A massive botnet of hacked Internet of Things devices has been implicated in the cyberattack that caused a significant internet outage on Friday.
The botnet, which is powered by the malware known as Mirai, is in part responsible for the attack that intermittently knocked some popular websites offline, according to Level 3 Communications, one of the world’s largest internet backbone providers, and security firm Flashpoint.
On Friday morning, someone targeted Dyn, a company that offers core internet services for popular websites such as Twitter, Spotify, Github, and many others. The attack mainly targeted Dyn’s Domain Name System (DNS) management services infrastructure on the East Coast of the United States, according to the company.
60 Comments
Tomi Engdahl says:
Brian Krebs / Krebs on Security:
Researchers: Friday’s internet outage, caused by DDoS attack on DynDNS, was powered in part by a Mirai-based botnet of DVRs and cameras with XiongMai components — A massive and sustained Internet attack that has caused outages and network congestion today for a large number of Web sites
Hacked Cameras, DVRs Powered Today’s Massive Internet Outage
http://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/
A massive and sustained Internet attack that has caused outages and network congestion today for a large number of Web sites was launched with the help of hacked “Internet of Things” (IoT) devices, such as CCTV video cameras and digital video recorders, new data suggests.
Earlier today cyber criminals began training their attack cannons on Dyn, an Internet infrastructure company
Mirai scours the Web for IoT devices protected by little more than factory-default usernames and passwords, and then enlists the devices in attacks that hurl junk traffic at an online target until it can no longer accommodate legitimate visitors or users.
According to researchers at security firm Flashpoint, today’s attack was launched at least in part by a Mirai-based botnet. Allison Nixon, director of research at Flashpoint, said the botnet used in today’s ongoing attack is built on the backs of hacked IoT devices — mainly compromised digital video recorders (DVRs) and IP cameras made by a Chinese hi-tech company called XiongMai Technologies. The components that XiongMai makes are sold downstream to vendors who then use it in their own products.
“It’s remarkable that virtually an entire company’s product line has just been turned into a botnet that is now attacking the United States,” Nixon said, noting that Flashpoint hasn’t ruled out the possibility of multiple botnets being involved in the attack on Dyn.
“At least one Mirai [control server] issued an attack command to hit Dyn,”
As I noted earlier this month in Europe to Push New Security Rules Amid IoT Mess, many of these products from XiongMai and other makers of inexpensive, mass-produced IoT devices are essentially unfixable, and will remain a danger to others unless and until they are completely unplugged from the Internet.
“The issue with these particular devices is that a user cannot feasibly change this password,”
The wholesalers and retailers of these devices might then be encouraged to shift their focus toward buying and promoting connected devices which have this industry security association seal of approval. Consumers also would need to be educated to look for that seal of approval. Something like Underwriters Laboratories (UL), but for the Internet, perhaps.
Until then, these insecure IoT devices are going to stick around like a bad rash — unless and until there is a major, global effort to recall and remove vulnerable systems from the Internet. In my humble opinion, this global cleanup effort should be funded mainly by the companies that are dumping these cheap, poorly-secured hardware devices onto the market in an apparent bid to own the market. Well, they should be made to own the cleanup efforts as well.
Tomi Engdahl says:
Michael Kan / Computerworld:
Xiongmai admits its products were part of Mirai botnet, says it patched the flaws in September 2015 but older devices still vulnerable — Botnets created from the Mirai malware were involved in the cyberattack — A Chinese electronics component manufacturer says its products inadvertently played …
Chinese firm admits its hacked products were behind Friday’s DDOS attack
Botnets created from the Mirai malware were involved in the cyberattack
http://www.computerworld.com/article/3134097/security/chinese-firm-admits-its-hacked-products-were-behind-fridays-ddos-attack.html?nsdr=true
A Chinese electronics component manufacturer says its products inadvertently played a role in a massive cyberattack that disrupted major internet sites in the U.S. on Friday.
Hangzhou Xiongmai Technology, a vendor behind DVRs and internet-connected cameras, said on Sunday that security vulnerabilities involving weak default passwords in its products were partly to blame.
According to security researchers, malware known as Mirai has been taking advantage of these vulnerabilities by infecting the devices and using them to launch huge distributed denial-of service attacks, including Friday’s outage.
“Mirai is a huge disaster for the Internet of Things,” Xiongmai said in an email to IDG News Service. “(We) have to admit that our products also suffered from hacker’s break-in and illegal use.”
Mirai works by enslaving IoT devices to form a massive connected network. The devices are then used to deluge websites with requests, overloading the sites and effectively taking them offline.
Because these devices have weak default passwords and are easy to infect, Mirai has been found spreading to at least 500,000 devices, according to internet backbone provider Level 3 Communications.
Tomi Engdahl says:
Funny comment from http://www.computerworld.com/article/3134097/security/chinese-firm-admits-its-hacked-products-were-behind-fridays-ddos-attack.html?nsdr=true by Jerry:
I can just see some review board at DHS
‘Wait, you mean to tell me a TOASTER RUNNING JAVA DID THIS ? ‘
‘No sir, it wasn’t JUST the toasters this time, it was the Refrigerators AND the Washing Machines.’
‘Those Maytag’s – they can really network together’.
Ugh if this was oversight by China.
Ugh if not.
Tomi Engdahl says:
Who Should We Blame For Friday’s DDOS Attack?
https://it.slashdot.org/story/16/10/23/2135246/who-should-we-blame-for-fridays-ddos-attack
“Wondering which IoT device types are part of the Mirai botnet causing trouble today? Brian Krebs has the list, tweeted Trend Micro’s Eric Skinner Friday, sharing an early October link which identifies Panasonic, Samsung and Xerox printers, and lesser known makers of routers and cameras.
Part of the responsibility should also lie with lawmakers and regulators, who have failed to create a safety system to account for the Internet-of-Things era we are now living in.
If you’re worried, Motherboard is pointing people to an online scanning tool from BullGuard (a U.K. anti-virus firm) which checks whether devices on your home network are listed in the Shodan search engine for unsecured IoT devices.
Tomi Engdahl says:
Slashdot Asks: How Can We Prevent Packet-Flooding DDOS Attacks?
https://ask.slashdot.org/story/16/10/24/0418205/slashdot-asks-how-can-we-prevent-packet-flooding-ddos-attacks
Just last month Brian Krebs wrote “What appears to be missing is any sense of urgency to address the DDoS threat on a coordinated, global scale,” warning that countless ISPs still weren’t implementing the BCP38 security standard, which was released “more than a dozen years ago” to filter spoofed traffic. That’s one possible solution, but Slashdot reader dgallard suggests the PEIP and Fair Service proposals by Don Cohen:
PEIP (Path Enhanced IP) extends the IP protocol to enable determining the router path of packets sent to a target host. Currently, there is no information to indicate which routers a packet traversed on its way to a destination (DDOS target), enabling use of forged source IP addresses to attack the target via packet flooding…
“We need laws that allow civil and/or criminal penalties for companies that sell systems this insecure.” I
Is the best solution technical or legislative — and does it involve hardware or software?
Comments:
Why not both?
Why is it so hard to grasp the concept that both a problem and a solution can be more than ONE THING?
Technical measures that prevent address spoofing are quickly becoming obsolete anyway; AFAICT, the recent attacks on Krebbs and Dyn, the two biggest DDoS attacks ever, didn’t use spoofed source addresses. A spoofed address is only useful in an amplification attack, where you send a small request which provokes a much larger response; then if you don’t spoof the source address, you get a huge firehose of responses coming at you and it’s you that gets DDoSed, not the target.
In this case, the attackers didn’t bother spoofing source addresses, because they didn’t use an amplification attack; they just used a huge botnet all making ostensibly-valid requests and each device dealing with the response individually. It looks like the only way we have of preventing this sort of attack is to make the devices secure – easier said than done.
As most of this traffic was “genuine”, i.e. not spoofed, not faked, not bouncebacks, not violation of the protocol, etc. it’s hard to do much about it. Even if you were running protocols where each packet had to be part of an authenticated stream, you would still have the same problem.
The only technical solution I can think of is a protocol with which you can communicate with an upstream host and have them implement a filter of your choice to the traffic they send you before it comes down your line.
Quite literally “please block anything from these IP’s or traffic that matches this pattern”.
But I cannot imagine such a thing ever be implemented as it pushes the burden further and further upstream and the top-layer will be overwhelmed with traffic and their filters running hot all day long, especially if they have millions of customers all specifying complex rules.
Tomi Engdahl says:
That massive internet outage, explained
https://www.cnet.com/how-to/what-is-a-ddos-attack/
What even happened on Friday? Your favorite websites were down, and it was all because one company got attacked. Here’s how it happened, and why it’s likely to happen again.
Why Friday’s Massive Internet Outage Was So Scary
Hackers have turned our cheap electronic devices against us. And at this rate, it’s only going to get worse.
https://newrepublic.com/article/138084/fridays-massive-internet-outage-scary
Tomi Engdahl says:
http://www.outageanalyzer.com/
Tomi Engdahl says:
Webcams involved in Dyn DDoS attack recalled | TechCrunch
http://www.epanorama.net/newepa/2016/10/24/webcams-involved-in-dyn-ddos-attack-recalled-techcrunch/
https://techcrunch.com/2016/10/24/webcams-involved-in-dyn-ddos-attack-recalled/?sr_share=facebook
Tomi Engdahl says:
Mirai Botnets Used for DDoS Attacks on Dyn
http://www.securityweek.com/mirai-botnets-used-ddos-attacks-dyn
Experts determined that the distributed denial-of-service (DDoS) attacks launched last week against Dyn’s DNS infrastructure were powered by Internet of Things (IoT) devices infected with the malware known as Mirai.
The first attack started on Friday at 7 am ET and it took the DNS provider roughly two hours to mitigate it. During this time, users directed to the company’s DNS servers on the east coast of the U.S. were unable to access several major websites, including Twitter, Reddit, GitHub, Etsy, Netflix, PagerDuty, Airbnb, Spotify, Intercom and Heroku.
A few hours later, a second, more global attack led to some users having difficulties in accessing the websites of Dyn customers. This second attack was mitigated within an hour. A third attack attempt was also detected, but it was mitigated before impacting users.
Dyn Chief Strategy Officer Kyle York pointed out in a blog post that the company “did not experience a system-wide outage at any time.”
Akamai and Flashpoint have confirmed that the attacks leveraged Mirai botnets and Dyn said it had observed tens of millions of IPs involved in the incident.
Dyn Statement on 10/21/2016 DDoS Attack
http://dyn.com/blog/dyn-statement-on-10212016-ddos-attack/
It’s likely that at this point you’ve seen some of the many news accounts of the Distributed Denial of Service (DDoS) attack Dyn sustained against our Managed DNS infrastructure this past Friday, October 21. We’d like to take this opportunity to share additional details and context regarding the attack. At the time of this writing, we are carefully monitoring for any additional attacks. Please note that our investigation regarding root cause continues and will be the topic of future updates. It is worth noting that we are unlikely to share all details of the attack and our mitigation efforts to preserve future defenses.
I also don’t want to get too far into this post without:
1. Acknowledging the tremendous efforts of Dyn’s operations and support teams in doing battle with what’s likely to be seen as an historic attack.
2. Acknowledging the tremendous support of Dyn’s customers, many of whom reached out to support our mitigation efforts even as they were impacted. Service to our customers is always our number one priority, and we appreciate their understanding as that commitment means Dyn is often the first responder of the internet.
3. Thanking our partners in the technology community, from the operations teams of the world’s top internet companies, to law enforcement and the standards community, to our competition and vendors, we’re humbled and grateful for the outpouring of support.
Starting at approximately 7:00 am ET, Dyn began experiencing a DDoS attack. While it’s not uncommon for Dyn’s Network Operations Center (NOC) team to mitigate DDoS attacks, it quickly became clear that this attack was different (more on that later). Approximately two hours later, the NOC team was able to mitigate the attack and restore service to customers. Unfortunately, during that time, internet users directed to Dyn servers on the East Coast of the US were unable to reach some of our customers’ sites, including some of the marquee brands of the internet
After restoring service, Dyn experienced a second wave of attacks just before noon ET. This second wave was more global in nature (i.e. not limited to our East Coast POPs), but was mitigated in just over an hour; service was restored at approximately 1:00 pm ET.
News reports of a third attack wave were verified by Dyn based on our information. While there was a third attack attempted, we were able to successfully mitigate it without customer impact.
Tomi Engdahl says:
Twitter, Others Disrupted by DDoS Attack on Dyn DNS Service
http://www.securityweek.com/twitter-others-disrupted-ddos-attack-dyn-dns-service
Twitter, GitHub and several other major websites are inaccessible for many users due to a distributed denial-of-service (DDoS) attack on the Managed DNS infrastructure of cloud-based Internet performance management company Dyn.
The list of affected websites includes Twitter, Etsy, GitHub, Soundcloud, PagerDuty, Spotify, Shopify, Airbnb, Intercom and Heroku.
GitHub has informed users that its upstream DNS provider is affected by a “global event.”
According to Dyn, the DDoS attack aimed at its DNS service started at roughly 11:10 UTC. The company is working on mitigating the attack, which appears to mainly impact customers in the east of the United States. People in Europe and Asia have reported that they can access the affected sites.
Tomi Engdahl says:
Hacker group claims responsibility for cyberattacks
http://www.silive.com/news/index.ssf/2016/10/hacker_group_claims_responsibi.html
Withering cyberattacks on server farms of a key internet firm repeatedly disrupted access to major websites — including SILive.com — and online services including Twitter, Netflix and PayPal across the United States on Friday.
The White House called the disruption malicious and a hacker group claimed responsibility, though its assertion couldn’t be verified.
Manchester, New Hampshire-based Dyn Inc. said its data centers were hit by three waves of distributed denial-of-service attacks, which overwhelm targeted machines with junk data traffic.
“What they are actually doing is moving around the world with each attack.”
The data flood came from tens of millions of different Internet-connected machines — including increasingly popular but highly insecure household devices such as web-connected cameras.
Dyn provides services to some 6 percent of America’s Fortune 500 companies
Members of a shadowy collective that calls itself New World Hackers claimed responsibility for the attack via Twitter. They said they organized networks of connected “zombie” computers called botnets that threw a staggering 1.2 terabits per second of data at the Dyn-managed servers.
“We didn’t do this to attract federal agents, only test power,”
The collective, @NewWorldHacking on Twitter, has in the past claimed responsibility for similar attacks against sites including ESPN.com in September and the BBC on Dec. 31. The attack on the BBC marshaled half the computing power of Friday’s onslaught.
The collective has also claimed responsibility for cyberattacks against Islamic State.
the incident was an example of how attacks on key junctures in the network can yield massive disruption.
Tomi Engdahl says:
Twitter Account Shows Mirai Botnets Using Your Security Camera In Cyber Turf War
http://motherboard.vice.com/read/twitter-account-shows-mirai-botnets-using-your-smart-fridge-in-cyber-turf-war
In the wake of a major cyber attack that blocked access to popular websites along the East Coast on Friday, security researchers have created a Twitter account that posts live updates of ongoing distributed denial-of-service (DDoS) attacks being launched by massive armies of smart devices compromised by malware known as Mirai.
The account, called Mirai Attacks, includes updates showing the IP addresses being targeted by the zombie botnets bearing the malware’s digital signature, which currently include over half a million infected Internet of Things devices like security cameras and smart TVs.
https://twitter.com/MiraiAttacks
Tomi Engdahl says:
Webcams used to attack Reddit and Twitter recalled
http://www.bbc.com/news/technology-37750798
Home webcams that were hijacked to help knock popular websites offline last week are being recalled in the US.
Chinese electronics firm Hangzhou Xiongmai issued the recall soon after its cameras were identified as aiding the massive web attacks.
They made access to popular websites, such as Reddit, Twitter, Spotify and many other sites, intermittent.
Security experts said easy-to-guess default passwords, used on Xiongmai webcams, aided the hijacking.
The web attack enrolled thousands of devices that make up the internet of things – smart devices used to oversee homes and which can be controlled remotely.
In a statement, Hangzhou Xiongmai said hackers were able to take over the cameras because users had not changed the devices’ default passwords.
Xiongmai rejected suggestions that its webcams made up the bulk of the devices used in the attacks.
“Security issues are a problem facing all mankind,” it said. “Since industry giants have experienced them, Xiongmai is not afraid to experience them once, too.”
It has also pledged to improve the way it uses passwords on its products and will send customers a software patch to harden devices against attack.
Could this happen again?
Yes, and it probably will. The smart devices making up the IoT are proving very popular with the malicious hackers who make their living by selling attack services or extorting cash by threatening firms with devastating attacks.
Before the rise of the IoT it was tricky to set up a network of hijacked machines as most would be PCs that, generally, are more secure. Running such a network is hard and often machines had to be rented for a few hours just to carry out attacks. Now anyone can scan the net for vulnerable cameras, DVRs and other gadgets, take them over and start bombarding targets whenever they want.
Why should I care if my webcam is hijacked?
For the same reason you would care if your car was stolen and used by bank robbers as a getaway vehicle.
And because if your webcam, printer or DVR is hijacked you have, in effect, allowed a stranger to enter your home. Hackers are likely to start using these gadgets to spy on you and scoop up valuable data. It’s worth taking steps to shut out the intruders.
Can the IoT-based attacks be stopped?
Not easily. Many of the devices being targeted are hard to update and the passwords on some, according to one report, are hard-coded which means they cannot be changed.
There is also the difficulty of identifying whether you are using a vulnerable product. A lot of IoT devices are built from components sourced from lots of different places. Finding out what software is running on them can be frustrating.
Also, even if recalls and updates are massively successful there will still be plenty of unpatched devices available for malicious hackers to use. Some manufacturers of cheaper devices have refused to issue updates meaning there is a ready population of vulnerable gadgets available.
Why are these devices so poorly protected?
Because security costs money and electronics firms want to make their IoT device as cheap as possible. Paying developers to write secure code might mean a gadget is late to market and is more expensive. Plus enforcing good security on these devices can make them harder to use – again that might hit sales.
Who was behind the massive web attacks?
Right now, we don’t know. Some hacker groups have claimed responsibility but none of their claims are credible.
Tomi Engdahl says:
Chinese Company Recalls Millions of IoT Devices After DYN Attack
https://www.tripwire.com/state-of-security/latest-security-news/chinese-company-recalls-millions-iot-devices-dyn-attack/
A Chinese technology company has recalled millions of Internet of Things (IoT) devices following a digital attack against the Internet performance management company DYN.
As quoted by KrebsonSecurity.com, Dyn had this to say:
Flashpoint told Brian Krebs that a specific set of credentials scanned for by Mirai bots – username: root and password: xc3511 – is hardcoded into the device firmware of a number of IoT devices produced by a a Chinese company called XiongMai Technologies, meaning someone can’t change an affected device’s username or password via a web admin panel.
Perhaps in recognition of that fact, XiongMai Technologies issued a recall of millions of its network cameras and other devices on 24 October.
In a statement, the Chinese company says three conditions must all be met for hackers to obtain access to the products:
The devices must predate April 2015 when XiongMai Technologies instituted a new firmware upgrade program.
The default login credentials must still be activated on those products.
A public network must directly expose itself to the devices without the use of a firewall.
XiongMai Technologies says hackers can’t abuse its products absent any one of those criteria.
IoT Device Maker Vows Product Recall, Legal Action Against Western Accusers
https://krebsonsecurity.com/2016/10/iot-device-maker-vows-product-recall-legal-action-against-western-accusers/
A Chinese electronics firm pegged by experts as responsible for making many of the components leveraged in last week’s massive attack that disrupted Twitter and dozens of popular Web sites has vowed to recall some of its vulnerable products, even as it threatened legal action against this publication and others for allegedly tarnishing the company’s brand.
Last week’s attack on online infrastructure provider Dyn was launched at least in part by Mirai, a now open-source malware strain that scans the Internet for routers, cameras, digital video recorders and other Internet of Things “IoT” devices protected only by the factory-default passwords. Once infected with Mirai, the IoT systems can be used to flood a target with so much junk Web traffic that the target site can no longer accommodate legitimate users or visitors.
In an interim report on the attack, Dyn said: “We can confirm, with the help of analysis from Flashpoint and Akamai, that one source of the traffic for the attacks were devices infected by the Mirai botnet. We observed 10s of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack.”
default passwords sought by machines infected with Mirai — username: root and password: xc3511 — is embedded in a broad array of white-labeled DVR and IP camera electronics boards made by a Chinese company called XiongMai Technologies. These components are sold downstream to vendors who then use them in their own products.
The scary part about IoT products that include XiongMai’s various electronics components, Flashpoint found, was that while users could change the default credentials in the devices’ Web-based administration panel, the password is hardcoded into the device firmware and the tools needed to disable it aren’t present.
In a statement issued on social media Monday, XiongMai (referring to itself as “XM”) said it would be issuing a recall on millions of devices — mainly network cameras.
Brian Karas, a business analyst with IPVM — a subscription-based news, testing and training site for the video surveillance industry which first reported the news of potential litigation by XM — said that over the past five years China’s market share in the video surveillance industry has surged, due to the efforts of companies like XiongMai and Dahua to expand globally, and from the growth of government-controlled security company Hikvision.
Tomi Engdahl says:
Device Makers Face Legal Trouble Over Internet of Things Attack
http://fortune.com/2016/10/25/dyn-lawsuits/
The legal test looks at consumer harms.
Who should be held responsible for last week’s security breach that took out parts of the Internet?
That question is becoming more pressing as regulators and the public begin to grasp the implication of the first major “Internet of things” attack, in which hackers hijacked millions of everyday devices such as security cameras and printers, and cut off access to major websites like Amazon and Twitter for hours at a time.
Increasingly, the security community is focusing on the role of the device makers, whose products contained a major security flaw. Namely, the companies did not require consumers to change a default password, which is what made it so easy for hackers to conscript so many Internet-connected devices into the botnet army that carried out last week’s attack.
Some of the companies, which include little-known Chinese manufacturers but also familiar names like Panasonic and Xerox, have begun a recall of the devices. But for now, many of their products remain out in the wild with their software “unpatched.” That means they remain compromised. Worse, hackers have released the source code to control the botnet army, meaning future attacks using devices of this nature are all but certain.
This raises the question of whether the device makers should be held legally responsible. Even though they had no role in directing last week’s attack on the Internet, such an attack was not hard to foresee—especially since there have been reports of compromised cameras, and other Internet-enabled devices, for years.
According to Michael Zweiback, an attorney with Alston & Bird and a former cyber-crime prosecutor, legal action is most likely to come in the form of lawsuits, and investigations by the Federal Trade Commission and state attorneys general.
A harder question is whether U.S. consumers who purchased the compromised devices, which also include network routers and baby monitors, can bring lawsuits of their own.
While class action lawyers may be watching the situation closely, a legal victory would be no sure thing. Even though the companies appear to have been negligent by failing to introduce tougher password protection, consumers would still have to show they were harmed. And right now the test for showing harm is unclear.
The situation is different for Dyn, the Internet service company that was the direct target of last week’s attack by the millions of compromised devices, since the firm had to directly absorb the cost of the attack.
Tomi Engdahl says:
Chinese tech giant recalls webcams used in Dyn cyberattack
http://www.zdnet.com/article/chinese-tech-giant-recalls-webcams-used-in-dyn-cyberattack/
A number of the company’s US-sold products were used in the attack, which prevented millions of users from accessing dozens of high-profile websites.
A Chinese manufacturer of internet-connected surveillance cameras has recalled a number of its products said to have been used in Friday’s cyberattack.
The three-wave attack against Dyn, a managed domain name system provider, lasted almost all day, leaving millions on the US east coast unable to access dozens of high-profile websites.
In a statement, Xiongmai said hackers were able to hijack hundreds of thousands of its devices into a botnet because users had not changed the devices’ default passwords.
The botnet then flooded Dyn’s servers with traffic, which led to its systems overloading and failing. Websites that relied on Dyn’s managed domain name system, including Reddit, Spotify, and Twitter, appeared offline.
But the company rejected claims that its devices made up the bulk of the attack.
“Security issues are a problem facing all mankind,” the statement said. “Since industry giants have experienced them, Xiongmai is not afraid to experience them once, too.”
The company confirmed that it will recall some of its older products sold in the US made before April 2015 in an effort to improve its password functionality.
Tomi Engdahl says:
Chinese Company Recalls Cameras, DVRs Used In Last Week’s Massive DDoS Attack
https://www.techdirt.com/articles/20161024/08552535872/chinese-company-recalls-cameras-dvrs-used-last-weeks-massive-ddos-attack.shtml
For some time now, security researchers have been warning that our lackadaisical approach to Internet of Things security would soon be coming home to roost. Initially it was kind of funny to read how “smart” fridges, tea kettles and Barbie dolls did an arguably worse job than their dumb counterparts with a greater risk to privacy and security. But as we collectively realized that these devices not only created millions of new home and business attack vectors, but could also be used to wage historically-unprecedented DDoS attacks, things quickly became less amusing.
Last week, the theoretical became very real with the massive attack on DNS provider DYN, which knocked a swath of companies and services off the internet for a large portion of Friday.
Mirai botnet malware recently released to make compromising and harnessing such devices easier than ever. But the group also notes that targeted devices included everything from cameras to… your cable DVR
Brian Krebs notes that the lion’s share of these devices were manufactured by a Chinese company named XiongMai Technologies, which almost instantly found a huge swath of its product line contributing to the attack
For what it’s worth, XiongMai was quick to issue a statement announcing that it would be recalling some of its products (mostly webcams), while strengthening password functions (Mirai often depends on default usernames and passwords) and sending users a patch for products made before April of last year.
And while that’s all well and good, that’s just one company. There are dozens upon dozens of companies and “IoT evangelists” that refuse to acknowledge that they put hype and personal profit ahead of security, by proxy putting the entire internet at risk. Not only do most of these devices lack even the most fundamental security, they usually provide no functionality to help users determine if they’re generating traffic or participating in attacks. And these devices are often sitting behind consumer-grade routers on the network that have equally flimsy security while using default username and password combinations.
Tomi Engdahl says:
Krebs has compiled a list of devices he says are responsible for the attack.
Who Makes the IoT Things Under Attack?
https://krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack/
The malware, dubbed “Mirai,” spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default usernames and passwords. Many readers have asked for more information about which devices and hardware makers were being targeted. As it happens, this is fairly easy to tell just from looking at the list of usernames and passwords included in the Mirai source code.
Tomi Engdahl says:
Mirai Botnet Linked to Dyn DNS DDoS Attacks
https://www.flashpoint-intel.com/mirai-botnet-linked-dyn-dns-ddos-attacks/
Key Takeaways
Flashpoint has confirmed that some of the infrastructure responsible for the distributed denial-of-service (DDoS) attacks against Dyn DNS were botnets compromised by Mirai malware.
Mirai botnets were previously used in DDoS attacks against the “Krebs On Security” blog and OVH.
As of 1730 EST, the attacks against Dyn DNS are still ongoing. Flashpoint is coordinating with multiple vendors and law enforcement to track the infected devices that constitute the botnet being used to conduct these attacks.
Flashpoint will continue to monitor the situation to ensure that clients are provided with timely threat intelligence data.
Flashpoint has confirmed that some of the infrastructure responsible for the distributed denial-of-service (DDoS) attacks against Dyn DNS were botnets compromised by Mirai malware. Mirai botnets were previously used in DDoS attacks against security researcher Brian Krebs’ blog “Krebs On Security” and French internet service and hosting provider OVH.
Tomi Engdahl says:
Ask HN: How did Dyn fail to fend off DDOS?
https://news.ycombinator.com/item?id=12769196
I would like to remind those that think all is lost with this:
A serious conversation with vendors about default passwords and backdoors post this incident will help prevent recurrence. This has forced this talk and we are better for it.
There was a time when your windows box would get popped from being online for more than 4 minutes. We recovered from this. Conficker in 2008. Blaster in 2003. It was a ‘BIG BOTNETS OH NO’, but we cleaned up, recovered, hardened. Microsoft went from being botnet enabler to an active force in dismantling bots and crime rings. It sucks, and some of us have a bad day, but we recover ever stronger.
XiongMai Technologies may well find themselves in some international hot water over this incident, and I think they deserve it. They sold a faulty product that caused billions of dollars in lost revenue to some very large internet properties for a day in October 2016. I would encourage vendors look at these incidents from last decade and how these were turning points for upping their security game. I would encourage its victims to investigate legal recourse.
Specifically the current vulnerable nodes of Mirai, i am sure these will be removed from the internet pretty soon. One only gets to fire something like this a few times before the feds are on the door.
Your regularly scheduled program will commence shortly.
> US consumer law allows suing everybody in the supply chain
IIRC, US consumer law requires the consumer to be the victim. (IAAL/NY, but not practicing) This restriction is called privity – the exceptions to privity are narrow, and no exception comes to mind here.
In this case the primary victims, the online services, are third parties, with any consumer recourse blocked by privity.
These third parties arguably have a couple options, though. The first and perhaps most theoretically interesting is the “class defence”, the procedural complement of a “class action”, where a few people (the third party online services) can sue multitudes (owner-operators responsible for malicious devices on the Internet) in a single process. Were such a case brought forward, these consumers could sue the manufacturers for indemnity. While as a litigator this makes the most theoretical sense, and this procedure exists in at least one jurisdiction I know of, I have never seen it tested.
Arguably a better option would be for the third parties to sue the manufacturers for negligence, based on the obligation that the manufacturers have to the public.
Any litigation is fraught with uncertainty though, not least of which is having a member of the judicial bench who is capable of properly evaluating the facts (which is not to say they are not out there, but they remain rare).
Like most externalized costs, the recourses of affected individuals are slim and ineffective.
> If Homeland Security tells the Consumer Product Safety Commission this is a national safety issue, the CPSC can order a recall
Proper regulation is a better choice, IMHO, though I don’t know what the best process might be.
gorbachev 3 days ago [-]
That’s a game of whack a mole, and even if you whack them down, the devices are already out there and are going to stay online for years.
The only thing that will make a dent at the problem quickly, is wholesale filtering of all Internet traffic by all network providers originating from the IP addresses identified for being part of these botnets.
ryanlol 3 days ago [-]
>The unfortunate truth is that with the Internet of Things the amount of devices that can easily be taken over has grown so fast that we see DDoS attacks of unprecedented size.
Not quite, the “IoT” botnets are particularly small in the great scheme of things. Google “conficker” for example.
Edit: Interesting how this is getting downvoted so much. Conficker had up to 15 million nodes, far bigger than any “IoT” net (when did home routers become IoT anyway?). It’s far easier to build such huge windows nets because you get millions of insecure computers with relatively standard hardware and software, not so much with “IoT”.
In the past decently sized botnets simply weren’t used to send DDoS attacks as much, that’s all that’s changed.
Silhouette 3 days ago [-]
The real question here is whether there was anything they could realistically have done to prevent it at all.
In order to defend against a DDoS attack, you really only have two options. One is to have sufficient capacity to cope with the extra load without undermining your normal service. The other is to reduce the amount of extra load you have to handle, by identifying and blocking the hostile traffic at some point before your main system deals with it fully.
In this case, the scale of the attack was huge thanks to all the woefully insecure IoT devices out there. But worse, from the initial reports it appears that the requests being sent were effectively indistinguishable from valid DNS requests: they came from diverse sources, and asked DynDNS to do exactly what it’s normally supposed to do, just for random subdomains that don’t actually exist. Unless there is some pattern in those requests that allows for identification of the hostile incoming traffic so it can be dropped early, there’s probably very little DynDNS could have done here. And of course the attack is particularly effective because by taking out infrastructure rather than attacking a specific site, it brings down large numbers of high profile sites all at once.
It is disturbing, but apparently the reality we face, that there are now so many hopelessly insecure devices on the public Internet that this is possible. The best long term strategy for dealing with it seems to be trying to improve the standards of Internet-connected devices and reduce the number of highly vulnerable devices with access to the Internet, but this was always going to be difficult with IoT products aimed at the general public. I suspect some sort of remediation/recall scheme for manufacturers/vendors and some sort of throttling of users’ Internet connections to force them to respond to security recall/update notices may be necessary if this kind of attack starts to become a pattern.
beachstartup 3 days ago [-]
i think there is a larger strategy at play. this is pure speculation and anecdote.
recently there has been an aggressive uptick of dns ddos attacks against smaller companies/service providers that run their own dns infrastructure. this includes small/regional internet service providers and individual sites/hosts that still run their own servers.
in almost all of these cases that i’m aware of, the smaller companies immediately outsourced their dns services to a larger company, one that ostensibly is able to either absorb, scrub, or otherwise defend against these types of attacks.
extrapolating to a global scale, what’s happening is a forced consolidation of dns infrastructure into a handful of large players. even in the case of having redundant providers, it’s usually two very large providers. and as we just saw today, a terabit-level attack is not something we can readily defend against. what if there’s even more in reserve?
in other words, we’re putting all of our eggs into one basket. and someone is aggregating enough attack capacity to take out nearly the entire internet at once. it doesn’t help that everyone is voluntarily consolidating their infrastructure onto a small handful of public cloud providers.
we are setting ourselves up for a massive internet outage.
inetsee 3 days ago [-]
Hackers have started to use insecure Internet of Things devices, especially internet connected video cameras, to produce DDoS attacks larger than have ever been seen before. The KrebsonSecurity website was hit by a DDoS that was twice as large as the previous largest attack seen by Akemai, and there have been larger attacks since.
The problem will continue, and may get even worse, since many of the insecure internet attached video cameras are insecure because of passwords hard-coded into the devices; they can’t be easily made more secure.
meira 3 days ago [-]
Probably they got beaten because of orders of magnitude. They were prepared, but not for cyber nuclear war.
Tomi Engdahl says:
Your DVR Didn’t Take Down the Internet—Yet
https://www.wired.com/2016/10/internet-outage-webcam-dvr-botnet/
Last week ended with a mid-level internet catastrophe. You may have noticed that for most of Friday popular sites like Netflix, Twitter, Spotify (and yes, WIRED) were inaccessible across the East Coast and beyond. It’s still unknown who caused it, but by now we certainly know what: An army of internet-connected devices, conscripted into a botnet of unimaginable size. And who owns those devices? Well, lots of people are saying you do. As far as we know, they’re wrong.
A Different DVR
Let’s start with the silver lining: Despite what you may have heard, your webcam and DVR and baby monitor and smart refrigerator almost certainly aren’t complicit in last Friday’s collapse. You’re not an accessory to botnet. At least, not this time.
It’s true that what took down the internet was a botnet comprising internet-connected devices, and that those devices included hundreds of thousands webcams and DVRs, two items many people keep in their homes. That’s not the type implicated in this attack, though. As it turns out, the type of botnet in question, called Mirai, recruits not the Late Show-recording computer your cable company installed, or to the Dropcam you point out the window.
The zombie webcam army responsible for Friday’s mayhem instead consists of industrial security cameras, the kind you’d find in a doctor’s office or gas station, and the recording devices attached to them. Also? They’re mostly ancient, by technological standards.
“Most of these were developed in 2004 on down the line,”
Adding to the vulnerability of those creaking machines is that they’re often connected directly to modems, making it easier for hackers to gain control.
“That’s one minor yet important factor here to consider,” says Allison Nixon, Flashpoint’s Director of Security Research. “If I plugged in one of these DVRs to my home network, it would not be publicly accessible. I would not even have to worry about the vulnerability.”
That’s because smart home devices are typically tucked behind a firewall, on non-routable networks that don’t interact with the internet at large. “Typically those type of devices aren’t openly exposed to the Internet,”
Chain of Command
Many of the affected cameras and DVRs can be traced back to a single manufacturer: Hangzhou Xiongmai, a Chinese electronics company that has since recalled all of its potentially compromised products. Xiongmai makes what’s known in the industry as “white label” products, fully formed hardware or components that are sold to more prominent brands, which then distribute them under their own names. This makes it incredibly hard to tell if your small business is using compromised devices made by Xiongmai.
“Some of these subcomponents have their own embedded operating system, with embedded default passwords in some cases,”
Security experts are unsure if the Xiongmai recall will be successful; it’s hard enough to motivate people to return their car to the dealer, much less a security camera of unknown provenance. The path forward to prevent another devastating botnet attack is equally unclear. What the Mirai incident did show, though, is that IoT’s security problems run deeper than whatever name is on the box the device comes in. And that has implications beyond a large-scale internet outage.
“Even though the DDoS was bad, it brings to light the failure around the supply chain management problem,” says Heiland.
That ubiquity isn’t entirely without reason. The IoT market as a whole was worth $600 billion in 2014, according to a recent study from Grand View, which expects it to grow to nearly two trillion dollars by 2022. With numbers that robust, what company wouldn’t want a sliver?
The problem with this proliferation, though, is that not all of these companies are skilled at connecting appliances and other electronics to the dangerous wonderland that is the internet. Fortunately for them, competence has not been a barrier to entry. Not as long as there are white label providers like Xiongmai.
“So many vendors that are making available IoT-based technology don’t necessarily have any idea how to produce those products,” says Heiland. “There’s a toothbrush company out there with embedded technology in their toothbrush now. They may not understand security implications, or have a solid security management program, so when issues are identified they don’t know how to fix the problems, or even know how to approach those problems.”
More can go wrong than just a botnet. In one high-profile supply chain issue, insecure, internet-connected baby monitors from several different manufacturers allowed voyeurs to watch (and even talk to) small children from half a world away.
So no, your DVR didn’t bring down Spotify last week, and your webcam didn’t crash Reddit. That honor goes largely to more industrial products. That doesn’t mean they’re necessarily safe, though. Or if they are, that they’ll stay that way.
“People shouldn’t be afraid of their light bulb,” says Wikholm. Yet. But you should be aware that if it has an internet connection, that bulb could be turned against you.
Tomi Engdahl says:
Beijing threatens legal action over webcam claims
http://www.bbc.com/news/technology-37761868
The Chinese Ministry of Justice has threatened legal action against “organisations and individuals” making “false claims” about the security of Chinese-made devices.
It follows a product recall from the Chinese electronics firm Hangzhou after its web cameras were used in a massive web attack last week.
The attack knocked out sites such as Reddit, Twitter, Paypal and Spotify.
The Chinese government blamed customers for not changing their passwords.
Its legal warning was added to an online statement from the company Xiongmai, in which the firm said that it would recall products, mainly webcams, following the attack but denied that its devices made up the majority of the botnet used to launch it.
The cyber attack hit Dyn, a firm which matches IP addresses to web addresses to allow users to find sites online, on 21 October.
Afterwards, it became clear that it was made possible via a botnet made up of insecure “smart” devices, which had been taken over remotely and enlisted to bombard Dyn with data, knocking offline the sites it manages.
Krebs pointed out that it was difficult for users to change the default passwords on devices.
“Products from Xiongmai and other makers of inexpensive, mass-produced ‘internet of things’ devices are essentially unfixable,” he said, “and will remain a danger to others unless and until they are completely unplugged from the internet.”
Video surveillance equipment expert Brian Karas said he did not believe the Chinese government would follow through on its legal threats.
“We believe Xiongmai has issued this announcement as a PR effort within China, to help counter criticisms they are facing,” he said.
Tomi Engdahl says:
Maybe the manufacturers should have read this:
Future-proofing the Connected World:
13 Steps to Developing Secure IoT Products
https://downloads.cloudsecurityalliance.org/assets/research/internet-of-things/future-proofing-the-connected-world.pdf
Tomi Engdahl says:
Botnet Recall of Things
http://hackaday.com/2016/10/26/botnet-recall-of-things/
After a tough summer of botnet attacks by Internet-of-Things things came to a head last week and took down many popular websites for folks in the eastern US, more attention has finally been paid to what to do about this mess. We’ve wracked our brains, and the best we can come up with is that it’s the manufacturers’ responsibility to secure their devices.
Chinese DVR manufacturer Xiongmai, predictably, thinks that the end-user is to blame, but is also consenting to a recall of up to 300 million of their pre-2015 vintage cameras — the ones with hard-coded factory default passwords.
Xiongmai’s claim is that their devices were never meant to be exposed to the real Internet, but rather were designed to be used exclusively behind firewalls. That’s apparently the reason for the firmware-coded administrator passwords. (Sigh!) Anyone actually making their Internet of Things thing reachable from the broader network is, according to Xiongmai, being irresponsible. They then go on to accuse a tech website of slander, and produce a friendly ruling from a local court supporting this claim.
Whatever. We understand that Xiongmai has to protect its business, and doesn’t want to admit liability. And in the end, they’re doing the right thing by recalling their devices with hard-coded passwords
Tomi Engdahl says:
Authorities have yet to identify suspects in the attack, but the Director of U.S. National Intelligence, James Clapper, said on Tuesday that an early analysis did not point to a foreign government.
Cyber intelligence firm Flashpoint concurred.
“The evidence that we have strongly suggests it is amateur, attention-motivated hackers,” said Allison Nixon, Flashpoint’s director of security research.
Nixon said the same infrastructure was used on Friday in an unsuccessful attempt to disrupt internet access to a major video game manufacturer, which she declined to identify.
U.S. Senate intelligence committee member Senator Mark Warner, a Democrat, sent letters on Tuesday asking DHS, the Federal Communications Commission (FCC) and Federal Trade Commission if they have adequate tools for combating the threat posed by “bot net” armies of infected electronic devices.
“Manufacturers today are flooding the market with cheap, insecure devices, with few market incentives to design the products with security in mind, or to provide ongoing support,” Warner said.
He asked FCC Chairman Tom Wheeler if communications providers have authority to deny internet access to electronics devices they deem insecure.
Source:
China’s Xiongmai to recall up to 10,000 webcams after hack
http://www.reuters.com/article/us-cyber-attacks-china-idUSKCN12P1TT
Tomi Engdahl says:
‘Non-state actors*’ likely to blame for Dyn mega-attack – US intel chief
Pesky kids
http://www.theregister.co.uk/2016/10/26/clapper-dyn-attack/
A senior US intelligence chief has said that “non-state actors” – bored kids or crooks* – are likely behind the high-profile attack on DNS provider Dyn last week.
A massive DDoS attack against Dyn resulted in multiple high-profile websites – including Twitter, Amazon and Netflix – to be unavailable last Friday. US director of National Intelligence James Clapper said that preliminary indications suggested that “non-state actors” rather than spies had launched the assault.
Clapper offered the assessment, which he hedged with caveats, in an interview with CBS television host Charlie Rose at the Council on Foreign Relations in New York.
Asked if the internet attack was done by a non-state actor, Clapper said: “Yes, but I wouldn’t want to be conclusively definitive about that yet,” adding, “That’s an early call.”
A group called New World Hackers has claimed responsibility for a DDoS attack. The same group previously took credit for a DDoS attack on the BBC late last year.
“We’ve had this disparity or contrast between the capability of the most sophisticated cyber actors, nation-state cyber actors, which are clearly Russia and China, but have to this point perhaps more benign intent,” Clapper said. “And then you have other countries who have a more nefarious intent. And then even more nefarious are non-nation-state actors,” he added.
Tomi Engdahl says:
Dyn Analysis Summary Of Friday October 21 Attack
http://dyn.com/blog/dyn-analysis-summary-of-friday-october-21-attack/
Key Findings:
The Friday October 21, 2016 attack has been analyzed as a complex & sophisticated attack, using maliciously targeted, masked TCP and UDP traffic over port 53.
Dyn confirms Mirai botnet as primary source of malicious attack traffic.
Attack generated compounding recursive DNS retry traffic, further exacerbating its impact.
Dyn is collaborating in an ongoing criminal investigation of the attack and will not speculate regarding the motivation or the identity of the attackers.
During a DDoS which uses the DNS protocol it can be difficult to distinguish legitimate traffic from attack traffic.
For example, the impact of the attack generated a storm of legitimate retry activity as recursive servers attempted to refresh their caches, creating 10-20X normal traffic volume across a large number of IP addresses. When DNS traffic congestion occurs, legitimate retries can further contribute to traffic volume.
Early observations of the TCP attack volume from a few of our datacenters indicate packet flow bursts 40 to 50 times higher than normal. This magnitude does not take into account a significant portion of traffic that never reached Dyn due to our own mitigation efforts as well as the mitigation of upstream providers. There have been some reports of a magnitude in the 1.2 Tbps range; at this time we are unable to verify that claim.
This attack has opened up an important conversation about internet security and volatility. Not only has it highlighted vulnerabilities in the security of “Internet of Things” (IOT) devices that need to be addressed, but it has also sparked further dialogue in the internet infrastructure community about the future of the internet. As we have in the past, we look forward to contributing to that dialogue.
Tomi Engdahl says:
Dyn DNS DDoS Likely The Work of Script Kiddies, Says FlashPoint
https://news.slashdot.org/story/16/10/26/209205/dyn-dns-ddos-likely-the-work-of-script-kiddies-says-flashpoint
While nobody knows exactly who was responsible for the internet outrage last Friday, business risk intelligence firm FlashPoint released a preliminary analysis of the attack agains Dyn DNS, and found that it was likely the work of “script kiddies” or amateur hackers — as opposed to state-sponsored actors.
Dyn DNS DDoS likely the work of script kiddies, says FlashPoint
https://techcrunch.com/2016/10/26/dyn-dns-ddos-likely-the-work-of-script-kiddies-says-flashpoint/
Tomi Engdahl says:
Internet of S**t things claims another scalp: DNS DDoS smashes StarHub
‘Don’t buy rubbish Webcams’, carrier tells customers
http://www.theregister.co.uk/2016/10/27/starhub_dns_hosed_by_starhubs_customers_infected_kit/
StarHub in Singapore is the latest large network to get hammered with attacks on its DNS infrastructure – apparently by compromised kit owned by its customers.
In keeping with an emerging openness about what’s sending networks dark, it posted its troubles to Facebook.
Yesterday Singapore time, the company said it saw a spike in DNS traffic that knocked some home broadband customers offline, so it “immediately started filtering the unwanted traffic and added DNS capacity to manage the sudden and huge increase in traffic load.”
Its follow-up message attributed the traffic to an “intentional and likely malicious” DDoS, and while it knocked customers offline, it didn’t result in any compromise of customer information.
“These two recent attacks that we experienced were unprecedented in scale, nature and complexity. We would like to thank our customers for their patience as we took time to fully understand these unique situations and to mitigate them effectively”, StarHub says.
Tomi Engdahl says:
How many Internet of S**t devices knocked out Dyn? Fewer than you may expect
DNS really needs to be fixed if it can be taken out by 100,000 home devices
http://www.theregister.co.uk/2016/10/27/how_many_internet_of_st_devices_knocked_out_dyn_fewer_than_you_expect/
With more time to analyse its logs, DNS provider Dyn reckons about 100,000 Mirai-infected home web-connected gadgets knocked it out last Friday.
In its latest analysis, product executive veep Scott Hilton writes: “We are still working on analyzing the data but the estimate at the time of this report is up to 100,000 malicious endpoints. We are able to confirm that a significant volume of attack traffic originated from Mirai-based botnets.”
Dyn earlier said gizmos hiding behind “tens of millions” of IP addresses were responsible, although stressed the actual number of hijacked webcams, routers and other gear that overwhelmed its servers would be much less. Now we know it’s about 100 large, leaving us wondering: “How did the attack succeed?”
One reason, Hilton says, is that DNS itself can tend to amplify requests from legitimate sources: “For example, the impact of the attack generated a storm of legitimate retry activity as recursive servers attempted to refresh their caches, creating 10-20X normal traffic volume across a large number of IP addresses. When DNS traffic congestion occurs, legitimate retries can further contribute to traffic volume.”
That “relay storm” provided “a false indicator of a significantly larger set of endpoints than we now know it to be”, Hilton explained.
The same effect led to early third-party reports of the scale of the attack traffic: “There have been some reports of a magnitude in the 1.2Tbps range; at this time we are unable to verify that claim.”
Tomi Engdahl says:
Cyber criminal will open new doors
Cyber criminal will be reached quickly attack new channels, but also the protection means to diversify.
IoT one side effect is that the cyber criminal opens the door speed increases. It is based on the fact that, for example, Gartner estimates that the number of devices on the network will triple by 2020.
In many device security is very weak level, or it may be missing altogether. Unprotected devices are the perfect tool for, among other things, denial of service attacks . In September, revealed a denial of service attack kept the world’s largest, with unconfirmed reports utilized by nearly 150 000 web camera and digital video recorder.
Targeted attacks, in turn, are carefully tailor-made operations designed to move in silence information of the organization’s internal network.
Services are becoming more common in the defense.
For example, operators provide a service that detects and automatically reduces denial of service attacks and malicious software, or filtering, for example.
Source: http://www.iltasanomat.fi/dna-business/art-2000001934678.html
Tomi Engdahl says:
IoT – And A Tear In The Fabric Of The Connected World
http://semiengineering.com/iot-and-a-tear-in-the-fabric-of-the-connected-world/
Network security is nothing new, but when it comes to the IoT will it be too little, too late?
Billions of connected things. Massive silicon consumption. Exponentially rising data volumes. Global compute farm build-out to make sense out of all of it. Lots of dollar signs. Everyone is talking about IoT with an optimistic view toward the future. There is a dark side to all this. Many, including yours truly have written about it. If you’re familiar with the Terminator series, you can call it Judgment Day. If you’re a Bruce Willis fan, you may be familiar with the term “fire sale” from Diehard 4.0.
These are references to Hollywood’s version of a grand-scale takeover of a pervasive network of devices. Which is exactly what IoT promises. Network security and IoT are not new. There is plenty of work going on to address this requirement. The question is – will it be too little, too late?
There’s also the question of who will pay for it. Robust security for a high-end router is one thing. But the same sophisticated protection for your wearable gadget, or even your thermostat is another thing. Demand for these products is very sensitive to price, so making them more expensive and more secure will probably not fly.
I’ve always believed that we’ll need some seminal “bad event” to make this problem real for everyone. This would be an unfortunate outcome, so I hope I’m wrong.
Right or wrong, we’ve recently seen an IoT security breach unfold in the national press. The headline was, “Who Took Down the Internet on Friday?” OK, some drama here for sure. There are over 1 billion websites on the internet, and a small fraction were affected by the denial of service attack on Friday. Twitter, Amazon, Spotify, PayPal, and CNN were among the sites affected, so that certainly does get attention.
Tomi Engdahl says:
What’s the Fix for IoT DDoS Attacks?
http://www.securityweek.com/whats-fix-iot-ddos-attacks
DynDNS (or just Dyn now) got blasted with #DDoS twice last Friday. Since Dyn is the major DNS provider for Twitter, Github, and Spotify, the knock-on effects have had a global reach.
But seriously, Dyn is a big provider, and their being offline has real impact. PagerDuty is one of the affected sites, and many people rely on alerts from their service. No one knows many details about the Dyn attacks yet.
No one has claimed responsibility, and Dyn has been somewhat quiet about the attack vectors, but has said that possibly 100,000 hijacked connected devices could have been used in the attack.
The attacks could be fallout from the Mirai IoT Botnet assault against Brian Krebs earlier this month. As Krebs himself notes, the attacks started within hours of a DynDNS researcher, Doug Madory, presenting a talk (video link here) at NANOG about DDoS attacks. Also, according to Krebs, the 620GB Mirai attack against krebsonsecurity.com came just hours after he and Madory released an article looking into some of the shady dealings in the DDoS-for-hire industry.
Of course everyone is wondering if the IoT botnet, Mirai, is playing a part in the Dyn attack. Even if it is, the attacker could be anyone, as the Mirai source code and helpful readme post were released to the world a week ago, and are still available on Github (if you can get there right now).
Nastier HTTP GET Floods
HTTP GET floods were already pernicious. For years, attackers have been able to disable web sites by sending a flood of HTTP requests for large objects or slow database queries. Typically, these requests flow right through a standard firewall because hey, they look just like normal HTTP requests to most devices with hardware packet processing. The Mirai attack code takes it a step further by fingerprinting cloud-based DDoS scrubbers and then working around some of their HTTP DDoS mitigation techniques (such as redirection).
DNS Water Torture
The Mirai bot includes a “water torture” attack against a target DNS server. This technique is different from the regular DNS reflection and amplification attacks as it requires significantly less queries to be sent by the bot, letting the ISP’s recursive DNS server perform the attack on the target’s authoritative DNS server. In this attack, the bot sends a well-formed DNS query containing the target domain name to resolve, while appending a randomly generated prefix to the name. The attack is effective when the target DNS server becomes overloaded and fails to respond. The ISP’s DNS servers then automatically retransmit the query to try another authoritative DNS server of the target organization, thus attacking those servers on behalf of the bot.
Tunneled Attacks
GRE (Generic Routing Encapsulation) is a tunneling protocol that can encapsulate a wide variety of network-layer protocols inside virtual point-to-point links over an IP network. Ironically, GRE tunnels are often used by DDoS scrubbing providers as part of the mitigation architecture to return clean traffic directly to the protected target.
The Mirai botnet code includes GRE attacks with and without Ethernet encapsulation.
Updated Layer 4 Attacks
According to Mirai’s creator, the so-called “TCP STOMP” attack is a variation of the simple ACK flood intended to bypass mitigation devices.
So, Doc, is there a fix?
At a SecureLink conference last week in Brussels, Mikko Hypponen, Chief Risk Officer of F-Secure, was asked how the IoT botnet should be stopped. His answer was, while he himself is not a huge fan of more regulation, regulation will likely be the fix for IoT security. He pointed out that consumer devices are already regulated for safety and efficiency. No one wants their refrigerator exploding on them (or their smartphone, ahem). If only Internet security could be regulated like other manufacturing processes, we could solve this problem.
Best Practices for DNS?
One of the reasons DDoS attacks keep evolving is that defenders keep evolving as well. You can bet that by next week, companies will be doing a better job with DNS redundancy.
NANOG 68 BackConnects Suspicious BGP Hijacks
https://www.youtube.com/watch?v=LFJzu0AFDpU
Tomi Engdahl says:
. The security community began intense debriefing in the wake of last week’s DDoS attack on the internet infrastructure company Dyn, which was powered largely by an Internet of Things botnet. It turns out that most of the devices used to mount the attack weren’t consumer IoT devices in homes but enterprise products like webcams and DVRs built for commercial use. As everyone scrambles to figure out what to do about the sorry state of IoT security, some are looking to Internet Service Providers to help protect and shrink the existing population of vulnerable devices.
Source: https://www.wired.com/2016/10/security-news-week-ukrainian-group-leaks-emails-top-putin-aides/
Tomi Engdahl says:
Dyn’s massive attack: How startups can find opportunities in the chaos
http://venturebeat.com/2016/10/30/dyns-massive-attack-how-startups-can-find-opportunities-in-the-chaos/
The Internet of Things has turned against us. Just last week, baby monitors, DVRs, and other connected devices were used as the launching point for a DDoS attack against the DNS infrastructure of Dyn, impacting the services of Netflix, Paypal, Twitter and others. These are organizations that have invested heavily in cyber security defenses – and they were taken down by an army of $100 devices.
Earlier this month, the UK government banned the Apple Watch from all formal meetings and hearings. The new guidelines were issued in fear that hackers could break into the devices and use the microphone to listen to conversations as a means of cyber espionage.
These developments are clearly a wake-up call for the industry. For several years, security experts have discussed the threats posed by IoT, but it hasn’t become a mainstream conversation.
Many of the connected devices on the market today were designed to be low cost and/or have long-battery life. Security was not a high priority (or a priority at all) of product design. These devices do not constantly look for threats (assuming processor cycles and memory are available to run security software to begin with). And if a hacker can easily exploit your wireless device, they’re only one or two hops away from getting onto the corporate network or the Internet where they can do real damage. So with IoT, we have created an easily exploitable surface area that creates abundant opportunities for cybercrime and terrorism.
This is a call to action for security startups.
New product categories driven by the IoT threat:
The detection and profiling of all connected devices that can ultimately touch the network, regardless of their primary communication protocol. Today’s defenses are typically focused on Wifi-connected and wired devices, while the next generation threats may start on a Thing by communicating over Bluetooth, ZigBee, Z-Wave, or other standard or non-standard means. Identifying potential malicious devices is a first step to defending in this new frontier.
The monitoring and analysis of traffic generated by IoT devices. Understanding the malicious traffic before it can be “laundered” into the flow of legitimate traffic flowing over the network or Internet will be critical to strong defense.
Improvements in existing solutions:
Improvements in layered real-time detection and analytics in the network, with higher-precision AI-based knowledge to detect and block malicious IP traffic that was initiated on a Thing.
Next generation security information and event management (SIEM) that can better analyze all of the output of new middle point and existing solutions – the high volume of SIEM output noise generated today is already a problem for most users, and the flood of traffic potentially created by Things will make the problem even worse. The industry will need an evolution in SIEM intelligence to more accurately identify real-time threats posed by both existing connected systems and emerging Things.
Tomi Engdahl says:
What’s the Fix for IoT DDoS Attacks?
http://www.securityweek.com/whats-fix-iot-ddos-attacks
DynDNS (or just Dyn now) got blasted with #DDoS twice last Friday. Since Dyn is the major DNS provider for Twitter, Github, and Spotify, the knock-on effects have had a global reach. Here’s a rather comical exchange among typical users scratching their heads Friday morning:
@githubstatus: GitHub employee here. We’re monitoring an incident with our upstream DNS provider
reply @alfalfasprout [-] Hahahahaha you do realize Twitter is one of the affected sites, right?
But seriously, Dyn is a big provider, and their being offline has real impact.
No one has claimed responsibility, and Dyn has been somewhat quiet about the attack vectors, but has said that possibly 100,000 hijacked connected devices could have been used in the attack.
The attacks could be fallout from the Mirai IoT Botnet assault against Brian Krebs earlier this month.
Of course everyone is wondering if the IoT botnet, Mirai, is playing a part in the Dyn attack. Even if it is, the attacker could be anyone, as the Mirai source code and helpful readme post were released to the world a week ago, and are still available on Github (if you can get there right now).
One of the reasons DDoS attacks keep evolving is that defenders keep evolving as well. You can bet that by next week, companies will be doing a better job with DNS redundancy.
Note their use of multiple DNS providers. Could this be yet another example of “porn leads the Internet”?
Tomi Engdahl says:
Was IoT DDoS attack just a dry run for election day hijinks?
Internet of things influencing important things
http://www.theregister.co.uk/2016/11/08/was_iot_ddos_attack_just_a_dry_run_for_election_day/
Comment The distributed denial of service attack that took down DNS provider Dyn, and with it access to a chunk of the internet, was one of the largest such assaults seen.
The attack exploited Internet of Things devices – notably webcams built by XiongMai Technologies. The gadgets had default login passwords that allowed them to be infected with the Mirai botnet malware, which commandeered the gizmos to overwhelm Dyn’s servers.
The attack was claimed by New World Hackers, previously believed to have brought down sites run by the BBC, Donald Trump and NASA as well as Islamic State controlled websites and Twitter accounts. But the US Department of Homeland Security said it was not clear who was responsible but that investigations were continuing.
But even though this is one of the largest attacks seen to date, it has also raised fears that there is worse to come. The Mirai malware source code is now freely available for anyone to use to create massive botnets of vulnerable devices.
Most non-PC devices such routers, modems, cellular modems, digital video recorders and IoT sensors are almost perfect weapons for attackers – they don’t typically run antivirus software; they don’t get updated regularly or can’t be updated; and they are often left switched on 24-hours a day.
Even if IoT devices are deployed with security in mind, checking the hundreds or even thousands of individual devices used in a factory or office environment control system is a daunting task.
DDoS specialist Corero claims it has found a new DDoS vector which has an amplification factor of up to 55x. The company has only seen short duration attacks against a handful of its customers exploiting LDAP – the Lightweight Directory Access Protocol. One recent attack reach 70Gbps in volume, we’re told.
Easily infected IoT devices could be used to unleashed an LDAP-amplified attack on servers.
Dave Larson, chief technology officer at Corero Network Security, said: “This new vector may represent a substantial escalation in the already dangerous DDoS landscape, with potential for events that will make recent attacks that have been making headlines seem small by comparison…With attackers combining legacy techniques with new DDoS vectors and botnet capabilities, terabit-scale attacks could soon become a common reality and could significantly impact the availability of the Internet– at least degrading it in certain regions.”
Given the fevered and febrile atmosphere of the US presidential election, no one will be surprised if the next major assault is politically motivated.
Tomi Engdahl says:
Reader poll: Tell us your thoughts on securing vision systems against potential hacks
http://www.vision-systems.com/articles/2016/10/reader-poll-securing-your-vision-system-against-potential-hacks.html?cmpid=enl_VSD_VSDNewsletter_2016-11-09&[email protected]&eid=289644432&bid=1581782
Tomi Engdahl says:
Reader poll: Tell us your thoughts on securing vision systems against potential hacks
http://www.vision-systems.com/articles/2016/10/reader-poll-securing-your-vision-system-against-potential-hacks.html
In light of recent news that as many as one million Chinese security cameras and digital video recorders were hacked, we wanted to see how systems integrators and end users of machine vision and imaging technologies felt about this.
Tomi Engdahl says:
Russian banks hit by cyber-attack
http://www.bbc.com/news/technology-37941216
Five Russian banks have been under intermittent cyber-attack for two days, said the country’s banking regulator.
The state-owned Sberbank was one target of the prolonged attacks, it said.
Hackers sought to overwhelm the websites of the banks by deluging them with data in what is known as a Distributed Denial of Service (DDoS) attack.
Security firm Kaspersky said the attacks were among the largest it had seen aimed at Russian banks.
The data floods began on 8 November and have continued intermittently ever since, it added.
Most of the data deluges lasted about 60 minutes but the most persistent attack went on for almost 12 hours, the security firm said.
Sberbank
The names of the other banks that were hit have not been released but all are believed to be among the 10 biggest in Russia.
The hackers behind the DDoS attacks are believed to have generated the huge amounts of data by taking over smart devices such as webcams and digital video recorders that use easy to guess passwords.
Tomi Engdahl says:
Low-Bandwidth “BlackNurse” DDoS Attacks Can Disrupt Firewalls
http://www.securityweek.com/low-bandwidth-blacknurse-ddos-attacks-can-disrupt-firewalls
Researchers warn that certain types of low bandwidth distributed denial-of-service (DDoS) attacks can cause some widely used enterprise firewalls to enter a temporary DoS condition.
While analyzing DDoS attacks aimed at their customers, experts at the security operations center of Danish telecom operator TDC noticed that some attacks based on the Internet Control Message Protocol (ICMP) can cause serious disruptions even over low bandwidths.
ICMP attacks, also known as ping flood attacks, are highly common, but they typically rely on Type 8 Code 0 packets. The attacks that caught TDC’s attention are based on ICMP Type 3 Code 3 packets.
The attacks, dubbed by the company “BlackNurse,” can be highly effective even at bandwidths as low as 15-18 Mbps and they can cause disruptions to firewalls even if the victim has an Internet connection of 1 Gbps.
“The impact we see on different firewalls is typically high CPU loads. When an attack is ongoing, users from the LAN side will no longer be able to send /receive traffic to/from the Internet. All firewalls we have seen recover when the attack stops,” TDC explained in a report detailing BlackNurse attacks.
Experts pointed out that this type of attack has been around for more than 20 years, but they believe organizations are not sufficiently aware of the risks. A scan of the Danish IP address space revealed that there were over 1.7 million devices responding to ICMP pings, which means these attacks can have a significant impact.
Researchers have so far confirmed that BlackNurse attacks work against Cisco ASA and SonicWall firewalls, but they likely also affect products from Palo Alto Networks and other vendors. The Iptables firewall utility for Linux, MikroTik products and OpenBSD are not affected.
While in some cases attacks might be possible due to a vulnerability in the firewall, some vendors blamed a configuration problem. Detection rules and proof-of-concept (PoC) code have been made available to allow users to identify attacks and test their equipment.
http://soc.tdc.dk/blacknurse/blacknurse.pdf
Tomi Engdahl says:
IoT devices used in DDoS attacks
https://www.ibm.com/blogs/internet-of-things/ddos-iot-platform-security/?WOW_IoT_Sense_Newsletter_11142016_Atest_Winner%20remainder&spMailingID=15901620&spUserID=MzA4MTM5MjU5ODgxS0&spJobID=903398463&spReportId=OTAzMzk4NDYzS0
On Friday 21 October, unknown hackers used Internet of Things (IoT) devices to launch three Distributed Denial of Service, or DDoS attacks on Dyn. Dyn is a company that provides internet services, among them a Domain Name Service (DNS).
A DDoS attack uses multiple computers and Internet connections to flood a targeted resource, making it very difficult and sometimes impossible for the target to operate. Dyn estimates that 10’s of millions of IP addresses were involved
How important is security for IoT?
Security is a significant topic of debate around the IoT, with concerns that it opens new avenues of attack by extending the scope of information technology to everyday connected devices and things. IBM believes that security is fundamental to how the IoT must operate to the extent that IBM have recently published a new whitepaper providing IBM’s point of view on IoT Security.
While unable to comment on individual cases, the DDoS attacks on Dyn highlights the need for everyone involved with IoT to consider security by design. Security for IoT should be built into IoT devices and software, from manufacturers to end-users. There is no doubt that IoT significantly expands the attack surface for enterprises and the scope of enterprise IT. Just as enterprises are used to addressing security in their IT infrastructure they must do the same for IoT solutions and products.
How can I increase the security of my IoT landscape?
IoT security will be a big topic at World of Watson in Las Vegas this week and we are bringing to market three new offerings to assist clients:
1. IoT Security Assessment services offering – IBM IoT and Security experts visit clients and advise on the end-to-end security of IoT solutions for clients and make recommendations.
2. IoT Security Intelligence services offering – this enables enterprises to understand IoT security events in real-time. These use behavior-based solutions which detect deviations from normal behavior patterns and recognize new attacks or security issues
3. Advanced Security capabilities in the Watson IoT platform – a security dashboard, giving operators visibility to potential vulnerabilities and exposures across the network; an alert system for immediate notification, enabling enterprises to respond IoT Security events by understanding them in real-time; a visual policy management for enterprises’ IoT landscapes, allowing automatic identification of security events in accordance with best-practice policies tailored to your IoT environment; the ability to integrate Watson IoT Platform with Blockchain for trusted IoT transactions among a group of parties, improving business efficiency and security.
IoT security: An IBM position paper
https://www-01.ibm.com/marketing/iwm/dre/signup?source=mrs-form-9520&S_PKG=ov54480
Download this point of view which examines the security and privacy implications unique to a cognitive Internet of Things system. Leading edge Cognitive IoT research activities will be reviewed, addressing both challenges and opportunities. Best practices will be shared.
Tomi Engdahl says:
Disgruntled Gamer ‘Likely’ Behind October US Hacking: Expert
http://www.securityweek.com/disgruntled-gamer-likely-behind-october-us-hacking-expert
The hacker who shut down large parts of the US internet last month was probably a disgruntled gamer, said an expert whose company closely monitored the attack Wednesday.
Dale Drew, chief security officer for Level 3 Communications, which mapped out how the October 21 attack took place, told a Congressional panel that the person had rented time on a botnet — a network of web-connected machines that can be manipulated with malware — to level the attack.
Using a powerful malware known as Mirai, the attacker harnessed some 150,000 “Internet of Things” (IoT) devices such as cameras, lightbulbs and appliances to overwhelm the systems of Dynamic Network Services Inc, or Dyn, which operates a key hub in the internet, according to Drew.
The so-called distributed denial of service attack jammed up traffic routing the Dyn’s servers to major websites like Amazon, Twitter and Netflix for hours before the attack could be overwhelmed.
“We believe that in the case of Dyn, the relatively unsophisticated attacker sought to take offline a gaming site with which it had a personal grudge and rented time on the IoT botnet to accomplish this,” he said.
Drew said the ability of hackers to make use of mundane home electronics to mount such an attack signalled a huge new risk in the global internet circuitry.
He said IoT devices often have easily hackable passwords, including hard-wired passwords that owners cannot change.
“IoT devices also are particularly attractive targets because users often have little way to know when they have been compromised. Unlike a personal computer or phone, which has endpoint protection capabilities and the user is more likely to notice when it performs improperly, compromised IoT devices may go unnoticed for longer periods of time.”
Tomi Engdahl says:
Mirai Used STOMP Floods in Recent DDoS Attacks
http://www.securityweek.com/mirai-used-stomp-floods-recent-ddos-attacks
The Mirai Internet of Things (IoT) botnet has been using STOMP (Simple Text Oriented Messaging Protocol) floods to hit targets, a protocol that isn’t normally associated with distributed denial of service (DDoS) attacks.
Mirai has been responsible for taking major websites offline for many users by targeting the Dyn DNS service, in addition to hosting firm OVH in attacks that surpassed 1Tbps (terabit per second). Mirai was also in an attack against Brian Krebs’ blog in a 665Gbps+ (gigabit per second) assault. The botnet uses various attack vectors to power these massive attacks, including STOMP floods.
Mirai’s source code was released online in early October, and researchers soon observed an uptick in its use for DDoS attacks. With over half a million IoT devices worldwide susceptible to Mirai infection because of their weak security credentials, it does not come as a surprise that the botnet has already expanded in over 164 countries around the world.
One of the contributors to Mirai’s success in the DDoS landscape is the use of floods of junk STOMP packets, which allow it to ultimately bring down targeted websites.
Imperva security researchers decided to take a deeper dive into the use of STOMP.
Designed as a simple application layer, text-based protocol, STOMP is an alternative to other open messaging protocols, including AMQP (Advanced Message Queuing Protocol). It allows applications to communicate with programs designed in different programming languages and works over TCP, the same as HTTP.
How Mirai Uses STOMP Protocol to Launch DDoS Attacks
https://www.incapsula.com/blog/mirai-stomp-protocol-ddos.html
The process can be broken down into the following stages:
1. A botnet device uses STOMP to open an authenticated TCP handshake with a targeted application.
2. Once authenticated, junk data disguised as a STOMP TCP request is sent to the target.
3. The flood of fake STOMP requests leads to network saturation.
4. If the target is programmed to parse STOMP requests, the attack may also exhaust server resources. Even if the system drops the junk packets, resources are still used to determine if the message is corrupted.
Interestingly, the recent attacks shared some similarities with the TCP POST flood we warned about several months ago. Both are attempts at targeting an architectural soft spot in hybrid mitigation deployments.
Each STOMP attack request is set to a default 768 bytes in Mirai’s source code. With a botnet containing more than 100K bots, it’s not difficult to achieve a high rate of attack in which an enterprise grade network having a 5–10Gbps burst uplink easily gets saturated.
Mitigating STOMP DDoS Attacks
Successfully mitigating a TCP STOMP attack is a matter of using a solution that is able to:
Identify malicious requests
Filter them out before they’re able to travel through your network
Identifying requests is typically a simple task. Most applications don’t expect to receive STOMP requests, meaning their mitigation providers can drop all junk traffic indiscriminately. Even when this isn’t the case, the predefined size of STOMP payloads makes them easy to spot and to weed out.
However, the real question that needs to be considered is, “Where exactly are such requests dropped?”
A hardware solution that terminates TCP on-prem allows malicious STOMP requests to travel through the network pipe. This may cause your network to struggle and even become unavailable—exactly what perpetrators are hoping for.
A cloud-based service, on the other hand, terminates TCP connections on edge. This means any such attack is blocked outside of your network and doesn’t saturate your uplink.
Currently, STOMP assaults are rare. But as the use of Mirai malware becomes increasingly more common, it’s likely we’ll see more of them in the near future.Their existence highlights the importance of off-prem filtering.
Tomi Engdahl says:
Moxa, Vanderbilt Surveillance Products Affected by Serious Flaws
http://www.securityweek.com/moxa-vanderbilt-surveillance-products-affected-serious-flaws
Surveillance products from Moxa and Vanderbilt are affected by several critical and high severity flaws that can be exploited by remote hackers to take control of vulnerable systems.
ICS-CERT has published an advisory describing three serious vulnerabilities affecting Moxa SoftCMS, a central management software designed for large-scale surveillance systems. Gu Ziqiang from Huawei Weiran Labs and Zhou Yu have been credited for finding the security holes.
The most severe of the flaws, with a CVSS score of 9.8, is a SQL injection (CVE-2016-9333) that can be exploited by a remote attacker to access SoftCMS with administrator privileges.
ICS-CERT said in its advisory that Moxa patched these security holes with the release of SoftCMS 1.6 on November 10, but the vendor’s release notes show that the latest version only addresses the SQL Injection issue.
Vulnerabilities in Siemens-branded Vanderbilt CCTV cameras
Siemens and ICS-CERT informed users that several Siemens-branded Vanderbilt IP cameras are affected by a vulnerability (CVE-2016-9155) that allows an attacker with network access to obtain administrative credentials using specially crafted requests. Updates have been released by Vanderbilt for each of the affected products.
Tomi Engdahl says:
Oracle acquires DNS provider Dyn, subject of a massive DDoS attack in October
https://techcrunch.com/2016/11/21/oracle-acquires-dns-provider-dyn-subject-of-a-massive-ddos-attack-in-october/
A timely, if a little surprising, piece of M&A this morning from Oracle: the enterprise services company announced that it has acquired Dyn, the popular DNS provider that was the subject of a massive distributed denial of service attack in October that crippled some of the world’s biggest and most popular websites.
Oracle plans to add Dyn’s DNS solution to its bigger cloud computing platform, which already sells/provides a variety of Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) products and competes against companies like Amazon’s AWS.
Tomi Engdahl says:
Dyn Dyn Dyn – we have a buyer: Oracle gobbles Internet of Things DDoS victim
Scoops up Twitter with A-list DNS customer list
http://www.theregister.co.uk/2016/11/21/oracle_buying_dyn/
Oracle is buying the internet infrastructure outfit whose A-list customers were struck by a global DDoS from internet-attached “things” in October.
The software giant is buying Dynamic Network Services (Dyn), a provider of services to speed up traffic.
Dyn’s platform controls and optimises applications and infrastructure through using analytics and routing. Financial terms were not disclosed.
Customers of the 15-year-old firm include Twitter, PayPal and Spotify.
It was these firms, along with others, who were on the receiving end of a global DDoS attack coming from hundreds of thousands of IoT devices in October.
Dyn said at the time that its data centres were being slammed with 40-50 times the normal incoming traffic from tens of millions of web addresses around the plant.
That meant traffic from such normally innocuous devices as webcams.
A “significant volume” of attack traffic came from botnets using Mirai, malware that targets Linux-based systems.
The attacks, Dyn said, “highlighted vulnerabilities in the security of ‘Internet of Things’ devices that need to be addressed”.
Big Red did not acknowledge the attack in announcing the purchase.
Tomi Engdahl says:
GET pwned: Web CCTV cams can be hijacked by single HTTP request
Server buffer overflow equals remote control
http://www.theregister.co.uk/2016/11/30/iot_cameras_compromised_by_long_url/
Tomi Engdahl says:
GET pwned: Web CCTV cams can be hijacked by single HTTP request
Server buffer overflow equals remote control
http://www.theregister.co.uk/2016/11/30/iot_cameras_compromised_by_long_url/
An insecure web server embedded in more than 35 models of internet-connected CCTV cameras leaves countless devices wide open to hijacking, it is claimed.
The gadgets can be commandeered from the other side of the world with a single HTTP GET request before any password authentication checks take place, we’re told. If your camera is one of the at-risk devices, and it can be reached on the web, then it can be attacked, infected with malware and spied on. Network cameras typically use UPnP to drill through to the public internet automatically via your home router.
Proof-of-concept code to exploit the vulnerable web server in the cameras can be found right here on GitHub.
It appears the exploited bug is thus: if the URL query string contains a parameter called “basic”, its value is copied byte by byte from the URL into a fixed a 256-byte buffer on the stack. If you send a query longer than 256 bytes, you overflow the buffer and start overwriting the stack. An attacker can do this to prime the stack with memory addresses to control the flow of execution.
Hang on, we’re not done yet: whoever crafted the firmware shared by all these devices modified the Goahead embedded web server and seemingly introduced the bug. According to Slip, more than seven internet-of-things CCTV camera vendors use the dodgy firmware.
The exploit’s author identified the following cameras as carrying the bug in their software:
UCam247′s NC308W and NC328W, Ucam247i/247i-HD, and 247i-1080HD/247-HDO1080 models.
Phylink’s 213W, 223W, 233W, 325PW and 336PW.
Titathink Babelens, TT520G, TT520PW, TT521PW, TT522PW, TT610W, TT620CW, TT620W, TT630CW, TT630W, TT730LPW and TT730PW (as Slipstream notes, it seems to be the entire product line, at least those still supported).
Any YCam device running firmware 2014-04-06 or later.
Anbash NC223W, NC322W and NC325W.
Trivision 228WF, 239WF, 240WF, 326PW, 336PW.
Netvision NCP2255I and NCP2475E.
UCam247/Phylink/Titathink/YCam/Anbash/Trivision/Netvision/others IoT webcams : remote code exec: reverse shell PoC.
https://gist.github.com/Wack0/a3435cafa5eb372b190f971190a506b8
Tomi Engdahl says:
IoT Botnets Are The New Normal of DDoS Attacks
https://threatpost.com/iot-botnets-are-the-new-normal-of-ddos-attacks/121093/