In January, a botnet based on Mirai was used to attack at least three European financial institutions.

Criminals, like carpenters, hate to see a good tool go unused. It's no surprise, then, that the Mirai botnet has been in action once again, this time in concert with other botnets and with targets in the financial sector.

Insikt Group, the threat research group within Recorded Future, found that a Mirai botnet variant was used to attack a company, or companies, in the financial sector in January. And it might not have been alone; they found that it was possibly linked to the IoTroop or Reaper botnet.

Three financial companies were hit by DDoS attacks on Jan. 28: two at the same time, and the third a few hours later. On Jan. 29, ABN Amro, a Dutch bank, reported that they had been hit by a DDoS attack the previous day and that other Dutch banks had also been hit. Insikt Group says that the DNS amplification attack used against one of the first targets hit 30 Gbps - highly disruptive, but not the largest attack seen.

A Diverse Crew

According to the researchers, the botnet involved in the first company attack was 80% compromised MikroTik routers and 20% various IoT devices. Those devices range from Apache and IIS web servers to webcams, DVRs, TVs, and routers. Manufacturers of the recruited devices include companies from the very small up to Cisco and Linksys.

Irfan Saif is cyber risk services principal for Deloitte Risk and Financial Advisory. In an interview with Dark Reading he points out that the IoT devices brought into the botnets have processing, communication, and networking capabilities, so it's not surprising that they're being recruited for nefarious purposes. "It will be a continuing problem and the intricacies and complexities will continue to evolve," he says.

"There's an ever-increasing set [of IoT applications] in industries and for facilities management that will broaden the set of devices that can be taken," Saif says, adding, "The complexity of devices that can be taken will continue to increase."

The analysts at Insikt Group say that, while many of the devices used in the attacks were previously available for use in other botnets, many others were not known to be subject to existing botnet malware.

A Growing Concern

In Saif's view, as companies increase the size of the IoT network within their network perimeter, the attack surface will increase more rapidly than just the number of devices. "A company may have different ages and generations of devices," he explains. "This increases the complexity of management and broadens the threat surface that can be attacked."

A survey just published by Deloitte says that 40% of professionals admit that managing increasing amounts of data and IoT security pose the greatest cybersecurity challenges to their organization in the coming year. Saif says that there are several reasons for their concern. "They don't necessarily know the technology - it doesn't have the track record, and the tools to mitigate the risk aren't available as broadly as for the rest of IT," he says. In addition, "The skill sets aren't available as broadly, either. It doesn't surprise me that it's one of the two big challenges from the survey."

The Insikt Group has a set of suggestions for companies wanting to prevent their IoT devices from becoming part of a future botnet. Their hands-on suggestions include:

  • Always replace default manufacturer passwords immediately upon use.

  • Keep the firmware for devices current and up-to-date.

  • For IP camera and similar systems that require remote access, invest in a VPN.

  • Disable unnecessary services (e.g. Telnet) and close ports that are not required for the IoT device.

Deloitte, in the release announcing their survey results, shared strategic pointers for organizations concerned about botnets in their IoT networks.

  • Rethink the approach. Consider the end-to-end process and evaluate cyber risk at the earliest stages of innovation to drive business transformation.

  • Utilize automation, robotics and analytics to manage velocity and scale in domains such as IoT and mobile.

  • Use digital identity to manage human and machine credentials. Focus on user experience and usability to drive adoption and simplify design, mitigating cyber risk at the outset.

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for an intensive Security Pro Summit at Interop IT X and learn from the industry’s most knowledgeable IT security experts. Check out the agenda here.Register with Promo Code DR200 and save $200.

About the Author(s)

Curtis Franklin, Principal Analyst, Omdia

Curtis Franklin Jr. is Principal Analyst at Omdia, focusing on enterprise security management. Previously, he was senior editor of Dark Reading, editor of Light Reading's Security Now, and executive editor, technology, at InformationWeek, where he was also executive producer of InformationWeek's online radio and podcast episodes

Curtis has been writing about technologies and products in computing and networking since the early 1980s. He has been on staff and contributed to technology-industry publications including BYTE, ComputerWorld, CEO, Enterprise Efficiency, ChannelWeb, Network Computing, InfoWorld, PCWorld, Dark Reading, and ITWorld.com on subjects ranging from mobile enterprise computing to enterprise security and wireless networking.

Curtis is the author of thousands of articles, the co-author of five books, and has been a frequent speaker at computer and networking industry conferences across North America and Europe. His most recent books, Cloud Computing: Technologies and Strategies of the Ubiquitous Data Center, and Securing the Cloud: Security Strategies for the Ubiquitous Data Center, with co-author Brian Chee, are published by Taylor and Francis.

When he's not writing, Curtis is a painter, photographer, cook, and multi-instrumentalist musician. He is active in running, amateur radio (KG4GWA), the MakerFX maker space in Orlando, FL, and is a certified Florida Master Naturalist.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights