Attacks/Breaches

4/5/2018
07:44 PM
50%
50%

Mirai Variant Botnet Takes Aim at Financials

In January, a botnet based on Mirai was used to attack at least three European financial institutions.

Criminals, like carpenters, hate to see a good tool go unused. It's no surprise, then, that the Mirai botnet has been in action once again, this time in concert with other botnets and with targets in the financial sector.

Insikt Group, the threat research group within Recorded Future, found that a Mirai botnet variant was used to attack a company, or companies, in the financial sector in January. And it might not have been alone; they found that it was possibly linked to the IoTroop or Reaper botnet.

Three financial companies were hit by DDoS attacks on Jan. 28: two at the same time, and the third a few hours later. On Jan. 29, ABN Amro, a Dutch bank, reported that they had been hit by a DDoS attack the previous day and that other Dutch banks had also been hit. Insikt Group says that the DNS amplification attack used against one of the first targets hit 30 Gbps - highly disruptive, but not the largest attack seen.

A Diverse Crew

According to the researchers, the botnet involved in the first company attack was 80% compromised MikroTik routers and 20% various IoT devices. Those devices range from Apache and IIS web servers to webcams, DVRs, TVs, and routers. Manufacturers of the recruited devices include companies from the very small up to Cisco and Linksys.

Irfan Saif is cyber risk services principal for Deloitte Risk and Financial Advisory. In an interview with Dark Reading he points out that the IoT devices brought into the botnets have processing, communication, and networking capabilities, so it's not surprising that they're being recruited for nefarious purposes. "It will be a continuing problem and the intricacies and complexities will continue to evolve," he says.

"There's an ever-increasing set [of IoT applications] in industries and for facilities management that will broaden the set of devices that can be taken," Saif says, adding, "The complexity of devices that can be taken will continue to increase."

The analysts at Insikt Group say that, while many of the devices used in the attacks were previously available for use in other botnets, many others were not known to be subject to existing botnet malware.

A Growing Concern

In Saif's view, as companies increase the size of the IoT network within their network perimeter, the attack surface will increase more rapidly than just the number of devices. "A company may have different ages and generations of devices," he explains. "This increases the complexity of management and broadens the threat surface that can be attacked."

A survey just published by Deloitte says that 40% of professionals admit that managing increasing amounts of data and IoT security pose the greatest cybersecurity challenges to their organization in the coming year. Saif says that there are several reasons for their concern. "They don't necessarily know the technology - it doesn't have the track record, and the tools to mitigate the risk aren't available as broadly as for the rest of IT," he says. In addition, "The skill sets aren't available as broadly, either. It doesn't surprise me that it's one of the two big challenges from the survey."

The Insikt Group has a set of suggestions for companies wanting to prevent their IoT devices from becoming part of a future botnet. Their hands-on suggestions include:

  • Always replace default manufacturer passwords immediately upon use.
  • Keep the firmware for devices current and up-to-date.
  • For IP camera and similar systems that require remote access, invest in a VPN.
  • Disable unnecessary services (e.g. Telnet) and close ports that are not required for the IoT device.

Deloitte, in the release announcing their survey results, shared strategic pointers for organizations concerned about botnets in their IoT networks.

  • Rethink the approach. Consider the end-to-end process and evaluate cyber risk at the earliest stages of innovation to drive business transformation.
  • Utilize automation, robotics and analytics to manage velocity and scale in domains such as IoT and mobile.
  • Use digital identity to manage human and machine credentials. Focus on user experience and usability to drive adoption and simplify design, mitigating cyber risk at the outset.

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for an intensive Security Pro Summit at Interop IT X and learn from the industry’s most knowledgeable IT security experts. Check out the agenda here.Register with Promo Code DR200 and save $200.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
neiljakson76
50%
50%
neiljakson76,
User Rank: Apprentice
4/6/2018 | 8:00:20 AM
Re: Your post
Much thanks to you for another educational site. Where else may I get that sort of information written in such a perfect. I've an undertaking that I'm just now running and I have been at the post for such data.  dissertation help
White House Cybersecurity Strategy at a Crossroads
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/17/2018
Mueller Probe Yields Hacking Indictments for 12 Russian Military Officers
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/13/2018
10 Ways to Protect Protocols That Aren't DNS
Curtis Franklin Jr., Senior Editor at Dark Reading,  7/16/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-12959
PUBLISHED: 2018-07-19
The approveAndCall function of a smart contract implementation for Aditus (ADI), an Ethereum ERC20 token, allows attackers to steal assets (e.g., transfer all contract balances into their account).
CVE-2018-14336
PUBLISHED: 2018-07-19
TP-Link WR840N devices allow remote attackers to cause a denial of service (connectivity loss) via a series of packets with random MAC addresses.
CVE-2018-10620
PUBLISHED: 2018-07-19
AVEVA InduSoft Web Studio v8.1 and v8.1SP1, and InTouch Machine Edition v2017 8.1 and v2017 8.1 SP1 a remote user could send a carefully crafted packet to exploit a stack-based buffer overflow vulnerability during tag, alarm, or event related actions such as read and write, with potential for code t...
CVE-2018-14423
PUBLISHED: 2018-07-19
Division-by-zero vulnerabilities in the functions pi_next_pcrl, pi_next_cprl, and pi_next_rpcl in lib/openjp3d/pi.c in OpenJPEG through 2.3.0 allow remote attackers to cause a denial of service (application crash).
CVE-2018-3857
PUBLISHED: 2018-07-19
An exploitable heap overflow exists in the TIFF parsing functionality of Canvas Draw version 4.0.0. A specially crafted TIFF image processed via the application can lead to an out-of-bounds write, overwriting arbitrary data. An attacker can deliver a TIFF image to trigger this vulnerability and gain...