April 13, 2018
Insikt Group of Recorded Future, after analyzing metadata and freely available information, has concluded that a variant of the Mirai botnet was used to launch a series of three attacks on the 28th of January. The first of the three used DNS amplification and reached a traffic volume of 30Gbps; the researchers could not establish the intensity of the other two.
The researchers suspect that the botnet is linked to the IoTroop (also known as Reaper) botnet. IoTroop is considered ‘powerful’ and consists of a large number of compromised IoT devices, such as IP cameras, home routers, DVRs, and TVs. The affected devices come from vendors including AvTech, GoAhead, Linksys, MikroTik, TP-Link, Synology, and Ubiquiti.
The IoTroop botnet was first identified in October 2017. Analysts noted that the malware behind it was unusual in being written in a flexible scripting language (Lua), which made fast, on-the-fly updates possible. IoTroop targets known vulnerabilities and can be quickly updated to attack newly disclosed ones. The botnet was also able to compromise devices by using default passwords and other credentials.
Insikt Group reports that, if this is indeed the same botnet, it has evolved since its initial discovery to target more devices and will likely go on to target even more. As a result, some devices believed in October to be safe from these attacks have since been compromised.
The Mirai botnet source code was released in October 2016, and the following months saw a series of attacks using variants. In November, 1 million Telekom routers were taken offline in Germany, and in January of the following year a variant named Satori targeted Huawei routers.
Summary of the Attack
The threat researchers used metadata, together with unusual port usage on routers, to assess the botnet’s composition and activity. They determined that 80% of the attacks exploited vulnerabilities in MikroTik routers; webcams, DVRs, and TVs were also compromised.
The analysis also revealed the geographic spread of the botnet. The overwhelming majority of infected devices were located in Russia, while other affected countries include, but are not limited to, Brazil, Ukraine, China, and the United States.
The threat researchers emphasize the importance of keeping pace with evolving botnets. As the botnets learn to target new openings, companies and users must work to eliminate those vulnerabilities before they can be exploited.
The suggested preventative steps are to immediately change default passwords, keep firmware and software updated, disable unused services, close unused ports, and consider using a VPN.
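As an added example (not taken from the Insikt Group report), here are those steps applied on a MikroTik RouterOS device, the router class that accounted for most of the compromised nodes. It assumes ether1 is the WAN interface, 192.168.88.0/24 is the LAN, and the placeholder password is replaced before use.

```routeros
# Added example, not from the report. Assumptions: ether1 = WAN,
# 192.168.88.0/24 = LAN, "<CHANGE-ME-long-random>" is a placeholder.

# 1. Replace the default credentials: create a full-rights account with a
#    strong password and disable the well-known "admin" login.
/user add name=netops group=full password="<CHANGE-ME-long-random>"
/user disable admin

# 2. Keep RouterOS and the board firmware current (each step reboots).
/system package update check-for-updates
/system package update install
/system routerboard upgrade

# 3. Disable management services that are not needed; the cleartext ones
#    (telnet, ftp, www) are the usual credential-harvesting targets.
/ip service disable telnet,ftp,www,api,api-ssl
# Restrict the remaining management services to the LAN only.
/ip service set ssh address=192.168.88.0/24
/ip service set winbox address=192.168.88.0/24
/ip service set www-ssl address=192.168.88.0/24

# 4. Close everything else facing the WAN: keep established sessions and
#    ICMP, then drop all other unsolicited input arriving on ether1.
/ip firewall filter add chain=input connection-state=established,related action=accept comment="keep existing sessions"
/ip firewall filter add chain=input protocol=icmp action=accept
/ip firewall filter add chain=input in-interface=ether1 action=drop comment="drop unsolicited WAN input"

# Verify: no management service should be reachable from ether1.
/ip service print
/ip firewall filter print
```

Confirm from outside the LAN that ports such as 22, 8291 and 443 no longer answer on the WAN address before relying on the change.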
Read Insikt Group’s report here: https://www.recordedfuture.com/mirai-botnet-iot/