When Mirai was unleashed a little over six months ago, targeting security journalist Brian Krebs’ site with an unprecedented distributed denial of service (DDoS) attack that reached 620 Gbps, everyone asked, “What will happen next?” We at Armor stated there would be an initial lull in record-breaking DDoS activity, coinciding with an upspring of copycats leveraging the botnet and its compromised Internet of Things (IoT) devices. Eventually, we predicted, Mirai would be locked down by either a black hat (malicious actor) or a white hat (vigilante) hacker. Each would seek to harden the compromised IoT devices to prevent others from exploiting them. The difference is motive: the vigilante would believe they are doing good, while the malicious actor seeks to monopolize the devices.

Bots are a valuable commodity in the world of DDoS as a service, and it is common for hackers to fight each other for control of the millions of unsecured endpoints. The publicly released Mirai source code is a prime example: whoever last compromises a device is the one left in control of it.

Enough time has elapsed, and we now see the vigilante(s) emerging. The latest claims to be the author of Hajime, a continuously evolving IoT worm reported last month to have built a peer-to-peer (P2P) botnet of some 300,000 devices.

However, this “vigilante” claim simply doesn’t add up. To reach that conclusion, there are important questions that must be addressed. Has the villain changed their pursuit, and is this an attempt at redemption? Why would someone weigh down their good actions with the history of their bad behavior, especially in a world of aliases? Those who commit crimes are driven by the desire not to get caught, so why leave this artifact behind?

Another question, if this truly is the author of Hajime, is how we can trust this newfound good favor. Did they actually throw away the keys to all of these endpoints?

Unfortunately, this is the beginning of another waiting game. Only time will uncover whether they are truly driven by altruistic reasons, or whether they have worked to centralize power under the guise of benevolence and generosity.

Either way, vigilante or threat, this is a glaring reminder to secure your devices, many of which ship with the bare minimum of security. To avoid being a contributor to DDoS attacks, don’t let hackers manage your password policy: change factory default credentials and keep management services off the open internet. Do your part to be a good internet citizen!
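The following is an added example, not code from the Armor post or from Mirai or Hajime: a small Python audit that walks a device inventory and flags the credential weaknesses Mirai-style scanners rely on (factory default username/password pairs, password equal to username, short passwords, and telnet exposed to the internet). The default-credential list and the inventory are constructed sample data; the pairs are of the kind widely reported in Mirai's login dictionary but the list is illustrative, not the actual dictionary, and the `Device` record layout is an assumption about how an inventory might be kept.

```python
# Added example (not from the Armor post): audit a device inventory for the
# credential weaknesses that Mirai-style scanners exploit.
# DEFAULT_CREDENTIALS and SAMPLE_INVENTORY below are constructed sample data.

from dataclasses import dataclass

# Constructed sample of factory default username/password pairs, of the kind
# reported in Mirai's login dictionary (illustrative, not the real list).
DEFAULT_CREDENTIALS = {
    ("root", "xc3511"),
    ("root", "vizxv"),
    ("root", "admin"),
    ("admin", "admin"),
    ("root", "888888"),
    ("root", "default"),
    ("admin", "1234"),
    ("support", "support"),
    ("user", "user"),
}

# Assumed local policy: a minimum length a device password must meet.
MIN_PASSWORD_LENGTH = 12


@dataclass
class Device:
    """Hypothetical inventory record for one IoT device."""
    name: str
    username: str
    password: str
    telnet_open: bool  # True if TCP/23 is reachable from the internet


def audit_device(device: Device) -> list:
    """Return the list of findings for one device (empty means it passes)."""
    findings = []
    if (device.username, device.password) in DEFAULT_CREDENTIALS:
        findings.append("factory default credentials")
    if device.password == device.username:
        findings.append("password equals username")
    if len(device.password) < MIN_PASSWORD_LENGTH:
        findings.append(f"password shorter than {MIN_PASSWORD_LENGTH} characters")
    if device.telnet_open:
        findings.append("telnet exposed to the internet")
    return findings


def audit_inventory(devices) -> dict:
    """Map each device name to its findings; devices with no findings map to []."""
    return {d.name: audit_device(d) for d in devices}


# Constructed sample inventory: two devices left at factory settings and one
# that has had its credentials changed and telnet closed.
SAMPLE_INVENTORY = [
    Device("cam-01", "root", "xc3511", telnet_open=True),
    Device("dvr-02", "admin", "admin", telnet_open=False),
    Device("router-03", "ops", "correct-horse-battery-staple-9", telnet_open=False),
]


if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name}: {status}")
```

Run against a real inventory, the same checks can be driven from a CSV export or a configuration-management database; the point is that the device is judged against your policy before a scanner judges it against its dictionary.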

What new twist is coming? Persistence.

I’m sure most everyone has heard the phrase ‘persistence is key’. It could be a motto for hackers, who constantly try to penetrate targets and show an impressive amount of patience in the process. However, no one has yet worked to persist on IoT, but my gut tells me that it’s next on the docket.

The fact is, Mirai has had a fleeting relationship with its endpoints, often using a device for a short period before being kicked off or moving on to another, without losing strength or impact. Further, and most significantly, it doesn’t use the endpoints for their true value: a bridge into the internal networks behind them. Controllers currently care only about weaponizing them for DDoS.

But once these threat actors care about embedding themselves in devices for the long term and using them to infiltrate internal networks more extensively, we will see a significant game-changer. Once we observe persistence and data exfiltration in the wild, security and GRC policies will be tested. So, what’s the best advice for now?

The answer is quite succinct: Encrypt while you can and remember to patch always!