Vulnerable IoT Devices Used to Carry out DDoS Attacks
A British man admitted in court this week that he carried out a cyber attack on Deutsche Telekom last year. He claimed that a competitor of the telecom company paid him $10,000 to do the job.
In November last year, Deutsche Telekom publicly acknowledged that internet access for nearly 1 million of its customers was disrupted as a result of a cyber attack. “We saw attacks from the Mirai botnet that targeted customer routers globally,” Thomas Tschersich, head of IT security at Deutsche Telekom, said in a video message posted on Twitter. “The attack led to the devices crashing.”
DDoS, IoT and Botnets Explained
Distributed Denial of Service (DDoS) attacks are one of the most significant cyber threats to businesses today. In a DDoS attack, a cyber criminal infects hundreds of thousands of computers or Internet of Things (IoT) devices with malicious software and turns them, without the knowledge of their owners, into a “botnet”, also known as a “zombie army”, that’s capable of launching powerful DDoS attacks against a particular website or email.
The attack is “distributed”, according to the United States Computer Emergency Readiness Team (US-CERT), because the attacker is using multiple computers to launch the denial of service attack.
Vulnerability of IoT Devices
IoT devices, which include webcams, routers, CCTV cameras and smart TVs, are emerging devices that are connected to one another via the internet. “IoT devices are particularly susceptible to malware, so protecting these devices and connected hardware is critical to protect systems and networks,” US-CERT said.
According to Symantec, IoT devices are being targeted due to the following reasons:
1. Poor Security
Many of today’s IoT devices use default usernames and default passwords, making it easy for cyber criminals to infect the device with malware. In addition, Universal Plug and Play (UPnP) – a feature that opens a port on a router to allow a device to be accessible from the internet – makes the device an easy target for cyber criminals.
2. Processing Power Limitations
Many IoT devices use basic operating systems. This means that a lot of these devices don’t have advanced security features. Most of these devices are simply plugged in and owners don’t bother to apply security updates.
IoT Botnets: Zombie Armies of Cyber Criminals
Cisco, in its 2017 midyear cyber security report, cited 3 common features of IoT botnets:
1. Fast and Easy Setup
The setup can be completed within an hour.
2. Rapid Distribution
Cyber criminals can have a botnet of more than 100,000 infected IoT devices in just 24 hours. This rapid distribution results in exponential growth in the size of the botnet.
3. Low Detection Rate
It’s hard to get samples of an IoT botnet as the malicious code survives in the device’s memory. Once the infected device is restarted, this botnet is wiped out.
In late 2016, IoT devices were used by the Mirai botnet to carry out crippling DDoS attacks.
In September 2016, the Mirai botnet was used to carry out a DDoS attack – the size of 665 Gbps – on the website of cyber security blogger Brian Krebs. In the same month, shortly after the attack on Krebs’ website, Mirai was used to attack the web hosting operation of the French company OVH at a bigger attack size of 1-TBps. On September 30, 2016, the attacker known as “Anna-senpai” publicly released the source code of Mirai.
In October last year, Mirai waged its biggest attack on DynDNS – a DNS provider that’s used by a number of major websites. The DDoS attack on DynDNS caused an outage on hundreds of popular websites including PayPal, Twitter and Spotify.
"We can confirm, with the help of analysis from Flashpoint and Akamai, that one source of the traffic for the attacks were devices infected by the Mirai botnet,” DynDNS said in a statement. “We observed 10s of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack."
In November last year, Mirai once again tried to infect IoT devices, this time the routers of Deutsche Telekom. The telecom company said that internet access of over 900,000 customers – out of its 20 million customers – was disrupted.
“The attack attempted to infect routers with a malware [Mirai] but failed which caused crashes or restrictions for four to five percent of all routers,” the telecom company said. “This led to a restricted use of Deutsche Telekom services for affected customers.”
According to Cisco, Mirai works by connecting to an IoT device using over 60 factory default usernames and passwords. Once the device is infected, it locks itself against additional botnets. The malware then sends the compromised IP and credentials to a centralized ScanListen service. The infected device then helps harvest new bots, producing a self-replicating pattern.
According to Imperva Incapsula, most of the unique IP addresses that hosted Mirai-infected devices belonged to CCTV cameras. Other Mirai-compromised IoT devices included DVRs and routers. Incapsula added that IP addresses of Mirai-infected devices were seen in 164 countries, appearing even in remote locations such as Somalia, Tajikistan and Montenegro.
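An added example, not from the original article or from Cisco: on a defender's network, the self-replicating pattern described above shows up as one internal device opening Telnet connections to many different outside addresses in a short time. The flow-record layout, internal range, window and threshold are assumptions, and the sample flows are constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions (not from the article): record layout, internal range, window
# and threshold. Ports 23 and 2323 are the Telnet ports Mirai scans.
INTERNAL = ip_network("192.168.0.0/16")
TELNET_PORTS = {23, 2323}
WINDOW_SECONDS = 60
MAX_DISTINCT_TARGETS = 5

# Constructed sample flows, one per line: "epoch_seconds src_ip dst_ip dst_port"
SAMPLE_FLOWS = "\n".join(
    # camera: 8 different outside hosts on Telnet ports within 8 seconds
    [f"{1000 + i} 192.168.1.50 203.0.113.{i + 1} {23 if i % 2 else 2323}" for i in range(8)]
    # slow device: 6 Telnet targets, but spread over 10 minutes
    + [f"{1000 + 120 * i} 192.168.1.60 198.51.100.{i + 1} 23" for i in range(6)]
    # laptop: ordinary HTTPS plus a single Telnet session; then a malformed line
    + ["1005 192.168.1.20 198.51.100.7 443", "1006 192.168.1.20 198.51.100.9 23", "garbage line"]
)

def parse_flows(text):
    """Yield (timestamp, src, dst, port) tuples, skipping malformed records."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield int(parts[0]), ip_address(parts[1]), ip_address(parts[2]), int(parts[3])
        except ValueError:
            continue

def find_scanning_devices(text):
    """Return {internal_ip: peak distinct outside Telnet targets in any window}."""
    events = defaultdict(list)
    for ts, src, dst, port in parse_flows(text):
        if src in INTERNAL and dst not in INTERNAL and port in TELNET_PORTS:
            events[str(src)].append((ts, dst))
    flagged = {}
    for src, hits in events.items():
        hits.sort(key=lambda h: h[0])
        start, peak = 0, 0
        for end in range(len(hits)):
            # slide the window start forward until it spans <= WINDOW_SECONDS
            while hits[end][0] - hits[start][0] > WINDOW_SECONDS:
                start += 1
            peak = max(peak, len({dst for _, dst in hits[start:end + 1]}))
        if peak > MAX_DISTINCT_TARGETS:
            flagged[src] = peak
    return flagged
```

Only the camera at 192.168.1.50 is flagged; the slow device and the laptop stay under the threshold inside any 60-second window.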
DDoS against Small Businesses
DDoS attacks aren’t limited to big companies. Sucuri reported on a DDoS attack that went on for days against the website of a small brick and mortar company. Similar to Mirai, the attacker used infected CCTV cameras to launch a DDoS attack on the site of this small company. According to Sucuri, the attacker used compromised CCTV cameras from 105 countries.
How to Prevent the Spread of IoT Botnets
“With over a quarter billion CCTV cameras around the world alone, as well as the continued growth of other IoT devices, basic security practices … should become the new norm,” Imperva Incapsula said.
Basic security practices to prevent the spread of IoT botnets include:
Steve E. Driz, I.S.P., ITCP