Hangzhou Xiongmai said that it will recall millions of cameras sold in the U.S. in response to Friday’s DDoS attack against DNS provider Dyn that kept a number of web-based services such as Twitter, Github and others offline for much of the day.
The Chinese manufacturer sells OEM white-label circuit boards and software for cameras, along with DVRs and network video recorders. Many of these types of IoT devices were compromised by the Mirai malware, which exploits default credentials in the equipment and corrals them into botnets used and sold for DDoS attacks.
The company released a statement on Friday that pinned much of the blame on users for not changing default passwords on the devices, and that as of April 2015, it had already close off a telnet port also allowing access to the devices. The company also said that many of the reports since Friday linking it to the DDoS attacks are malicious and discrediting, and threatened legal action through China’s Ministry of Justice.
The company said in its statement—translated via Google—that it would recall devices sold earlier and still in use, mainly one million cards used in network cameras, one million cloud network cameras, one million panoramic network cameras and 1.3 million network cameras. It believes only devices sold before April 2015 that have not been updated, are only protected by default credentials and are exposed to the public Internet are vulnerable.
“(If) any of the above conditions are not met, Mai Xiong equipment cannot be attacked or manipulated so this attack had little impact on the actual use of male Mai device,” the company said in its statement.
Dyn, meanwhile, on Saturday said it continues to investigate the root cause of the two waves of DDoS attacks it absorbed on Friday that impacted much of the Internet on the East Coast. The first wave started around 7 a.m. Eastern time with the second commencing around noon. Dyn said the second attack was “global in nature” and was mitigated in an hour. The company said a third attack was attempted, but mitigated before customers were impacted.
Late on Friday, experts confirmed the Mirai botnet and other botnets were behind the attacks and that someone had rented part of Mirai to target Dyn’s DNS services. Dyn said tens of millions of IP addresses associated with Mirai alone were involved.
“The nature and source of the attack is under investigation, but it was a sophisticated attack across multiple attack vectors and internet locations,” Dyn chief strategy officer Kyle York said.
Level 3 Communications, a Colorado-based telecommunications company and ISP said the bulk of the traffic used in the DDoS attack was UDP/53 and TCP/53 with the TCP traffic consisting of TCP DNS SYN attacks, while the UDP traffic was subdomain, or prefix label attacks.
“We believe that there might be one or more additional botnets involved in these attacks. Many of the known bots seen participating in these attacks are associated with one of the primary Mirai botnet domains,” Level 3 CISO Dale Drew said. “The percentage of known-Mirai bots dips (by about half) as the second attack wave surpasses the volume of the first. A large number of new IPs began participating in the attack at that point.”
Drew speculates that the involvement of new IPs in the attack signals the use of multiple botnet networks.
“This could mean that they are renting several different botnets to launch an attack against a specific victim, in which multiple other sites have been impacted – which could result in large copycat attacks and higher victim payouts as to not be impacted in the same way,” Drew said. “It could also be a signal that the bad guy is using multiple botnets to better avoid detection since they are not orchestrating the attack from a single botnet source.”
Mirai could be a long-term menace. The source code for the malware, which was responsible for other massive DDoS attacks against Krebs on Security and French webhost OVH, was made public weeks ago and in that time, researchers have noted that the number of Mirai bots has doubled. The malware scans the Internet for connected devices, accesses them using default or known weak credentials and then compromises them.
As of Friday, Level 3 said there were up to 550,000 Mirai nodes in the botnet and about 10 percent were involved in the Dyn attack.