Lizard Squad's LizardStresser botnet is being used by a growing number of threat actors as the botnet-du-jour for enslaving Internet of Things (IoT) devices for later use in DDoS attacks.
Arbor Networks' ASERT group has found the number of command-and-control servers unique to LizardStresser has increased during 2016 with cyber-criminals managing to break into IoT devices primarily by using the unit's default password. This has enabled these gangs to assemble huge botnet armies capable of launching massive attacks.
“Utilizing the cumulative bandwidth available to these IOT devices, one group of threat actors has been able to launch attacks as large as 400GBps targeting gaming sites world-wide, Brazilian financial institutions, ISPs, and government institutions,” wrote Matthew Bing, Arbor Networks' threat intelligence and response manager.
Lizard Squad released LizardStresser's source code in 2015 with the express purpose of enabling such DDoS attacks.
The go-to IoT device for these attacks has been webcams, Kirk Soluk, threat intelligence and response manager at Arbor Networks, told SCMagazine.com in an email, noting that, unlike a smartphone, most people do not directly interact with a webcam leaving it vulnerable. For the same reason, most victims don't even know that their webcam has been recruited into a botnet army.
“While smartphones certainly have their security issues, it's worthwhile noting that they typically aren't running with remote management protocols using default usernames and passwords,” Soluk said.
When it comes to compromising IoT devices, LizzardStresser uses a straightforward approach. Soluk said telnet brute forcing is the preferred method with LizardStresser pinging random IPs looking to make a telnet connection. Once this is accomplished it has a hardcoded list of usernames and passwords and uses these to try and login. When successful, the device is connected to the command-and-control server.
By casting such a wide net, it enables the adversary to generate as much bandwidth as possible for the eventual DDoS attack.
The large 400GBps attack was launched by what ASERT believes to be a Brazilian group that used several thousand devices, primarily located in Vietnam and Brazil. This group was also responsible for hitting several Brazilian targets, including two large banks, two telecoms and two government agencies. However, the group has also operated in the northern hemisphere attacking three large gaming companies in the United States.