I remember October 21, 2016, reasonably well. I had sat down at my computer to catch up with friends on Twitter, read the latest news from my favorite blogs (Krebs on Security, Rapid7, and Radware), find some good tunes on Spotify, and then begin a new project for a new client. It was not long before it became readily apparent that there was something terribly wrong.
There was an attack underway.
Later, I learned that the attack targeted IoT-enabled networked devices, particularly those running Linux and using default credentials such as the notorious ‘admin/admin’ and ‘username/password’, turning them into remotely controlled bots that were used as part of a botnet in a large-scale, coordinated Distributed Denial of Service (DDoS) network attack.
Malware named Mirai infected and took control of an estimated 100,000 IoT-connected devices in order to flood the Domain Name System (DNS) provider Dyn with multitudes of malicious lookup requests, disrupting well-known and heavily trafficked websites across North America and Western Europe, including (partial list):
- The Swedish Government
An attack on the DNS infrastructure can be devastating.
The DNS infrastructure is the backbone of the internet, and it is irreplaceable. Fundamentally, DNS serves as the internet’s phone book. To simplify it even further: No DNS? No web, email, video, VoIP or any other online services.
An unpatchable nightmare is developing.
A startling number of IoT devices come to market furnished with pre-set default passwords that are well known to criminals, difficult to change and nearly impossible to patch.
Although industry titans take steps to send out regular patches to protect their products from vulnerabilities, many start-ups and smaller companies fall short on this crucial follow-through.
As more and more sensors become embedded in every part of our society, this problematic issue is only going to intensify. Security can no longer be an afterthought. Instead, it must be introduced as early in the development process as possible.
In the case of the Mirai botnet, once a device is infected, it immediately begins scanning the internet, uninhibited, for the IP addresses of other vulnerable devices.
Moreover, Mirai will ‘detect rival’ malware, remove it from memory and block remote administration ports. The device then listens to a command and control (C2) server, which designates the target of the attack.
Unfortunately, the only telltale signs of infection are occasional slowness and increased bandwidth use. Otherwise, infected devices continue to function normally.
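Because an infected device otherwise behaves normally, the network is usually the better place to look: the scanning phase described above shows up as one host touching a very large number of distinct destinations on the same service port. The script below is an added example, not code from the post or from any Mirai analysis, that flags that pattern in flow records. The flow format, the telnet ports (23 and 2323) and the thresholds are assumptions, and the sample records are constructed, not a real capture.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Service ports an IoT worm like Mirai probes for default-credential logins.
# Assumption: telnet on 23 and 2323; the post names only default credentials.
SCAN_PORTS = {23, 2323}

Flow = Tuple[int, str, str, int, int]  # (timestamp, src_ip, dst_ip, dst_port, bytes)


def parse_flows(lines: Iterable[str]) -> List[Flow]:
    """Parse whitespace-separated 'ts src dst dport bytes' records.

    Blank lines and '#' comments are skipped; a malformed line raises so a
    broken export is noticed rather than silently shrinking the data set.
    """
    flows: List[Flow] = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append((int(ts), src, dst, int(dport), int(nbytes)))
    return flows


def find_scanners(flows: Iterable[Flow], min_targets: int = 16,
                  window_s: int = 60) -> Dict[str, int]:
    """Map src_ip -> peak distinct destinations for hosts that reached at
    least min_targets distinct IPs on a scan port inside any window_s window.

    An admin touches a handful of devices over telnet; a worm sweeps the
    address space, so distinct destinations per window separates the two.
    Both thresholds are assumptions to tune per network.
    """
    per_src: Dict[str, List[Tuple[int, str]]] = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        if dport in SCAN_PORTS:
            per_src[src].append((ts, dst))

    hits: Dict[str, int] = {}
    for src, events in per_src.items():
        events.sort()
        lo, peak = 0, 0
        for hi in range(len(events)):
            # Slide the window start forward until it spans at most window_s.
            while events[hi][0] - events[lo][0] > window_s:
                lo += 1
            peak = max(peak, len({dst for _, dst in events[lo:hi + 1]}))
        if peak >= min_targets:
            hits[src] = peak
    return hits


def constructed_sample() -> List[str]:
    """Constructed flow records, not a real capture."""
    lines = ["# constructed sample: ts src dst dport bytes"]
    # A laptop browsing over HTTPS: not a scan port, ignored.
    lines += ["1477050000 192.168.1.20 198.51.100.10 443 5120",
              "1477050003 192.168.1.20 198.51.100.20 443 8800"]
    # An admin logging into two switches over telnet: two targets, benign.
    lines += ["1477050010 192.168.1.50 192.168.1.2 23 900",
              "1477050020 192.168.1.50 192.168.1.3 23 700"]
    # An infected camera sweeping 40 external addresses (TEST-NET-3 range)
    # on port 23 within eight seconds, five probes per second.
    for i in range(40):
        lines.append(f"{1477050100 + i // 5} 192.168.1.37 203.0.113.{i + 1} 23 60")
    return lines


if __name__ == "__main__":
    for host, n in find_scanners(parse_flows(constructed_sample())).items():
        print(f"possible IoT scanner: {host} reached {n} distinct telnet targets")
```

Run against the constructed sample it reports only the camera; the admin's two telnet sessions stay below the threshold. The same per-window distinct-destination count carries over to a SIEM query over NetFlow or firewall logs, and it is exactly the "increased bandwidth use" the post mentions, made specific enough to alert on.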
Then, just before the first anniversary of the Mirai botnet attack, Check Point Software researchers disclosed the existence of an even more advanced IoT botnet dubbed ‘IOTroop.’
Moreover, Check Point disclosed that this ‘malware is increasing at a quicker pace than its predecessor the Mirai botnet, which could potentially cause even more considerable damage.’
Finally, Radware’s security evangelist Ron Winward, in his latest blog, detailed that even after the Mirai botnet attack, ‘68 of the top 100 US websites still only have a single DNS provider for their domain.’ (Apparently, they never heard of redundancy?)
Winward stressed that ‘the next attack could be worse if the culprits target the entire global DNS infrastructure by taking down the top DNS providers.’
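The single-provider finding above is easy to audit for your own domains: several nameservers that all belong to one provider are still one point of failure. The following is an added example, not code from the post or from Radware, that groups a zone's NS records by provider and lists the zones with no second provider. The NS record sets are constructed, and treating the last two labels of a nameserver hostname as "the provider" is a simplifying assumption.

```python
from typing import Dict, Iterable, List


def provider_of(ns_host: str) -> str:
    """Registrable parent of a nameserver hostname, used as a proxy for the
    DNS provider (assumption: last two labels, so 'ns1.provider-a.net.' ->
    'provider-a.net'). Adequate for an audit; refine for ccTLDs like .co.uk."""
    labels = ns_host.rstrip(".").lower().split(".")
    if len(labels) < 2:
        raise ValueError(f"not a hostname: {ns_host!r}")
    return ".".join(labels[-2:])


def audit_ns(domain: str, ns_hosts: Iterable[str]) -> Dict[str, object]:
    """Summarise a zone's NS set: which providers serve it and whether more
    than one does. Four nameservers under one provider are still a single
    point of failure, which is the condition the post warns about."""
    hosts = list(ns_hosts)
    providers = sorted({provider_of(h) for h in hosts})
    return {"domain": domain,
            "nameservers": len(set(hosts)),
            "providers": providers,
            "redundant": len(providers) >= 2}


def single_provider_domains(zones: Dict[str, List[str]]) -> List[str]:
    """Domains whose entire NS set sits with one provider."""
    return sorted(d for d, ns in zones.items() if not audit_ns(d, ns)["redundant"])


# Constructed NS record sets (not real query results); in practice feed in
# the output of `dig NS <domain> +short` for each domain you own.
CONSTRUCTED_ZONES: Dict[str, List[str]] = {
    "shop.example": ["ns1.provider-a.net.", "ns2.provider-a.net.",
                     "ns3.provider-a.net.", "ns4.provider-a.net."],
    "news.example": ["ns1.provider-a.net.", "ns2.provider-a.net.",
                     "dns1.provider-b.org.", "dns2.provider-b.org."],
    "mail.example": ["ns-a.provider-c.com."],
}


if __name__ == "__main__":
    for domain in single_provider_domains(CONSTRUCTED_ZONES):
        report = audit_ns(domain, CONSTRUCTED_ZONES[domain])
        print(f"{domain}: {report['nameservers']} nameserver(s), all at "
              f"{report['providers'][0]} -> no provider redundancy")
```

On the constructed data, shop.example is flagged despite having four nameservers, because all four resolve to the same provider, while news.example passes because its NS set spans two. Adding a second provider means delegating the zone to both at the registrar and keeping the zone data synchronised between them, which is the redundancy Winward is asking for.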