If you are reading this, you are back on Twitter, listening to your favorite music on Spotify, watching Netflix and you can finally breathe!
Yes, the massive DDoS attack targeting Dyn’s DNS service provider almost broke the Internet, and we are still in the aftermath.
Although the forensics analysis are still ongoing, we do know that this attack integrated at least one botnet of Internet of Things (IoT) devices.
This attack follows two large scale DDoS attacks launched in September that used the same methodology: infecting an ‘army’ of IoT devices to knock down victims’ services.
For security experts, this is no surprise, as we almost sounded like Cassandras, warning for years about the lack of security in IoT devices. Just to give a few examples: Fridges have been hacked to launch spam campaigns, a connected cars PoC hack and sabotage of brakes, medical insulin pumps vulnerable to hacking, connected toys easily hackable, etc.
How did all this happen?
Well, it all started with the Mirai malware, a malware that targets connected objects by exploiting inherent vulnerabilities, especially the fact that these systems are usually protected by factory default passwords or even hard-coded username/passwords. Once infected with malware, these devices become part of the “botnet army” reporting to a central control server. Rise of the machines indeed!
This malware uses a Busybox specific command, which causes the infection to fail if Busybox is not present. This is why the malware is specifically recruiting IoT devices for its botnets. An illustration of how vulnerable IoT devices can be: you can pull 300k bots using telnet (yes telnet :-))
For now, the botnet of Iot devices are used to launch DDoS attacks to knock down websites. As the story is still developing, we can expect that other botnets might be used for targeted data theft.
Experts noted that Mirai infected CCTV cameras, DVRs, smart TV, cellular gateways, etc. Over 1 million devices are infected & have been turned into “bots.”
[You might also like: How Friday’s Massive DDoS Attack on the U.S. Happened?]
Current info (changing regularly): most infected devices are in the U.S., followed by Brazil & Colombia.
To further complicate things, Mirai malware code was made public on Hackforums in early October, and has been seen on Github as well lately. By going open source, anyone can now make a scanner and create his army of IoT devices by infecting vulnerable IoT devices. The source code of Mirai has been copied over 1,000 times until now.
There is also another similar malware (Bashlight/Bashlite ) targeting similar IoT vulnerable devices (they already have an army of IoT devices) but not involved yet in massive attacks like what we saw the past month.
Was this preventable? Definitely, but the Internet of Things revolution did not build on the lessons learned for the IT past experience. Security best practices were not integrated in IoT innovations, mainly because in the race for innovation and shrinking time to market, security was – incorrectly- viewed as a roadblock.
The end result is many connected objects with factory default username/passwords, no encryption, no authentication for 2-way communication, using insecure port 23, etc.
Securing such connected devices in the aftermath, is much more complicated and costly. Take the example of the connected car PoC hack, companies didn’t know how to patch because no solutions were defined by design to patch remotely and millions of cars were recalled, with patching organized via dispatched USB keys.
Although this type of IoT botnet is no surprise, the repercussions are big
- Key websites and internet services were down for a number of hours
- This could and will slow down the internet (as millions of IoT devices will generate a lot of traffic and take over the bandwidth)
- Current number of infected IoT devices = 1,266,702 (figures increasing drastically!)
- With new, larger & bigger botnets, DDoS attacks are increasing exponentially in size. A year ago, we considered 300 Gbps as a large DDoS attack, at the end of 2015 600 Gbps, and now September 2016, 1Tbps!
- The malware code behind these attacks has been made public by its creator. Anyone can create his/her own army of botnets and use it for a cyber-criminal agenda
- In 2016, 5.5 million new “things” are getting connected each day, according to Gartner. 6.4 billion connected things are expected by end of 2016, reaching 20.8 billion by 2020. If all these devices are insecure by design, we can expect more sophisticated attacks targeting them, with more drastic impacts.
Key attacks recorded with IoT DDoS botnets in the past 2 months
Friday’s Dyn attack was the result of Mirai malware infected botnets (not the first attack using Mirai infected devices). It started in September by targeting the website of Krebs (a well known security guru) then OVH, a French web hosting company.
- Krebsonsecurity website (a security guru website): Attack on 20th of September, peak reached 665 Gpbs, based
- OVH attack: OVH is a French web hosting services provider. Attack launched week of September19th. Peak reached 1Tbps based on 145,000 IoT devices. Mainly CCTV, home routers, raspberry pi, DVR, etc.
- Dyn DNS (DNS services provided to websites like Amazon, Spotify, Twitter, Reddit, etc.) suffered the same type of attack on the 21st of October as reported by Flashpoint. Dyn confirmed the information and stated that over 10 million IP addresses were used to flood Dyn’s networks & traffic.
Some might ask, why are hackers using IoT botnets, and not the usual PC botnets? As you can see from the figure above, we have the potential of much larger networks, mainly insecure, easy to infect and usually always on. You turn your PC off, but a CCTV, router, fridge.. these remain on. Which makes the botnets all available for action.
What can we do about it? are we doomed?
Mirai means Future in Japanese.. a good presage of what the future will hold for us?
Cyber-attacks are here to stay. We know that sophisticated stealth attacks will increase and be an undeniable concern for all enterprises. However, some attacks, such as this one, could have been prevented, or at least their impacts lessened, if the all stakeholders adopted more security best practices.
[You might also like: Are You Ready for a New Age of Attacks?]
What can consumers do?
- It is possible to clean an IoT device by rebooting the system (remember IoT devices have volatile RAM-like memory), but the vulnerable devices will be re-infected within minutes because these botnet scans are running all the time.
- Upgrade when possible.
- Set a strong password (do not keep factory password).
- When this is not possible, disconnect from the internet & contact the vendor/manufacturer.
What should manufacturers of IoT devices do?
- Security should not be an option, but the standard way of working. Security experts, if involved in the concept & design phase, will improve security, and set appropriate control mechanisms to facilitate regular security updates & improvement. Nowadays, we cannot have hard-coded passwords or unencrypted communication. This is Security 101.
- We have seen lately connected insulin pumps with identified vulnerabilities, where the manufacturer decided not to issue any patches.
What can ISP do ?
- Need to set up protection against spoofing, as this is exactly what botnets do when they spoof users and issue large volumes of commands to flood the traffic
What can DNS service providers do?
- Improve security & protection of the services, with distributed infrastructures & smart-caching to allow local DNS Resolution, rate-limiting requests, over-provisioning machine resources, etc.
Watch out! What you see is not only what you get. Some DDoS attack methods, such as smoke-screening, are used to flood your business with the DDoS, while in parallel try to steal sensitive data. Monitor, investigate & detect such pervasive & stealth attacks.
We all need to collaborate together to secure every step of the way. As cyber-security experts, we know how hard it is to secure, protect & defend a business. We prepare for the “unknown” because we know that all cyber-attacks are not preventable.
This article first appeared on the Author’s LinkedIn page. Reprinted with permission.