The dreaded Mirai Trojan that is responsible for massive recent DDoS attacks, has struck again: This time at the heart of the US’ Internet. The scary malware, whose code was released to the Internet around a month ago, is causing a sudden surge in attacks. On Friday, an assault on the Domain Name System (DNS) provider Dyn caused a number of high-profile websites to be shut down. The blackout was caused by a DDoS attack that came from millions of different IP addresses.
In September, the French web host OVH was hit by Mirai in a record-breaking DDoS attack reported at up to 1.5 Tbps. At that time, security researchers at Akamai revealed that the malware was using IoT devices located all over the world to launch the attacks. Mirai does not exploit a software vulnerability to get in: it scans the Internet for devices that expose Telnet (TCP ports 23 and 2323), logs in with a short built-in list of factory-default usernames and passwords, and enrols every poorly configured device it takes over into a massive botnet.
Mirai on the loose
With the code for Mirai freely available online for any cyber criminal that wants it, security researchers warned that the sudden surge in attacks may ramp up further. Now, those concerns have been validated by the assault on Dyn, which some cybersecurity experts are saying nearly brought down the US’ Internet.
The attack on Dyn, a major managed DNS provider whose authoritative name servers answer queries for many big-name domains, temporarily made large chunks of the US’ Internet unreachable. The sites themselves stayed up, but with Dyn’s name servers unable to answer, browsers could not translate names such as twitter.com into IP addresses, so for users the result was the same as an outage: blackouts for major websites and web services such as Twitter, Pinterest, GitHub, PayPal, Spotify, Amazon, Reddit, and Netflix.
Cybersecurity firm Flashpoint has confirmed that much of the attack was coming from the Mirai Botnet of Internet-connected devices. That means that conceivably your connected thermostat or CCTV system – or any other IoT device – could have been part of the attack on Dyn that caused the massive Internet blackouts.
The problem is twofold. Firstly, many people who buy IoT devices never change the factory settings and leave them reachable with credentials such as ‘admin’/‘admin’. Mirai’s scanner tries exactly those combinations over Telnet, logs in, and turns the device into a bot. Secondly, once enrolled, the bot takes orders from a command-and-control server and can generate attack traffic in several flavours (TCP SYN and ACK floods, UDP and DNS query floods, HTTP request floods) against whatever target the operator names, which is how a fleet of cameras and DVRs becomes a DDoS weapon.
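As an added example (not code from the article, and not Mirai’s own code), here is a small Python detector for the scanning half of that first step. The released Mirai scanner has a well-known fingerprint: its probe SYNs go to TCP port 23 or 2323 and carry a TCP sequence number equal to the destination IPv4 address. The script parses raw IPv4/TCP headers, classifies each SYN, and reports sources that match repeatedly. The addresses, packets and threshold are constructed for the example. Variants that rewrite the scanner lose the fingerprint, so treat a hit as strong evidence and a miss as no evidence either way.

```python
"""Added example: flag SYN probes that carry the released Mirai scanner's fingerprint.

Fingerprint (from the public Mirai scanner source): a TCP SYN to port 23 or 2323 whose
TCP sequence number equals the destination IPv4 address. Everything below the
functions (addresses, packets, threshold) is constructed sample input.
"""
import struct
import ipaddress

TELNET_PORTS = {23, 2323}   # the released scanner targets 23 (90%) and 2323 (10%)
SYN, ACK = 0x002, 0x010     # TCP flag bits


def ip_to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def build_packet(src_ip: str, dst_ip: str, dst_port: int, seq: int, flags: int = SYN) -> bytes:
    """Build a minimal IPv4+TCP packet (no options, checksums zeroed) as offline sample input."""
    ip_hdr = struct.pack("!BBHHHBBHII",
                         0x45, 0, 40,            # v4 / IHL 5, DSCP, total length 40
                         0, 0,                   # identification, flags + fragment offset
                         64, 6, 0,               # TTL, protocol TCP, checksum (not computed)
                         ip_to_int(src_ip), ip_to_int(dst_ip))
    tcp_hdr = struct.pack("!HHIIHHHH",
                          40000, dst_port, seq, 0,  # sport, dport, seq, ack
                          (5 << 12) | flags,        # data offset 5 words + flag bits
                          65535, 0, 0)              # window, checksum, urgent pointer
    return ip_hdr + tcp_hdr


def parse_syn(packet: bytes):
    """Return the fields we need if packet is an IPv4 TCP SYN (SYN set, ACK clear), else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6 or len(packet) < ihl + 20:     # protocol byte must be TCP
        return None
    src_ip, dst_ip = struct.unpack("!II", packet[12:20])
    _sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", packet[ihl:ihl + 14])
    flags = off_flags & 0x01FF                        # low 9 bits hold the flags
    if not (flags & SYN) or (flags & ACK):
        return None
    return {"src": str(ipaddress.IPv4Address(src_ip)), "dst_int": dst_ip,
            "dport": dport, "seq": seq}


def classify_packet(packet: bytes) -> str:
    """'mirai-scan' when both halves of the fingerprint match; 'telnet-syn' for other
    Telnet SYNs (worth a look, not proof); 'other-syn'; or 'ignore' for non-SYNs."""
    syn = parse_syn(packet)
    if syn is None:
        return "ignore"
    if syn["dport"] in TELNET_PORTS:
        return "mirai-scan" if syn["seq"] == syn["dst_int"] else "telnet-syn"
    return "other-syn"


def suspected_scanners(packets, threshold: int = 2) -> dict:
    """Count fingerprinted SYNs per source address; return sources at or above threshold."""
    counts = {}
    for pkt in packets:
        if classify_packet(pkt) == "mirai-scan":
            src = parse_syn(pkt)["src"]
            counts[src] = counts.get(src, 0) + 1
    return {src: n for src, n in counts.items() if n >= threshold}


# Constructed sample capture: 192.0.2.10 behaves like an infected device sweeping
# three targets; the other sources are ordinary traffic.
SAMPLE_PACKETS = [
    build_packet("192.0.2.10", "203.0.113.7", 23, ip_to_int("203.0.113.7")),
    build_packet("192.0.2.10", "203.0.113.8", 2323, ip_to_int("203.0.113.8")),
    build_packet("192.0.2.10", "203.0.113.9", 23, ip_to_int("203.0.113.9")),
    build_packet("198.51.100.5", "203.0.113.7", 23, 0x1A2B3C4D),                  # admin logging in
    build_packet("198.51.100.6", "203.0.113.7", 80, ip_to_int("203.0.113.7")),    # coincidence, not Telnet
    build_packet("198.51.100.6", "203.0.113.7", 23, 7, flags=ACK),                # mid-session ACK
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(classify_packet(pkt))
    print("suspected scanners:", suspected_scanners(SAMPLE_PACKETS))
```

On a real network you would feed it the IPv4 payloads of a pcap (or a SYN-only capture filter) rather than hand-built packets, and the per-source threshold is what keeps a single coincidental sequence number from paging anyone.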
Cybersecurity experts have noted that Friday’s attack on Dyn was extremely well coordinated, which suggests that rather sophisticated operators were behind it.
Since the code was dumped on the Internet, information security analysts have noticed a sudden surge in the use of Mirai. With a couple of exceptions, however, those attacks were quite small and looked like ‘script kiddies’ trying out their new toy.
Friday’s attack was entirely different, leading cybersecurity firms to question its origin. John McAfee, the somewhat eccentric cybersecurity figure who founded the anti-virus company McAfee, has come forward with his belief that the attack originated in North Korea.
The East-Asian regime, which is believed to have attacked Sony back in December of 2014, is apparently to blame – according to rumors on the dark web. McAfee says he agrees and believes that the North Korean elite hacking group Bureau 121 is behind the attack. Bureau 121 is a group of around 2,000 state-sponsored hackers who work for Kim Jong-un’s regime.
At the moment, there is little evidence that North Korea was actually behind the attack. Also, according to McAfee – even if it was Bureau 121 – the attack would likely look like it came from Russia, China, or some group within the U.S. Such is the incredible ability of the NK hacking collective.
A different point of view
So why does he think it was North Korea? McAfee is well connected to sources on the Deep Web that apparently see things differently to most people. According to those sources, the DNC hack (which the US is blaming on the Russians) was carried out by hackers in Iran. It is those same sources that believe North Korea attacked Dyn.
For now, the jury will have to stay out on that one. McAfee, however, is convinced and believes he knows even more of the puzzle,
‘Bureau 121 left trails to an American company that offers services to counter DDoS attacks.
Backconnect is the name of the company that Bureau 121 is trying to implicate. Backconnect has a history of spoofing IP addresses, so they make a perfect fall guy.’
In further news related to Friday’s attack, the Chinese manufacturer Hangzhou Xiongmai Technology has recalled some of its webcam products. According to several analysts, Xiongmai has been selling webcam products with very simple default usernames and passwords, and in some products those credentials cannot be changed by the end user and the firmware cannot be updated.
That means Mirai may well be running on many of those webcams, and owners of the un-patchable models can do little beyond taking the camera offline or, at minimum, blocking inbound Telnet (TCP 23 and 2323) to it at the router so the scanner never reaches it. The Chinese firm has said that in most cases the end user is to blame for not changing security settings. The recall of some of its products, however, lends credence to the reports that some of them cannot be secured properly.
‘Security issues are a problem facing all mankind. Since industry giants have experienced them, Xiongmai is not afraid to experience them once, too,’ said the firm.
Finally, Vince Warrington, the director of UK cyber security firm Protective Intelligence has also come forward with comments about the IoT botnet,
‘We used to joke about our toasters taking down our banks. Right now, it’s the hackers who are laughing.’