Report: Mirai 'is just the tip of the iceberg'

News by Max Metzger

A new report from the Institute of Critical Infrastructure Technology has placed Mirai as one of the most insidiously profound threats of recent memory, offering a "quantum leap" to even unsophisticated attackers

Mirai is just the tip of the iceberg according to a new report by the Institute for Critical infrastructure technology.

The DDoS malware which has filled security headlines recently is a profound new intervention in the threat landscape, according to the authors Drew Spaniel and James Scott. Mirai, says the report, offers cyber-criminals, hacktivists and APTs, “an asymmetric quantum leap in capability”.

It's not, as one might expect, because of its sophistication or that it represents some kind of new weapon for which there is no counter defence, but because of its accessibility. Mirai malware offers a “powerful development platform” which can be tailored to even a relatively unsophisticated attacker's needs.

The report is stark in its conclusions: “right now, script kiddies and cyber-criminal gangs are already drastically expanding their control over vulnerable IoT devices, which are enslaved to malicious purposes and can be contracted in DDoS-for-Hire services by a virtually unlimited number of actors for use in an infinite variation of layered attack methods.”

One key reason behind the scale of this threat is the fact that anyone can build on it. An unsophisticated attack, with the right intentions, could build on Mirai to make a self-propagating worm: “if the capability to infect IoT devices with spreadable worms were built into the Mirai platform, the impact would be enormous.”

Graham Mann, MD of Encode Group UK told that he largely concurs with the reports conclusions, saying,  “this is a seed change in the way that Mirai provides a platform from which potentially devastating DDoS attacks can be initiated. Mirai and its derivatives will, I believe, be one of the defining threats in 2017.”

Mirai malware has clogged security headlines recently with a series of record-breaking attacks. It first made its presence known with a DDoS attack on investigative journalist and security expert, Brian Krebs' website. While that attack broke all previous DDoS records with a flood power of around 600 gbps, the next one would nearly double it.

Next in line was DNS service Dyn, which was DDoSed in October 2016 and resulted in internet outages to popular sites like Spotify, Twitter and Reddit. This time, a Mirai botnet brought over one terabyte of flood power to knock Dyn out. Over the coming weeks, Mirai would be seen in an attack which purportedly knocked the entire West African country of Liberia offline and implicated in attacks on several Russian banks.

Most recently, hundreds of thousands of customers of a variety of companies were subject to service outages across Europe.

The first to be hit were Deutsche Telekom customers, 900,000 of which experienced outages over the last weekend of December 2016. It was widely suspected, that this was a massive landgrab by a botmaster, using a variant of Mirai to go after the poorly secured routers those customers used to get online.

Later that week, when Post Office broadband and TalkTalk customers experienced similar problems, those suspicions only increased.

Amit Ashbel, cyber-security evangelist at Checkmarx told SC that Mirai throws threw the security of the IoT into sharp relief: “Security experts have brought up the concern of IoT vendors neglecting security more than once over the past years and Mirai has proved their concerns to be legitimate. Devices that have access to the internet and have remote access should be designed with security in mind and this starts with the most basic requirement, namely strict password enforcement.”  

He added, “Without the easy access into these devices Mirai would not have been so powerful."

Importantly, the malware builds its botnets through IoT devices: CCTV cameras,recorders and routers. Once Mirai infects a device, it scans for other vulnerable devices, attempts to guess its password from a library and once it successfully infects the device, starts the process again.

It leverages the fundamental problems of the IoT, that internet connected devices tend not to be all that secure. Often, security needs to be ensured by the users to whom it occurs as an afterthought, if at all. It has become a cliche within the industry that security is often an afterthought when it comes to manufacturing IoT devices.

Network security company, Corero recently released its 2017 predictions saying that not only will terabyte DDoS attacks become the new norm, but that next year may see a DDoS attack disrupt an entire country.

Part of the success of DDoS might be because of the ‘generosity' of the hacker community. Sean Newman, director at Corero Network Security, told SC that “hackers have been creating attack toolkits, and then sharing them for broader use, for years now - as DDoS continues its current resurgence, it is no surprise to find that the same is happening here.”

This is not the first time DDoS has leveraged the weaknesses of the IoT but the source code being made public is an important new step, Rick Holland vice president of strategy at Digital Shadows told SC: “We've already seen an evolution of both the code itself and the business models that look to exploit it for financial gain, and we would expect this evolution to continue over the next year. These developments can act as a force multiplier and offers new opportunities for hacktivists, DDoS extortionists and – to some extent – nation states. Mirai is yet another example of the barrier to entry to continuing to get lower.”

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews