The Schwartz Report

Blog archive

Massive DDoS Attack Exploited IoT Vulnerabilities

It was only a matter of time before hackers would find a way to unleash a massive distributed denial-of-service (DDoS) attack by taking advantage of millions of unprotected endpoints on Internet-connected sensors and components on consumer devices such as webcams, according to security experts. Friday's botnet attack on Dyn, a major DNS provider based in Manchester, N.H., was what Chief Strategy Officer Kyle York described as what will likely to be remembered "as an historic attack," which intermittently took down sites such as PayPal, Twitter, Netflix and Amazon. It also impacted business-critical service providers including cloud-based authentication provider Okta and various providers of electronic medical record systems.

The attacker and motive for the attack are not immediately clear. But threat-assessment firm Flashpoint confirmed that the attackers unleashed botnets based on Mirai, malware that were used last month to bring down the popular Krebs on Security site run by cybersecurity expert Brian Krebs and French hosting provider OVH. Flashpoint said it wasn't immediately clear if any of the attacks were linked to each other. The attackers unleashed a 620Gpbs attack on Krebs' site, which he noted is many orders of magnitude the amount of traffic necessary to bring a site offline.

The Mirai malware targets Internet of Things (IoT) devices ranging from routers, digital video records (DVRs) and webcams from security cameras, according to a description of the attack published by Flashpoint, which also noted that a hacker going by the name of "Anna Senpai" released Mirai's source code online. Flashpoint has also confirmed that botnet was specifically compromising flaws in DVRs and webcams manufactured by XiongMai Technologies, based in China. Flashpoint researchers told Krebs all of the electronics boards infected with Mirai share the default "username: root and password xc3511." Most concerning is that "while users could change the default credentials in the devices' Web-based administration panel, the password is hardcoded into the device firmware and the tools needed to disable it aren't present." Krebs noted. XiongMai today said it is recalling millions of its devices.

Security experts have long warned that such devices and other IoT-based sensors and components are vulnerable because they are not protected. Following the attack last month on the Krebs site, security expert Bruce Schneier warned in a blog post that it validated such fears. "What was new about the Krebs attack was both the massive scale and the particular devices the attackers recruited," Schneier wrote two weeks ago. "What this attack demonstrates is that the economics of the IoT mean that it will remain insecure unless government steps in to fix the problem. This is a market failure that can't get fixed on its own." Schneier last month suggested he had strong reason to believe these are nation-state attacks.

Morey Haber, vice president of technology at BeyondTrust, a provider of privileged identity management access software, agrees. In an interview this morning, Haber said the government should require all Internet-connected hardware including IoT sensors to have firmware that will enable passwords.

This attack could be just the tip of the iceberg, considering that only 10 percent of the Mirai nodes were actually involved in these attacks, said Dale Drew, CSO of Internet-backbone provider Level 3 Communications, in a brief video. "But we are seeing other ones involved as well," Drew said.

If that's the case, Haber said it appears someone is trying to send a message. "What would 50 or 90 percent look like if all of the bots were all turned on and used?," Haber asked. "That begs the question, was this a test, or was it a paid for hire? If it really is only 10 percent, as recorded by L3, we could be in store for something a lot larger because we haven't torn down that network yet."

Level 3's Drew advises companies that believe the attacks are impacting their sites to stay in contact with their ISPs and to use multiple DNS providers.

Posted by Jeffrey Schwartz on 10/24/2016 at 1:27 PM


comments powered by Disqus

Subscribe on YouTube