Thought leadership. Threat analysis. Cybersecurity news and alerts.
Cybersecurity Threat Spotlight: Malicious Bots
The recent hacking incident affecting thousands of Canadian Government accounts highlights the growing threat of malicious bots.
Hacking of Thousands of Canadian Government Accounts
The Government of Canada, through the Treasury Board of Canada Secretariat, last August 15th issued a statement stating that an unidentified attacker or attackers targeted the Canadian Government's GCKey system. This system is used by 30 Canadian federal departments as a single sign-on (SSO) system for the public to access government services, such as social services including access to Covid-19 relief programs. The GCKey system is also a means to access the Canadian Revenue Agency (CRA) accounts.
According to the Treasury Board of Canada Secretariat, out of the approximately 12 million active GCKey accounts in Canada, the passwords and usernames of 9,041 users were acquired fraudulently and used to access government services.
Of the total number of accounts fraudulently accessed by the attackers, approximately 5,500 CRA accounts were fraudulently accessed. This prompted authorities to shut down the CRA web portal. To date, the web portal is up and running.
In the August 15th statement, the Treasury Board of Canada Secretariat attributed the hacking incident to the cyberattack called "credential stuffing". In credential stuffing, usernames and passwords stolen from past unrelated data breaches are used to login to victims’ accounts on the assumption that people typically reused usernames and passwords across multiple online accounts.
Tests conducted by BleepingComputer showed that accessing the Canadian departments' web portals, such as CRA, multi-factor authentication and security CAPTCHA (short for Completely Automated Public Turing Test To Tell Computers and Humans Apart in use) aren't enabled in the workflow. "When signing-in from a new computer, the user would be asked a security question (e.g. pet's name), however, there is no mechanism prompting the user for a 2FA code, for example, to be sent via a text message (SMS)," BleepingComputer said.
CNN, meanwhile, reported that Canadian officials disclosed that at one point, they detected as many as 300,000 malicious attempts to access accounts on at least 24 government web portals.
In a press conference held days after the issuance of the August 15th statement of the Treasury Board of Canada Secretariat, Marc Brouillard, acting Chief Technology Officer for the Secretariat said that at one point, the CRA portal was directly targeted with a large amount of traffic using a "botnet to attempt to attack the services through credential stuffing". Brouillard added that the attackers were able to bypass the CRA security questions and fraudulently access CRA accounts by exploiting a vulnerability in the configuration of security software solutions that the Government of Canada used. The acting Chief Technology Officer for the Treasury Board of Canada Secretariat said that this security vulnerability has since been fixed by applying the latest security update.
Credential stuffing attacks and exploitation of known security vulnerabilities are executed through the use of malicious bots.
The word "bots" originates from the word " internet robots". Bots are software programs created for the purpose of automating repetitive tasks.
The repetitive task, for instance, of indexing new webpages had been taken over by bots. For its search engine, Google uses the bot known as "Googlebot" to crawl the internet to index new webpages. Googlebot is one example of a non-malicious bot.
Threat actors, on the other hand, use bots in conducting malicious activities such as credential stuffing attacks, exploitation of known security vulnerabilities, and other cyberattacks such as distributed denial-of-service (DDoS) attacks.
Malicious bots start with one " bad bot". This bad bot is used by a cybercriminal to hijack a computer. This hijacked computer is referred to as a "zombie" computer. Over a period of time, a cybercriminal could hijack thousands to millions of computers to create a network of zombie computers. These zombie computers, collectively called as "botnet", are then used to launch a large-scale malicious attack.
Necurs is an example of a botnet that wreaked havoc globally for years. This botnet was first observed in the wild in 2012. In March 2020, Microsoft said that along with partners across 35 countries, they took coordinated legal and technical steps to disrupt the operation of Necurs.
According to Microsoft, during the span of 8 years, the group behind Necurs, hijacked more than 9 million computers globally to form part of its botnet. During a 58-day period, Microsoft observed one Necurs-hijacked computer sent a total of 3.8 million spam emails to over 40.6 million potential victims.
Aside from sending spam emails, botnet can be used to amass a large list of usernames and passwords used for credential stuffing attacks and can be used to automatically scan websites for software vulnerabilities.
Cybersecurity Best Practices Against Malicious Bots
Malicious bots threaten both the target as well as the zombie computers used as part of the botnet.
In the hacking incident affecting thousands of Canadian Government accounts, compromised accounts are at risk as attackers can change bank account details and siphon money out of the victims' accounts. Being part of a botnet, on the other hand, will slow down and hasten the wear and tear process of hijacked computers.
Some of the best practices in preventing your organization's computers (including IoT devices) from being hijacked as part of a botnet include changing default login details and keeping all software up to date.
To prevent the exploitation of known security vulnerabilities, it's important to keep all of your organization's software up to date.
Here are some of the best practices in preventing or minimizing the effects of credential stuffing attacks:
Mirai Botnet Operator Responsible for Cutting Off Internet Access of an Entire Country Jailed
Mirai Botnet Operator Responsible for Cutting Off Internet Access of an Entire Country Jailed
A UK court recently sentenced to 2 years and 8 months 30-year-old Daniel Kaye for operating the Mirai botnet, which resulted in cutting off the internet access of the entire country of Liberia.
Kaye pleaded guilty in carrying out intermittent Distributed Denial of Service (DDoS) attacks on the Liberian telecommunications provider Lonestar MTN. According to Kaye, he was hired by a rival Liberian network provider and paid a monthly retainer to conduct intermittent DDoS attacks on Lonestar.
According to theUK National Crime Agency (NCA), from September 2016, Kaye started operating his own Mirai botnet, composed of a network of infected Dahua security cameras, to carry out intermittent DDoS attacks on Lonestar. In November 2016, the NCA said that the traffic from Kaye’s Mirai botnet was so high in volume that it disabled internet access all over Liberia.
The intermittent DDoS attacks on Lonestar, the NCA added, resulted in revenue loss of tens of millions in US dollars as customers left the network, and cost the company approximately 600,000 USD for remedial cost to prevent the attacks from happening again.
What Is a Mirai Botnet?
Mirai is a malicious software (malware) that infects Internet of Things (IoT) devices, such as video cameras, and turns these infected IoT devices into a botnet – referring to a group of infected computers that’s operated under the control of a cybercriminal to conduct malicious activities such as DDoS attacks.
Mirai first came to public attention on September 20, 2016, when it attacked Brian Krebs’ security blog. The DDoS attack on Krebs’ security blog was considered one of the largest on record at the time. By the end of September 2016, just days after the DDoS attack on Krebs’ security blog, the author of Mirai, using the name “Anna Senpai”, released the source code of Mirai on an online hacking forum. Anna Senpai claimed that 380,000 IoT devices had been infected by the Mirai malware and formed part of the botnet that took down Krebs’ website.
The Mirai source code reveals that this malware continuously scans the internet for IoT devices that use any of the 61-factory default username and password combinations. While 62 username and password combinations are listed on the Mirai source code, there’s one duplication, leaving only 61 unique username and password combinations.
Given that many owners of IoT devices didn’t bother to change factory default usernames and passwords combinations, the Mirai malware easily infected hundreds of thousands of IoT devices and turned them as a botnet for DDoS attacks.
The publication of the Mirai source code on an online forum encouraged other cybercriminals to copy the code and operate their respective Mirai botnets. Following the publication of the Mirai source code, a series of high-profile DDoS attacks were attributed to Mirai botnets.
On October 21, 2016, Mirai brought down a big chunk of the internet on the U.S. east coast. Dyn, an internet infrastructure company, was a subject a DDoS attack that subsequently rendered popular websites inaccessible to the public. Dyn, in a statement, said that a significant volume of DDoS attack traffic originated from Mirai botnets. To date, the perpetrator of the Dyn DDoS attack remains unknown and no case has been filed against anyone in relation to this attack.
In addition to Lonestar DDoS attacks, Kaye also admitted to launching DDoS attacks using his own Mirai botnet on Deutsche Telekom that affected 1 million customers in November 2016. Kaye was extradited to Germany for this crime but only received a suspended sentence.
Three college-age friends in late 2017, Paras Jha, Josiah White and Dalton Norman, pleaded guilty before a U.S. court in creating the Mirai malware. Jha, in particular, pleaded guilty in launching multiple DDoS attacks using Mirai on Rutgers University computer system, resulting in the shutting of the University’s server used for all communications among faculty, staff and students.
Jha, White and Norman dodged jail. Jha, in particular, was ordered by a New Jersey court to pay $8.6 million in restitution and serve 6 months of home incarceration for launching DDoS attacks on the Rutgers University computer network.
The U.S. Department of Justice, in a statement, said that Jha, White and Norman’s involvement with the Mirai ended when Jha posted the Mirai source code on an online forum. “Since then, other criminal actors have used Mirai variants in a variety of other attacks,” the U.S. Department of Justice said.
The publication of a source code of a malware has two sides. First, it encourages script kiddies – those who attempt to launch cyberattacks using scripts or codes written by others, such as in the case of Mirai. Many script kiddies, using the original Mirai source code, have been able to build their own DDoS botnets and offer the service called “DDoS-for-hire”.
Second, the flipside of making a malware source code public is that this enables the cybersecurity community to study the code and develop tools and advisories that could render this malware inoperable or useless.
There are currently available security tools that block DDoS attacks coming from Mirai botnets. Also, a simple change of factory default username and password combinations can prevent IoT devices from being infected by the Mirai malware and, in effect, could prevent DDoS attacks.
Cybercriminals are, however, relentless in their campaigns. Since the publication of the Mirai source code, cybercriminals have tweaked the Mirai source code, for instance, infecting not just IoT devices, but enterprise servers as well. Attackers also don’t simply use factory default login details in infecting computer devices, but also exploit known security vulnerabilities.
New Mirai Variant Hijacks Enterprise Linux Servers for DDoS Attacks
Researchers at Netscout have discovered a new variant of Mirai – a malicious software (malware) once known for hijacking hundreds of thousands of Internet of Things (IoT) devices, including wireless cameras, routers and digital video recorders, to conduct powerful distributed denial-of-service (DDoS) attacks.
Instead of infecting IoT devices, researchers at Netscoutsaid that the new Mirai variant infects non-IoT devices, in particular, enterprise Linux servers running Apache Hadoop YARN, to serve as DDoS bots.
The original Mirai malware, at its peak, infected hundreds of thousands of IoT devices, controlling these infected IoT devices as botnet to conduct high-impact DDoS attacks. Botnet refers to a group of computers controlled by attackers without the knowledge and consent of the owners to conduct malicious activities, including DDoS attacks. In a DDoS attack, the botnet or controlled computers act in unison, flooding the internet connection of a target, for instance, a particular website.
The original Mirai first came to public attention when it launched a DDoS attack against the website of journalist Brian Krebson September 20, 2016. A few days after, on September 30, the source code of Mirai was publicly released on the English-language hacking community Hackforums by a user using the screen name “Anna-senpai”.
Paras Jha, 22, the person behind Anna-senpai, pleaded guilty for co-creating Mirai. According to the U. S. Department of Justice, from December 2016 to February 2017, Jha along with his 2 college-age friends Josiah White and Dalton Norman, admitted that they successfully infected more than 100,000 IoT devices, such as home internet routers, with Mirai malware and used the hijacked IoT devices to form a powerful DDoS botnet.
Since the public release of the source code of Mirai, a number of Mirai variants have been created and released into the wild. According to Netscout researchers, this latest Mirai variant “is the first time we’ve seen non-IoT Mirai in the wild”.
How the Latest Mirai Variant Works?
To deliver the latest Mirai variant, attackers exploit the security vulnerability of Apache Hadoop YARN.
Apache Hadoop is an open source software framework that enables a cluster or group of computers to communicate and work together to store and process large amounts of data in a highly distributed manner. Meanwhile, YARN, which stands for Yet Another Resource Negotiator, is a key feature of Hadoop that helps in job scheduling of various applications and resource management in the cluster.
According to Netscout researchers, the latest Mirai malware will exploit unpatched Linux servers running on Apache Hadoop YARN, and will attempt to brute-force – attacks that systematically attempt to guess the correct username and password combination – the factory default username and password of the Hadoop YARN server.
DemonBot Vs. Latest Mirai Variant
Researchers at Radwaredetected last month another malware called “DemonBot” that infects Hadoop clusters by leveraging YARN’s unauthenticated remote command execution.
The main similarity between DemonBot and the latest Mirai variant is that both malware exploit the Hadoop YARN security vulnerability in order to infect computers. Both malware programs also turn infected computers as botnet for the purpose of launching DDoS attacks.
Enterprise Linux servers running Apache Hadoop YARN infected by DemonBot and the latest Mirai variant are dangerous as these servers account for large volumes of DDoS traffic.
The main difference between DemonBot and the latest Mirai variant is that DemonBot spreads only via central servers and doesn’t expose worm-like behavior exhibited by Mirai variants. Mirai’s worm-like behavior – its ability to spread itself within networks without user interaction – makes it a more dangerous malware than DemonBot.
According to Radware researchers, as of late October, this year, attackers attempted to exploit the Hadoop YARN vulnerability to deliver the DemonBot at an aggregated rate of over 1 million per day.
Original Mirai Vs. Latest Mirai Variant
According to Netscout researchers, the latest Mira variant behaves much like the original Mirai. This means that both have worm-like behavior and enslaves infected computers for the purpose of launching DDoS attacks.
The main difference between the original Mirai and the latest Mirai variant is that while the original Mirai runs on IoT devices, the latest Mirai variant runs on Linux servers, in particular, those running Apache Hadoop YARN.
“Linux servers in datacenters have access to more bandwidth than IoT devices on residential networks, making them much more efficient DDoS bots,” researchers at Netscout said. ”A handful of well-resourced Linux servers can generate attacks that compete with a much larger IoT botnet.”
According to Netscout researchers, there are tens of thousands of attempts per day to exploit the Hadoop YARN vulnerability to deliver the latest Mirai variant.
The risk of further cyberattacks is high for machines infected by malware like Mirai. To prevent attackers from hijacking your organization’s Linux servers running Apache Hadoop YARN for DDoS attacks, make sure to configure your YARN’s access control by using strong username and password combination.
Also, keep all your organization’s software up-to-date and prevent brute-force attacks by implementing an account lockout policy. For instance, after a certain number of failed login attempts, the account is locked out until an administrator unlocks it.
By leveraging the security vulnerability in enterprise Linux servers running Apache Hadoop YARN, attackers can generate much powerful DDoS attacks. Protect your organization’s online resources like websites from DDoS attacks by using an easy to use, cost-effective and comprehensive DDoS protection.
Contact us today if you need assistance in protecting your organization’s network from malware like Mirai and protecting your organization’s online resources from DDoS attacks.
Mirai Is Evolving as a DDoS Attack Tool
Mirai, the malware that nearly brought down the internet, is evolving and being refined by cybercriminals as a distributed denial of service (DDoS) attack tool.
Symantec's Principal Threat Analysis Engineer Dinesh Venkatesan recently disclosed that he uncovered multiple Mirai variants. Venkatesan said that these multiple Mirai variants are hosted in a live remote server.
Each of these Mirai variants is described to be aimed for a particular platform, making the Mirai portable across different platforms.
According to Venkatesan, one of the major obstacles encountered by script-kiddies, also known as copy/paste malware authors, is portability – the ability of a malware to run on different platforms “in a self-contained capsule without any runtime surprises or misconfiguration”.
The newly uncovered Mirai variants found an answer to the problem of portability by leveraging on the open source tool called “Aboriginal Linux”. According to the author of Aboriginal Linux, this open source tool "automatically create cross compilers and bootable system images for various targets, such as arm, mips, powerpc, and x86".
Using the Aboriginal Linux, the author or authors of the newly uncovered Mirai variants were able to develop versions of the malware tailored for a targeted platform, ranging from routers, IP cameras and even Android devices.
Symantec's Venkatesan said that the newly uncovered Mirai variants spread by scanning devices with default factory login details or known security vulnerabilities.
Original Mirai Botnet
In December last year, 21-year old Paras Jha, along with his two college-age friends Josiah White and Dalton Norman, pleaded guilty for creating the Mirai botnet.
According to the U.S. Department of Justice, in the summer and fall of 2016, Jha, White and Norman created and launched the Mirai botnet – referring to computers infected by the Mirai malware and controlled by Jha’s group without the knowledge or permission of the owners of the computers.
The U.S. Department of Justice said the trio used the Mirai botnet, which at its peak consisted of hundreds of thousands of compromised IoT devices, to launch DDoS attacks.
DDoS attacks refer to cyberattacks which use multiple computers (like the Mirai botnet), controlling these computers without the computers’ owners knowledge for the purpose of making an online service unavailable by overwhelming it with traffic.
"The defendants [Jha, White and Norman] used the botnet to conduct a number of powerful distributed denial-of-service, or ‘DDOS’ attacks, which occur when multiple computers, acting in unison, flood the Internet connection of a targeted computer or computers,” the U.S. Department of Justice said.
While the latest Mirai variants infect not just IoT devices but also Android devices, the computers infected by the original Mirai malware were limited to IoT devices, including routers, wireless cameras, digital video and recorders.
According to the U.S. Department of Justice, the trio’s involvement with the original Mirai ended when Jha posted the source code of Mirai on an online forum in September 2016. “Since then, other criminal actors have used Mirai variants in a variety of other attacks,” the U.S. Department of Justice said.
Jha’s group was able to infect hundreds of thousands of IoT devices with the Mirai malware and turned it into a botnet or zombie army for DDoS attacks by using a short list of 62 common default usernames and passwords.
In October 2016, the DDoS attack against the internet infrastructure company Dynbrought down a big part of the internet on the U.S. east coast. The DDoS attack against Dyn made the world’s top websites, such as Amazon, Twitter and Netflix, temporarily inaccessible. “We are able to confirm that a significant volume of attack traffic originated from Mirai-based botnets,” Dyn said in a statement.
Other Mirai Variants
Early variants of Mirai include Satori, a Mirai variant that morphed into several versions as well. One version of Satori targets Huawei home router HG532. Satori was first observed in the wild by Check Pointresearchers in November 2017. Similar to the original Mirai, Satori has DDoS capabilities and has been reported to launch several DDoS attacks.
According to Check Point, Huawei was informed prior to the public disclosure of Satori. Before the public disclosure of Satori as well Huawei patched the vulnerability.
In May 2018, researchers at FortiGuard Labsuncovered another variant of Mirai called “Wicked”. This Mirai variant particularly infects Netgear routers and CCTV-DVR devices.
According to FortiGuard Labs, Wicked infects Netgear routers and CCTV-DVR devices by using known and available cyberexploits, many of them are old exploits. Similar to the original Mirai and other Mirai variants, Wicked can also be used for DDoS attacks.
Here are some measures in preventing attackers from turning your organization’s IoT devices into a zombie soldier for DDoS attacks:
-Change default login details into something strong and unique
-Install firmware updates in a timely manner
-When setting up Wi-Fi network access, use a strong encryption method
-Use wired connections instead of wireless connections
-Disable the following:
If your organization has an online presence, it's imperative that your organization is equipped in stopping DDoS attacks.
A successful DDoS attack against your organization’s online service negatively impacts your organization’s reputation, can cause loss of customer trust and financial losses. Prolong and unmitigated DDoS attacks can also result in permanent business closure.
Contact us today if you need assistance in securing your organization’s online services from DDoS attacks and if your organization needs assistance in securing IoT devices from being turned into zombie devices for DDoS attacks.
How Bad Internet Bots Can Hurt Your Business
Over 50% of website visitors aren’t humans. According to Imperva Incapsula, 51.8% of the website traffic in 2016 came from bots, also known as web robots, internet bots or botnets.
What is a Bot
A bot is a computer program that performs automated and repetitive tasks over the internet. Using a bot over the internet enables one to do things fast and on a grand scale.
Imperva Incapsula’s “Bot Traffic Report 2016” examined over 16.7 billion visits to 100,000 randomly-selected websites on the Incapsula network. The report showed that 48.2% of the online traffic in 2016 came from humans, while the 51.8% came from bots. Of the 51.8% bots traffic, 22.9% came from good bots and 28.9% came from bad bots.
The Good Bots
Good bots are software programs that do positive things for your site. Four types of good bots dominate the internet today. These include feed fetchers, search engines, commercial crawlers and monitoring bots.
Feed fetchers are good bots that allow website content to be shown on mobile and web applications. They comprised 12.2% of the bots that crawl the internet today.
Search engine bots refer to good bots that regularly collect information from millions of websites and index the data collected into search result pages. Examples of these search engine bots are those bots from Google, Bing and Baidu. They comprised 6.6% of the bots that crawl the internet today.
Commercial crawlers are good bots that are used for authorized data extractions – typically meant as a digital marketing tool. They comprised 2.9% of the bots that crawl the internet today.
Monitoring bots refer to good bots that monitor the availability of the website and the proper functioning of the different website features. They comprised 1.2% of the bots that crawl the internet today.
The Bad Bots
Bad bots are malicious software programs that can do damage to your site. The four types of bad bots that dominate the internet today are the impersonators, scrapers, spammers and hacker tools.
Impersonators are bad bots that assume false identities to bypass security systems. They are frequently used for Distributed Denial of Service (DDoS) attacks. They comprised 24.3% of the bots that crawl the internet today.
DDoS assaults are carried out by a botnet, referring to a group of hijacked computers – in many cases, Internet of Things (IoT) like CCTV cameras. By taking advantage of the security vulnerabilities of these internet-connected devices, cyber attackers remotely control these hijacked devices (unknown to the owners) and send huge volume of data to a victim website. In September 2016, the website of security blogger Brian Krebs was targeted by a massive DDoS attack, exceeding 620 gigabits per second (Gbps).
If your website is a victim of a DDoS attack, your legitimate human visitors won’t be able to access your website. When your legitimate visitor types your website address into a browser, he or she sends a request to the website's server to view the site. Your site’s server can only process a certain number of requests at once. So, when the DDoS attackers overload your site’s server with huge volume of requests, it can't process the massive requests, resulting in “denial of service” of your legitimate visitors.
When no one can access your website as a result of a DDoS assault, this can result in the following:
1. Revenue Loss
The average cost of downtime is $5,600 per minute, this according to an industry survey.
2. Productivity Loss
If your company is highly dependent on your web presence, a few minutes, hours or days of downtime can mean work stoppage for some of your staff.
DDoS attackers are getting sophisticated. Some DDoS assaults are used as “smokescreen” to hide the real intention, which could be to steal funds, steal customer data or steal intellectual property.
4. Reputation Damage
If your customer can’t access your website or if the DDoS attack resulted to breach of data of your customers, this can hurt your company’s brand.
Hacker tools are malicious bots that look for vulnerable websites that can be exploited for data theft and malware injection. They comprised 2.6% of the bots that crawl the internet today. An example of these hacker tools is the SQL injection.
According to the Open Web Application Security Project, “SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.”
Scrapers are malicious bots used for unauthorized data extraction. These bots collect the entire database of your website, including original content and prices of the products you’re selling. They comprised 1.7% of the bots that crawl the internet today. When attackers scrape your entire website, this can result in a drop of your site’s competitive edge.
Spammers are malicious bots that inject spam links into your website, specifically into forums and comment sections. They comprised 0.3% of the bots that crawl the internet today. This type of malicious bots can cause long-term SEO damage to your website. According to Google, “If a site has been affected by a spam action, it may no longer show up in results on Google.com or on any of Google's partner sites.”
Based on Imperva Incapsula’s Bot Traffic Report 2016, every third website visitor for the last five years was an attack or malicious bot.
“Often, these assaults are the result of cybercriminals casting a wide net with automated attacks targeting thousands of domains at a time,” Imperva Incapsula said. “While these indiscriminate assaults are not nearly as dangerous as targeted attacks, they still have the potential to compromise numerous unprotected websites. Ironically, the owners of these websites tend to ignore the danger of bots the most, wrongfully thinking that their website is too ‘small’ to be attacked.”
Steve E. Driz, I.S.P., ITCP