The internet is going to be flooded with attacks from new malware that targets insecure routers, IP cameras, digital video recorders, and similar vulnerable devices. In the last couple of months, malware known as “Mirai” has been assembling botnets to orchestrate massive DDoS attacks that have caused vast internet outages around the world. Mirai’s first casualty was KrebsOnSecurity, the blog of computer security journalist Brian Krebs, which was attacked on September 20, 2016. Since then, it has moved on to bring down the French web host OVH with a 1 Tbps attack, and most recently launched multiple major DDoS attacks against the DNS provider Dyn that brought down several high-profile websites, including Amazon, Twitter, and Netflix. A majority of the Internet of Things (IoT) devices involved were IP cameras and digital video recorders manufactured by XiongMai Technologies, and there is speculation that the remaining infected devices could contain a component from the same manufacturer.
What is Mirai?
Mirai turns IoT devices into a botnet for its DDoS attacks. It continuously scans the internet for the IP addresses of such devices and attempts to log in using its list of factory-default or hard-coded user names and passwords. Once it gains access to a device and infects it, the device becomes a bot that reports to a central control server, which then serves as a staging ground for launching powerful DDoS attacks. Infected devices continue to function normally, apart from a sudden spike in bandwidth usage. A reboot wipes the infection, but unless the login password is changed immediately, the next Mirai scan will find the device’s IP address again and it will be compromised once more. Although a password change can prevent the malware from logging in, it is insufficient when Mirai uses telnet or SSH to gain access.
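As an added example (not from the original post or from the Mirai code), the following Python script applies the two tells described above to constructed flow records from a home or office network: a device whose outbound traffic suddenly spikes against its own recent baseline, and a device that starts fanning out telnet or SSH connection attempts to many addresses, which is what a newly infected device does when it joins the scanning. The record layout, thresholds, and addresses are assumptions.

```python
"""Flag LAN devices behaving like Mirai bots in constructed flow records (added
example, not from the post): outbound bandwidth spike and telnet/SSH fan-out."""
from collections import defaultdict
from statistics import median

TELNET_SSH = {22, 23}     # ports the post names as Mirai's way in
SPIKE_FACTOR = 10         # assumed: newest window > 10x median of earlier ones
MIN_SCAN_TARGETS = 20     # assumed: distinct dst IPs on 22/23 in one window

# Constructed records: (minute_bucket, src_ip, dst_ip, dst_port, bytes_out)
FLOWS = (
    # 10.0.0.5: camera with steady traffic, then a spike plus telnet fan-out
    [(m, "10.0.0.5", "203.0.113.9", 443, 50_000) for m in range(5)]
    + [(5, "10.0.0.5", "198.51.100.%d" % i, 23, 60) for i in range(1, 31)]
    + [(5, "10.0.0.5", "203.0.113.9", 443, 900_000)]
    # 10.0.0.7: laptop with normal, steady traffic and no telnet/SSH
    + [(m, "10.0.0.7", "203.0.113.%d" % m, 443, 120_000) for m in range(6)]
)

def bytes_per_bucket(flows):
    """host -> {bucket: total outbound bytes}."""
    per = defaultdict(lambda: defaultdict(int))
    for bucket, src, _dst, _port, nbytes in flows:
        per[src][bucket] += nbytes
    return per

def spike_hosts(flows, factor=SPIKE_FACTOR):
    """Hosts whose newest bucket exceeds factor x median of earlier buckets."""
    flagged = set()
    for host, buckets in bytes_per_bucket(flows).items():
        series = [buckets[b] for b in sorted(buckets)]
        if len(series) >= 3 and series[-1] > factor * median(series[:-1]):
            flagged.add(host)
    return flagged

def scanner_hosts(flows, min_targets=MIN_SCAN_TARGETS):
    """Hosts reaching many distinct destinations on telnet/SSH in one bucket."""
    targets = defaultdict(set)
    for bucket, src, dst, port, _nbytes in flows:
        if port in TELNET_SSH:
            targets[(src, bucket)].add(dst)
    return {src for (src, _b), dsts in targets.items() if len(dsts) >= min_targets}

def suspected_bots(flows):
    """Flagged host -> behaviours seen; both together is a strong signal."""
    verdict = defaultdict(list)
    for host in spike_hosts(flows):
        verdict[host].append("bandwidth spike")
    for host in scanner_hosts(flows):
        verdict[host].append("telnet/ssh fan-out")
    return dict(verdict)

if __name__ == "__main__":
    for host, reasons in suspected_bots(FLOWS).items():
        print(host, "->", ", ".join(reasons))
```

On the constructed data only the camera is flagged, and on both counts; in practice the same logic can be fed from router NetFlow or sFlow exports, with the thresholds tuned to each device class.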
Gartner predicts that the number of IoT devices in households will reach 20.8 billion by 2020. Hundreds of thousands of these devices still use default settings, as evidenced by the fact that Mirai was able to induct more than 380,000 IoT devices into its bot army. The main reasons this malware uses a large number of IoT devices for DDoS attacks are to avoid being traced and to take advantage of virtually unlimited bandwidth. Since traditional anti-DDoS software blocks an IP address based on its abnormal traffic pattern, spreading the attack across many IoT devices, each sending only a modest share, can bypass this filter. Given Mirai’s reach, researchers are watching closely to see how it evolves and how it can be remediated.
The next wave of Mirai
On October 3, 2016, a HackForums user with the moniker “Anna-senpai” made the Mirai source code public. After this move, security analysts felt that the bots would die off over time. But new research suggests that attackers are now finding new ways to infect devices that were previously unsusceptible. The malware is evolving every day: new capabilities are being added and even more devices are being infected to generate waves of malicious traffic. Until a better solution to this problem is identified, all IoT devices still using default login passwords must be identified, with a scan of the kind Mirai performs, and have their default passwords changed. XiongMai Technologies must patch its vulnerabilities soon and must be audited by an independent cyber-security organization. Until then, people should be made aware of the vulnerabilities of IoT devices from such vendors and pursue due diligence when choosing an IoT device.
Any IP-connected device can be vulnerable, and attackers will circumvent your security policies to infect it. This leaves any organization with only two options to stall malicious users – build more walls or rebuild broken walls faster. Enterprises should have the capability to identify attacks quickly and to remediate them even more quickly. When time is of the essence, automation can help you move faster, eliminate errors and reduce costs. So, how resilient are you?