The distributed denial-of-service (DDoS) attacks that crippled both Xbox Live and the PlayStation Network (PSN) shortly after the holidays came from a botnet made up largely of compromised home routers.
The botnet is managed by Lizard Squad, the group of hackers that took credit for knocking the gaming networks offline on Christmas Day.
In reality the scheme, downtime and all, was more or less an advertisement for Lizard Stresser, a DDoS-for-hire site the group recently launched. The “stresser” site Lizard Squad operates lets anyone who pays knock a chosen site or person offline. That service, security reporter Brian Krebs reports, runs on a large number of routers around the world that have been compromised by malicious code.
Assisted by a team of researchers who were already working with law enforcement, Krebs found that the service, hosted by a dubious internet provider in Bosnia, takes advantage of poorly secured internet routers and other devices.
The attackers rely on malware that continuously scans the internet for devices that still use factory-default credentials such as “admin/admin” and “admin/12345.” While the botnet so far consists mostly of routers, both home routers and commercial routers at companies and colleges, Krebs believes it could soon draw in other kinds of devices.
“There is no reason the malware couldn’t spread to a wide range of devices powered by the Linux operating system, including desktop servers and Internet-connected cameras,” Krebs writes.
Router insecurity has produced a string of vulnerabilities of late. More than 12 million home routers were found vulnerable to a flaw disclosed last month called Misfortune Cookie, a bug in the RomPager embedded web server that many router vendors ship.
Although news of that vulnerability broke a week before Lizard Squad’s DDoS attacks on the Xbox and PlayStation networks, Misfortune Cookie doesn’t appear to figure into the group’s attack vector. Exploiting Misfortune Cookie requires sending a single packet containing a malicious HTTP cookie to a vulnerable router; Lizard Squad’s stresser, by contrast, appears to rely on a simpler, more rudimentary technique: logging in with default credentials.
Krebs writes: “Each infected host is constantly trying to spread the infection to new home routers and other devices accepting incoming connections (via telnet) with default connections.”
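The propagation method described above is simple enough that the defensive counterpart, checking your own routers for a telnet login that accepts factory-default credentials, fits in a short script. The following is an added example written for this page; it is not code from the article, from Krebs, or from the botnet. It speaks the telnet login dialogue over a raw socket (no protocol negotiation, which most embedded telnet daemons tolerate), tries a short list of credential pairs, and reports which ones are accepted. Only the first two pairs come from the article; the remaining pairs, the function names, and the fake router that lets the script run offline are assumptions and constructed stand-ins. Run it only against devices you are authorized to test.

```python
"""Audit a device for telnet logins that accept factory-default credentials.

Added illustration, not code from the article or from Krebs' research.
The fake router at the bottom is a constructed stand-in so the audit
runs offline; point audit_device() at a real host:port you own to use it.
"""
import socket
import socketserver
import threading

# "admin/admin" and "admin/12345" are the pairs the article names; the
# other two are assumed additions typical of such lists, not from the article.
DEFAULT_CREDS = [
    ("admin", "admin"),
    ("admin", "12345"),
    ("admin", "password"),
    ("root", "root"),
]


def recv_until(sock, markers, timeout=3.0):
    """Read until one of the byte markers appears, the peer closes, or timeout."""
    sock.settimeout(timeout)
    buf = b""
    while not any(m in buf for m in markers):
        try:
            chunk = sock.recv(1024)
        except socket.timeout:
            break
        if not chunk:
            break
        buf += chunk
    return buf


def try_login(host, port, user, password, timeout=3.0):
    """Return True if the telnet service at host:port accepts user/password."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = recv_until(s, (b"login:", b"sername:"), timeout)
        if b"login:" not in banner and b"sername:" not in banner:
            return False  # no login prompt: not a telnet login service
        s.sendall(user.encode() + b"\r\n")
        if b"assword:" not in recv_until(s, (b"assword:",), timeout):
            return False
        s.sendall(password.encode() + b"\r\n")
        reply = recv_until(s, (b"# ", b"$ ", b"incorrect", b"failed"), timeout).lower()
        # A shell prompt with no failure message means the credentials worked.
        got_prompt = b"# " in reply or b"$ " in reply
        return got_prompt and b"incorrect" not in reply and b"failed" not in reply


def audit_device(host, port, candidates=DEFAULT_CREDS):
    """Return the (user, password) pairs the device accepted, in list order."""
    accepted = []
    for user, password in candidates:
        try:
            if try_login(host, port, user, password):
                accepted.append((user, password))
        except OSError:
            break  # connection refused or reset: nothing more to learn here
    return accepted


class FakeRouterHandler(socketserver.StreamRequestHandler):
    """Constructed stand-in for a router's telnet login, for offline testing."""

    def handle(self):
        self.wfile.write(b"\r\nRouter login: ")
        user = self.rfile.readline().strip().decode(errors="replace")
        self.wfile.write(b"Password: ")
        password = self.rfile.readline().strip().decode(errors="replace")
        if (user, password) == self.server.accepted:
            self.wfile.write(b"\r\nBusyBox built-in shell (ash)\r\n# ")
        else:
            self.wfile.write(b"\r\nLogin incorrect\r\n")


def start_fake_router(accepted):
    """Start a fake telnet router on 127.0.0.1 (random port) accepting one pair."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeRouterHandler)
    server.daemon_threads = True
    server.accepted = accepted
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    weak = start_fake_router(("admin", "admin"))
    print("weak router accepts:", audit_device("127.0.0.1", weak.server_address[1]))
    weak.shutdown()
```

Any non-empty result from audit_device() is a device the Lizard Stresser malware, as described above, would have been able to recruit; the fix is to change the password and, on a home router, disable telnet on the WAN side entirely.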
The group has boasted on Twitter that the service is built on somewhere between 250,000 and 500,000 infected routers and that at one point last week it purportedly served 900 million requests.
While police in the U.K. arrested one of the collective’s alleged members, 22-year-old Vinnie Omari, on Dec. 30, affiliates of the group have continued to carry out attacks. The group took credit for taking down both 8chan, an imageboard site, and Krebs’ own news site earlier this month.
Someone has been hitting off 8chan for nearly 24 hours using lots of lizardstresser[.]su attacks
— Lizard Squad (@LizardMafia) January 8, 2015
The researchers who helped uncover the botnet asked Krebs to keep them anonymous; they are continuing to work with authorities and internet service providers to get the botnet shut down.
Prior to last year’s cataclysmic breach at Sony Pictures Entertainment, the group took credit for knocking the PSN offline for a weekend in August, ironically in the hope that the company would spend more on its security.