Reuters reported that up to 10,000 webcams made by the Chinese manufacturer Hangzhou Xiongmai Technology Co. will be recalled in the aftermath of a cyber attack that recently blocked access to some of the world's biggest websites. In Washington, a member of the U.S. Senate Intelligence Committee asked three federal agencies what steps the government can take to prevent cyber criminals from compromising electronic devices. Courtesy: AlienVault
IoT devices have proliferated at a rapid pace, and anyone who controls them can wield significant power. This came into full display on September 20, 2016, when the Mirai botnet launched a record DDoS attack, estimated at around 620 Gbps, taking the Krebs on Security website offline. But this appears to be just the beginning of IoT-based attacks, as the source code for Mirai has now been published online.
The IoT Security Challenge
The challenge with IoT devices is that not only are they often insecure by design, they also frequently lack any means to apply patches or upgrades. Enterprises deploying IoT devices may take the time to change default credentials, place the devices in a segregated network zone, or otherwise harden them – but consumers are highly unlikely to implement any such measures.
Mirai Botnet, Tip of the IoT Iceberg
The Mirai botnet is malware designed to take control of BusyBox-based systems, which are commonly used in IoT devices. BusyBox is a lightweight single executable that provides many common Unix tools in resource-limited POSIX environments, making it an ideal fit for IoT devices. The DDoS attacks of October 21 appear to have been traced to IoT equipment made by XiongMai Technologies.
Opening Pandora's Linux Box
With the Mirai source code published, and no plan in place to patch or otherwise protect vulnerable IoT devices, it was inevitable that the code would be reused, out of curiosity and for malicious purposes alike. The AlienVault Labs team analysed the source code and developed signatures to detect Mirai activity. Using data in the Open Threat Exchange (OTX), the team saw a significant spike in Mirai activity after the source code went live, both in the number of times the signature was hit and in the number of affected devices. IoT device security has been talked about, even joked about, for some time, with IoT manufacturers overwhelmingly choosing convenience and neglecting to heed security warnings. The Mirai botnet has given the first real glimpse of the power of an IoT botnet and the damage it can do.
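As an added illustration of the kind of behavioural detection the paragraph describes (this is example code, not AlienVault's signatures or OTX integration), the Python below flags a source that sprays several default credential pairs at many hosts on telnet ports within a short window, which is what the default-credential problem described earlier looks like from the log side. The key=value log format, the sample lines and the credential pairs are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real traffic) in an assumed key=value format, as a honeypot or IoT gateway might emit.
SAMPLE_LOG = """\
2016-10-21T12:00:01Z src=198.51.100.7 dst=192.0.2.10 dport=23 user=root pass=admin result=fail
2016-10-21T12:00:02Z src=198.51.100.7 dst=192.0.2.11 dport=23 user=admin pass=admin result=fail
2016-10-21T12:00:02Z src=198.51.100.7 dst=192.0.2.12 dport=2323 user=root pass=12345 result=fail
2016-10-21T12:00:03Z src=198.51.100.7 dst=192.0.2.13 dport=23 user=root pass=root result=success
2016-10-21T12:00:04Z src=198.51.100.7 dst=192.0.2.14 dport=23 user=support pass=support result=fail
2016-10-21T12:00:09Z src=203.0.113.5 dst=192.0.2.10 dport=22 user=ops pass=***** result=success
2016-10-21T12:00:10Z src=203.0.113.5 dst=192.0.2.10 dport=22 user=ops pass=***** result=fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<result>\w+)$")
TELNET_PORTS = {23, 2323}  # classic telnet and the alternate port common on IoT gear

def parse_lines(text):
    """Yield one dict per well-formed line; malformed lines are skipped, not guessed at."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            rec["dport"] = int(rec["dport"])
            yield rec

def find_telnet_sprayers(text, window_s=60, min_targets=3, min_creds=3):
    """Flag sources that, within window_s seconds, try >= min_creds distinct credential
    pairs against >= min_targets hosts on telnet ports; returns {src: summary dict}."""
    by_src = defaultdict(list)
    for rec in parse_lines(text):
        if rec["dport"] in TELNET_PORTS:
            by_src[rec["src"]].append(rec)
    alerts = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):  # sliding window anchored at each attempt
            win = [r for r in recs[i:] if (r["ts"] - first["ts"]).total_seconds() <= window_s]
            targets = {r["dst"] for r in win}
            creds = {(r["user"], r["pw"]) for r in win}
            if len(targets) >= min_targets and len(creds) >= min_creds:
                alerts[src] = {"targets": len(targets), "creds": len(creds),
                               "successes": sorted(r["dst"] for r in win if r["result"] == "success")}
                break  # one alert per source is enough
    return alerts
```

The "successes" list is the part worth acting on first: any host on it accepted a default credential pair and should be treated as compromised until it is re-credentialed or isolated.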
With patching not feasible for most devices, there is no easy fix in sight. IoT device manufacturers will need to build fundamental security principles into their designs and avoid shipping devices with default credentials. Until IoT devices offer secure options, they will continue to feature prominently in cyber security attacks.
You can find IoCs related to the Mirai infrastructure in Open Threat Exchange. It's free to join OTX, and the platform offers an API to integrate Indicators of Compromise (IoCs) into other security controls. AlienVault includes this integration and alerts you when IoCs from OTX are detected in your environment.