LizardStresser IoT Botnet Part of 400Gbps DDoS Attacks

LizardStresser botnet hijacks 1,300 internet-accessible video cameras, enlisting them as pawns in 400Gbps DDoS attacks targeting Brazilian banks and several U.S. gaming firms.

LizardStresser, a distributed denial of service botnet, has found new life leveraging hundreds of internet-connected webcams in attacks against Brazil-based banks and government agencies, as well as a handful of U.S.-based gaming companies.

Researchers at Arbor’s Security Engineering and Response Team (ASERT) say the LizardStresser botnet source code, publicly released in 2015 by the Lizard Squad DDoS group, is behind the attacks. In a report released this week, ASERT says an unknown group of cybercriminals is running this latest iteration of the LizardStresser botnet via approximately 100 command-and-control servers, manipulating about 1,300 webcams and launching attacks as large as 400Gbps.

It’s unclear whose webcams are being hijacked in the attacks, but researchers say the cams that are part of this LizardStresser botnet are running either the x86, ARM or MIPS CPU architecture – all commonly used on embedded IoT devices.

An additional commonality between infected webcams is that 90 percent of the hosts had an HTML title of “NETSurveillance WEB.” Arbor Networks researchers believe the NETSurveillance WEB interface is generic code used by a large number of internet-accessible webcams.

“Each one of these cameras seems to also share the trait of having default configurations making simple work out of guessing usernames and passwords in order to gain telnet access to the cameras,” said Kirk Soluk, researcher with Arbor’s Security Engineering and Response Team.

The LizardStresser botnets carry out what are called telnet brute-force attacks, in which the bots attempt to log in to random IP addresses using a hard-coded list of default usernames and passwords. Once the IoT device is accessed, a command-and-control server sends down the botnet code to the webcam.
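As an added illustration of the telnet brute-force described above (this is not code from the article or from Arbor's report), the following Python routine flags source addresses that rack up repeated failed telnet logins within a short window and notes when a success follows, which is the signature of a default-credential guess that landed. The log format and the addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a syslog-like format as an IoT device or a
# telnet honeypot might emit them (hypothetical format, not from the report).
SAMPLE_LOG = """\
2016-06-30T10:00:01 telnetd: login failed user=root from=198.51.100.7
2016-06-30T10:00:02 telnetd: login failed user=admin from=198.51.100.7
2016-06-30T10:00:03 telnetd: login failed user=root from=198.51.100.7
2016-06-30T10:00:04 telnetd: login failed user=root from=198.51.100.7
2016-06-30T10:00:05 telnetd: login failed user=admin from=198.51.100.7
2016-06-30T10:00:06 telnetd: login ok user=root from=198.51.100.7
2016-06-30T10:05:00 telnetd: login failed user=root from=203.0.113.9
2016-06-30T10:09:00 telnetd: login ok user=operator from=192.0.2.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnetd: login (?P<result>ok|failed) "
    r"user=(?P<user>\S+) from=(?P<src>\S+)$"
)

def parse(log_text):
    """Yield (timestamp, result, user, src) for every line that matches."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"])

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {src: verdict} for sources with >= threshold failures inside a
    sliding `window`. The verdict is 'bruteforce-success' when a successful
    login follows the flagged burst (default credentials likely guessed),
    otherwise 'bruteforce'."""
    failures = defaultdict(list)   # src -> timestamps of recent failures
    verdicts = {}
    for ts, result, _user, src in parse(log_text):
        if result == "failed":
            failures[src].append(ts)
            # drop failures that have aged out of the window
            failures[src] = [t for t in failures[src] if ts - t <= window]
            if len(failures[src]) >= threshold:
                verdicts.setdefault(src, "bruteforce")
        elif src in verdicts:
            # a success after a flagged burst: the guessing worked
            verdicts[src] = "bruteforce-success"
    return verdicts
```

A single failure from a source, or a success with no preceding burst, is left unflagged so that ordinary operator logins do not trip the check.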

Noteworthy to researchers was also the fact that the botnet is particularly robust, able to launch attacks as large as 400Gbps without any amplification.

“What’s interesting is that the attack packets do not appear to be spoofed, meaning the traffic originates from the source addresses in the packets – and no UDP-based amplification protocols such as NTP or SNMP were used,” the report reads.

When researchers extracted geolocation data from the IP addresses generating the DDoS attacks, they traced an overwhelming amount of traffic to Vietnam and Brazil. Targets of the attacks were identified as two large Brazilian banks, two Brazilian telco firms, two government agencies and three large gaming companies located in the U.S.

This is not the first time that LizardStresser botnets have been used to launch DDoS attacks from IoT devices. In January 2015 the Lizard Squad took credit for attacks that crippled both Xbox Live and the PlayStation Network (PSN) on Christmas Day. Those attacks were launched from hacked and infected home routers.

This is also not the first time internet-accessible video cameras have been leveraged in a botnet attack. Earlier this week a much larger botnet, consisting of 25,000 internet-enabled closed circuit TV devices, was spotted by researchers at Sucuri. In that case the attackers used a different style of attack, a layer 7 HTTP flood.

Soluk says IoT devices are becoming bigger and more attractive targets for hackers. That’s because devices often run embedded or stripped-down versions of the Linux OS that lack security features.

“In order to save engineering time, manufacturers of IoT devices sometimes re-use portions of hardware and software in different classes of devices. As a product of this software reuse, the default passwords used to initially manage the device may be shared across entirely different classes of devices,” wrote ASERT in its report.