

'Root' & The New Age Of IoT-Based DDoS Attacks

Last Friday's massive DDoS that exploited online cameras and DVRs was simple to pull off -- and a new chapter in online attacks.

The distributed denial-of-service (DDoS) attack last Friday, launched via an army of infected webcams, DVRs, and other systems, crippled a large chunk of the Internet's domain name system (DNS) and served as a wake-up call after years of research and warnings about vulnerable consumer and embedded devices.

It also led to a rare mea culpa by a consumer networked-device manufacturer: Hangzhou Xiongmai Technology Co Ltd, the Chinese maker of electronics for some of the surveillance cameras hijacked by the so-called Mirai botnet used in the attack against DNS provider Dyn, reportedly said it will recall some of its affected products. The firm plans to ratchet up authentication as well as patch devices manufactured prior to April 2015, according to a Reuters report.

Even so, a recall is far from the solution to cleaning up the botnet pollution, especially in the Internet of Things space, security experts say.

"The trouble with hardware that has been hijacked for Mirai is that the devices are 'white label' goods, produced by an unbranded manufacturer for third-party companies," Sophos' principal research scientist Chester Wisniewski said in a blog post today. "The Chinese company that made the hijacked devices, XiongMai, almost certainly has no way of knowing which companies have rebranded and sold its insecure cameras, and thus who the end users are. That makes it pretty much impossible to recall them."

IoT devices—everything from home routers to webcams and smart fridges—are well-known easy security targets. Aside from the "white label" component issue, most of them ship with default authentication and no security features. The bot-infected army of IoT devices pummeled Dyn and crippled major websites such as Okta, Pinterest, Reddit, and Twitter last Friday, leaving websites either inaccessible or slow to load for some users.

But the attackers behind the DDoS, whose origin is still being investigated, did not have to do any sophisticated hacking to recruit their IoT devices. Finding vulnerable IoT devices wide open to the public Internet is easy.

Vikas Singla, co-founder and chief operating officer of stealth startup Securolytics, says his firm discovered that two basic factors contributed to the Mirai botnet's formation. First off, they found that some IoT devices, including webcams, routers, and DVRs, literally broadcast their model numbers and software version information when you connect to them online. "IoT devices tell you what they are … servers don't do that," notes Singla.

Securolytics, which scans the networks of healthcare and financial-services organizations for IoT vulnerabilities, also found that the IoT devices used in the Mirai botnet share a single popular default credential: "root."

Mirai basically searches for devices with the telnet protocol exposed, tries default credentials, and when it finds a match, logs into those devices and uses them for DDoS attacks. CCTV cameras are most often exploited by Mirai because many of these devices rely on default credentials. The botnet malware specifically targets the BusyBox software often found in IoT devices.
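The two observations above (devices accept a factory-default username such as "root" over telnet, and Mirai finds them by trying those credentials at scale) are something a defender can look for in device or gateway logs. The following is an added illustration written for this page, not code from the article, from Securolytics, or from any Mirai analysis: it parses a constructed, syslog-style telnet login log, counts attempts per source address, and flags two conditions, a burst of attempts using default usernames (scanning behaviour) and any successful login with a default username (the device itself still has its factory credential). The log format, the `telnetd` message wording, the source addresses, and the "admin" username are assumptions made for the example; only "root" and the telnet protocol come from the text.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log lines (not from the article), in a syslog-like format
# that a camera or router running a telnet daemon might emit. Addresses are
# from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Oct 21 07:10:02 cam01 telnetd[412]: login attempt user=root from=198.51.100.23 result=fail
Oct 21 07:10:03 cam01 telnetd[412]: login attempt user=root from=198.51.100.23 result=fail
Oct 21 07:10:05 cam01 telnetd[412]: login attempt user=admin from=198.51.100.23 result=fail
Oct 21 07:10:07 cam01 telnetd[412]: login attempt user=root from=198.51.100.23 result=success
Oct 21 07:12:40 cam01 telnetd[412]: login attempt user=operator from=192.0.2.9 result=fail
Oct 21 07:15:11 cam01 telnetd[412]: login attempt user=root from=203.0.113.77 result=success
"""

# Usernames that ship as factory defaults on many IoT devices. "root" is the
# one the article names; "admin" is an assumption added for the example.
DEFAULT_USERS = {"root", "admin"}

# Message layout is an assumption of this example, not a real telnetd format.
LINE_RE = re.compile(
    r"telnetd\[\d+\]: login attempt user=(?P<user>\S+) "
    r"from=(?P<src>\d+\.\d+\.\d+\.\d+) result=(?P<result>success|fail)"
)


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    default_user_hits: int = 0          # attempts that used a default username
    default_user_successes: int = 0     # successful logins with a default username


def parse_line(line):
    """Return (user, src, result) for a telnet login line, or None if the line
    is not a login record."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("user"), m.group("src"), m.group("result")


def summarize(log_text):
    """Aggregate login attempts per source address."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        user, src, result = parsed
        s = stats[src]
        s.attempts += 1
        if result == "fail":
            s.failures += 1
        if user in DEFAULT_USERS:
            s.default_user_hits += 1
            if result == "success":
                s.default_user_successes += 1
    return dict(stats)


def flag_sources(stats, min_attempts=3):
    """Map source address -> reason for sources that look like Mirai-style
    default-credential activity. A successful default-username login is the
    more serious finding, because it means the device still has its factory
    credential and is now under someone else's control."""
    flagged = {}
    for src, s in stats.items():
        if s.default_user_successes:
            flagged[src] = "successful login with a factory-default username"
        elif s.default_user_hits >= min_attempts:
            flagged[src] = "repeated default-credential attempts"
    return flagged


if __name__ == "__main__":
    for src, reason in sorted(flag_sources(summarize(SAMPLE_LOG)).items()):
        print(f"{src}: {reason}")
```

On the constructed log this flags the scanning source (which also got in on its fourth try) and the quieter source that logged in as "root" on its first attempt; the single failed "operator" login is left alone. The immediate mitigation the flags point to is the one the article implies: change or disable the default credential and close telnet on the device, rather than only blocking the source address.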

The Sept. 20 DDoS via Mirai on KrebsOnSecurity reached around 620 Gbps in size, which broke DDoS records in terms of power. The botnet malware's author later dumped the Mirai source code online.

Meanwhile, Dyn has confirmed that the DDoS attack came in three waves last Friday, and used tens of millions of IP addresses across different locations. "We can confirm, with the help of analysis from Flashpoint and Akamai, that one source of the traffic for the attacks were devices infected by the Mirai botnet. We observed 10s of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack," Kyle York, Dyn's chief strategy officer wrote in a post.

Dyn said the DDoS campaign began at around 7:10 am Eastern and concluded around 1:45 pm Eastern.

While all's been quiet on the Mirai DDoS front since then, security experts say this was only the beginning for IoT-based botnet attacks.

"It's going to continue to happen," says Doug Morgan, chief data scientist at Securolytics.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

12/8/2016 | 1:14:53 PM
GCHQ Calls Internet Providers to Rewrite Systems
Looking at the extreme end of the solution spectrum, the recent stories regarding GCHQ's call upon Internet Providers to rewrite systems to aid in preventing hacking attacks seem relevant right now. The idea of national firewalls, national Internet silos, and entirely re-written protocols makes one wonder how bad the cybersecurity ecosystem situation really is out there. For some of us on the inside, we have a better idea, but it's often still only a glimpse compared to what government agencies see. Would these re-writes of standards, protocols and software really do well in preventing large-scale cyber attacks? Is DDoS really the only reason to make such a call for change, or is that type of attack better made a thing of the past through less drastic changes? If BT and Virgin Media are going to work with government cyber-defense teams to rewrite Internet standards to restrict spoofing, is this the foot in the door of a global revamp of the Internet? I know the Internet Service Providers Association (ISPA) is skeptical, as they should be. Such a move could cost trillions of dollars, millions of hours of work and be brought to the floor with a single righteous hack after it's implemented. Measures noted in this article are alternate and logical ways to help on the small scale, but it keeps bringing into question: What do we do for the large scale?