There’s an Army of Slave IoT devices Attacking the Net

Posted: October 31, 2016

Denial of service botnet - infected camera

Digital video recorders (DVRs) and IP cameras were the unlikely weapons of a global cyber-attack that brought one of the internet’s biggest players to its knees.

The distributed denial of service (DDoS) attack against US domain name server (DNS) provider Dyn occurred late last week [October 22].

It caused congestion, and service outages to many of the internet’s most popular sites including: Twitter, New York Times, BBC, Amazon, The Guardian, AirBnB, Spotify, Paypal, Netflix, and Reddit. Users couldn’t access those services, which left many wondering if the apocalypse was on the way.

What is the DNS system and why should you care?

Every website (including yours) requires a registered domain name to exist, and be found, on the internet. But computers prefer numbers over text, so your domain name gets translated to a number behind the scenes which tells a visitor’s computer where to look to find your website or app.

Big databases of those text-to-number addresses are hosted on the web by providers like Dyn, Hostgator, eHost, etc and it’s to these companies that web traffic is funnelled before arriving at your website, so that your computer knows where to go.

If these providers fall to hackers, so does your service, because suddenly web traffic can’t be directed to where your website or online software lives.

What happened?

This particular attack used freely-available malware called Mirai to scan the web looking for Internet of Things (loT) devices with weak default passwords which are easy to infect.

loT devices can be anything with direct access to the net, ranging from Smartphones, to televisions, and even fridges. Or, in this case, IP cameras and DVRS made by Chinese company Hangzhou Xiongmai Technology.

Once infected the devices become controllable robots (shortened to “bots”) which, when linked to other bots, transform into a slave botnet army which can then be used for a variety of destructive purposes like industrial espionage, vandalism, and DDoS.

But what is a DDoS attack?

A distributed denial of service attack is any attempt to take sites offline by overwhelming them with traffic from multiple sources – usually botnets – until they can no longer handle legitimate users.

Not only are they extremely frustrating for users and providers alike, they can also cause:

Loss of revenue
Brand damage and
Lost productivity

How does the malware gain access?

To make production easier, companies making new technology often create components protected by generic usernames and passwords – allowing multiple workers access during development.

This becomes problematic when said components are then on-sold and incorporated into devices with the generic usernames and passwords still intact – providing easy malware incursion points.

What does this mean to you?

According to internet backbone provider Level 3 Communications, Mirai has already spread to at least 500,000 devices connected to the internet. Although a large part of the army is a handful of models of IP Camera, your employees’ smartphones and tablets, or even your office photocopiers and televisions, could already be part of a botnet army just waiting to leap into action and cause havoc!

Make sure your devices aren’t part of the army!

What can you do to ensure that your devices don’t turn against you or others? It’s a simple fix, really

We have a piece of software that can map out your entire network, listing every node, what the manufacturer and operating system is. That allows some visibility on the makeup of your network. Then we drill down on the suspect items to ensure there are no generic passwords among them that can be compromised.

Depending upon the results of our analysis we will then tailor a network security plan that’s right for you and your business. You can rest assured this also includes vetting each loT device connected to your network!

March 2021 Update – Mirai & Botnets Continue To Thrive

In recent years, we haven’t seen too many botnet attacks of the 2016 Dyn cyber attack’s magnitude – only the defunct 3ve (pronounced “eve”) comes to mind. Nonetheless, Mirai has continued to evolve and may still threateningly loom over consumers and enterprises across the world.

Speaking of 3ve, it was a botnet network that has built a database of over one million IP addresses to generate fake ad views and clicks, thus making millions of USD in illicit revenue. 3ve was taken down in late 2018 thanks to the efforts of the FBI, Google, and 20 tech industry companies.

As of March 2021, the Mirai malware hasn’t been defeated. Furthermore, it has given birth to other families of IoT botnets over the years. Among them is Echobot – an IoT botnet based on Mirai’s source code.

Emerged in June 2019, Echobot was designed to target vulnerabilities in business tools. This is in contrast with Mirai which had primarily aimed at consumer devices. Additionally, Echobot could exploit old vulnerabilities that have been around for a decade or so but have never been properly treated.

Other updated variants of Mirai have been spotted as well. In 2018 appeared Okiru – a Mirai successor designed to attack IoT devices built on ARC processors.

In March 2019, another Mirai strain appeared, with 11 completely new exploits added on top of the arsenal of the original Mirai (making for a total of 27 exploits). This particular variant started targeting smart signage TVs and wireless presentation systems.

Internet of Things devices are still vulnerable as well. IoT security remains – to put it mildly – subpar even in enterprise environments. Given that the number of IoT connections in the world is expected to grow to more than 30 billion by 2025, organisations and consumers should start more carefully thinking about how their networks are secured.