<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	
	>
<channel>
	<title>Comments on: IoT used for censorship and more</title>
	<atom:link href="http://www.epanorama.net/blog/2016/09/25/iot-used-for-censorship-and-more/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.epanorama.net/blog/2016/09/25/iot-used-for-censorship-and-more/</link>
	<description>All about electronics and circuit design</description>
	<lastBuildDate>Thu, 16 Apr 2026 22:29:11 +0000</lastBuildDate>
		<sy:updatePeriod>hourly</sy:updatePeriod>
		<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.9.14</generator>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2016/09/25/iot-used-for-censorship-and-more/comment-page-1/#comment-1527154</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Fri, 02 Dec 2016 14:02:14 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=47398#comment-1527154</guid>
		<description><![CDATA[Sh... IoT just got real: Mirai botnet attacks targeting multiple ISPs
Now ZyXEL and D-Link routers from Post Office and TalkTalk under siege
http://www.theregister.co.uk/2016/12/02/broadband_mirai_takedown_analysis/

The Mirai botnet has struck again, with hundreds of thousands of TalkTalk and Post Office broadband customers affected. The two ISPs join a growing casualty list from a wave of assaults that have also affected customers at Deutsche Telekom, KCOM and Irish telco Eir over the last two weeks or so.

Problems at the Post Office and TalkTalk both began on Sunday and collectively affected hundreds of thousands of surfers. Similar attacks against thousands of KCOM broadband users around Hull that started about the same time targeted users of telco-supplied routers. Thousands of punters at the smaller ISP were left without a reliable internet connection as a result of the assault, which targeted routers from Taiwanese manufacturer ZyXEL.

It&#039;s unclear who is responsible for the growing string of attacks on ISP customers across Europe or their motives. The mechanism of the attack is, however, all too clear. Hackers are using the infamous Mirai malware or one of its derivatives to wreak havoc. The IoT malware scans for telnet before attempting to hack into vulnerable devices, using a brute-force attack featuring 61 different user/password combinations, the various default settings of kit from various manufacturers. Up to 5m devices are up for grabs thanks to wide open management ports, according to some estimates.

Jean-Philippe Taggart, senior security researcher at Malwarebytes, said: &quot;The leaked Mirai code, poorly secured remote administration on IoT devices, coupled with the recent availability of a Metasploit module to automate such attacks make for an ideal botnet recruitment campaign.

&quot;So far, it seems the infection does not survive a reboot, but the malicious actors tend to disable access to the remote administration as part of the infection. This prevents the ISP from applying an update that would solve these issues. The botnet gains a longer life as users seldom reboot their routers unless they&#039;re experiencing a problem.&quot;

Other experts imply further attacks along the same lines are inevitable because the state of router security is poor and unlikely to improve any time soon.

&quot;The current state of IoT security is in bad shape, and will get a whole lot worse before it gets any better. The Mirai botnet, which is powered by 100,000 IoT devices that are insecure by default, is just the most obvious and topical example.&quot;]]></description>
		<content:encoded><![CDATA[<p>Sh&#8230; IoT just got real: Mirai botnet attacks targeting multiple ISPs<br />
Now ZyXEL and D-Link routers from Post Office and TalkTalk under siege<br />
<a href="http://www.theregister.co.uk/2016/12/02/broadband_mirai_takedown_analysis/" rel="nofollow">http://www.theregister.co.uk/2016/12/02/broadband_mirai_takedown_analysis/</a></p>
<p>The Mirai botnet has struck again, with hundreds of thousands of TalkTalk and Post Office broadband customers affected. The two ISPs join a growing casualty list from a wave of assaults that have also affected customers at Deutsche Telekom, KCOM and Irish telco Eir over the last two weeks or so.</p>
<p>Problems at the Post Office and TalkTalk both began on Sunday and collectively affected hundreds of thousands of surfers. Similar attacks against thousands of KCOM broadband users around Hull that started about the same time targeted users of telco-supplied routers. Thousands of punters at the smaller ISP were left without a reliable internet connection as a result of the assault, which targeted routers from Taiwanese manufacturer ZyXEL.</p>
<p>It&#8217;s unclear who is responsible for the growing string of attacks on ISP customers across Europe or their motives. The mechanism of the attack is, however, all too clear. Hackers are using the infamous Mirai malware or one of its derivatives to wreak havoc. The IoT malware scans for telnet before attempting to hack into vulnerable devices, using a brute-force attack featuring 61 different user/password combinations, the various default settings of kit from various manufacturers. Up to 5m devices are up for grabs thanks to wide open management ports, according to some estimates.</p>
<p>Jean-Philippe Taggart, senior security researcher at Malwarebytes, said: &#8220;The leaked Mirai code, poorly secured remote administration on IoT devices, coupled with the recent availability of a Metasploit module to automate such attacks make for an ideal botnet recruitment campaign.</p>
<p>&#8220;So far, it seems the infection does not survive a reboot, but the malicious actors tend to disable access to the remote administration as part of the infection. This prevents the ISP from applying an update that would solve these issues. The botnet gains a longer life as users seldom reboot their routers unless they&#8217;re experiencing a problem.&#8221;</p>
<p>Other experts imply further attacks along the same lines are inevitable because the state of router security is poor and unlikely to improve any time soon.</p>
<p>&#8220;The current state of IoT security is in bad shape, and will get a whole lot worse before it gets any better. The Mirai botnet, which is powered by 100,000 IoT devices that are insecure by default, is just the most obvious and topical example.&#8221;</p>
]]></content:encoded>
	</item>
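The comment above describes the Mirai recruitment mechanism: scan for telnet, then run a short list of vendor default user/password pairs against each device. The following detection script is an added example and is not code from the original page, from The Register or from Mirai itself. It runs over a constructed, syslog-like telnet login log (the line format, the 60 second window and the three-distinct-pairs threshold are assumptions made for the example) and flags sources that cycle through several credential pairs in a short window or that log in with a known vendor default; only a handful of the default pairs are listed, not the full table the article counts at 61.

```python
"""Flag Mirai-style telnet credential scanning in honeypot or auth logs.

Added example, not code from the original page or from Mirai: the log
format below is a constructed syslog-like line from a hypothetical
telnetd, and the window and threshold values are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; the 198.51.100.7 source cycles through
# vendor defaults the way Mirai's scanner does, 203.0.113.9 is a user
# who mistyped a password once.
SAMPLE_LOG = """\
2016-11-27T03:10:01Z telnetd[412]: login failed from 198.51.100.7 user=root pass=xc3511
2016-11-27T03:10:02Z telnetd[412]: login failed from 198.51.100.7 user=root pass=vizxv
2016-11-27T03:10:02Z telnetd[412]: login failed from 198.51.100.7 user=admin pass=admin
2016-11-27T03:10:03Z telnetd[412]: login failed from 198.51.100.7 user=root pass=888888
2016-11-27T03:10:03Z telnetd[412]: login ok from 198.51.100.7 user=root pass=xmhdipc
2016-11-27T03:15:40Z telnetd[412]: login failed from 203.0.113.9 user=alice pass=wrongpw
2016-11-27T03:16:10Z telnetd[412]: login ok from 203.0.113.9 user=alice pass=hunter2
"""

# A few of the vendor default pairs from Mirai's leaked credential table
# (the article counts 61; only a handful are listed here).
DEFAULT_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "xmhdipc"),
    ("root", "default"), ("root", "123456"), ("support", "support"),
    ("admin", "password"), ("root", "root"), ("user", "user"),
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnetd\[\d+\]: login (?P<result>ok|failed) "
    r"from (?P<src>\S+) user=(?P<user>\S*) pass=(?P<pw>\S*)$"
)

WINDOW = timedelta(seconds=60)   # assumed: the scanner runs its list in seconds
MIN_DISTINCT = 3                 # assumed: distinct pairs per source and window


def parse(log_text):
    """Yield (timestamp, src, result, (user, pw)) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue            # ignore lines from other daemons
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["src"], m["result"], (m["user"], m["pw"])


def detect_scanners(log_text, window=WINDOW, min_distinct=MIN_DISTINCT):
    """Return {src: finding} for sources that look like credential scanners.

    A source is flagged when, inside one sliding window, it tries at least
    min_distinct distinct credential pairs, or when it logs in using a pair
    from DEFAULT_CREDS (a successful default login is the recruitment step,
    so it is reported even if it was the only attempt from that source).
    """
    events = defaultdict(list)
    for ts, src, result, cred in parse(log_text):
        events[src].append((ts, result, cred))

    findings = {}
    for src, evs in events.items():
        evs.sort(key=lambda e: e[0])
        default_login = None
        max_distinct = 0
        start = 0
        for end, (ts, result, cred) in enumerate(evs):
            # slide the window start forward until the window fits
            while ts - evs[start][0] > window:
                start += 1
            seen = {e[2] for e in evs[start:end + 1]}
            max_distinct = max(max_distinct, len(seen))
            if result == "ok" and cred in DEFAULT_CREDS:
                default_login = cred
        tried_defaults = {e[2] for e in evs if e[2] in DEFAULT_CREDS}
        if max_distinct >= min_distinct or default_login is not None:
            findings[src] = {
                "attempts": len(evs),
                "max_distinct_creds_in_window": max_distinct,
                "default_creds_tried": sorted(tried_defaults),
                "default_login": default_login,
            }
    return findings


if __name__ == "__main__":
    for src, finding in detect_scanners(SAMPLE_LOG).items():
        print(src, finding)
```

The single mistyped password from 203.0.113.9 stays below the threshold, while the scanner source is reported with the pairs it tried and the default pair that let it in; in practice the same logic applies to port 2323 and to any honeypot that logs the attempted pair, and the device-side fix the comment points at is to disable telnet and change the default credentials before the router is exposed.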
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2016/09/25/iot-used-for-censorship-and-more/comment-page-1/#comment-1520517</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Tue, 25 Oct 2016 09:58:40 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=47398#comment-1520517</guid>
		<description><![CDATA[Webcams used to attack Reddit and Twitter recalled
http://www.bbc.com/news/technology-37750798

Home webcams that were hijacked to help knock popular websites offline last week are being recalled in the US.

Chinese electronics firm Hangzhou Xiongmai issued the recall soon after its cameras were identified as aiding the massive web attacks.

They made access to popular websites, such as Reddit, Twitter, Spotify and many other sites, intermittent.

Security experts said easy-to-guess default passwords, used on Xiongmai webcams, aided the hijacking.

The web attack enrolled thousands of devices that make up the internet of things - smart devices used to oversee homes and which can be controlled remotely.

In a statement, Hangzhou Xiongmai said hackers were able to take over the cameras because users had not changed the devices&#039; default passwords.

Xiongmai rejected suggestions that its webcams made up the bulk of the devices used in the attacks.

&quot;Security issues are a problem facing all mankind,&quot; it said. &quot;Since industry giants have experienced them, Xiongmai is not afraid to experience them once, too.&quot;

It has also pledged to improve the way it uses passwords on its products and will send customers a software patch to harden devices against attack. 

Could this happen again?

Yes, and it probably will. The smart devices making up the IoT are proving very popular with the malicious hackers who make their living by selling attack services or extorting cash by threatening firms with devastating attacks.

Before the rise of the IoT it was tricky to set up a network of hijacked machines as most would be PCs that, generally, are more secure. Running such a network is hard and often machines had to be rented for a few hours just to carry out attacks. Now anyone can scan the net for vulnerable cameras, DVRs and other gadgets, take them over and start bombarding targets whenever they want.

Why should I care if my webcam is hijacked?

For the same reason you would care if your car was stolen and used by bank robbers as a getaway vehicle.

And because if your webcam, printer or DVR is hijacked you have, in effect, allowed a stranger to enter your home. Hackers are likely to start using these gadgets to spy on you and scoop up valuable data. It&#039;s worth taking steps to shut out the intruders. 

Can the IoT-based attacks be stopped?

Not easily. Many of the devices being targeted are hard to update and the passwords on some, according to one report, are hard-coded which means they cannot be changed. 

There is also the difficulty of identifying whether you are using a vulnerable product. A lot of IoT devices are built from components sourced from lots of different places. Finding out what software is running on them can be frustrating. 

Also, even if recalls and updates are massively successful there will still be plenty of unpatched devices available for malicious hackers to use. Some manufacturers of cheaper devices have refused to issue updates meaning there is a ready population of vulnerable gadgets available.

Why are these devices so poorly protected?

Because security costs money and electronics firms want to make their IoT device as cheap as possible. Paying developers to write secure code might mean a gadget is late to market and is more expensive. Plus enforcing good security on these devices can make them harder to use - again that might hit sales.

Who was behind the massive web attacks?

Right now, we don&#039;t know. Some hacker groups have claimed responsibility but none of their claims are credible.]]></description>
		<content:encoded><![CDATA[<p>Webcams used to attack Reddit and Twitter recalled<br />
<a href="http://www.bbc.com/news/technology-37750798" rel="nofollow">http://www.bbc.com/news/technology-37750798</a></p>
<p>Home webcams that were hijacked to help knock popular websites offline last week are being recalled in the US.</p>
<p>Chinese electronics firm Hangzhou Xiongmai issued the recall soon after its cameras were identified as aiding the massive web attacks.</p>
<p>They made access to popular websites, such as Reddit, Twitter, Spotify and many other sites, intermittent.</p>
<p>Security experts said easy-to-guess default passwords, used on Xiongmai webcams, aided the hijacking.</p>
<p>The web attack enrolled thousands of devices that make up the internet of things &#8211; smart devices used to oversee homes and which can be controlled remotely.</p>
<p>In a statement, Hangzhou Xiongmai said hackers were able to take over the cameras because users had not changed the devices&#8217; default passwords.</p>
<p>Xiongmai rejected suggestions that its webcams made up the bulk of the devices used in the attacks.</p>
<p>&#8220;Security issues are a problem facing all mankind,&#8221; it said. &#8220;Since industry giants have experienced them, Xiongmai is not afraid to experience them once, too.&#8221;</p>
<p>It has also pledged to improve the way it uses passwords on its products and will send customers a software patch to harden devices against attack. </p>
<p>Could this happen again?</p>
<p>Yes, and it probably will. The smart devices making up the IoT are proving very popular with the malicious hackers who make their living by selling attack services or extorting cash by threatening firms with devastating attacks.</p>
<p>Before the rise of the IoT it was tricky to set up a network of hijacked machines as most would be PCs that, generally, are more secure. Running such a network is hard and often machines had to be rented for a few hours just to carry out attacks. Now anyone can scan the net for vulnerable cameras, DVRs and other gadgets, take them over and start bombarding targets whenever they want.</p>
<p>Why should I care if my webcam is hijacked?</p>
<p>For the same reason you would care if your car was stolen and used by bank robbers as a getaway vehicle.</p>
<p>And because if your webcam, printer or DVR is hijacked you have, in effect, allowed a stranger to enter your home. Hackers are likely to start using these gadgets to spy on you and scoop up valuable data. It&#8217;s worth taking steps to shut out the intruders. </p>
<p>Can the IoT-based attacks be stopped?</p>
<p>Not easily. Many of the devices being targeted are hard to update and the passwords on some, according to one report, are hard-coded which means they cannot be changed. </p>
<p>There is also the difficulty of identifying whether you are using a vulnerable product. A lot of IoT devices are built from components sourced from lots of different places. Finding out what software is running on them can be frustrating. </p>
<p>Also, even if recalls and updates are massively successful there will still be plenty of unpatched devices available for malicious hackers to use. Some manufacturers of cheaper devices have refused to issue updates meaning there is a ready population of vulnerable gadgets available.</p>
<p>Why are these devices so poorly protected?</p>
<p>Because security costs money and electronics firms want to make their IoT device as cheap as possible. Paying developers to write secure code might mean a gadget is late to market and is more expensive. Plus enforcing good security on these devices can make them harder to use &#8211; again that might hit sales.</p>
<p>Who was behind the massive web attacks?</p>
<p>Right now, we don&#8217;t know. Some hacker groups have claimed responsibility but none of their claims are credible.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2016/09/25/iot-used-for-censorship-and-more/comment-page-1/#comment-1520510</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Tue, 25 Oct 2016 09:52:25 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=47398#comment-1520510</guid>
		<description><![CDATA[Hacker group claims responsibility for cyberattacks
http://www.silive.com/news/index.ssf/2016/10/hacker_group_claims_responsibi.html

Withering cyberattacks on server farms of a key internet firm repeatedly disrupted access to major websites — including SILive.com — and online services including Twitter, Netflix and PayPal across the United States on Friday.

The White House called the disruption malicious and a hacker group claimed responsibility, though its assertion couldn’t be verified.

Manchester, New Hampshire-based Dyn Inc. said its data centers were hit by three waves of distributed denial-of-service attacks, which overwhelm targeted machines with junk data traffic.

“What they are actually doing is moving around the world with each attack.”

The data flood came from tens of millions of different Internet-connected machines — including increasingly popular but highly insecure household devices such as web-connected cameras.

Dyn provides services to some 6 percent of America’s Fortune 500 companies

Members of a shadowy collective that calls itself New World Hackers claimed responsibility for the attack via Twitter. They said they organized networks of connected “zombie” computers called botnets that threw a staggering 1.2 terabits per second of data at the Dyn-managed servers.

“We didn’t do this to attract federal agents, only test power,”

The collective, @NewWorldHacking on Twitter, has in the past claimed responsibility for similar attacks against sites including ESPN.com in September and the BBC on Dec. 31. The attack on the BBC marshaled half the computing power of Friday’s onslaught.

The collective has also claimed responsibility for cyberattacks against Islamic State.

the incident was an example of how attacks on key junctures in the network can yield massive disruption.]]></description>
		<content:encoded><![CDATA[<p>Hacker group claims responsibility for cyberattacks<br />
<a href="http://www.silive.com/news/index.ssf/2016/10/hacker_group_claims_responsibi.html" rel="nofollow">http://www.silive.com/news/index.ssf/2016/10/hacker_group_claims_responsibi.html</a></p>
<p>Withering cyberattacks on server farms of a key internet firm repeatedly disrupted access to major websites — including SILive.com — and online services including Twitter, Netflix and PayPal across the United States on Friday.</p>
<p>The White House called the disruption malicious and a hacker group claimed responsibility, though its assertion couldn’t be verified.</p>
<p>Manchester, New Hampshire-based Dyn Inc. said its data centers were hit by three waves of distributed denial-of-service attacks, which overwhelm targeted machines with junk data traffic.</p>
<p>“What they are actually doing is moving around the world with each attack.”</p>
<p>The data flood came from tens of millions of different Internet-connected machines — including increasingly popular but highly insecure household devices such as web-connected cameras.</p>
<p>Dyn provides services to some 6 percent of America’s Fortune 500 companies</p>
<p>Members of a shadowy collective that calls itself New World Hackers claimed responsibility for the attack via Twitter. They said they organized networks of connected “zombie” computers called botnets that threw a staggering 1.2 terabits per second of data at the Dyn-managed servers.</p>
<p>“We didn’t do this to attract federal agents, only test power,”</p>
<p>The collective, @NewWorldHacking on Twitter, has in the past claimed responsibility for similar attacks against sites including ESPN.com in September and the BBC on Dec. 31. The attack on the BBC marshaled half the computing power of Friday’s onslaught.</p>
<p>The collective has also claimed responsibility for cyberattacks against Islamic State.</p>
<p>the incident was an example of how attacks on key junctures in the network can yield massive disruption.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2016/09/25/iot-used-for-censorship-and-more/comment-page-1/#comment-1520492</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Tue, 25 Oct 2016 08:17:16 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=47398#comment-1520492</guid>
		<description><![CDATA[Mirai Botnets Used for DDoS Attacks on Dyn
http://www.securityweek.com/mirai-botnets-used-ddos-attacks-dyn

Experts determined that the distributed denial-of-service (DDoS) attacks launched last week against Dyn’s DNS infrastructure were powered by Internet of Things (IoT) devices infected with the malware known as Mirai.

The first attack started on Friday at 7 am ET and it took the DNS provider roughly two hours to mitigate it. During this time, users directed to the company’s DNS servers on the east coast of the U.S. were unable to access several major websites, including Twitter, Reddit, GitHub, Etsy, Netflix, PagerDuty, Airbnb, Spotify, Intercom and Heroku.

A few hours later, a second, more global attack led to some users having difficulties in accessing the websites of Dyn customers. This second attack was mitigated within an hour. A third attack attempt was also detected, but it was mitigated before impacting users.

Dyn Chief Strategy Officer Kyle York pointed out in a blog post that the company “did not experience a system-wide outage at any time.”

Akamai and Flashpoint have confirmed that the attacks leveraged Mirai botnets and Dyn said it had observed tens of millions of IPs involved in the incident.

Dyn Statement on 10/21/2016 DDoS Attack
http://dyn.com/blog/dyn-statement-on-10212016-ddos-attack/

It’s likely that at this point you’ve seen some of the many news accounts of the Distributed Denial of Service (DDoS) attack Dyn sustained against our Managed DNS infrastructure this past Friday, October 21. We’d like to take this opportunity to share additional details and context regarding the attack. At the time of this writing, we are carefully monitoring for any additional attacks. Please note that our investigation regarding root cause continues and will be the topic of future updates. It is worth noting that we are unlikely to share all details of the attack and our mitigation efforts to preserve future defenses.

I also don’t want to get too far into this post without:

1. Acknowledging the tremendous efforts of Dyn’s operations and support teams in doing battle with what’s likely to be seen as an historic attack.
2. Acknowledging the tremendous support of Dyn’s customers, many of whom reached out to support our mitigation efforts even as they were impacted. Service to our customers is always our number one priority, and we appreciate their understanding as that commitment means Dyn is often the first responder of the internet.
3. Thanking our partners in the technology community, from the operations teams of the world’s top internet companies, to law enforcement and the standards community, to our competition and vendors, we’re humbled and grateful for the outpouring of support.

Starting at approximately 7:00 am ET, Dyn began experiencing a DDoS attack. While it’s not uncommon for Dyn’s Network Operations Center (NOC) team to mitigate DDoS attacks, it quickly became clear that this attack was different (more on that later). Approximately two hours later, the NOC team was able to mitigate the attack and restore service to customers. Unfortunately, during that time, internet users directed to Dyn servers on the East Coast of the US were unable to reach some of our customers’ sites, including some of the marquee brands of the internet

After restoring service, Dyn experienced a second wave of attacks just before noon ET. This second wave was more global in nature (i.e. not limited to our East Coast POPs), but was mitigated in just over an hour; service was restored at approximately 1:00 pm ET.

News reports of a third attack wave were verified by Dyn based on our information. While there was a third attack attempted, we were able to successfully mitigate it without customer impact.]]></description>
		<content:encoded><![CDATA[<p>Mirai Botnets Used for DDoS Attacks on Dyn<br />
<a href="http://www.securityweek.com/mirai-botnets-used-ddos-attacks-dyn" rel="nofollow">http://www.securityweek.com/mirai-botnets-used-ddos-attacks-dyn</a></p>
<p>Experts determined that the distributed denial-of-service (DDoS) attacks launched last week against Dyn’s DNS infrastructure were powered by Internet of Things (IoT) devices infected with the malware known as Mirai.</p>
<p>The first attack started on Friday at 7 am ET and it took the DNS provider roughly two hours to mitigate it. During this time, users directed to the company’s DNS servers on the east coast of the U.S. were unable to access several major websites, including Twitter, Reddit, GitHub, Etsy, Netflix, PagerDuty, Airbnb, Spotify, Intercom and Heroku.</p>
<p>A few hours later, a second, more global attack led to some users having difficulties in accessing the websites of Dyn customers. This second attack was mitigated within an hour. A third attack attempt was also detected, but it was mitigated before impacting users.</p>
<p>Dyn Chief Strategy Officer Kyle York pointed out in a blog post that the company “did not experience a system-wide outage at any time.”</p>
<p>Akamai and Flashpoint have confirmed that the attacks leveraged Mirai botnets and Dyn said it had observed tens of millions of IPs involved in the incident.</p>
<p>Dyn Statement on 10/21/2016 DDoS Attack<br />
<a href="http://dyn.com/blog/dyn-statement-on-10212016-ddos-attack/" rel="nofollow">http://dyn.com/blog/dyn-statement-on-10212016-ddos-attack/</a></p>
<p>It’s likely that at this point you’ve seen some of the many news accounts of the Distributed Denial of Service (DDoS) attack Dyn sustained against our Managed DNS infrastructure this past Friday, October 21. We’d like to take this opportunity to share additional details and context regarding the attack. At the time of this writing, we are carefully monitoring for any additional attacks. Please note that our investigation regarding root cause continues and will be the topic of future updates. It is worth noting that we are unlikely to share all details of the attack and our mitigation efforts to preserve future defenses.</p>
<p>I also don’t want to get too far into this post without:</p>
<p>1. Acknowledging the tremendous efforts of Dyn’s operations and support teams in doing battle with what’s likely to be seen as an historic attack.<br />
2. Acknowledging the tremendous support of Dyn’s customers, many of whom reached out to support our mitigation efforts even as they were impacted. Service to our customers is always our number one priority, and we appreciate their understanding as that commitment means Dyn is often the first responder of the internet.<br />
3. Thanking our partners in the technology community, from the operations teams of the world’s top internet companies, to law enforcement and the standards community, to our competition and vendors, we’re humbled and grateful for the outpouring of support.</p>
<p>Starting at approximately 7:00 am ET, Dyn began experiencing a DDoS attack. While it’s not uncommon for Dyn’s Network Operations Center (NOC) team to mitigate DDoS attacks, it quickly became clear that this attack was different (more on that later). Approximately two hours later, the NOC team was able to mitigate the attack and restore service to customers. Unfortunately, during that time, internet users directed to Dyn servers on the East Coast of the US were unable to reach some of our customers’ sites, including some of the marquee brands of the internet</p>
<p>After restoring service, Dyn experienced a second wave of attacks just before noon ET. This second wave was more global in nature (i.e. not limited to our East Coast POPs), but was mitigated in just over an hour; service was restored at approximately 1:00 pm ET.</p>
<p>News reports of a third attack wave were verified by Dyn based on our information. While there was a third attack attempted, we were able to successfully mitigate it without customer impact.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2016/09/25/iot-used-for-censorship-and-more/comment-page-1/#comment-1520361</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Mon, 24 Oct 2016 11:51:26 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=47398#comment-1520361</guid>
		<description><![CDATA[Hajime, Yet Another IoT Botnet
http://hackaday.com/2016/10/20/hajime-yet-another-iot-botnet/

Following on the heels of Mirai, a family of malware exploiting Internet of Things devices, [Sam Edwards] and [Ioannis Profetis] of Rapidity Networks have discovered a malicious Internet worm dubbed Hajime which targets Internet of Things devices.

Around the beginning of October, news of an IoT botnet came forward, turning IP webcams around the world into a DDoS machine. Rapidity Networks took an interest in this worm, and set out a few honeypots in the hopes of discovering what makes it tick.

Hajime: Analysis of a decentralized internet worm for IoT devices
https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf]]></description>
		<content:encoded><![CDATA[<p>Hajime, Yet Another IoT Botnet<br />
<a href="http://hackaday.com/2016/10/20/hajime-yet-another-iot-botnet/" rel="nofollow">http://hackaday.com/2016/10/20/hajime-yet-another-iot-botnet/</a></p>
<p>Following on the heels of Mirai, a family of malware exploiting Internet of Things devices, [Sam Edwards] and [Ioannis Profetis] of Rapidity Networks have discovered a malicious Internet worm dubbed Hajime which targets Internet of Things devices.</p>
<p>Around the beginning of October, news of an IoT botnet came forward, turning IP webcams around the world into a DDoS machine. Rapidity Networks took an interest in this worm, and set out a few honeypots in the hopes of discovering what makes it tick.</p>
<p>Hajime: Analysis of a decentralized internet worm for IoT devices<br />
<a href="https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf" rel="nofollow">https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2016/09/25/iot-used-for-censorship-and-more/comment-page-1/#comment-1520356</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Mon, 24 Oct 2016 11:42:36 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=47398#comment-1520356</guid>
		<description><![CDATA[Slashdot Asks: How Can We Prevent Packet-Flooding DDOS Attacks?
https://ask.slashdot.org/story/16/10/24/0418205/slashdot-asks-how-can-we-prevent-packet-flooding-ddos-attacks

Just last month Brian Krebs wrote &quot;What appears to be missing is any sense of urgency to address the DDoS threat on a coordinated, global scale,&quot; warning that countless ISPs still weren&#039;t implementing the BCP38 security standard, which was released &quot;more than a dozen years ago&quot; to filter spoofed traffic. That&#039;s one possible solution, but Slashdot reader dgallard suggests the PEIP and Fair Service proposals by Don Cohen:
PEIP (Path Enhanced IP) extends the IP protocol to enable determining the router path of packets sent to a target host. Currently, there is no information to indicate which routers a packet traversed on its way to a destination (DDOS target), enabling use of forged source IP addresses to attack the target via packet flooding...

&quot;We need laws that allow civil and/or criminal penalties for companies that sell systems this insecure.&quot; I

Is the best solution technical or legislative -- and does it involve hardware or software?

Comments:

Why not both?

Why is it so hard to grasp the concept that both a problem and a solution can be more than ONE THING?

Technical measures that prevent address spoofing are quickly becoming obsolete anyway; AFAICT, the recent attacks on Krebbs and Dyn, the two biggest DDoS attacks ever, didn&#039;t use spoofed source addresses. A spoofed address is only useful in an amplification attack, where you send a small request which provokes a much larger response; then if you don&#039;t spoof the source address, you get a huge firehose of responses coming at you and it&#039;s you that gets DDoSed, not the target.

In this case, the attackers didn&#039;t bother spoofing source addresses, because they didn&#039;t use an amplification attack; they just used a huge botnet all making ostensibly-valid requests and each device dealing with the response individually. It looks like the only way we have of preventing this sort of attack is to make the devices secure - easier said than done.

As most of this traffic was &quot;genuine&quot;, i.e. not spoofed, not faked, not bouncebacks, not violation of the protocol, etc. it&#039;s hard to do much about it. Even if you were running protocols where each packet had to be part of an authenticated stream, you would still have the same problem.

The only technical solution I can think of is a protocol with which you can communicate with an upstream host and have them implement a filter of your choice to the traffic they send you before it comes down your line.

Quite literally &quot;please block anything from these IP&#039;s or traffic that matches this pattern&quot;.

But I cannot imagine such a thing ever be implemented as it pushes the burden further and further upstream and the top-layer will be overwhelmed with traffic and their filters running hot all day long, especially if they have millions of customers all specifying complex rules.]]></description>
		<content:encoded><![CDATA[<p>Slashdot Asks: How Can We Prevent Packet-Flooding DDOS Attacks?<br />
<a href="https://ask.slashdot.org/story/16/10/24/0418205/slashdot-asks-how-can-we-prevent-packet-flooding-ddos-attacks" rel="nofollow">https://ask.slashdot.org/story/16/10/24/0418205/slashdot-asks-how-can-we-prevent-packet-flooding-ddos-attacks</a></p>
<p>Just last month Brian Krebs wrote &#8220;What appears to be missing is any sense of urgency to address the DDoS threat on a coordinated, global scale,&#8221; warning that countless ISPs still weren&#8217;t implementing the BCP38 security standard, which was released &#8220;more than a dozen years ago&#8221; to filter spoofed traffic. That&#8217;s one possible solution, but Slashdot reader dgallard suggests the PEIP and Fair Service proposals by Don Cohen:<br />
PEIP (Path Enhanced IP) extends the IP protocol to enable determining the router path of packets sent to a target host. Currently, there is no information to indicate which routers a packet traversed on its way to a destination (DDOS target), enabling use of forged source IP addresses to attack the target via packet flooding&#8230;</p>
<p>&#8220;We need laws that allow civil and/or criminal penalties for companies that sell systems this insecure.&#8221; I</p>
<p>Is the best solution technical or legislative &#8212; and does it involve hardware or software?</p>
<p>Comments: </p>
<p>Why not both?</p>
<p>Why is it so hard to grasp the concept that both a problem and a solution can be more than ONE THING?</p>
<p>Technical measures that prevent address spoofing are quickly becoming obsolete anyway; AFAICT, the recent attacks on Krebs and Dyn, the two biggest DDoS attacks ever, didn&#8217;t use spoofed source addresses. A spoofed address is only useful in an amplification attack, where you send a small request which provokes a much larger response; then if you don&#8217;t spoof the source address, you get a huge firehose of responses coming at you and it&#8217;s you that gets DDoSed, not the target.</p>
<p>In this case, the attackers didn&#8217;t bother spoofing source addresses, because they didn&#8217;t use an amplification attack; they just used a huge botnet all making ostensibly-valid requests and each device dealing with the response individually. It looks like the only way we have of preventing this sort of attack is to make the devices secure &#8211; easier said than done.</p>
<p>As most of this traffic was &#8220;genuine&#8221;, i.e. not spoofed, not faked, not bouncebacks, not violation of the protocol, etc. it&#8217;s hard to do much about it. Even if you were running protocols where each packet had to be part of an authenticated stream, you would still have the same problem.</p>
<p>The only technical solution I can think of is a protocol with which you can communicate with an upstream host and have them implement a filter of your choice to the traffic they send you before it comes down your line.</p>
<p>Quite literally &#8220;please block anything from these IP&#8217;s or traffic that matches this pattern&#8221;.</p>
<p>But I cannot imagine such a thing ever be implemented as it pushes the burden further and further upstream and the top-layer will be overwhelmed with traffic and their filters running hot all day long, especially if they have millions of customers all specifying complex rules.</p>
]]></content:encoded>
	</item>
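Added example, not part of the comment above and not code from any ISP or from the Slashdot thread it quotes: a toy model of BCP38 (RFC 2827) ingress filtering at an ISP's customer edge. It shows the two attack shapes the comment contrasts: a reflection/amplification attempt that needs a spoofed source address and is dropped at the edge, and a Mirai-style direct flood from compromised devices using their own legitimate addresses, which BCP38 forwards untouched. The port names, the RFC 5737 documentation addresses, and the functions bcp38_allows, apply_ingress_filter and reflected_bytes_by_receiver are all assumptions made for the example.

```python
"""Added example: what BCP38 ingress filtering does and does not stop.

Toy model of an ISP customer edge. Assumption: the edge router knows which
prefixes were assigned to each customer port and, per BCP38 / RFC 2827, drops
any packet arriving on a port whose source address lies outside that port's
prefixes. All addresses are RFC 5737 documentation ranges (constructed data).
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample topology: prefixes delegated to each customer port.
CUSTOMER_PREFIXES = {
    "port1": [ipaddress.ip_network("192.0.2.0/24")],
    "port2": [ipaddress.ip_network("198.51.100.0/25")],
}

VICTIM = "203.0.113.10"    # hypothetical DDoS target, reached via another ISP
RESOLVER = "203.0.113.53"  # hypothetical open DNS resolver used as a reflector


@dataclass(frozen=True)
class Packet:
    ingress_port: str
    src: str
    dst: str
    dst_port: int


def bcp38_allows(pkt):
    """True if pkt.src lies inside a prefix assigned to pkt's ingress port."""
    src = ipaddress.ip_address(pkt.src)
    prefixes = CUSTOMER_PREFIXES.get(pkt.ingress_port, ())
    return any(src in prefix for prefix in prefixes)


def apply_ingress_filter(packets):
    """Run the BCP38 check over packets; return (forwarded, dropped) lists."""
    forwarded = [p for p in packets if bcp38_allows(p)]
    dropped = [p for p in packets if not bcp38_allows(p)]
    return forwarded, dropped


def reflected_bytes_by_receiver(requests, request_len, factor):
    """Tally where a reflector's answers land.

    A reflector answers each request with factor * request_len bytes and sends
    them to whatever address is in the request's source field. Spoofing the
    victim's address steers the amplified answers at the victim; without
    spoofing, the sender itself receives the firehose.
    """
    totals = {}
    for p in requests:
        totals[p.src] = totals.get(p.src, 0) + request_len * factor
    return totals


def sample_traffic():
    """Constructed mix: an amplification attempt plus a direct botnet flood."""
    # Reflection: an attacker on port1 forges the victim's address as the
    # source of small DNS queries aimed at the open resolver.
    spoofed = [Packet("port1", VICTIM, RESOLVER, 53) for _ in range(5)]
    # Direct flood: compromised devices on both ports send ordinary-looking
    # HTTP requests to the victim from their own, legitimate addresses.
    direct = [Packet("port1", "192.0.2.55", VICTIM, 80) for _ in range(5)]
    direct += [Packet("port2", "198.51.100.7", VICTIM, 80) for _ in range(5)]
    return spoofed + direct


if __name__ == "__main__":
    fwd, drp = apply_ingress_filter(sample_traffic())
    print("dropped by BCP38 (spoofed source):", len(drp))
    print("forwarded (genuine source, still attack traffic):", len(fwd))
    # 60-byte queries answered with 50x larger responses, with and without spoofing
    print("reflected bytes, spoofed:", reflected_bytes_by_receiver(drp, 60, 50))
    honest = [Packet("port1", "192.0.2.55", RESOLVER, 53) for _ in range(5)]
    print("reflected bytes, unspoofed:", reflected_bytes_by_receiver(honest, 60, 50))
```

Running the block shows the five spoofed queries dropped and all ten direct-flood packets forwarded: the filter removes the attacker's ability to aim a reflector at the victim, but, exactly as the comment says, it has nothing to say about a botnet whose members use their real addresses, because those packets are indistinguishable from the customer's own traffic at this point in the network.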
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2016/09/25/iot-used-for-censorship-and-more/comment-page-1/#comment-1520355</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Mon, 24 Oct 2016 11:40:20 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=47398#comment-1520355</guid>
		<description><![CDATA[Who Should We Blame For Friday’s DDOS Attack?
https://it.slashdot.org/story/16/10/23/2135246/who-should-we-blame-for-fridays-ddos-attack

“Wondering which IoT device types are part of the Mirai botnet causing trouble today? Brian Krebs has the list, tweeted Trend Micro’s Eric Skinner Friday, sharing an early October link which identifies Panasonic, Samsung and Xerox printers, and lesser known makers of routers and cameras.

Part of the responsibility should also lie with lawmakers and regulators, who have failed to create a safety system to account for the Internet-of-Things era we are now living in.

If you’re worried, Motherboard is pointing people to an online scanning tool from BullGuard (a U.K. anti-virus firm) which checks whether devices on your home network are listed in the Shodan search engine for unsecured IoT devices.]]></description>
		<content:encoded><![CDATA[<p>Who Should We Blame For Friday’s DDOS Attack?<br />
<a href="https://it.slashdot.org/story/16/10/23/2135246/who-should-we-blame-for-fridays-ddos-attack" rel="nofollow">https://it.slashdot.org/story/16/10/23/2135246/who-should-we-blame-for-fridays-ddos-attack</a></p>
<p>“Wondering which IoT device types are part of the Mirai botnet causing trouble today? Brian Krebs has the list, tweeted Trend Micro’s Eric Skinner Friday, sharing an early October link which identifies Panasonic, Samsung and Xerox printers, and lesser known makers of routers and cameras.</p>
<p>Part of the responsibility should also lie with lawmakers and regulators, who have failed to create a safety system to account for the Internet-of-Things era we are now living in.</p>
<p>If you’re worried, Motherboard is pointing people to an online scanning tool from BullGuard (a U.K. anti-virus firm) which checks whether devices on your home network are listed in the Shodan search engine for unsecured IoT devices.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2016/09/25/iot-used-for-censorship-and-more/comment-page-1/#comment-1520309</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Mon, 24 Oct 2016 07:31:38 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=47398#comment-1520309</guid>
		<description><![CDATA[Funny comment from  http://www.computerworld.com/article/3134097/security/chinese-firm-admits-its-hacked-products-were-behind-fridays-ddos-attack.html?nsdr=true by Jerry:

I can just see some review board at DHS

&#039;Wait, you mean to tell me a TOASTER RUNNING JAVA DID THIS ? &#039;

&#039;No sir, it wasn&#039;t JUST the toasters this time, it was the Refrigerators AND the Washing Machines.&#039;

&#039;Those Maytag&#039;s - they can really network together&#039;.

Ugh if this was oversight by China.

Ugh if not.]]></description>
		<content:encoded><![CDATA[<p>Funny comment from  <a href="http://www.computerworld.com/article/3134097/security/chinese-firm-admits-its-hacked-products-were-behind-fridays-ddos-attack.html?nsdr=true" rel="nofollow">http://www.computerworld.com/article/3134097/security/chinese-firm-admits-its-hacked-products-were-behind-fridays-ddos-attack.html?nsdr=true</a> by Jerry:</p>
<p>I can just see some review board at DHS</p>
<p>&#8216;Wait, you mean to tell me a TOASTER RUNNING JAVA DID THIS ? &#8216;</p>
<p>&#8216;No sir, it wasn&#8217;t JUST the toasters this time, it was the Refrigerators AND the Washing Machines.&#8217;</p>
<p>&#8216;Those Maytag&#8217;s &#8211; they can really network together&#8217;.</p>
<p>Ugh if this was oversight by China.</p>
<p>Ugh if not.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2016/09/25/iot-used-for-censorship-and-more/comment-page-1/#comment-1520307</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Mon, 24 Oct 2016 07:30:41 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=47398#comment-1520307</guid>
		<description><![CDATA[Michael Kan / Computerworld: 	
Xiongmai admits its products were part of Mirai botnet, says it patched the flaws in September 2015 but older devices still vulnerable  —  Botnets created from the Mirai malware were involved in the cyberattack  —  A Chinese electronics component manufacturer says its products inadvertently played … 

Chinese firm admits its hacked products were behind Friday&#039;s DDOS attack
Botnets created from the Mirai malware were involved in the cyberattack
http://www.computerworld.com/article/3134097/security/chinese-firm-admits-its-hacked-products-were-behind-fridays-ddos-attack.html?nsdr=true

A Chinese electronics component manufacturer says its products inadvertently played a role in a massive cyberattack that disrupted major internet sites in the U.S. on Friday.

Hangzhou Xiongmai Technology, a vendor behind DVRs and internet-connected cameras, said on Sunday that security vulnerabilities involving weak default passwords in its products were partly to blame.

According to security researchers, malware known as Mirai has been taking advantage of these vulnerabilities by infecting the devices and using them to launch huge distributed denial-of service attacks, including Friday’s outage.

“Mirai is a huge disaster for the Internet of Things,” Xiongmai said in an email to IDG News Service. “(We) have to admit that our products also suffered from hacker&#039;s break-in and illegal use.”

Mirai works by enslaving IoT devices to form a massive connected network. The devices are then used to deluge websites with requests, overloading the sites and effectively taking them offline.

Because these devices have weak default passwords and are easy to infect, Mirai has been found spreading to at least 500,000 devices, according to internet backbone provider Level 3 Communications.]]></description>
		<content:encoded><![CDATA[<p>Michael Kan / Computerworld:<br />
Xiongmai admits its products were part of Mirai botnet, says it patched the flaws in September 2015 but older devices still vulnerable  —  Botnets created from the Mirai malware were involved in the cyberattack  —  A Chinese electronics component manufacturer says its products inadvertently played … </p>
<p>Chinese firm admits its hacked products were behind Friday&#8217;s DDOS attack<br />
Botnets created from the Mirai malware were involved in the cyberattack<br />
<a href="http://www.computerworld.com/article/3134097/security/chinese-firm-admits-its-hacked-products-were-behind-fridays-ddos-attack.html?nsdr=true" rel="nofollow">http://www.computerworld.com/article/3134097/security/chinese-firm-admits-its-hacked-products-were-behind-fridays-ddos-attack.html?nsdr=true</a></p>
<p>A Chinese electronics component manufacturer says its products inadvertently played a role in a massive cyberattack that disrupted major internet sites in the U.S. on Friday.</p>
<p>Hangzhou Xiongmai Technology, a vendor behind DVRs and internet-connected cameras, said on Sunday that security vulnerabilities involving weak default passwords in its products were partly to blame.</p>
<p>According to security researchers, malware known as Mirai has been taking advantage of these vulnerabilities by infecting the devices and using them to launch huge distributed denial-of service attacks, including Friday’s outage.</p>
<p>“Mirai is a huge disaster for the Internet of Things,” Xiongmai said in an email to IDG News Service. “(We) have to admit that our products also suffered from hacker&#8217;s break-in and illegal use.”</p>
<p>Mirai works by enslaving IoT devices to form a massive connected network. The devices are then used to deluge websites with requests, overloading the sites and effectively taking them offline.</p>
<p>Because these devices have weak default passwords and are easy to infect, Mirai has been found spreading to at least 500,000 devices, according to internet backbone provider Level 3 Communications.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2016/09/25/iot-used-for-censorship-and-more/comment-page-1/#comment-1520117</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Sat, 22 Oct 2016 23:21:50 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=47398#comment-1520117</guid>
		<description><![CDATA[Brian Krebs / Krebs on Security: 	
Researchers: Friday&#039;s internet outage, caused by DDoS attack on DynDNS, was powered in part by a Mirai-based botnet of DVRs and cameras with XiongMai components  —  A massive and sustained Internet attack that has caused outages and network congestion today for a large number of Web sites 

Hacked Cameras, DVRs Powered Today’s Massive Internet Outage
http://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/

A massive and sustained Internet attack that has caused outages and network congestion today for a large number of Web sites was launched with the help of hacked “Internet of Things” (IoT) devices, such as CCTV video cameras and digital video recorders, new data suggests.

Earlier today cyber criminals began training their attack cannons on Dyn, an Internet infrastructure company

Mirai scours the Web for IoT devices protected by little more than factory-default usernames and passwords, and then enlists the devices in attacks that hurl junk traffic at an online target until it can no longer accommodate legitimate visitors or users.

According to researchers at security firm Flashpoint, today’s attack was launched at least in part by a Mirai-based botnet. Allison Nixon, director of research at Flashpoint, said the botnet used in today’s ongoing attack is built on the backs of hacked IoT devices — mainly compromised digital video recorders (DVRs) and IP cameras made by a Chinese hi-tech company called XiongMai Technologies. The components that XiongMai makes are sold downstream to vendors who then use it in their own products.

“It’s remarkable that virtually an entire company’s product line has just been turned into a botnet that is now attacking the United States,” Nixon said, noting that Flashpoint hasn’t ruled out the possibility of multiple botnets being involved in the attack on Dyn.

“At least one Mirai [control server] issued an attack command to hit Dyn,” 

As I noted earlier this month in Europe to Push New Security Rules Amid IoT Mess, many of these products from XiongMai and other makers of inexpensive, mass-produced IoT devices are essentially unfixable, and will remain a danger to others unless and until they are completely unplugged from the Internet.

“The issue with these particular devices is that a user cannot feasibly change this password,”

The wholesalers and retailers of these devices might then be encouraged to shift their focus toward buying and promoting connected devices which have this industry security association seal of approval. Consumers also would need to be educated to look for that seal of approval. Something like Underwriters Laboratories (UL), but for the Internet, perhaps.

Until then, these insecure IoT devices are going to stick around like a bad rash — unless and until there is a major, global effort to recall and remove vulnerable systems from the Internet. In my humble opinion, this global cleanup effort should be funded mainly by the companies that are dumping these cheap, poorly-secured hardware devices onto the market in an apparent bid to own the market. Well, they should be made to own the cleanup efforts as well.]]></description>
		<content:encoded><![CDATA[<p>Brian Krebs / Krebs on Security:<br />
Researchers: Friday&#8217;s internet outage, caused by DDoS attack on DynDNS, was powered in part by a Mirai-based botnet of DVRs and cameras with XiongMai components  —  A massive and sustained Internet attack that has caused outages and network congestion today for a large number of Web sites </p>
<p>Hacked Cameras, DVRs Powered Today’s Massive Internet Outage<br />
<a href="http://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/" rel="nofollow">http://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/</a></p>
<p>A massive and sustained Internet attack that has caused outages and network congestion today for a large number of Web sites was launched with the help of hacked “Internet of Things” (IoT) devices, such as CCTV video cameras and digital video recorders, new data suggests.</p>
<p>Earlier today cyber criminals began training their attack cannons on Dyn, an Internet infrastructure company</p>
<p>Mirai scours the Web for IoT devices protected by little more than factory-default usernames and passwords, and then enlists the devices in attacks that hurl junk traffic at an online target until it can no longer accommodate legitimate visitors or users.</p>
<p>According to researchers at security firm Flashpoint, today’s attack was launched at least in part by a Mirai-based botnet. Allison Nixon, director of research at Flashpoint, said the botnet used in today’s ongoing attack is built on the backs of hacked IoT devices — mainly compromised digital video recorders (DVRs) and IP cameras made by a Chinese hi-tech company called XiongMai Technologies. The components that XiongMai makes are sold downstream to vendors who then use it in their own products.</p>
<p>“It’s remarkable that virtually an entire company’s product line has just been turned into a botnet that is now attacking the United States,” Nixon said, noting that Flashpoint hasn’t ruled out the possibility of multiple botnets being involved in the attack on Dyn.</p>
<p>“At least one Mirai [control server] issued an attack command to hit Dyn,” </p>
<p>As I noted earlier this month in Europe to Push New Security Rules Amid IoT Mess, many of these products from XiongMai and other makers of inexpensive, mass-produced IoT devices are essentially unfixable, and will remain a danger to others unless and until they are completely unplugged from the Internet.</p>
<p>“The issue with these particular devices is that a user cannot feasibly change this password,”</p>
<p>The wholesalers and retailers of these devices might then be encouraged to shift their focus toward buying and promoting connected devices which have this industry security association seal of approval. Consumers also would need to be educated to look for that seal of approval. Something like Underwriters Laboratories (UL), but for the Internet, perhaps.</p>
<p>Until then, these insecure IoT devices are going to stick around like a bad rash — unless and until there is a major, global effort to recall and remove vulnerable systems from the Internet. In my humble opinion, this global cleanup effort should be funded mainly by the companies that are dumping these cheap, poorly-secured hardware devices onto the market in an apparent bid to own the market. Well, they should be made to own the cleanup efforts as well.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
