected CCTV cameras running on Vietnamese networks and multiple unidentified devices operating in Ukraine. “Although the most recent attacks have mostly involved Internet-connected cameras, there’s no reason to think that they are likely the only source of future DDoS attacks,” the Imperva report warns. “As more and more devices (fridges, fitness trackers, sleep monitors…) are added to the Internet they’ll likely be unwilling participants in future attacks.” Of course, compromised IoT devices can be used for more than just DDoS attacks. Today, Akamai Technologies released a white paper warning of a new in-the-wild exploit called SSHowDowN that capitalizes on a 12-year-old IoT vulnerability. According to Akamai, cybercriminals are remotely converting millions of IoT devices into proxies that route malicious traffic to targeted websites in order to check stolen log-in credentials against them and determine where they can be used. Bad actors can also use the same exploit to check websites for SQL injection vulnerabilities, and can even launch attacks against the internal network hosting the Internet-connected device. The vulnerability, officially designated as CVE-2004-1653, affects poorly configured devices that use default passwords, including video surveillance equipment, satellite antenna equipment, networking devices and Network Attached Storage devices. It allows a remote user to create an authorized Socket Shell (SSH) tunnel and use it as a SOCKS proxy, even if the device is supposedly hardened against SSH connections. “What we’re trying to do is raise awareness,” especially among IoT vendors said Ryan Barnett, principal security research at Akamai, in an interview with SCMagazine.com. Barnett noted that when the CVE first came out, an exploit on it was “more theoretical,” but now “we want to show it is actively being used in a massive attack campaign.” Source: http://www.scmagazine.com/leaked-mirai-source-code-already-being-tested-in-wild-analysis-suggests/article/547313/

More:
Leaked Mirai source code already being tested in wild, analysis suggests