An Arbor ASERT Team researcher spotted threat actors actively updating and customising the Mirai botnet source code that was leaked less than two weeks ago.
The firm's principal engineer Roland Dobbins noted relatively high concentrations of Mirai nodes in China, Hong Kong, Macau, Vietnam, Taiwan, South Korea, Thailand, Indonesia, Brazil and Spain, according to a 26 October blog post. The post's own revision note says the update removed an erroneous reference to a Mirai bot backdoor, added a link to the Dyn post-mortem and refined the descriptive wording.
Dobbins said multiple threat actor groups are working to expand and improve the botnet's DDoS attack capabilities, all of which could have collateral impact, causing significant network performance issues or outages for broadband access network operators.
He went on to say that the cyber-crooks' updates may also significantly increase the rate of scanning for vulnerable systems, which could lead to an inadvertent DDoS on both the scanned and the scanning systems and networks.
“It is possible (and recommended) for network operators to actively scan for both vulnerable and compromised IoT devices on their networks and the networks of their customers, and then take steps to isolate those devices, notify their legitimate owners of the problem, and urge them to take corrective action,” Dobbins said in the post.
He also recommended in the post that network operators identify likely compromised IoT devices by detecting and classifying outbound/crossbound TCP/23 and/or TCP/2323 activity originating from these devices, and then take steps to isolate those devices, notify their legitimate owners of the problem, and urge them to take corrective action.
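The detection step Dobbins describes, classifying outbound and crossbound TCP/23 and TCP/2323 activity per source device, written out as an added example that is not code from Arbor or the ASERT post. The customer prefixes, thresholds and flow records below are constructed; the record layout is a simplified NetFlow-style tuple, and the rule that only SYN-only flows to many distinct targets count as scanning is this example's own heuristic:

```python
"""Flag likely Mirai-infected devices from NetFlow-style records.

Added example, not from the Arbor/ASERT post: a source in customer address
space that opens TCP/23 or TCP/2323 connections to many distinct hosts is
reported, split into outbound (leaving the network) and crossbound
(customer-to-customer) activity. Prefixes and flows are constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical prefixes the operator is responsible for.
CUSTOMER_PREFIXES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]
TELNET_PORTS = {23, 2323}

# Constructed flow records: (src_ip, dst_ip, dst_port, proto, tcp_flags).
SAMPLE_FLOWS = [
    # Infected device scanning the Internet and a neighbour on telnet ports
    ("203.0.113.10", "192.0.2.1", 23, "tcp", "S"),
    ("203.0.113.10", "192.0.2.2", 23, "tcp", "S"),
    ("203.0.113.10", "192.0.2.3", 23, "tcp", "S"),
    ("203.0.113.10", "192.0.2.4", 2323, "tcp", "S"),
    ("203.0.113.10", "198.51.100.7", 23, "tcp", "S"),
    # Legitimate admin session: a single target, plus the server's reply
    ("203.0.113.20", "203.0.113.21", 23, "tcp", "S"),
    ("203.0.113.21", "203.0.113.20", 51234, "tcp", "SA"),
    # Second infected device, scanning only inside customer space
    ("198.51.100.5", "198.51.100.8", 2323, "tcp", "S"),
    ("198.51.100.5", "198.51.100.9", 2323, "tcp", "S"),
    ("198.51.100.5", "203.0.113.30", 23, "tcp", "S"),
    # Inbound scan from outside: not a device this operator can isolate
    ("192.0.2.9", "203.0.113.40", 23, "tcp", "S"),
    # Unrelated traffic
    ("203.0.113.10", "192.0.2.53", 53, "udp", ""),
]


def in_customer_space(ip):
    """True if the address falls in one of the operator's prefixes."""
    addr = ip_address(ip)
    return any(addr in net for net in CUSTOMER_PREFIXES)


def classify_flow(flow):
    """Return 'outbound', 'crossbound' or None for a telnet SYN from customer space.

    Only SYN-only flows count: replies (SYN/ACK) and established sessions are
    not evidence of scanning, and inbound scans are somebody else's device.
    """
    src, dst, dport, proto, flags = flow
    if proto != "tcp" or dport not in TELNET_PORTS or flags != "S":
        return None
    if not in_customer_space(src):
        return None
    return "crossbound" if in_customer_space(dst) else "outbound"


def find_suspects(flows, min_targets=3):
    """Map each scanning source to its distinct-target count and directions.

    A normal device rarely opens telnet to more than one or two hosts; a Mirai
    node sweeps addresses, so the distinct-target count separates them.
    """
    targets = defaultdict(set)
    directions = defaultdict(set)
    for flow in flows:
        direction = classify_flow(flow)
        if direction:
            targets[flow[0]].add((flow[1], flow[2]))
            directions[flow[0]].add(direction)
    return {
        src: {"targets": len(t), "directions": sorted(directions[src])}
        for src, t in targets.items()
        if len(t) >= min_targets
    }


if __name__ == "__main__":
    for src, info in find_suspects(SAMPLE_FLOWS).items():
        print(f"{src}: {info['targets']} telnet targets, {'/'.join(info['directions'])};"
              " isolate and notify owner")
```

Run against the sample flows, the two sweeping devices are reported and the single admin session is not. In practice the threshold should be tuned per network, the source addresses of flagged flows map back to subscribers through the operator's own records, and the inbound scan from outside is left out because the operator can only isolate and notify for devices in its own address space.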
“For that reason DNS amplification attacks are actually easier to deflate as all uninitiated DNS responses are highly suspect and could be filtered on-edge, without any impact on the regular traffic flow,” Gayer said via emailed comments. “For example, one could categorically drop all unexpected DNS responses to port 53.”
He went on to say that this, however, isn't the case for seemingly legitimate DNS flood queries, which cannot be dismissed before they are individually processed at the server level.
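The edge filter Gayer describes, dropping DNS responses that nobody inside the network asked for, as an added example that is not code from the article or from the quoted researcher. It keeps a table of queries seen leaving the protected network and accepts an inbound packet from source port 53 only if it matches a pending entry; the addresses, transaction IDs and packet list are constructed, and the `Packet` layout is a simplified stand-in for a parsed UDP/DNS header. The final packet shows the limitation raised in the last paragraph: an inbound query to the network's own name server looks legitimate and passes:

```python
"""Stateful edge filter for reflected DNS responses.

Added example, not from the article or the quoted researcher: the edge
records DNS queries leaving the protected network and lets an inbound
response from port 53 through only if it matches a query still pending.
Addresses and packets are constructed.
"""
from collections import namedtuple

Packet = namedtuple("Packet", "direction src sport dst dport txid qname is_response")


class DnsResponseFilter:
    """Drop inbound responses that answer no query seen leaving the edge."""

    def __init__(self, max_pending=100_000):
        self.pending = {}          # (client, cport, server, txid, qname) -> True
        self.max_pending = max_pending
        self.dropped = 0

    @staticmethod
    def _key(client, cport, server, txid, qname):
        return (client, cport, server, txid, qname.lower().rstrip("."))

    def process(self, pkt):
        """Return 'accept' or 'drop' for one packet and update the state table."""
        if pkt.direction == "out" and pkt.dport == 53 and not pkt.is_response:
            # Remember the query; cap the table so a query flood cannot exhaust memory.
            if len(self.pending) < self.max_pending:
                self.pending[self._key(pkt.src, pkt.sport, pkt.dst, pkt.txid, pkt.qname)] = True
            return "accept"
        if pkt.direction == "in" and pkt.sport == 53 and pkt.is_response:
            key = self._key(pkt.dst, pkt.dport, pkt.src, pkt.txid, pkt.qname)
            if self.pending.pop(key, None) is None:
                self.dropped += 1  # nobody inside asked: reflected/amplified traffic
                return "drop"
            return "accept"
        # Everything else, including inbound *queries* to our own name servers,
        # passes: a well-formed query cannot be told apart from a flood here.
        return "accept"


SAMPLE_PACKETS = [
    # Client inside 203.0.113.0/24 resolves a name through an outside resolver
    Packet("out", "203.0.113.5", 40001, "192.0.2.53", 53, 0x1234, "example.com", False),
    Packet("in", "192.0.2.53", 53, "203.0.113.5", 40001, 0x1234, "example.com", True),
    # Amplification: open resolvers answer queries an attacker spoofed as 203.0.113.5
    Packet("in", "198.51.100.53", 53, "203.0.113.5", 40002, 0x0001, "example.org", True),
    Packet("in", "198.51.100.54", 53, "203.0.113.5", 40002, 0x0001, "example.org", True),
    # Replay of the earlier legitimate answer: the pending entry is already consumed
    Packet("in", "192.0.2.53", 53, "203.0.113.5", 40001, 0x1234, "example.com", True),
    # Inbound query to our authoritative server: passes, whether flood or not
    Packet("in", "192.0.2.77", 5555, "203.0.113.10", 53, 0x9999, "x1.example.net", False),
]


def run_filter(packets):
    """Apply the filter in order; return the list of verdicts."""
    f = DnsResponseFilter()
    return [f.process(p) for p in packets]


if __name__ == "__main__":
    for p, v in zip(SAMPLE_PACKETS, run_filter(SAMPLE_PACKETS)):
        print(f"{v:6} {p.direction:3} {p.src}:{p.sport} -> {p.dst}:{p.dport} {p.qname}")
```

The verdicts for the sample are accept, accept, drop, drop, drop, accept: the genuine answer gets through, the two reflected responses and the replay are dropped, and the inbound query is untouched. A production version also needs entries to time out, and it only works where the edge sees both directions of traffic; with asymmetric routing the outbound query is never recorded and legitimate answers would be dropped.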