The Reaper botnet, also known as IoTroop, a variant of Mirai, has been linked to a recent spate of DDoS attacks on three financial institutions in the Netherlands.
The three DDoS attacks that Reaper likely carried out took place on January 28th, 2018 on three different companies in the financial sector, all thought to be global Fortune 500 firms. The attack on the first company was a DNS amplification attack with traffic volumes peaking at 30 Gb/s. The exact volume of the subsequent two attacks is currently unclear.
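The first attack is described as DNS amplification: attackers send small queries to open resolvers with the victim's address forged as the source, so the victim receives large responses it never asked for. The detection sketch below is an added example written for this article; it is not code from the article, from Recorded Future or from any of the vendors named. It assumes flow records shaped like NetFlow/IPFIX summaries (one dict-like record per flow), uses constructed sample data in RFC 5737 documentation address ranges, and the thresholds are illustrative values, not tuned ones. The idea is the one a network defender would apply: a host that receives a large volume of UDP/53 responses from many distinct resolvers while sending almost no queries of its own is being used as an amplification target.

```python
"""Flag hosts receiving DNS amplification traffic in flow records.

Added example (not from the article). Assumptions: flows are simplified
NetFlow-style summaries, the observation window is one second, and the
thresholds below are illustrative.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    src: str        # source IP
    sport: int      # source port
    dst: str        # destination IP
    dport: int      # destination port
    proto: str      # "udp" or "tcp"
    bytes: int      # bytes in this flow
    packets: int    # packets in this flow


# Constructed sample (one-second window), not real traffic:
#  - 203.0.113.10 sent a single 60-byte query but receives 4000-byte responses
#    from six different resolvers it never queried (spoofed-source reflection).
#  - 203.0.113.20 is a normal client: two queries, two modest responses.
#  - one unrelated TCP flow that the detector must ignore.
SAMPLE_FLOWS = [
    Flow("203.0.113.10", 40000, "198.51.100.1", 53, "udp", 60, 1),
] + [
    Flow(f"198.51.100.{i}", 53, "203.0.113.10", 40000, "udp", 4000, 3)
    for i in range(1, 7)
] + [
    Flow("203.0.113.20", 41000, "198.51.100.53", 53, "udp", 70, 1),
    Flow("198.51.100.53", 53, "203.0.113.20", 41000, "udp", 300, 1),
    Flow("203.0.113.20", 41001, "198.51.100.53", 53, "udp", 70, 1),
    Flow("198.51.100.53", 53, "203.0.113.20", 41001, "udp", 300, 1),
    Flow("203.0.113.10", 50000, "192.0.2.80", 443, "tcp", 5000, 10),
]


def detect_dns_amplification(flows, window_seconds=1.0, min_reflectors=3,
                             min_ratio=10.0, min_bytes=10_000):
    """Return {victim_ip: details} for hosts that look like amplification targets.

    A host is flagged when, within the window, it receives at least
    `min_bytes` of UDP/53 responses from at least `min_reflectors` distinct
    resolvers, and the response-to-query byte ratio is at least `min_ratio`.
    """
    resp_bytes = defaultdict(int)    # bytes of DNS responses received per host
    reflectors = defaultdict(set)    # distinct resolvers answering each host
    query_bytes = defaultdict(int)   # bytes of DNS queries sent per host

    for f in flows:
        if f.proto != "udp":
            continue                     # DNS amplification rides on UDP
        if f.sport == 53:
            resp_bytes[f.dst] += f.bytes  # inbound DNS response toward f.dst
            reflectors[f.dst].add(f.src)
        elif f.dport == 53:
            query_bytes[f.src] += f.bytes  # outbound DNS query from f.src

    alerts = {}
    for host, rb in resp_bytes.items():
        qb = query_bytes.get(host, 0)
        # No observed queries at all is the strongest amplification signal.
        ratio = rb / qb if qb else float("inf")
        if (rb >= min_bytes and len(reflectors[host]) >= min_reflectors
                and ratio >= min_ratio):
            alerts[host] = {
                "response_bytes": rb,
                "query_bytes": qb,
                "reflectors": len(reflectors[host]),
                "ratio": ratio,
                "bps": rb * 8 / window_seconds,  # inbound rate in bits/second
            }
    return alerts


if __name__ == "__main__":
    for victim, info in detect_dns_amplification(SAMPLE_FLOWS).items():
        print(f"possible DNS amplification target {victim}: {info}")
```

In production the same three signals (response volume, distinct reflector count, response/query ratio) would be computed per window over live flow exports, and the `bps` figure is what gets compared against link capacity or a scrubbing trigger; the article's 30 Gb/s peak would appear here as a `bps` value of 3.0e10.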
Research by Recorded Future’s Insikt Group published earlier this week suggests that the Reaper botnet was potentially behind the three attacks. The researchers said their assessment was based on third-party metadata and open source intelligence. Insikt Group said that if Reaper or IoTroop is indeed behind the attack, “it may be the first time… [since it was] used to target victims since it was initially identified last year”.
Reaper is a powerful Internet of Things (IoT) botnet mainly made up of compromised home routers, DVRs, TVs and IP cameras, recruited by exploiting vulnerabilities in many different brands, including GoAhead, MikroTik and Ubiquiti. It has been observed over the past year, but until now has not led to any sizeable attacks.
The size of the attack on the first company at 30 Gb/s is negligible in comparison to the recent 1.7 Tbps attack, which was some fifty times larger; however, it could still cause significant damage for companies who don’t have adequate DDoS mitigation in place.
The Reaper botnet is thought to have been built off Mirai’s code, which was publicly released in late 2016. Many copycats and variants then developed, including the more aggressive and advanced Reaper malware.
Priscilla Moriuchi, who co-authored the report, told ZDNet, “This botnet is different than Mirai in composition and exploitation vector, likely compromising new bots based on vulnerabilities and not via unchanged administrator credentials”.
Reaper, unlike Mirai, has become a large botnet capable of running complex attack scripts to exploit flaws in the code of vulnerable devices, which can make it challenging to detect infections and thus mitigate the botnet adequately.
Netlab said the botnet had around 28,000 infected devices linked to one of the botnet’s controllers as of its discovery in October of last year – and was mushrooming in size.
Moriuchi said that the extent of financial damage caused by the three recent DDoS attacks was unknown; however, at least one of the companies saw its customer services temporarily disrupted.
“It will become increasingly important to monitor the potential controllers and identify new IoT devices being added to the botnet in preparation for further attacks,” the researchers said.