Attacks/Breaches

4/5/2018
07:44 PM
50%
50%

Mirai Variant Botnet Takes Aim at Financials

In January, a botnet based on Mirai was used to attack at least three European financial institutions.

Criminals, like carpenters, hate to see a good tool go unused. It's no surprise, then, that the Mirai botnet has been in action once again, this time in concert with other botnets and with targets in the financial sector.

Insikt Group, the threat research group within Recorded Future, found that a Mirai botnet variant was used to attack a company, or companies, in the financial sector in January. And it might not have been alone; they found that it was possibly linked to the IoTroop or Reaper botnet.

Three financial companies were hit by DDoS attacks on Jan. 28: two at the same time, and the third a few hours later. On Jan. 29, ABN Amro, a Dutch bank, reported that they had been hit by a DDoS attack the previous day and that other Dutch banks had also been hit. Insikt Group says that the DNS amplification attack used against one of the first targets hit 30 Gbps - highly disruptive, but not the largest attack seen.

A Diverse Crew

According to the researchers, the botnet involved in the first company attack was 80% compromised MikroTik routers and 20% various IoT devices. Those devices range from Apache and IIS web servers to webcams, DVRs, TVs, and routers. Manufacturers of the recruited devices include companies from the very small up to Cisco and Linksys.

Irfan Saif is cyber risk services principal for Deloitte Risk and Financial Advisory. In an interview with Dark Reading he points out that the IoT devices brought into the botnets have processing, communication, and networking capabilities, so it's not surprising that they're being recruited for nefarious purposes. "It will be a continuing problem and the intricacies and complexities will continue to evolve," he says.

"There's an ever-increasing set [of IoT applications] in industries and for facilities management that will broaden the set of devices that can be taken," Saif says, adding, "The complexity of devices that can be taken will continue to increase."

The analysts at Insikt Group say that, while many of the devices used in the attacks were previously available for use in other botnets, many others were not known to be subject to existing botnet malware.

A Growing Concern

In Saif's view, as companies increase the size of the IoT network within their network perimeter, the attack surface will increase more rapidly than just the number of devices. "A company may have different ages and generations of devices," he explains. "This increases the complexity of management and broadens the threat surface that can be attacked."

A survey just published by Deloitte says that 40% of professionals admit that managing increasing amounts of data and IoT security pose the greatest cybersecurity challenges to their organization in the coming year. Saif says that there are several reasons for their concern. "They don't necessarily know the technology - it doesn't have the track record, and the tools to mitigate the risk aren't available as broadly as for the rest of IT," he says. In addition, "The skill sets aren't available as broadly, either. It doesn't surprise me that it's one of the two big challenges from the survey."

The Insikt Group has a set of suggestions for companies wanting to prevent their IoT devices from becoming part of a future botnet. Their hands-on suggestions include:

  • Always replace default manufacturer passwords immediately upon use.
  • Keep the firmware for devices current and up-to-date.
  • For IP camera and similar systems that require remote access, invest in a VPN.
  • Disable unnecessary services (e.g. Telnet) and close ports that are not required for the IoT device.

Deloitte, in the release announcing their survey results, shared strategic pointers for organizations concerned about botnets in their IoT networks.

  • Rethink the approach. Consider the end-to-end process and evaluate cyber risk at the earliest stages of innovation to drive business transformation.
  • Utilize automation, robotics and analytics to manage velocity and scale in domains such as IoT and mobile.
  • Use digital identity to manage human and machine credentials. Focus on user experience and usability to drive adoption and simplify design, mitigating cyber risk at the outset.

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for an intensive Security Pro Summit at Interop IT X and learn from the industry’s most knowledgeable IT security experts. Check out the agenda here.Register with Promo Code DR200 and save $200.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
neiljakson76
50%
50%
neiljakson76,
User Rank: Apprentice
4/6/2018 | 8:00:20 AM
Re: Your post
Much thanks to you for another educational site. Where else may I get that sort of information written in such a perfect. I've an undertaking that I'm just now running and I have been at the post for such data.  dissertation help
WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication
John Fontana, Standards & Identity Analyst, Yubico,  9/19/2018
Turn the NIST Cybersecurity Framework into Reality: 5 Steps
Mukul Kumar & Anupam Sahai, CISO & VP of Cyber Practice and VP Product Management, Cavirin Systems,  9/20/2018
NSS Labs Files Antitrust Suit Against Symantec, CrowdStrike, ESET, AMTSO
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17283
PUBLISHED: 2018-09-21
Zoho ManageEngine OpManager before 12.3 Build 123196 does not require authentication for /oputilsServlet requests, as demonstrated by a /oputilsServlet?action=getAPIKey request that can be leveraged against Firewall Analyzer to add an admin user via /api/json/v2/admin/addUser or conduct a SQL Inject...
CVE-2018-17282
PUBLISHED: 2018-09-20
An issue was discovered in Exiv2 v0.26. The function Exiv2::DataValue::copy in value.cpp has a NULL pointer dereference.
CVE-2018-14592
PUBLISHED: 2018-09-20
The CWJoomla CW Article Attachments PRO extension before 2.0.7 and CW Article Attachments FREE extension before 1.0.6 for Joomla! allow SQL Injection within download.php.
CVE-2018-15832
PUBLISHED: 2018-09-20
upc.exe in Ubisoft Uplay Desktop Client versions 63.0.5699.0 allows remote attackers to execute arbitrary code. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of URI ha...
CVE-2018-16282
PUBLISHED: 2018-09-20
A command injection vulnerability in the web server functionality of Moxa EDR-810 V4.2 build 18041013 allows remote attackers to execute arbitrary OS commands with root privilege via the caname parameter to the /xml/net_WebCADELETEGetValue URI.