In a recent cyber threat report, McAfee provided some good intelligence on how cybercriminals use Mirai attacks to infect poorly configured Internet of Things (IoT) devices and turn them into bots used for large-scale network attacks.
The report further delves into the Mirai botnet architecture, attack methods and ways organizations can defend against IoT attacks.
Intel estimates that there are 15 billion IoT devices in operation, a number expected to grow to 200 billion by 2020. Many of those devices are not secured very well. For instance, on October 21, 2016, the infamous Dyn attack made headlines when compromised IoT devices were turned into a large botnet to take down DNS service provider Dyn. The attack generated 1.2 Tbps of traffic, the largest ever on record.
Source code was later released the same month and led to “DDoS-as-a-service” offerings based on Mirai, a simpler way for cyber crooks to execute similar attacks.
McAfee outlines the attack process as follows:
- SYN scan for open telnet or SSH ports (establishes the state of the communication ports without having to fully connect).
- Mirai launches a brute-force attack using default usernames and passwords.
- The Mirai bot resolves the domain name of the control server (encrypted and hard-coded, resolved at runtime).
- Once the brute force succeeds, the malware sends the IoT device's IP address and credentials to the control server (or scan receiver).
- The data is saved in a database for later use and can be forwarded to load servers, which test whether the IoT device has the programs (such as wget or rftp) needed to download the Mirai bot and infect the device.
- Each infected device can then be used to search for and infect other vulnerable IoT devices.
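As an added illustration that is not part of the McAfee report, the Python below looks at the first two stages above from the defender's side: given constructed gateway firewall and device login logs, it flags sources that SYN-probe many telnet/SSH endpoints, that pile up failed logins, and that then log in successfully (the signature of default credentials working). The log format, field names and thresholds are assumptions for the example.

```python
from collections import defaultdict

# Ports the report says Mirai's SYN scanner probes: telnet and SSH.
MIRAI_PORTS = {22, 23}
SCAN_THRESHOLD = 5    # distinct telnet/SSH endpoints SYN'd by one source
BRUTE_THRESHOLD = 4   # failed logins from one source

# Constructed sample log (not real traffic). Two record types, assumed format:
#   conn src=<ip> dst=<ip> dport=<port> flags=<tcp flags>   (gateway firewall)
#   auth src=<ip> user=<name> result=fail|ok                (IoT device login)
SAMPLE_LOG = """\
conn src=198.51.100.7 dst=192.0.2.10 dport=23 flags=S
conn src=198.51.100.7 dst=192.0.2.11 dport=23 flags=S
conn src=198.51.100.7 dst=192.0.2.12 dport=22 flags=S
conn src=198.51.100.7 dst=192.0.2.13 dport=23 flags=S
conn src=198.51.100.7 dst=192.0.2.14 dport=23 flags=S
auth src=198.51.100.7 user=root result=fail
auth src=198.51.100.7 user=admin result=fail
auth src=198.51.100.7 user=admin result=fail
auth src=198.51.100.7 user=support result=fail
auth src=198.51.100.7 user=root result=ok
conn src=203.0.113.5 dst=192.0.2.10 dport=22 flags=S
auth src=203.0.113.5 user=admin result=fail
"""

def detect_mirai_stages(log_text):
    """Map src_ip -> findings: Mirai-style scanning, brute force, or login after failures."""
    scan_targets = defaultdict(set)    # src -> {(dst, dport)} probed with SYN
    failed_users = defaultdict(list)   # src -> usernames that failed to log in
    compromised = set()                # src that logged in after earlier failures
    for line in filter(None, log_text.splitlines()):
        kind, _, rest = line.partition(" ")
        f = dict(kv.split("=", 1) for kv in rest.split())   # "k=v" fields
        if kind == "conn" and "S" in f["flags"] and int(f["dport"]) in MIRAI_PORTS:
            scan_targets[f["src"]].add((f["dst"], f["dport"]))
        elif kind == "auth" and f["result"] == "fail":
            failed_users[f["src"]].append(f["user"])
        elif kind == "auth" and f["src"] in failed_users:
            compromised.add(f["src"])  # success after failures: default creds likely worked
    findings = defaultdict(list)
    for src, targets in scan_targets.items():
        if len(targets) >= SCAN_THRESHOLD:
            findings[src].append(f"scan: {len(targets)} telnet/ssh endpoints")
    for src, users in failed_users.items():
        if len(users) >= BRUTE_THRESHOLD:
            findings[src].append(f"brute-force: {len(users)} failures, users {sorted(set(users))}")
        if src in compromised:
            findings[src].append("login succeeded after failed attempts")
    return dict(findings)
```

Running `detect_mirai_stages(SAMPLE_LOG)` reports only 198.51.100.7; the single SSH connection and one failed login from 203.0.113.5 stay below both thresholds.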
Mirai is Linux based and capable of multiple types of DDoS attacks on layers 3, 4 and 7 of the OSI model.
In a nutshell, the three OSI layers are described as:
- Layer 3 (Network) – network addressing, routing or switching; protocols: IPsec, ARP, ICMP
- Layer 4 (Transport) – end-to-end error control; protocols: TCP, UDP
- Layer 7 (Application) – message format, human-machine interface; protocols: HTTP/HTTPS, FTP, SMTP
In the report, McAfee goes into more detail on the types of DDoS attacks Mirai is known for, as well as architecture and code analysis for those thirsty for more technical details.
Some additional related events where Mirai was used: a Deutsche Telekom outage was caused by an IoT device worm, and in another case TR-069, a protocol used by ISPs and telecoms to remotely manage consumer routers and modems via “provisional networks,” was exploited via a known vulnerability. The Mirai botnet would then spread further within the network segment to compromise devices.
Now that the source code is out there, the audience using the malware will most likely grow, along with the methods of proliferation, to include “as-a-service” offerings and how-to videos that teach script kiddies, to name a few.
Be wary of future, more advanced IoT bots that could include the ability to exploit vulnerabilities in operating systems (and industries that depend on IoT devices), as well as more advanced ways to bypass detection mechanisms (such as encrypted protocols and peer-to-peer networks).
McAfee further provides at least 10 good tips and guidelines to secure IoT devices, such as:
- Research IoT devices for a good security track record
- Keep IoT devices up to date and patched
- Use whitelisting where patching may not be practical
- Segment IoT devices from other parts of the network via firewalls and IDS
- Disable unnecessary ports and services
- Change default passwords to strong passwords
- Connect IoT devices using secure Wi-Fi with WPA2
- Restrict physical access to IoT devices
- Disable UPnP (so they can’t be discovered via the internet)
- Power cycle periodically (malware can reside in memory)
Read the full report, “McAfee Labs Threats Report: April 2017,” which also covers more details on Mirai as well as background and drivers on threat intelligence sharing.