Monday, November 14, 2016

Mirai or Mirage? The True Story Behind the DDOS Attack.

The true story behind the October 20th massive DDOS attack on the IoT

It was a Test and a Distraction, just as planned.


Yes, the latest DDOS attack was a test.  It was a test of capabilities, wits and the weaponization of malware.  It was a test in America’s ability to respond to and deal with this ever-growing threat, a reality which is sure to be with us for a very long time.  US ProTech has spent years in the field of Cyber and related wargames, and this use of targeted IP-based devices was in one manner simple, which is also why it was successful.  This attack, while seemingly massive, is nothing short of a distraction where you get to see what one hand is doing, while the other magically hides another quarter behind a child’s ear.  Imagine the chaos this attack created; now imagine how it was likely used to hide its real purpose.  US ProTech and the Cyber community will quickly be searching for clues… and will likely find all the usual suspects.  Other firms such as Flashpoint traced Friday’s widespread internet outage to the IoT, according to another industry expert, Brian Krebs.

Consequently, the cyber-attacks which affected popular websites from Twitter to Reddit are the result of malware called “Mirai”, which manipulated smart technology to take the sites offline. The malware used vulnerable technology to launch a Distributed Denial of Service attack, overwhelming the web service DYN with traffic resulting in slow Internet speeds and offline sites.  You’re going to ask questions so here are 5 things you need to know about ‘Mirai’:

1. IoT Botnet ‘Mirai’ Targets Vulnerable ‘Smart’ IoT Technology and Turns Them into ‘Bots’

Like a parasite, ‘Mirai’ will use a host to launch cyber-attacks. The botnet scans the Internet for IoT systems protected by factory default or hard-coded usernames and passwords, according to Krebs’s blog KrebsOnSecurity. Botnets can exploit weak security measures such as standard password and username combinations (e.g. admin, 1111) across devices. These systems are infected with malware, which directs them to a central control system, where they are prepared to launch an attack to take websites offline. Here is a list of the services that were down.

According to HackRead, ‘Mirai’ can break into a wide range of IoT devices from CCTV cameras to DVRs to home networking equipment turning them into ‘bots’. There are nearly half a million Mirai-powered bots worldwide, according to telecommunications company and internet service provider (ISP) Level 3 Communications. Here are the countries with the highest concentrations of IoT devices:

United States: 29 percent
Brazil: 23 percent
Colombia: 8 percent

2. ‘Mirai’ Took Out Amazon, Spotify, Twitter and More Websites in a DDOS Attack

The morning of October 21 saw widespread internet outages caused by a massive DDOS attack, which overwhelmed the web service with traffic. Krebs reported that cybersecurity firm Flashpoint traced the hack to Mirai. The journalist’s own website, krebsonsecurity.com, was taken down by a Mirai-powered DDOS attack. The cyber-attack on Friday targeted Internet traffic company DYN, which provides services for websites like Amazon, Spotify and Twitter. Other botnets may have been behind the attack, reports Politico’s cybersecurity reporter Eric Geller.

In an interview with CNBC, DYN said that the attacks were “well planned and executed, coming from tens of millions IP addresses at same time.” The Department of Homeland Security and White House are also looking into the attack. NBC News reports that one official ruled out North Korea as a suspect.

3. ‘Mirai’s Author Has an Avi of Anime Character Anna Nishikinomiya and Mirai Means “Future” in Japanese

The person who created the botnet is nicknamed ‘Anna-Senpai’ and has an avi of the anime figure Anna Nishikinomiya. Anna appears in the Japanese novel series Shimoseka, which is set in a dystopian future filled with morality police.

As the student council president of a prominent ‘morality school’, Anna is the enforcer of public morality laws, according to MyAnimeList. The word ‘Mirai’ also has Japanese origins, meaning ‘future’. A manga series called ‘Future Diary’ also describes a dystopian society modeled after the battle royale (think Hunger Games) where each contestant has a diary with notes written from the future.

‘Mirai’ is also part of a family of malware that infects IoT devices through default usernames and passwords. The other malware that has been used to create an IoT device army is called “Bashlight”. While these two strains of malware compete with each other, research from Level 3 suggests that they target some of the same devices. Currently, “Bashlight” is creating an army of a million IoT devices.

“Both [are] going after the same IoT device exposure and, in a lot of cases, the same devices,” Dale Drew, Level 3’s chief security officer, told KrebsOnSecurity.

4. You Can Wipe Off the Malware from an IoT System but Recurrence is Likely

It’s possible to clean an IoT system infected by ‘Mirai’, but the botnet scans systems so often that there’s a high chance of recurrence. You can destroy the malicious code by rebooting the computer, but experts warn that vulnerable IoT devices can be re-infected in minutes.
This is bad news for cybersecurity as the IoT device market heats up and people buy into smart, automated systems. Gartner Inc. projects connected devices to rise to 6.4 billion worldwide in 2016, with almost 5.5 million devices being connected daily.

Telecommunications company Level 3 advised users to upgrade devices and set strong passwords, according to the Wall Street Journal. For a more sustainable solution to DDOS attacks, Krebs says ISPs will need to protect their networks from spoofing, where the attacker sends messages as the victim website and generates a huge amount of traffic. He added that the lack of these safeguards could lead to online censorship.
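The scanning described in item 1 is also how a re-infected device gives itself away on your own network: it starts opening telnet connections to many different addresses in a short time. The following is an added example, not part of the original post, that flags such hosts in a connection log; the log format, the sample lines, the 60-second window and the threshold of five destinations are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, sorted by time: timestamp, source, destination, port.
# Addresses are from private (RFC 1918) and documentation (RFC 5737) ranges.
SAMPLE_LOG = """\
2016-10-21T11:00:00 192.168.1.60 198.51.100.10 23
2016-10-21T11:05:00 192.168.1.60 198.51.100.11 23
2016-10-21T11:10:01 192.168.1.50 198.51.100.7 23
2016-10-21T11:10:02 192.168.1.50 198.51.100.19 23
2016-10-21T11:10:03 192.168.1.50 203.0.113.4 23
2016-10-21T11:10:04 192.168.1.10 192.168.1.1 23
2016-10-21T11:10:05 192.168.1.50 203.0.113.88 23
2016-10-21T11:10:06 192.168.1.50 192.0.2.150 23
2016-10-21T11:10:07 192.168.1.10 203.0.113.4 443
2016-10-21T11:10:08 192.168.1.50 192.0.2.33 23
2016-10-21T11:15:00 192.168.1.60 198.51.100.12 23
2016-10-21T11:20:00 192.168.1.60 198.51.100.13 23
2016-10-21T11:25:00 192.168.1.60 198.51.100.14 23
"""

TELNET_PORTS = {23}              # telnet, the service named in the post
WINDOW = timedelta(seconds=60)   # assumed sliding window
THRESHOLD = 5                    # assumed distinct-destination limit

def find_scanners(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {source: peak distinct telnet destinations seen in one window}."""
    recent = defaultdict(deque)  # source -> (timestamp, destination) in window
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_text, src, dst, port = line.split()
        if int(port) not in TELNET_PORTS:
            continue
        ts = datetime.fromisoformat(ts_text)
        events = recent[src]
        events.append((ts, dst))
        while ts - events[0][0] > window:   # drop events older than the window
            events.popleft()
        distinct = len({d for _, d in events})
        if distinct >= threshold:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged

if __name__ == "__main__":
    print(find_scanners(SAMPLE_LOG))
```

In the sample only 192.168.1.50 is flagged: the host at 192.168.1.60 reaches as many destinations but spread over 25 minutes, and the single administrative telnet session from 192.168.1.10 stays far below the threshold.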

5. Source Code for ‘Mirai’ Botnet was Released Publicly Which Opens the Door for Future Botnet Attacks

After weathering an attack from the ‘Mirai’ botnet, KrebsOnSecurity reported that the code that powers ‘Mirai’ was made publicly available on HackForums. The hacking community has access to information they can use to infect millions of smart devices. The source code for the scanner is also located on GitHub and has been copied at least 700 times as of this posting.

So today, I have an amazing release for you. With Mirai, I usually pull max 380k bots from telnet alone. However, after the Kreb DDoS, ISPs been slowly shutting down and cleaning up their act. Today, max pull is about 300k bots, and dropping.

Special thanks to Edward Cox of Heavy and assistance in the compilation of data.

About US ProTech:
Intelli-Flex partner, US ProTech offers clients Certified Technical Security Engineers with a wide background of specialization including experts from every branch of the United States military.  Their vulnerability assessment process has been independently evaluated, tested and has received U.S. Government (USGCB) Configuration Baseline validation by the U.S. Dept. of Commerce; it exceeds NIST High-Impact (military-grade) standards and is SCAP Approved.

As a result of its US Government Approved process, US ProTech offers a broad range of award-winning cyber-security assessment and management services and today holds significant contracts throughout America, Canada, Mexico and Western Europe.  “We maintain a focus on clients who seek demonstrable cyber-security and business process improvement”, says Goetsch. “We have saved our clients hundreds of millions of dollars in Cyber-Liabilities and do so with an expert staff and a proprietary set of tools.”

1 comment:

  1. Tools and Services are available to monitor, detect, prevent and isolate the activities that this disruptive attack caused. Please contact US ProTech if you would like more information at: www.USProTech.com
