Cybersecurity firm Flashpoint has traced Friday’s widespread internet outage to the Internet of Things, according to cybersecurity expert Brian Krebs.
The cyberattacks which affected popular websites from Twitter to Reddit are the result of malware called “Mirai”, which manipulated smart technology to take the sites offline. The malware used vulnerable technology to launch a Distributed Denial of Service attack, overwhelming the web service DYN with traffic resulting in slow Internet speeds and offline sites.
Here’s everything you need to know about ‘Mirai’:
1. IoT Botnet ‘Mirai’ Targets Vulnerable ‘Smart’ IoT Technology and Turns Them into ‘Bots’
Like a parasite, ‘Mirai’ uses a host to launch cyberattacks. The botnet scans the Internet for IoT systems protected only by factory-default or hard-coded usernames and passwords, according to Krebs’s blog KrebsOnSecurity. Botnets can exploit weak security measures such as standard username and password combinations (e.g. admin, 1111) that are reused across devices. These systems are infected with malware, which directs them to a central control system, where they wait for the command to launch an attack that takes websites offline. Here is a list of the services that were down.
According to HackRead, ‘Mirai’ can break into a wide range of IoT devices, from CCTV cameras to DVRs to home networking equipment, turning them into ‘bots’. There are nearly half a million Mirai-powered bots worldwide, according to telecommunications company and internet service provider (ISP) Level 3 Communications. Here are the countries with the highest concentrations of infected IoT devices:
- United States: 29 percent
- Brazil: 23 percent
- Colombia: 8 percent
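The propagation behaviour described above (one source probing many devices over telnet looking for default logins) leaves a recognisable pattern in connection logs, both when an outside bot scans your network and when one of your own devices has been infected and starts scanning outward. The following Python script is an added example, not code from the article, from Krebs, or from the Mirai source; it parses constructed key=value connection records (the log format, the telnet port set, the five-target threshold, the five-minute window and the 192.0.2.0/24 “internal” range are all assumptions made for this example) and flags sources that touch many distinct telnet targets in a short time.

```python
"""Flag telnet scanning behaviour in connection logs.

Added example: not code from the article or from any Mirai source.
The log format, ports, thresholds and address ranges are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

TELNET_PORTS = {23}                      # assumed: the article only mentions telnet
SCAN_THRESHOLD = 5                       # assumed: distinct targets within WINDOW
WINDOW = timedelta(minutes=5)            # assumed detection window
INTERNAL = ip_network("192.0.2.0/24")    # constructed "our LAN" (RFC 5737 range)

# Constructed sample log (syslog-like key=value records, not real traffic).
# 198.51.100.7: external host probing six internal devices on port 23 (scanner)
# 192.0.2.50:   internal device probing five external hosts on port 23 (infected)
# 192.0.2.20:   normal client, one telnet session plus HTTPS (not flagged)
# 198.51.100.9: three telnet probes only, below threshold (not flagged)
SAMPLE_LOG = """\
2016-10-21T07:00:01 src=198.51.100.7 dst=192.0.2.10 dport=23 proto=tcp
2016-10-21T07:00:02 src=198.51.100.7 dst=192.0.2.11 dport=23 proto=tcp
2016-10-21T07:00:03 src=198.51.100.7 dst=192.0.2.12 dport=23 proto=tcp
2016-10-21T07:00:04 src=198.51.100.7 dst=192.0.2.13 dport=23 proto=tcp
2016-10-21T07:00:05 src=198.51.100.7 dst=192.0.2.14 dport=23 proto=tcp
2016-10-21T07:00:06 src=198.51.100.7 dst=192.0.2.15 dport=23 proto=tcp
2016-10-21T07:01:00 src=192.0.2.50 dst=203.0.113.1 dport=23 proto=tcp
2016-10-21T07:01:01 src=192.0.2.50 dst=203.0.113.2 dport=23 proto=tcp
2016-10-21T07:01:02 src=192.0.2.50 dst=203.0.113.3 dport=23 proto=tcp
2016-10-21T07:01:03 src=192.0.2.50 dst=203.0.113.4 dport=23 proto=tcp
2016-10-21T07:01:04 src=192.0.2.50 dst=203.0.113.5 dport=23 proto=tcp
2016-10-21T07:01:30 src=192.0.2.20 dst=203.0.113.9 dport=443 proto=tcp
2016-10-21T07:01:31 src=192.0.2.20 dst=203.0.113.9 dport=23 proto=tcp
2016-10-21T07:01:32 src=192.0.2.20 dst=203.0.113.10 dport=443 proto=tcp
2016-10-21T07:02:00 src=198.51.100.9 dst=192.0.2.30 dport=23 proto=tcp
2016-10-21T07:02:30 src=198.51.100.9 dst=192.0.2.31 dport=23 proto=tcp
2016-10-21T07:03:00 src=198.51.100.9 dst=192.0.2.32 dport=23 proto=tcp
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' record into a dict."""
    ts, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return {
        "ts": datetime.fromisoformat(ts),
        "src": ip_address(fields["src"]),
        "dst": ip_address(fields["dst"]),
        "dport": int(fields["dport"]),
    }


def find_telnet_scanners(log_text):
    """Return {source: sorted distinct telnet targets} for every source that
    reached SCAN_THRESHOLD distinct telnet targets inside one WINDOW."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["dport"] in TELNET_PORTS:
            by_src[rec["src"]].append((rec["ts"], rec["dst"]))

    scanners = {}
    for src, events in by_src.items():
        events.sort()                       # chronological order for the window scan
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it fits inside WINDOW
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= SCAN_THRESHOLD:
                # flagged: report every distinct target this source touched
                scanners[str(src)] = sorted(str(dst) for _, dst in events)
                break
    return scanners


def classify(scanners):
    """Split flagged sources into inbound (external) scanners and internal
    devices scanning outward, which are the likely infected bots."""
    inbound, infected = [], []
    for src in scanners:
        (infected if ip_address(src) in INTERNAL else inbound).append(src)
    return sorted(inbound), sorted(infected)


if __name__ == "__main__":
    found = find_telnet_scanners(SAMPLE_LOG)
    ext, own = classify(found)
    print("inbound scanners:", ext)
    print("internal devices scanning outward (check for infection):", own)
```

The internal list is the actionable one for an operator: a device on your own network fanning out over telnet is behaving like a bot and is the one to reboot, re-password and firewall off, while inbound scanners are simply the background noise the article describes.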
2. ‘Mirai’ Took Out Amazon, Spotify, Twitter and More Websites in a DDOS Attack
The morning of October 21 saw widespread internet outages caused by a massive DDOS attack, which overwhelmed the targeted web service with traffic. Krebs reported that cybersecurity firm Flashpoint traced the hack to Mirai. The journalist’s own website, krebsonsecurity.com, had earlier been taken down by a Mirai-powered DDOS attack. The cyberattack on Friday targeted Internet traffic company DYN, which provides services for websites like Amazon, Spotify and Twitter. Other botnets may have been behind the attack as well, reports Politico’s cybersecurity reporter Eric Geller.
In an interview with CNBC, DYN said that the attacks were “well planned and executed, coming from tens of millions IP addresses at same time.” The Department of Homeland Security and White House are also looking into the attack. NBC News reports that one official ruled out North Korea as a suspect.
3. ‘Mirai’s Author Has an Avi of Anime Character Anna Nishikinomiya and Mirai Means “Future” in Japanese
The person who created the botnet is nicknamed ‘Anna-Senpai’ and has an avi of the anime figure Anna Nishikinomiya. Anna appears in the Japanese novel series Shimoseka, which is set in a dystopian future filled with morality police.
As the student council president of a prominent ‘morality school’, Anna is the enforcer of public morality laws, according to MyAnimeList. The word ‘Mirai’ is Japanese for ‘future’. A manga series called ‘Future Diary’ also describes a dystopian society modeled after the battle royale (think Hunger Games), where each contestant has a diary with notes written from the future.
‘Mirai’ is also part of a family of malware that infects IoT devices through default usernames and passwords. The other malware that has been used to create an IoT device army is called “Bashlight”. While these two strains of malware compete with each other, research from Level 3 suggests that they target some of the same devices. Currently, “Bashlight” is creating an army of a million IoT devices.
“Both [are] going after the same IoT device exposure and, in a lot of cases, the same devices,” Dale Drew, Level 3’s chief security officer, told KrebsOnSecurity.
4. You Can Wipe Off the Malware From an IoT System But Recurrence is Likely
It’s possible to clean an IoT system infected by ‘Mirai’, but the botnet scans systems so often that there’s a high chance of recurrence. You can wipe the malicious code by rebooting the device, since the infection lives in memory, but experts warn that a device that still has its default credentials exposed can be re-infected in minutes.
This is bad news for cybersecurity as the IoT device market heats up and people buy into smart, automated systems. Gartner Inc. projects the number of connected devices to rise to 6.4 billion worldwide in 2016, with almost 5.5 million new devices being connected daily.
Telecommunications company Level 3 advised users to upgrade devices and set strong passwords, according to the Wall Street Journal. For a more sustainable solution to DDOS attacks, Krebs says ISPs will need to protect their networks from spoofing, where the attacker sends packets forged to look as if they come from the victim website, generating a huge amount of traffic directed back at it. He added that the lack of these safeguards could lead to online censorship.
5. Source Code for ‘Mirai’ Botnet was Released Publicly Which Opens the Door for Future Botnet Attacks
After weathering an attack from the ‘Mirai’ botnet, KrebsOnSecurity reported that the code that powers ‘Mirai’ had been made publicly available on HackForums. The hacking community now has access to information it can use to infect millions of smart devices. The source code for the scanner is also hosted on the code-sharing website Github and has been copied at least 1,000 times as of this posting.
The Mirai author’s post claims to provide all the source code needed to set up a working botnet in under one hour. Here is an excerpt from the Github forum post:
When I first go in DDoS industry, I wasn’t planning on staying in it long. I made my money, there’s lots of eyes looking at IOT now, so it’s time to GTFO. However, I know every skid and their mama, it’s their wet dream to have something besides qbot.
So today, I have an amazing release for you. With Mirai, I usually pull max 380k bots from telnet alone. However, after the Kreb DDoS, ISPs been slowly shutting down and cleaning up their act. Today, max pull is about 300k bots, and dropping.
In response to a Github user’s request to take down the code, Github user James-Gallagher said that keeping it available would help prepare security analysts for future attacks.
Indeed it may be a little peculiar putting the source code here on Github however every security researcher should be able to see this, to study and analyse it. As for people like me who control massive services on a large number of services, this has helped better understand the botnet and how I can protect my services from it. Hence why of course this should be available to everyone…There will be more powerful botnets coming soon, this is the beginning of a dark future.