Recorded Future, a security company that specializes in machine-based threat intelligence, published information this week about a new IoT botnet, a variant of Mirai, which was the culprit behind a series of DDoS attacks on financial services companies earlier in 2018.
After the Mirai source code was released online in October 2016, variants have continued to appear, including IoTroop and Reaper.
“We have seen a lot of variants of that specific piece of malware — malware that infects IoT devices and pulls them into a botnet. What we haven’t seen since then is those botnets used in DDoS attacks,” said Priscilla Moriuchi, director of strategic threat development at Recorded Future.
“This attack in January, to our knowledge anyway, is the first time a large IoT botnet based on Mirai was used to target the financial sector,” she added.
The three attacks that the Mirai variant carried out all took place on January 28th, 2018. They targeted three different companies in the financial sector based in the Netherlands, all global Fortune 500 firms. The first company was hit by a DNS amplification attack that peaked at 30Gb/s and used at least 13,000 hijacked IoT devices. The exact volume of the following two attacks remains unclear. Even though these numbers are dwarfed by the recent massive terabit DDoS attacks, they can still cause significant damage to the companies targeted, both in the short and the longer term.
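A DNS amplification attack of the kind described above shows up in network telemetry as many small resolvers sending large UDP responses from port 53 to one target in a short window. The detector below is an added illustration, not code from the article or from Recorded Future; it runs over a handful of constructed flow records (the IP addresses, thresholds and byte counts are made up for the example) and flags a destination when the number of distinct responding resolvers, the average response size and the bytes-per-second rate all exceed configurable thresholds.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record (NetFlow/IPFIX style), constructed for the example."""
    ts: float      # seconds, relative to start of capture
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int


# Constructed sample records (not from the article): four open resolvers each
# send two large UDP/53 responses to 203.0.113.5 within one second, while
# 203.0.113.9 receives one ordinary-sized DNS answer.
SAMPLE_FLOWS = [
    Flow(0.00, "198.51.100.10", 53, "203.0.113.5", 40001, "udp", 3900),
    Flow(0.10, "198.51.100.11", 53, "203.0.113.5", 40002, "udp", 3600),
    Flow(0.20, "198.51.100.12", 53, "203.0.113.5", 40003, "udp", 4000),
    Flow(0.30, "198.51.100.13", 53, "203.0.113.5", 40004, "udp", 3300),
    Flow(0.45, "198.51.100.10", 53, "203.0.113.5", 40005, "udp", 3700),
    Flow(0.60, "198.51.100.11", 53, "203.0.113.5", 40006, "udp", 3500),
    Flow(0.75, "198.51.100.12", 53, "203.0.113.5", 40007, "udp", 3800),
    Flow(0.90, "198.51.100.13", 53, "203.0.113.5", 40008, "udp", 3400),
    Flow(0.50, "198.51.100.53", 53, "203.0.113.9", 51000, "udp", 120),
]


def detect_dns_amplification(flows, min_sources=3, min_avg_bytes=1000, min_rate_bps=20000):
    """Return one alert dict per destination that looks like an amplification target.

    Only UDP flows with source port 53 (DNS responses) are considered. The rate is
    total bytes divided by the span of timestamps seen for that destination, with a
    floor of one second so a single burst is not divided by zero.
    """
    per_dst = defaultdict(lambda: {"sources": set(), "nbytes": 0, "count": 0, "ts": []})
    for f in flows:
        if f.proto != "udp" or f.sport != 53:
            continue
        entry = per_dst[f.dst]
        entry["sources"].add(f.src)
        entry["nbytes"] += f.nbytes
        entry["count"] += 1
        entry["ts"].append(f.ts)

    alerts = []
    for dst, e in per_dst.items():
        span = max(1.0, max(e["ts"]) - min(e["ts"]))
        avg_bytes = e["nbytes"] / e["count"]
        rate = e["nbytes"] / span
        if len(e["sources"]) >= min_sources and avg_bytes >= min_avg_bytes and rate >= min_rate_bps:
            alerts.append({
                "dst": dst,
                "distinct_sources": len(e["sources"]),
                "total_bytes": e["nbytes"],
                "avg_response_bytes": round(avg_bytes),
                "bytes_per_second": round(rate),
            })
    return sorted(alerts, key=lambda a: a["total_bytes"], reverse=True)


if __name__ == "__main__":
    for alert in detect_dns_amplification(SAMPLE_FLOWS):
        print(alert)
```

In production the same three signals are usually computed per sliding window over exported flow data rather than over a static list, and the thresholds are tuned against the site's normal resolver traffic so that a busy recursive resolver does not trip the detector.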
Recorded Future identified seven specific IP addresses used by the controllers for the new IoT botnet, which, according to Moriuchi, has been “relatively rare for the botnet”. Moriuchi said that Recorded Future had used a mixture of third-party metadata and open source intelligence to make its assessment. The company was able to track IP geolocations and service banners using Shodan, the search engine for Internet-connected devices.
The use of IoTroop code has made the latest Mirai variant even more potent as it allows the malware to be updated whenever the attacker wants. “[IoTroop] was built using a flexible Lua engine and scripts, which means that instead of being limited to the static, pre-programmed attacks of previous exploits, its code can be easily updated on the fly, allowing massive in-place botnets to run new and more malicious attacks as soon as they become available,” researchers said.
Recorded Future issued a series of recommendations for IoT users to guard against their devices being taken over by an IoT botnet:
- Change default manufacturer passwords following purchase.
- Update the firmware for devices, even those you do not frequently use.
- For systems that require remote access, invest in a VPN.
- Disable unnecessary services on IoT devices and close ports that the device does not require for service.
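The last recommendation, closing ports and services a device does not need, is easiest to act on when the listening sockets are compared against an explicit allowlist. The audit below is an added example, not code from the article or from Recorded Future; it parses the output format of Linux `ss -tulnH` (the sample output, the allowlist and the service labels are constructed for the example) and reports every socket bound to a non-loopback address that is not on the allowlist.

```python
import re

# Constructed sample output in the column layout of `ss -tulnH` (not captured
# from a real device): netid, state, recv-q, send-q, local address:port, peer.
SAMPLE_SS_OUTPUT = """\
udp   UNCONN 0      0            0.0.0.0:53         0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:1900       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:23         0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:8080       0.0.0.0:*
tcp   LISTEN 0      128             [::]:22            [::]:*
"""

# Hypothetical allowlist for a device that only needs HTTPS management and SSH.
ALLOWED = {("tcp", 443), ("tcp", 22)}

# Short labels for ports commonly left open on consumer IoT devices.
KNOWN_SERVICES = {
    ("tcp", 23): "telnet (cleartext login)",
    ("udp", 53): "DNS",
    ("udp", 1900): "SSDP/UPnP discovery",
    ("tcp", 8080): "alternate HTTP",
}

LOOPBACK = re.compile(r"^(127\.|\[::1\]$|::1$)")


def parse_listeners(text):
    """Return (proto, address, port) tuples from ss-style output lines."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")
        if not port.isdigit():
            continue
        listeners.append((proto, addr, int(port)))
    return listeners


def audit_listeners(text, allowed=ALLOWED):
    """Flag sockets reachable from the network that are not on the allowlist.

    Loopback-only sockets are skipped: they are not exposed to the LAN or the
    Internet, so they are not what the recommendation is about.
    """
    findings = []
    seen = set()
    for proto, addr, port in parse_listeners(text):
        if LOOPBACK.match(addr) or (proto, port) in allowed or (proto, port) in seen:
            continue
        seen.add((proto, port))
        findings.append({
            "proto": proto,
            "port": port,
            "bound_to": addr,
            "service": KNOWN_SERVICES.get((proto, port), "unknown"),
        })
    return sorted(findings, key=lambda f: (f["proto"], f["port"]))


if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"{finding['proto']}/{finding['port']} on {finding['bound_to']}: {finding['service']}")
```

On a real device the text would come from running `ss -tulnH` (or `netstat -tuln` on older firmware) over the vendor's shell, and each finding is a service to disable in the device configuration or block at the router, with telnet and UPnP discovery being the two most common culprits in Mirai-style compromises.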
“It will become increasingly important to monitor the potential controllers and identify new IoT devices being added to the botnet in preparation for further attacks,” the researchers said.