Threat Intelligence Brief – October 2016


Internet of Things (IoT) and the Mirai Botnet

The security community was rocked in September by a record-breaking DDoS attack. This massive assault featured approximately 1 Tbps (terabit per second) of traffic directed at a single target. The attack has been attributed to an immense botnet of nearly 152,000 “smart” devices compromised by new malware called Mirai.
Unlike most botnets, which are typically made up of compromised computers, this army of smart bots consisted mostly of hacked internet cameras and other connected smart devices – commonly known as the internet of things (IoT).

How Mirai Works

Mirai acquires devices for its botnet through scripts that scan the internet for vulnerable devices. Once a device is identified, it can be accessed simply by logging in with default credentials, a weakness common among IoT devices.

Installation of the Mirai malware consists of an initial Telnet login to the device using default credentials, followed by execution of a simple wget command that reaches out to a malware host and downloads the Mirai binary. Once the binary has been downloaded it is installed by the script, and the IoT device is now part of the botnet. To date we have seen Mirai support several different architectures, including spc, sh4, ppc, mips, m68k, arm, arm7 and x86.

Once a device has been incorporated into the botnet it can be used to execute a variety of tasks, broken up into three main functional areas.

  • C2 System – Discard web requests using the tilde character.
  • Attack Routines – Various forms of attacks and the protocols on which to run them.
  • Network Scanner – For basic network scanning and target discovery.
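The infection sequence just described (an inbound Telnet login from a scanner, then an outbound wget to fetch the binary) leaves a recognisable footprint in ordinary firewall logs. The following Python detector is an added example and is not code from the brief or from Mirai itself; the log format, the sample lines, the private-address check and the ten-minute window are all constructed assumptions for this illustration.

```python
"""Flag the Mirai infection sequence described above in connection logs.

Added example (not from the brief): the log format, the sample lines and the
thresholds are constructed for this illustration. Per internal host it looks
for an accepted inbound Telnet connection (tcp/23 or tcp/2323) from an external
address, followed within a short window by an outbound HTTP connection from that
same host to an external address, i.e. the "telnet login, then wget" pattern.
"""
from collections import defaultdict
from datetime import datetime, timedelta

TELNET_PORTS = {23, 2323}       # ports Mirai's scanner probes
DOWNLOAD_PORTS = {80, 8080}     # typical ports for the follow-up wget
WINDOW = timedelta(minutes=10)  # assumed max gap between login and download

# Constructed firewall log: "<ISO time> <src_ip>:<port> -> <dst_ip>:<port> <action>"
SAMPLE_LOG = """\
2016-09-20T03:11:02 203.0.113.7:51322 -> 192.168.1.20:23 accept
2016-09-20T03:11:09 203.0.113.7:51324 -> 192.168.1.20:23 accept
2016-09-20T03:11:40 192.168.1.20:40012 -> 198.51.100.5:80 accept
2016-09-20T03:12:01 192.168.1.21:40013 -> 198.51.100.9:80 accept
2016-09-20T03:40:00 203.0.113.8:51400 -> 192.168.1.22:2323 accept
2016-09-20T04:30:00 192.168.1.22:40100 -> 198.51.100.5:80 accept
2016-09-20T05:00:00 203.0.113.9:51500 -> 192.168.1.23:23 deny
"""


def parse_line(line):
    """Split one log line into a dict of typed fields."""
    ts, src, _, dst, action = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts),
            "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port),
            "action": action}


def is_internal(ip):
    """Crude RFC 1918 check, sufficient for the constructed sample."""
    return ip.startswith(("10.", "192.168."))


def find_infection_sequences(log_text):
    """Return one alert per outbound download preceded by an inbound Telnet login.

    Lines are assumed to be in chronological order.
    """
    telnet_logins = defaultdict(list)   # victim ip -> [(time, scanner ip), ...]
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["action"] != "accept":
            continue   # a denied probe is scanning noise, not a foothold
        inbound_telnet = (ev["dst_port"] in TELNET_PORTS
                          and is_internal(ev["dst_ip"])
                          and not is_internal(ev["src_ip"]))
        outbound_http = (ev["dst_port"] in DOWNLOAD_PORTS
                         and is_internal(ev["src_ip"])
                         and not is_internal(ev["dst_ip"]))
        if inbound_telnet:
            telnet_logins[ev["dst_ip"]].append((ev["ts"], ev["src_ip"]))
        elif outbound_http:
            # only logins inside the window count; older ones are unrelated
            recent = [(t, s) for t, s in telnet_logins[ev["src_ip"]]
                      if ev["ts"] - t <= WINDOW]
            if recent:
                last_login, _ = max(recent)
                alerts.append({
                    "victim": ev["src_ip"],
                    "scanners": sorted({s for _, s in recent}),
                    "download_host": ev["dst_ip"],
                    "seconds_after_login": int((ev["ts"] - last_login).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_infection_sequences(SAMPLE_LOG):
        print(alert)
```

On the sample log only 192.168.1.20 is flagged: it accepted two Telnet logins from 203.0.113.7 and reached out to 198.51.100.5 on port 80 thirty-one seconds later. The host that downloaded without a preceding login, the one whose download came fifty minutes after the login, and the one whose Telnet probe was denied all stay quiet, which is the point of correlating the two events rather than alerting on either alone.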

Safeguarding Your Network From Mirai

By taking just a few steps you can easily reduce the likelihood that a device under your control is lost to a botnet.

Change default passwords – Compromised devices still had their default credentials in place. Ensure that the default password is changed on any device deployed to your network.

Disable remote administration – By default, many devices allow remote administration from outside the internal network. Administrative tasks should be performed from inside the network.

Keep firmware up to date – Many device manufacturers are expected to release firmware updates in response to these attacks. By default, these devices require user interaction to apply firmware patches. Back up the current working firmware before installing the latest release, and keep that copy locally in case the update fails and leaves you with a broken device.

Require authenticated and encrypted protocols – Using Telnet, FTP and HTTP exposes you to compromise; use SSH, SFTP and HTTPS instead.
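The four safeguards above are easiest to enforce when they are checked against an inventory rather than remembered per device. The Python audit below is an added example, not code from the brief; the inventory schema (credential state, firmware versions, and per-service protocol, role and exposure) and the two sample devices are constructed for this illustration.

```python
"""Audit a device inventory against the four safeguards listed above.

Added example (not from the brief): the inventory schema and the sample
devices are constructed. Each device record carries its credential state,
its firmware version versus the vendor's latest, and the services it
exposes together with the network each one is reachable from.
"""

# Cleartext protocol -> the authenticated/encrypted replacement recommended above
CLEARTEXT_TO_SECURE = {"telnet": "ssh", "ftp": "sftp", "http": "https"}


def parse_version(text):
    """'1.0.12' -> (1, 0, 12) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def audit_device(dev):
    """Return a list of (severity, finding) tuples for one device record."""
    findings = []

    # 1. Change default passwords
    if dev["credentials"] == "default":
        findings.append(("high", "default credentials still in place; change the password"))

    for svc in dev.get("services", []):
        proto, port = svc["protocol"], svc["port"]
        # 2. Disable remote administration from outside the internal network
        if svc["role"] == "admin" and svc["exposure"] == "wan":
            findings.append(("high", f"{proto}/{port} administration reachable from the "
                                     f"internet; restrict it to the internal network"))
        # 4. Require authenticated and encrypted protocols
        if proto in CLEARTEXT_TO_SECURE:
            findings.append(("medium", f"cleartext {proto} on port {port}; "
                                       f"use {CLEARTEXT_TO_SECURE[proto]} instead"))

    # 3. Keep firmware up to date (numeric comparison, so 1.0.9 < 1.0.12 holds)
    if parse_version(dev["firmware"]) < parse_version(dev["latest_firmware"]):
        findings.append(("medium", f"firmware {dev['firmware']} is behind vendor release "
                                   f"{dev['latest_firmware']}; back up the working image, then update"))

    return findings


def audit_inventory(devices):
    """Map each device name to its findings, worst severity first."""
    order = {"high": 0, "medium": 1}
    return {d["name"]: sorted(audit_device(d), key=lambda f: order[f[0]])
            for d in devices}


# Constructed sample inventory: one untouched camera, one device already hardened
SAMPLE_INVENTORY = [
    {"name": "lobby-camera", "credentials": "default",
     "firmware": "1.0.9", "latest_firmware": "1.0.12",
     "services": [{"protocol": "telnet", "port": 23, "role": "admin", "exposure": "wan"},
                  {"protocol": "http", "port": 80, "role": "stream", "exposure": "lan"}]},
    {"name": "hardened-dvr", "credentials": "changed",
     "firmware": "2.3.0", "latest_firmware": "2.3.0",
     "services": [{"protocol": "ssh", "port": 22, "role": "admin", "exposure": "lan"},
                  {"protocol": "https", "port": 443, "role": "stream", "exposure": "lan"}]},
]


if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(name, "->", "no findings" if not findings else "")
        for severity, text in findings:
            print(f"  [{severity}] {text}")
```

The sample camera produces five findings (two high, three medium) and the hardened recorder none. The numeric version parse matters: compared as strings, "1.0.9" sorts after "1.0.12" and the stale firmware would go unnoticed.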


Why Your Smart Devices Are Easy Targets

When was the last time you updated the firmware on your webcam? Your smart TV? Your smart car? Your doorbell camera? If you have devices in your home, office, or on your body that connect to the internet – whether by Wi-Fi or by cellular data networks – you are vulnerable to being hacked. For most people, security on these devices is an afterthought. Because IoT devices are so vulnerable, hackers are more likely to go after this “low-hanging fruit” than to spend months finding a vulnerability on a PC or network. Follow the steps outlined in this blog by Jeff Schilling, CISM, Armor, to secure your IoT devices.

Learn more on the Armor Blog


The Infamous ‘Mirai’ IoT Malware Has Hit The Dark Web

The malware code responsible for infecting hundreds of thousands of smart devices has been released on the dark web forum Hackforums. An anonymous user posted it for free on the forum in late September, claiming that the tool is losing its effectiveness. This is both good and bad news. On one hand, it acknowledges that researchers are targeting the malware: by homing in on the tactics, techniques and procedures (TTPs) used by the threat actor, threat intelligence analysts are getting closer to attribution. On the other hand, now that the source code is public, other hackers can launch similar attacks, which makes detection and attribution even more difficult for law enforcement.

Get the full story