In their report titled “Rise of the Machines”, James Scott, ICIT senior fellow, and Drew Spaniel, researcher from the ICIT said: “The perfect storm is brewing that will pummel our Nation's public and private critical infrastructures with wave upon wave of devastating cyber-attacks.”
The report issues a stark warning: “Mirai malware offers malicious cyber-actors an asymmetric quantum leap in capability; not because of sophistication or any innovative DDoS code, rather it offers a powerful development platform that can be optimised and customised according to the desired outcome of a layered attack by an unsophisticated adversary.”
Despite this, according to security vendor Digital Shadows the release of the malware isn't what it might seem, although it is apparently a godsend for DDoS extortionists.
Many of those claims became a reality in 2016.
Europol kicked off the year by bringing down DD4BC, a gang operating a DDoS-as-a-service racket. The group had attacked over 140 companies since its emergence in 2014.
That was just the beginning. Later in the year, IT security researcher Brian Krebs blogged about another such gang from Israel, vDOS, which got caught because of a security vulnerability in its PoodleStresser website that allowed a database of its thousands of customers to be stolen. Eventually its members' identities were revealed.
Shortly after, gangs blasted Krebs' website with a record-busting 620Gbps attack. Krebs wrote at the time, “many readers have been asking whether this attack was in retaliation for my recent series on the takedown of the DDoS-for-hire service vDOS, which coincided with the arrests of two young men named in my original report as founders of the service. I can't say for sure, but it seems likely related: Some of the POST request attacks that came in last night as part of this 620 Gbps attack included the string ‘freeapplej4ck,' a reference to the nickname used by one of the vDOS co-owners.”
Akamai later dropped Krebs from its protection. SCMediaUK.com spoke to Robert Morton, director of PR for Akamai, who confirmed that, as Brian Krebs's website was being hosted pro bono, the company had to make the business decision, although not an easy one, to prioritise paying customers.
“Size was definitely a factor” in Akamai's decision to reconsider hosting the website. Recognising the impression this gives, that Akamai gave in and “the criminals have won”, Morton said that, “for the days we were protecting him, his website stayed up”.
Roughly a week after this incident, on Sep 30th 2016, user ‘Anna-Senpai' released the source code to the Mirai botnet on HackForums, claiming it could pull in over 380,000 IoT devices, all thanks to its use of a list of 60 default credentials which device owners commonly forgot to change.
Mark James, security specialist at ESET, commented, “we will almost certainly see a surge in DDoS activity due to the release of this source code, if not for specific reasons then people having ‘a play' with the code to see what it does.”
The plot thickened as European web hosting company OVH confirmed it was suffering a DDoS nearer to 1Tbps. Mickael Delcroix, press officer for OVH, said that in response the company had developed a new VAC mitigation system able to clean up 5Tbps of traffic.
OVH's CTO Octave Klaba confirmed on Twitter that the simultaneous DDoS attacks came close to 1Tbps and said that the botnet carrying out the attack contained over 145,000 DVR cameras, capable of generating a DDoS of greater than 1.5Tbps.
Security researcher and former LulzSec member Mustafa Al-Bassam called it “the largest DDoS attack ever recorded.”
A week later, the same botnet attacked Dyn, a DNS provider which supplies services to websites such as Spotify, Reddit, CNN and Netflix. Mainstream news coverage described the DDoS attack as the biggest of its kind.
Explaining the attack, Igal Zeifman, security evangelist at Imperva said: “the attack on Dyn is what is known as a DNS flood DDoS attack where attackers focus on the name servers to prevent web addresses from resolving. The attack is akin to cutting off the telephone network prior to an invasion to prevent communication.”
Many in the security industry worried that critical infrastructure could be crippled by a botnet. Marc Gaffan, vice president and GM at Imperva, said: “DNS infrastructure is a key component of making the internet work, and the large DNS providers have invested heavily in protecting their systems from such attacks. However, with the significant increase in attack sizes over the past 18 months, now often surpassing bursts of half a Terabit per second, many infrastructure and SaaS providers are looking to beef up their overall capacity and DDoS mitigation measures.”
The same botnet software was responsible for these attacks. Security vendor Flashpoint noted that while “Mirai botnets were used in the October 21, 2016 attack against Dyn, they were separate and distinct botnets from those used to execute the DDoS attacks against ‘Krebs on Security' and OVH.” According to Brian Krebs, many of the attacks which followed were copycat attacks.
Mirai didn't stop there: a Mirai botnet went on to attack Deutsche Telekom routers. The connectivity issues appear to have affected approximately 900,000 customers using Speedport W 921V or Speedport W 723V Type B routers.
The security community set about finding a solution to the problem. Stephen Gates, chief research intelligence analyst at NSFOCUS, said “the solution to this is simple. Manufacturers must do a better job of either ensuring that each device has a unique default password, or they must force users to change the password once the default is entered”.
He added, “soon we may see DDoS attacks that are capable of taking down major portions of the internet, as well as causing brownouts, creating intolerable latency, or making the internet unusable. This is all collateral damage caused by a failure of good judgment by using the same factory default passwords on IoT devices in the first place”.
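The two-part fix Gates describes, a unique per-unit factory password and a forced change the first time the shipped default is used, can be modelled as a small login gate. This is an added example, not code from the article or from any manufacturer; the `Device` class, its thresholds and the sample default list are constructed for illustration.

```python
"""Default-credential gate for an IoT device's management login.

Added example (not code from the article or any vendor). Models the
mitigation described in the text: a unique per-unit factory password,
and a forced password change the first time the default is used.
"""
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000      # constructed policy values
MIN_PASSWORD_LEN = 12

# Constructed sample of widely shared factory defaults; the gate
# refuses to accept any of them as a replacement password.
KNOWN_DEFAULTS = {("admin", "admin"), ("admin", "1234"),
                  ("root", "root"), ("user", "user")}


def factory_default() -> str:
    """Unique per-unit default, printed on the label rather than shared."""
    return secrets.token_urlsafe(12)          # 16 chars, 96 bits of entropy


class Device:
    """Login state for one unit; must_change stays set until the default goes."""

    def __init__(self, user: str, default_password: str):
        self.user = user
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(default_password)
        self.must_change = True               # factory state

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ROUNDS)

    def _check(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, self._hash(password))

    def login(self, user: str, password: str) -> str:
        """Returns 'denied', 'change_required' (default still set) or 'ok'."""
        if user != self.user or not self._check(password):
            return "denied"
        return "change_required" if self.must_change else "ok"

    def set_password(self, current: str, new: str) -> bool:
        """Replace the credential; rejects known defaults, short or unchanged ones."""
        if not self._check(current):
            return False
        if (self.user, new) in KNOWN_DEFAULTS or len(new) < MIN_PASSWORD_LEN or new == current:
            return False
        self.salt = os.urandom(16)            # fresh salt with the new secret
        self.pw_hash = self._hash(new)
        self.must_change = False
        return True
```

Until `set_password` succeeds, `login` reports `change_required`, which the device's firmware would use to block every other management action.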
Shortly after, Xiongmai, a Chinese electronics firm, initiated a product recall, as the root of the series of record-breaking DDoS attacks was believed to be a network of hacked Internet of Things devices.
Security researchers accused Xiongmai of releasing products with basic security vulnerabilities, such as the inability to set a password on some forms of connection. This is how hackers were able to combine them into the Mirai botnet, a large network of millions of hacked IoT devices.
Xiongmai said it plans to, “strengthen security on the devices and send users a patch for products made before April last year.”
The company said the biggest issue was users not changing default passwords, and added that overall, its products were well protected from cyber-security breaches.
Xiongmai also claimed that reports which say its products made up the bulk of those targeted in the attack are incorrect. The company statement said: “Security issues are a problem facing all mankind. Since industry giants have experienced them, Xiongmai is not afraid to experience them once, too.”
So how much are manufacturers like Xiongmai responsible for this issue of unsecured IoT devices? Mark James, security specialist at ESET, said: “I don't think Xiongmai could be held liable for this attack, but they obviously recognise a concern here and are making good steps in the right direction by recalling products that may have been affected. Hopefully other manufacturers will follow suit and take a look at what they can do to increase security of their own products.”
James added, “It seems these days that security takes a back seat, low cost affordable mass consumer use seems to be the preferred option and it has to change if we want a safer environment for our digital presence.”
Governments are asking questions too. The US Department of Commerce has released a paper on the IoT following a public request for comments in April. The paper attempts to summarise what a large number of companies, advocacy groups and interested individuals said about the key issues surrounding IoT.
This paper concluded, among other things, that the government needs to decide who is in charge. The report notes that “coordination among US Government partners would be helpful. While the internet of things offers some unique possibilities, the existing systems and processes should be sufficient to handle any new challenges.”
The paper agrees there is a need to accurately define what IoT actually is: “This green paper will continue to use the term Internet of Things as an umbrella term to reference the technological development in which a greatly increasing number of devices are connected to one another and/or to the Internet.” There was also agreement that it would be useful to put IoT into several buckets, such as industrial and consumer.
The DoC is looking to “continue to encourage the adoption of IPv6 through its ongoing efforts to enhance standards profiles, support measurement and testing infrastructures, and foster multistakeholder collaboration”.
Finally, the US government was told to resist the urge to regulate the field, especially while it is still largely up in the air. The DoC appears to agree.
Overall, experts agree that 2017 and beyond is likely to bear witness to bigger and more sophisticated DDoS attacks, some of which will be helped, perhaps counterintuitively, by the Mirai malware.
Dave Larson, CTO/COO at Corero Network Security, said: “Following the significant new high-volume attacks experienced in 2016, botnet-driven DDoS attacks will be the biggest security threat for 2017. In the year ahead, we will likely see Terabit-scale, multi-vector DDoS attacks becoming the new normal, with the potential to knock entire countries offline. Our entire digital economy depends upon access to the Internet, and so organizations should think carefully about business continuity in the wake of such events.”
Security vendor Sophos agrees: “Destructive DDoS IoT attacks will rise. In 2016, Mirai showed the massive destructive potential of DDoS attacks as a result of insecure consumer IoT devices. Cyber-criminals will find it easy to extend their reach because there are so many IoT devices containing outdated code based on poorly-maintained operating systems and applications with well-known vulnerabilities.”