
4/5/2018 07:44 PM

Mirai Variant Botnet Takes Aim at Financials

In January, a botnet based on Mirai was used to attack at least three European financial institutions.

Criminals, like carpenters, hate to see a good tool go unused. It's no surprise, then, that the Mirai botnet has been in action once again, this time in concert with other botnets and with targets in the financial sector.

Insikt Group, the threat research group within Recorded Future, found that a Mirai botnet variant was used to attack a company, or companies, in the financial sector in January. And it might not have been alone; they found that it was possibly linked to the IoTroop or Reaper botnet.

Three financial companies were hit by DDoS attacks on Jan. 28: two at the same time, and the third a few hours later. On Jan. 29, ABN Amro, a Dutch bank, reported that they had been hit by a DDoS attack the previous day and that other Dutch banks had also been hit. Insikt Group says that the DNS amplification attack used against one of the first targets hit 30 Gbps - highly disruptive, but not the largest attack seen.

A Diverse Crew

According to the researchers, the botnet involved in the first company attack was 80% compromised MikroTik routers and 20% various IoT devices. Those devices range from Apache and IIS web servers to webcams, DVRs, TVs, and routers. Manufacturers of the recruited devices include companies from the very small up to Cisco and Linksys.

Irfan Saif is cyber risk services principal for Deloitte Risk and Financial Advisory. In an interview with Dark Reading he points out that the IoT devices brought into the botnets have processing, communication, and networking capabilities, so it's not surprising that they're being recruited for nefarious purposes. "It will be a continuing problem and the intricacies and complexities will continue to evolve," he says.

"There's an ever-increasing set [of IoT applications] in industries and for facilities management that will broaden the set of devices that can be taken," Saif says, adding, "The complexity of devices that can be taken will continue to increase."

The analysts at Insikt Group say that, while many of the devices used in the attacks were previously available for use in other botnets, many others were not known to be subject to existing botnet malware.

A Growing Concern

In Saif's view, as companies increase the size of the IoT network within their network perimeter, the attack surface will increase more rapidly than just the number of devices. "A company may have different ages and generations of devices," he explains. "This increases the complexity of management and broadens the threat surface that can be attacked."

A survey just published by Deloitte says that 40% of professionals admit that managing increasing amounts of data and IoT security pose the greatest cybersecurity challenges to their organization in the coming year. Saif says that there are several reasons for their concern. "They don't necessarily know the technology - it doesn't have the track record, and the tools to mitigate the risk aren't available as broadly as for the rest of IT," he says. In addition, "The skill sets aren't available as broadly, either. It doesn't surprise me that it's one of the two big challenges from the survey."

The Insikt Group has a set of suggestions for companies wanting to prevent their IoT devices from becoming part of a future botnet. Their hands-on suggestions include:

  • Always replace default manufacturer passwords immediately upon use.
  • Keep the firmware for devices current and up-to-date.
  • For IP cameras and similar systems that require remote access, invest in a VPN.
  • Disable unnecessary services (e.g. Telnet) and close ports that are not required for the IoT device.
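As an added illustration of how a defender can turn the four items above into a repeatable check, the following Python script (example code, not from the article, Insikt Group or Recorded Future) audits a device inventory against each item and reports what still needs fixing. The `Device` fields, the sample inventory values and the set of services treated as unnecessary are assumptions made for this illustration; `probe_tcp_port` is a standard-library helper for filling in `open_ports` on devices you administer and is not run against the sample addresses.

```python
"""Audit an IoT device inventory against the four hardening items above.

Example code, not from the article, Insikt Group or Recorded Future. The
Device fields, the sample inventory and the set of services treated as
unnecessary are assumptions made for this illustration.
"""
import socket
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Services the hardening list says to disable unless the device needs them.
# Port numbers are the usual IANA assignments; the policy itself is constructed.
UNNEEDED_SERVICES: Dict[int, str] = {
    21: "ftp",
    23: "telnet",
    2323: "telnet (alternate port)",
}


@dataclass
class Device:
    name: str
    host: str
    firmware: str                   # version currently running
    latest_firmware: str            # version the vendor currently ships
    default_password_changed: bool
    remote_access_required: bool = False
    behind_vpn: bool = False        # remote access reachable only through a VPN
    open_ports: Set[int] = field(default_factory=set)


def probe_tcp_port(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a TCP connection to host:port succeeds.

    Meant for filling Device.open_ports on devices you administer; a closed
    or filtered port raises OSError and is reported as not open.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_device(dev: Device) -> List[str]:
    """Return one finding per hardening item the device fails (empty = compliant)."""
    findings: List[str] = []
    if not dev.default_password_changed:
        findings.append("default manufacturer password still in use")
    if dev.firmware != dev.latest_firmware:
        findings.append(
            f"firmware {dev.firmware} is behind latest {dev.latest_firmware}")
    if dev.remote_access_required and not dev.behind_vpn:
        findings.append("remote access exposed directly instead of through a VPN")
    for port in sorted(dev.open_ports & set(UNNEEDED_SERVICES)):
        findings.append(
            f"unnecessary service {UNNEEDED_SERVICES[port]} listening on tcp/{port}")
    return findings


def audit_inventory(devices: List[Device]) -> Dict[str, List[str]]:
    """Map each device name to its list of findings."""
    return {dev.name: audit_device(dev) for dev in devices}


def devices_needing_attention(results: Dict[str, List[str]]) -> List[str]:
    """Names of devices with at least one finding, sorted for stable reports."""
    return sorted(name for name, findings in results.items() if findings)


# Constructed sample inventory using RFC 5737 documentation addresses; the
# open_ports values are filled in by hand here rather than probed.
SAMPLE_DEVICES = [
    Device(name="lobby-camera", host="192.0.2.10",
           firmware="1.2.0", latest_firmware="1.2.4",
           default_password_changed=False,
           remote_access_required=True, behind_vpn=False,
           open_ports={23, 80, 554}),
    Device(name="edge-router", host="192.0.2.1",
           firmware="2.0.1", latest_firmware="2.0.1",
           default_password_changed=True,
           remote_access_required=True, behind_vpn=True,
           open_ports={22, 443}),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_DEVICES).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for finding in findings:
            print(f"  - {finding}")
```

Run as a script, the sample inventory reports the camera as failing all four items and the router as clean. In practice the inventory would come from your asset database, with `open_ports` populated by calling `probe_tcp_port` against each device from inside your own network, so the report reflects what is actually listening rather than what the configuration claims.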

Deloitte, in the release announcing their survey results, shared strategic pointers for organizations concerned about botnets in their IoT networks.

  • Rethink the approach. Consider the end-to-end process and evaluate cyber risk at the earliest stages of innovation to drive business transformation.
  • Utilize automation, robotics and analytics to manage velocity and scale in domains such as IoT and mobile.
  • Use digital identity to manage human and machine credentials. Focus on user experience and usability to drive adoption and simplify design, mitigating cyber risk at the outset.


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ...

Comments
neiljakson76 (User Rank: Apprentice), 4/6/2018 8:00:20 AM, Re: Your post
Much thanks to you for another educational site. Where else may I get that sort of information written in such a perfect way? I've an undertaking that I'm just now running and I have been at the post for such data. dissertation help