10/24/2016
06:55 PM
'Root' & The New Age Of IoT-Based DDoS Attacks

Last Friday's massive DDoS that exploited online cameras and DVRs was simple to pull off -- and a new chapter in online attacks.

The distributed denial-of-service (DDoS) attack last Friday, launched via an army of infected webcams, DVRs, and other systems, crippled a large chunk of the Internet's domain name system (DNS) and served as a wake-up call after years of research and warnings about vulnerable consumer and embedded devices.

It also led to a rare mea culpa by a consumer networked-device manufacturer: Hangzhou Xiongmai Technology Co Ltd, the Chinese maker of electronics for some of the surveillance cameras hijacked by the so-called Mirai botnet used in the attack against DNS provider Dyn, reportedly said it will recall some of its affected products. The firm plans to ratchet up authentication as well as patch devices manufactured prior to April 2015, according to a Reuters report.

Even so, a recall is far from the solution to cleaning up the botnet pollution, especially in the Internet of Things space, security experts say.

"The trouble with hardware that has been hijacked for Mirai is that the devices are 'white label' goods, produced by an unbranded manufacturer for third-party companies," Sophos' principal research scientist Chester Wisniewski said in a blog post today. "The Chinese company that made the hijacked devices, XiongMai, almost certainly has no way of knowing which companies have rebranded and sold its insecure cameras, and thus who the end users are. That makes it pretty much impossible to recall them."

IoT devices—everything from home routers to webcams and smart fridges—are well-known easy security targets. Aside from the "white label" component issue, most of them ship with default credentials and no security features. The bot-infected army of IoT devices pummeled Dyn last Friday, crippling major websites such as Okta, Pinterest, Reddit, and Twitter, and leaving them either inaccessible or slow to load for some users.

But the attackers behind the DDoS, whose origin is still under investigation, did not need any sophisticated hacking to recruit their IoT devices. Finding vulnerable IoT devices wide open to the public Internet is easy.

Vikas Singla, co-founder and chief operating officer of stealth startup Securolytics, says his firm discovered that two basic factors contributed to the Mirai botnet's formation. First off, they found that some IoT devices, including webcams, routers, and DVRs, literally broadcast their model numbers and software version information when you connect to them online. "IoT devices tell you what they are … servers don't do that," notes Singla.

Securolytics, which scans the networks of healthcare and financial services organizations for IoT vulnerabilities, also found that the IoT devices used in the Mirai botnet share one popular default credential: "root."

Mirai basically scans for devices with the telnet protocol exposed, tries default credentials, and when a login succeeds, enlists the device for DDoS attacks. CCTV cameras are the devices Mirai exploits most often because so many of them still run with default credentials. The botnet malware specifically targets BusyBox, the stripped-down set of Unix utilities commonly found in IoT devices.
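The propagation behaviour described above (an infected device fanning out telnet connection attempts to many addresses) is visible to a defender in network flow records long before any DDoS traffic appears. The script below, an added example that is not code from the article or from Securolytics, Dyn, or anyone else quoted in it, flags sources that reach an unusual number of distinct telnet destinations inside a short sliding window. It assumes flow records in the constructed form `<ISO timestamp> <src_ip> <dst_ip> <dst_port>`, one per line, as a NetFlow or IPFIX collector could be configured to emit; the sample records, the port set and the thresholds are all assumptions chosen for the demonstration.

```python
"""Spot Mirai-style telnet scanning in flow records.

Added example, not code from the article or from any party quoted in it.
Assumes records of the form "<ISO timestamp> <src_ip> <dst_ip> <dst_port>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Mirai-style scanners probe TCP/23 and TCP/2323; an infected device fans out
# to many addresses in a short time, which is what we look for.
TELNET_PORTS = {23, 2323}
DISTINCT_DST_THRESHOLD = 20          # distinct telnet destinations per window
WINDOW = timedelta(seconds=60)       # sliding window length

# Constructed flow records for the demonstration (not real traffic).
SAMPLE_FLOWS = (
    # a compromised camera probing 25 different hosts on tcp/23 within 25 seconds
    [f"2016-10-21T07:10:{i:02d} 192.0.2.10 198.51.100.{i + 1} 23" for i in range(25)]
    # an administrator logging into three devices over 40 minutes: legitimate
    + ["2016-10-21T08:00:00 192.0.2.50 192.0.2.11 23",
       "2016-10-21T08:20:00 192.0.2.50 192.0.2.12 23",
       "2016-10-21T08:40:00 192.0.2.50 192.0.2.13 2323"]
    # a workstation talking HTTPS to 40 hosts: not telnet, ignored entirely
    + [f"2016-10-21T07:10:{i:02d} 192.0.2.70 203.0.113.{i + 1} 443" for i in range(40)]
)


def parse_flow(line):
    """Split one record into (timestamp, src_ip, dst_ip, dst_port)."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def find_telnet_scanners(lines, threshold=DISTINCT_DST_THRESHOLD, window=WINDOW):
    """Return {src_ip: peak_distinct_destinations} for every source that reached
    at least `threshold` distinct telnet destinations inside one sliding window."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, dst, port = parse_flow(line)
        if port in TELNET_PORTS:
            by_src[src].append((ts, dst))

    flagged = {}
    for src, events in by_src.items():
        events.sort()                       # order by timestamp
        peak, left = 0, 0
        for right in range(len(events)):
            # advance the window start until the window spans at most `window`
            while events[right][0] - events[left][0] > window:
                left += 1
            distinct = len({dst for _, dst in events[left:right + 1]})
            peak = max(peak, distinct)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, peak in find_telnet_scanners(SAMPLE_FLOWS).items():
        print(f"{src}: {peak} distinct telnet destinations within {WINDOW}; investigate")
```

On the constructed records only the camera is reported; the administrator's three logins spread over 40 minutes never exceed one destination per 60-second window, and the HTTPS traffic is not considered at all. The threshold and window are starting points: a device that legitimately manages many telnet endpoints (a jump host, a monitoring probe) should be allow-listed rather than raising the threshold for everything, since raising it is exactly what lets a slow scanner slip through.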

The Sept. 20 Mirai DDoS against KrebsOnSecurity peaked at around 620 Gbps, which set a new record for DDoS volume. The botnet malware's author later dumped the Mirai source code online.

Meanwhile, Dyn has confirmed that the DDoS attack came in three waves last Friday and used tens of millions of IP addresses across different locations. "We can confirm, with the help of analysis from Flashpoint and Akamai, that one source of the traffic for the attacks were devices infected by the Mirai botnet. We observed 10s of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack," Kyle York, Dyn's chief strategy officer, wrote in a post.

Dyn said the DDoS campaign began at around 7:10 am Eastern and concluded around 1:45 pm Eastern.

While all's been quiet on the Mirai DDoS front since then, security experts say this was only the beginning for IoT-based botnet attacks.

"It's going to continue to happen," says Doug Morgan, chief data scientist at Securolytics.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
No SOPA,
User Rank: Ninja
12/8/2016 | 1:14:53 PM
GCHQ Calls Internet Providers to Rewrite Systems
Looking at the extreme end of the solution spectrum, the recent stories regarding GCHQ's call upon Internet Providers to rewrite systems to aid in preventing hacking attacks seem relevant right now. The idea of national firewalls, national Internet silos, and entirely re-written protocols makes one wonder how bad the cybersecurity ecosystem situation really is out there. For some of us on the inside, we have a better idea, but it's often still only a glimpse compared to what government agencies see. Would these re-writes of standards, protocols and software really do well in preventing large-scale cyber attacks? Is DDoS really the only reason to make such a call for change, or is that type of attack better made a thing of the past through less drastic changes? If BT and Virginia Media are going to work with government cyber-defense teams to rewrite Internet standards to restrict spoofing, is this the foot in the door of a global revamp of the Internet? I know the Internet Service Providers Association (ISPA) is skeptical, as they should be. Such a move could cost trillions of dollars, millions of hours of work and be brought to the floor with a single righteous hack after it's implemented. Measures noted in this article are alternate and logical ways to help on the small scale, but it keeps bringing into question: What do we do for the large-scale?