The security firm RSA revealed to have discovered in early October, hackers advertising access to a huge IoT botnet on an underground criminal forum.

Last week, a massive DDoS attack against the Dyn DNS service, one of the most authoritative domain name system (DNS), caused an extended Internet outage. A large portion of internet users was not able to reach most important web services, many websites including Twitter, GitHub, PayPal, Amazon, Reddit, Netflix, and Spotify were down for netizens in the US.

The Dyn DNS Service was flooded by a devastating wave of requests originated by million of compromised IoT devices. The Dyn company reported a huge army of hijacked Internet of Things devices has been abused by attackers to power the massive DDoS attack.

The security intelligence firm Flashpoint published an interesting post on the massive DDoS in which confirm that its experts have observed the Mirai bots driving the attack against DynDNS.

“Flashpoint has confirmed that some of the infrastructure responsible for the distributed denial-of-service (DDoS) attacks against Dyn DNS were botnets compromised by Mirai malware. Mirai botnets were previously used in DDoS attacks against security researcher Brian Krebs’ blog “Krebs On Security” and French internet service and hosting provider OVH.” reads the analysis published by Flashpoint “Mirai malware targets Internet of Things (IoT) devices like routers, digital video records (DVRs), and webcams/security cameras, enslaving vast numbers of these devices into a botnet, which is then used to conduct DDoS attacks.

Below the Key Findings of the report published by Flashpoint

  • Flashpoint has confirmed that some of the infrastructure responsible for the distributed denial-of-service (DDoS) attacks against Dyn DNS were botnets compromised by Mirai malware.
  • Mirai botnets were previously used in DDoS attacks against the “Krebs On Security” blog and OVH.
  • As of 1730 EST, the attacks against Dyn DNS are still ongoing. Flashpoint is coordinating with multiple vendors and law enforcement to track the infected devices that constitute the botnet being used to conduct these attacks.

Unfortunately, the situation could be worse because hackers are selling access to a huge botnet composed of compromised Internet of Things (IoT) devices.

The security firm RSA revealed to have discovered in early October, hackers advertising access to a huge IoT botnet on an underground criminal forum.

“This is the first time we’ve seen an IoT botnet up for rent or sale, especially one boasting that amount of firepower. It’s definitely a worrying trend seeing the DDoS capabilities grow,” Daniel Cohen, head of the RSA’s FraudAction business unit, told Forbes.

According to RSA the hackers advertised an IoT botnet that is able to power DDoS attack with a 1 Tbps of traffic, the same volume of traffic that flooded the French hosting provider OVH. It is not clear if the botnet was composed of devices infected by the Mirai malware.

The hackers were offering a botnet composed of 50,000 devices for $4,600, meanwhile 100,000 bots the price is $7,500.

iot

Cohen clarified that RSA has no evidence that the botnet is linked to infrastructure that hit the Dyn DNS service on Friday.

“Hackers have long sold access to botnets, though haven’t explicitly advertised their use of IoT devices like connected cameras, fridges and kettles. The infamous LizardSquad amassed sizeable botnets for its LizardStresser “booter” – a DDoS weapon for hire – but it largely compromised vulnerable routers.” reported FORBES.

IoT vendors are warned of future risks of cyber attacks, the Chinese manufacturer of surveillance and home video devices targeted by the Mirai botnet, Xiongmai Technology (XM), has pushed out parched to avoid the hacking of its devices.

However, any device running firmware released before September 2015 that is still using the default username and password (well known in the hacker community) remains vulnerable to attacks that use the credentials to access the devices via Telnet.

Attacks like the one powered by the IoT botnet on Friday are difficult to mitigate, anyway, the adoption of a secondary, back-up DNS provider could make hard for the attacker to shut down the web service.

Other countermeasures are listed in the FORBES blog post.

Pierluigi Paganini