Thought leadership. threat analysis, news and alerts.
Mirai Botnet Operator Responsible for Cutting Off Internet Access of an Entire Country Jailed
A UK court recently sentenced to 2 years and 8 months 30-year-old Daniel Kaye for operating the Mirai botnet, which resulted in cutting off the internet access of the entire country of Liberia.
Kaye pleaded guilty in carrying out intermittent Distributed Denial of Service (DDoS) attacks on the Liberian telecommunications provider Lonestar MTN. According to Kaye, he was hired by a rival Liberian network provider and paid a monthly retainer to conduct intermittent DDoS attacks on Lonestar.
According to theUK National Crime Agency (NCA), from September 2016, Kaye started operating his own Mirai botnet, composed of a network of infected Dahua security cameras, to carry out intermittent DDoS attacks on Lonestar. In November 2016, the NCA said that the traffic from Kaye’s Mirai botnet was so high in volume that it disabled internet access all over Liberia.
The intermittent DDoS attacks on Lonestar, the NCA added, resulted in revenue loss of tens of millions in US dollars as customers left the network, and cost the company approximately 600,000 USD for remedial cost to prevent the attacks from happening again.
What Is a Mirai Botnet?
Mirai is a malicious software (malware) that infects Internet of Things (IoT) devices, such as video cameras, and turns these infected IoT devices into a botnet – referring to a group of infected computers that’s operated under the control of a cybercriminal to conduct malicious activities such as DDoS attacks.
Mirai first came to public attention on September 20, 2016, when it attacked Brian Krebs’ security blog. The DDoS attack on Krebs’ security blog was considered one of the largest on record at the time. By the end of September 2016, just days after the DDoS attack on Krebs’ security blog, the author of Mirai, using the name “Anna Senpai”, released the source code of Mirai on an online hacking forum. Anna Senpai claimed that 380,000 IoT devices had been infected by the Mirai malware and formed part of the botnet that took down Krebs’ website.
The Mirai source code reveals that this malware continuously scans the internet for IoT devices that use any of the 61-factory default username and password combinations. While 62 username and password combinations are listed on the Mirai source code, there’s one duplication, leaving only 61 unique username and password combinations.
Given that many owners of IoT devices didn’t bother to change factory default usernames and passwords combinations, the Mirai malware easily infected hundreds of thousands of IoT devices and turned them as a botnet for DDoS attacks.
The publication of the Mirai source code on an online forum encouraged other cybercriminals to copy the code and operate their respective Mirai botnets. Following the publication of the Mirai source code, a series of high-profile DDoS attacks were attributed to Mirai botnets.
On October 21, 2016, Mirai brought down a big chunk of the internet on the U.S. east coast. Dyn, an internet infrastructure company, was a subject a DDoS attack that subsequently rendered popular websites inaccessible to the public. Dyn, in a statement, said that a significant volume of DDoS attack traffic originated from Mirai botnets. To date, the perpetrator of the Dyn DDoS attack remains unknown and no case has been filed against anyone in relation to this attack.
In addition to Lonestar DDoS attacks, Kaye also admitted to launching DDoS attacks using his own Mirai botnet on Deutsche Telekom that affected 1 million customers in November 2016. Kaye was extradited to Germany for this crime but only received a suspended sentence.
Three college-age friends in late 2017, Paras Jha, Josiah White and Dalton Norman, pleaded guilty before a U.S. court in creating the Mirai malware. Jha, in particular, pleaded guilty in launching multiple DDoS attacks using Mirai on Rutgers University computer system, resulting in the shutting of the University’s server used for all communications among faculty, staff and students.
Jha, White and Norman dodged jail. Jha, in particular, was ordered by a New Jersey court to pay $8.6 million in restitution and serve 6 months of home incarceration for launching DDoS attacks on the Rutgers University computer network.
The U.S. Department of Justice, in a statement, said that Jha, White and Norman’s involvement with the Mirai ended when Jha posted the Mirai source code on an online forum. “Since then, other criminal actors have used Mirai variants in a variety of other attacks,” the U.S. Department of Justice said.
The publication of a source code of a malware has two sides. First, it encourages script kiddies – those who attempt to launch cyberattacks using scripts or codes written by others, such as in the case of Mirai. Many script kiddies, using the original Mirai source code, have been able to build their own DDoS botnets and offer the service called “DDoS-for-hire”.
Second, the flipside of making a malware source code public is that this enables the cybersecurity community to study the code and develop tools and advisories that could render this malware inoperable or useless.
There are currently available security tools that block DDoS attacks coming from Mirai botnets. Also, a simple change of factory default username and password combinations can prevent IoT devices from being infected by the Mirai malware and, in effect, could prevent DDoS attacks.
Cybercriminals are, however, relentless in their campaigns. Since the publication of the Mirai source code, cybercriminals have tweaked the Mirai source code, for instance, infecting not just IoT devices, but enterprise servers as well. Attackers also don’t simply use factory default login details in infecting computer devices, but also exploit known security vulnerabilities.
Reaper IoT Botnet Threatens to Take Down Websites
Reaper IoT botnet, considered as more powerful than the Mirai botnet, is spreading worldwide and threatens to take down websites.
According to Check Point researchers, the Reaper botnet already infected one million IoT devices worldwide. "So far we estimate over a million organizations have already been affected worldwide, including the US, Australia and everywhere in between, and the number is only increasing," Check Point researchers said.
Researchers at Qihoo 360 Netlab, meanwhile, reported that the number of “vulnerable devices in one c2 queue waiting to be infected” reached over 2 million.
IoT botnet refers to internet-connected smart devices which are infected by one malware and is controlled by a cyber criminal from a remote location. It’s typically used by cyber criminals to launch a distributed denial-of-service (DDoS) attack.
“In a distributed denial-of-service (DDoS) attack, an attacker may use your computer to attack another computer,” the United States Computer Emergency Readiness Team (US-CERT) defines DDoS attack. “By taking advantage of security vulnerabilities or weaknesses, an attacker could take control of your computer. He or she could then force your computer to send huge amounts of data to a website or send spam to particular email addresses.”
Infecting millions of IoT devices with a malware is a time-consuming task. Cyber criminals found a way to automate this task by creating a botnet – an army of infected IoT devices. The Reaper malware, as well as the Mirai malware, is spread by the IoT devices themselves. After infecting a particular IoT device, this infected device starts to look for other devices to infect.
The Mirai botnet in October 2016 brought down major websites – including Twitter, Spotify and Reddit – by launching a DDoS attack against the DNS infrastructure of New Hampshire-based company Dyn. Many major websites rely on Dyn’s internet infrastructure.
Reaper Botnet versus Mira Botnet
While the Reaper botnet shares similar characteristics with Mirai, it differs in many ways with the Mirai botnet. On September 30, 2016, the attacker known as “Anna-senpai” publicly released the source code of Mirai. According to Check Point and Qihoo 360 Netlab researchers, Reaper borrows some of the source code of Mirai, but this new botnet is significantly different from Mirai in several key behaviors.
Here are some of the differences between Reaper and Mirai:
1. Number of Affected IoT Devices
The first difference between the Reaper botnet and Mirai botnet is in terms of the number of affected IoT devices. Mirai affected about 500,000 IoT devices, while Reaper has infected over a million IoT devices.
2. Means of Infecting IoT Devices
Mirai was able to infect hundreds of thousands of IoT devices by exploiting the lax attitude of IoT users of not changing the factory or default login and password details. By using default login and password details, Mirai attackers were able to infect a massive number of IoT devices.
On the hand, Reaper’s means of infecting IoT are by exploiting several IoT vulnerabilities which the devices’ manufacturers may or may not have issued security updates or patches. Reaper attackers can, therefore, infect IoT devices even if a strong password is used as the means of entry to the device is by exploiting known software vulnerabilities.
According to Check Point researchers, the Reaper, for instance, infects unpatched wireless IP cameras by exploiting the “CVE-2017-8225” vulnerability.
3. Botnet Capabilities
Mirai already showed what it can do: It brought down major websites worldwide even for just a few hours. For Reaper, it’s still unclear what it wants to do. As of this writing, Reaper’s creator or creators just want (based on the code they wrote) to infect as many IoT devices without yet writing the command to attack any internet infrastructure or websites.
"It is too early to guess the intentions of the threat actors behind it, but with previous Botnet DDoS attacks essentially taking down the Internet, it is vital that organizations make proper preparations and defense mechanisms are put in place before an attack strikes," Check Point researchers said.
The sheer number of infected IoT devices by Reaper – more than twice the number of Mirai’s victims – show how powerful and devastating Reaper can do when used as a means to launch a DDoS attack.
Gartner projected that 8.4 billion IoT devices will be in use worldwide in 2017 and will reach 20.4 billion by 2020. Examples of IoT devices include security systems (alarm systems, surveillance cameras), automation devices (devices that control lighting, heating and cooling, electricity), smart appliances (refrigerators, vacuums, stoves) and wearables (fitness trackers, clothing, watches).
"As more businesses and homeowners use Internet-connected devices to enhance company efficiency or lifestyle conveniences, their connection to the Internet provides new vulnerabilities for malicious cyber actors to exploit," the US Federal Bureau of Investigation (FBI) said. "Once an IoT device is compromised, cyber criminals can facilitate attacks on other systems or networks, send spam e-mails, steal personal information, interfere with physical safety, and leverage compromised devices for participation in distributed denial of service (DDoS) attacks."
How to Block Reaper IoT Botnet
In most cases, owners of infected IoT devices are unaware that their devices are infected and are used for criminal activities, such as launching a DDoS attack. IoT users who fail to change their devices’ default login and password details, as well as by failing to apply security updates, are part of the problem for “blindly” contributing to cyber criminal activities like DDoS attacks.
Here are the top cyber security measures to stop attackers from infecting your IoT devices and turned it into a botnet:
1. Timely Apply Security Updates of IoT Software
Always apply in a timely manner all security updates issued by your IoT manufacturer.
2. Use Strong Password
While the sophisticated malware like the Reaper can bypass strong password, it still pays to use a strong password to ward off less sophisticated malware.
3. Isolate IoT devices on their own protected networks.
4. Block traffic from unauthorized IP addresses by configuring network firewalls.
5. Turn off IoT devices when not in use.
6. When buying an IoT device, look for manufacturers that offer software updates.
Steve E. Driz