Saturday, October 22, 2016

Apparently Yesterday's IoT Attack on the Internet Was Due To Security Flaws In One Chinese Manufacturer's Products (and the malicious fools who used them in a botnet)

By the journalist/investigator whose site was attacked in what appears to be the first use of the botnet code.
From Krebs on Security, Oct. 21:

Hacked Cameras, DVRs Powered Today’s Massive Internet Outage
A massive and sustained Internet attack that has caused outages and network congestion today for a large number of Web sites was launched with the help of hacked “Internet of Things” (IoT) devices, such as CCTV video cameras and digital video recorders, new data suggests.

Earlier today cyber criminals began training their attack cannons on Dyn, an Internet infrastructure company that provides critical technology services to some of the Internet’s top destinations. The attack began creating problems for Internet users reaching an array of sites, including Twitter, Amazon, Tumblr, Reddit, Spotify and Netflix.
 l3outage
A depiction of the outages caused by today’s attacks on Dyn, an Internet infrastructure company.
 Source: Level3 Communications.
At first, it was unclear who or what was behind the attack on Dyn. But over the past few hours, at least one computer security firm has come out saying the attack involved Mirai, the same malware strain that was used in the record 620 Gpbs attack on my site last month. At the end September 2016, the hacker responsible for creating the Mirai malware released the source code for it, effectively letting anyone build their own attack army using Mirai.

Mirai scours the Web for IoT devices protected by little more than factory-default usernames and passwords, and then enlists the devices in attacks that hurl junk traffic at an online target until it can no longer accommodate legitimate visitors or users.

According to researchers at security firm Flashpoint, today’s attack was launched at least in part by a Mirai-based botnet. Allison Nixon, director of research at Flashpoint, said the botnet used in today’s ongoing attack is built on the backs of hacked IoT devices — mainly compromised digital video recorders (DVRs) and IP cameras made by a Chinese hi-tech company called XiongMai Technologies. The components that XiongMai makes are sold downstream to vendors who then use it in their own products.

“It’s remarkable that virtually an entire company’s product line has just been turned into a botnet that is now attacking the United States,” Nixon said, noting that Flashpoint hasn’t ruled out the possibility of multiple botnets being involved in the attack on Dyn....MORE
See also Krebs Oct. 19: Spreading the DDoS Disease and Selling the Cure

Last month:
Uh Oh: Internet Security Pro Hit By Botnet Made Of Internet-of-Things Connected Cameras
This is very bad.