The dangers of haphazardly connecting embedded devices to the Internet have manifested themselves in mammoth distributed denial-of-service attacks, in particular one two weeks ago against security journalist Brian Krebs’ website that peaked at better than 620 Gbps.
The situation worsened over the weekend when source code for the malware that triggered the attack against Krebs On Security was made public on the Hackforums website.
Krebs reported that the Mirai malware continuously scans the Internet looking for so-called Internet of Things devices such as routers, IP-powered cameras, DVRs and more. The malware exploits those devices that rely on default, weak, or hard-coded credentials, and forces them to join giant botnets used in DDoS attacks.
A message posted by the hacker who goes by the handle Anna-senpai said the increased attention on IoT-powered botnets in the days since the Krebs DDoS attack was the impetus for releasing the source code. Anna-senpai said Mirai has allowed him to harness 380,000 bots via weak telnet connections.
“However, after the Kreb [sic] DDoS, ISPs been slowly shutting down and cleaning up their act,” the post reads. “Today, max pull is about 300k bots, and dropping.”
Mirai is now the second such malware family herding these IoT cats into botnets. At the end of August, Level 3 Communications disclosed research on the Bashlite malware, which the company said is responsible for compromising more than one million web-connected cameras and DVRs. Bashlite accelerated its activity quickly in July: at first it communicated with a handful of bots, and before long with hundreds of thousands. Level 3 said 95 percent of the bots were cameras and DVRs, four percent were home routers, and the remaining devices were Linux machines. Hundreds of command and control servers were used to communicate with these compromised endpoints.
IoT botnets could be the new normal very soon, experts said. Most IoT devices are difficult to manage, near impossible to update, and most are sitting ducks for attackers.
Arbor Networks said it monitored 540 Gbps DDoS attacks targeting websites and organizations associated with the Rio Summer Olympic Games. The attacks fluctuated for months before the games, and ramped up during the 16 days of competition.
“It’s not a new phenomenon. What is new is that awareness has grown in the attacker community that there are lots of devices out there shipped with bad configurations like default credentials that are easy to exploit,” said Roland Dobbins, a principal engineer at Arbor Networks. “Actually, it’s pound-for-pound more efficient sending packets in terms of bandwidth than similarly sized general-purpose computers because they don’t have a heavy UI; typically, they’re running relatively lightly.”
Not only are they lightweight, but they’re usually always on and network managers are less likely to spot excessive activity emanating from these devices, Dobbins said.
“Typically, they are unmanaged and deployed on networks where ops is not paying attention to ingress and egress traffic,” he said. “All of this comes together with the fact that there are zillions of these things. Attackers realize they can harness them into a botnet and launch high-volume attacks.”
Mirai is particularly worrisome because of its constant scanning of the Internet looking for default and built-in credentials. The best defense is changing the credentials on the devices rather than simply rebooting them, because a rebooted device that still uses its default credentials can be quickly re-infected, Krebs reported.
The DDoS attacks against the Olympics-related websites, Arbor said, were UDP packet floods against port 179, designed to mimic attacks against BGP TCP ports. Arbor also uncovered the LizardStresser IoT botnet in June, which was using more than 1,000 webcams to launch 400 Gbps DDoS attacks against banks in Brazil and against government agencies and gaming companies in the U.S.
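Dobbins' point that these devices sit on networks where nobody watches ingress and egress traffic, and Arbor's description of the UDP floods against port 179, both translate into detections a network operator can run over flow data. The following is an added example, not code from the article or from Arbor, Level 3 or Krebs: it parses constructed NetFlow-style records (hypothetical format, labelled in the code) and flags two patterns described above: an internal host opening telnet connections to many distinct destinations in a short window, which is how a Mirai-infected device looks on egress, and a burst of UDP packets aimed at port 179 on one destination. The telnet ports (23 and 2323), the window sizes and the thresholds are assumptions chosen for the sample data, not values from the article.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Assumed telnet ports to watch on egress; tune for your environment.
TELNET_PORTS = {23, 2323}


@dataclass(frozen=True)
class Flow:
    ts: int        # epoch seconds
    src: str
    dst: str
    proto: str     # "tcp" or "udp"
    dport: int
    packets: int


def parse_flows(text):
    """Parse hypothetical flow records: 'ts src dst proto dport packets' per line."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, dport, packets = line.split()
        flows.append(Flow(int(ts), src, dst, proto.lower(), int(dport), int(packets)))
    return flows


def find_telnet_scanners(flows, window=60, min_targets=10):
    """Return {src: max distinct telnet destinations seen within `window` seconds}
    for sources that exceed `min_targets` (infected-device scanning on egress)."""
    by_src = defaultdict(list)
    for f in flows:
        if f.proto == "tcp" and f.dport in TELNET_PORTS:
            by_src[f.src].append(f)
    hits = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        targets, left, best = Counter(), 0, 0
        for right, f in enumerate(fl):          # sliding window over sorted flows
            targets[f.dst] += 1
            while f.ts - fl[left].ts > window:  # drop flows older than the window
                targets[fl[left].dst] -= 1
                if targets[fl[left].dst] == 0:
                    del targets[fl[left].dst]
                left += 1
            best = max(best, len(targets))
        if best >= min_targets:
            hits[src] = best
    return hits


def find_udp_floods(flows, port=179, window=10, min_packets=100_000):
    """Return {dst: max packets received on UDP/`port` within `window` seconds}
    for destinations that exceed `min_packets` (flood pattern on ingress)."""
    by_dst = defaultdict(list)
    for f in flows:
        if f.proto == "udp" and f.dport == port:
            by_dst[f.dst].append(f)
    hits = {}
    for dst, fl in by_dst.items():
        fl.sort(key=lambda f: f.ts)
        total, left, best = 0, 0, 0
        for right, f in enumerate(fl):
            total += f.packets
            while f.ts - fl[left].ts > window:
                total -= fl[left].packets
                left += 1
            best = max(best, total)
        if best >= min_packets:
            hits[dst] = best
    return hits


def build_sample_flows():
    """Constructed sample traffic (documentation address ranges), not real data."""
    lines = []
    # An infected camera probing 12 distinct telnet endpoints in about 30 seconds.
    for i in range(12):
        lines.append(f"{1475000000 + i * 2} 192.0.2.10 198.51.100.{i + 1} tcp 23 1")
    # An administrator's two ordinary telnet sessions, 15 minutes apart.
    lines.append("1475000005 192.0.2.11 198.51.100.50 tcp 23 40")
    lines.append("1475000900 192.0.2.11 198.51.100.51 tcp 23 55")
    # 50 sources each sending 5000 UDP packets to port 179 on one host within 10 s.
    for i in range(50):
        lines.append(f"{1475000100 + i % 10} 203.0.113.{i + 1} 192.0.2.80 udp 179 5000")
    # Unremarkable DNS traffic that must not trigger either rule.
    lines.append("1475000100 192.0.2.12 192.0.2.53 udp 53 3")
    return "\n".join(lines)


if __name__ == "__main__":
    sample = parse_flows(build_sample_flows())
    print("telnet scanners:", find_telnet_scanners(sample))
    print("udp/179 floods:", find_udp_floods(sample))
```

On the constructed sample, the scanning camera is reported with 12 distinct targets while the administrator's two sessions are not, and the port 179 flood is reported against its single destination with 250,000 packets in the window. Both rules are deliberately simple; in practice the thresholds should be set from a baseline of the network's normal telnet and BGP-port traffic, and an alert on the egress rule is the cue to change the device's credentials rather than just reboot it.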
“These types of attacks have already superseded [traditional DDoS attacks],” Dobbins said. “IoT botnets are not an upcoming threat. I’m not concerned about the future; I’m concerned about the past. If I could wave a magic wand, I would make it so there are no unsecured embedded devices out there. We still have a huge problem; we still have tens of millions of these devices out there.”