Internet of Things (IoT)—an emerging network of devices (e.g., printers, routers, video cameras, smart TVs) that connect to one another via the Internet, often automatically sending and receiving data
Recently, IoT devices have been used to create large-scale botnets—networks of devices infected with self-propagating malware—that can execute crippling distributed denial-of-service (DDoS) attacks. IoT devices are particularly susceptible to malware, so protecting these devices and connected hardware is critical to protect systems and networks.
On September 20, 2016, Brian Krebs' security blog (krebsonsecurity.com) was targeted by a massive DDoS attack, one of the largest on record, exceeding 620 gigabits per second (Gbps).[1 (link is external)] An IoT botnet powered by Mirai malware created the DDoS attack. The Mirai malware continuously scans the Internet for vulnerable IoT devices, which are then infected and used in botnet attacks. The Mirai bot uses a short list of 62 common default usernames and passwords to scan for vulnerable devices. Because many IoT devices are unsecured or weakly secured, this short dictionary allows the bot to access hundreds of thousands of devices.[2 (link is external)] The purported Mirai author claimed that over 380,000 IoT devices were enslaved by the Mirai malware in the attack on Krebs' website.[3 (link is external)]
In late September, a separate Mirai attack on French webhost OVH broke the record for largest recorded DDoS attack. That DDoS was at least 1.1 terabits per second (Tbps), and may have been as large as 1.5 Tbps.[4 (link is external)]
The IoT devices affected in the latest Mirai incidents were primarily home routers, network-enabled cameras, and digital video recorders.[5 (link is external)] Mirai malware source code was published online at the end of September, opening the door to more widespread use of the code to create other DDoS attacks.
In early October, Krebs on Security reported on a separate malware family responsible for other IoT botnet attacks.[6 (link is external)] This other malware, whose source code is not yet public, is named Bashlite. This malware also infects systems through default usernames and passwords. Level 3 Communications, a security firm, indicated that the Bashlite botnet may have about one million enslaved IoT devices.[7 (link is external)]
With the release of the Mirai source code on the Internet, there are increased risks of more botnets being generated. Both Mirai and Bashlite can exploit the numerous IoT devices that still use default passwords and are easily compromised. Such botnet attacks could severely disrupt an organization's communications or cause significant financial harm.
Software that is not designed to be secure contains vulnerabilities that can be exploited. Software-connected devices collect data and credentials that could then be sent to an adversary's collection point in a back-end application.
In late November 2016, a new Mirai-derived malware attack actively scanned TCP port 7547 on broadband routers susceptible to a Simple Object Access Protocol (SOAP) vulnerability. [8 (link is external)] Affected routers use protocols that leave port 7547 open, which allows for exploitation of the router. These devices can then be remotely used in DDoS attacks. [9, 10 (links are external)]
Cybersecurity professionals should harden networks against the possibility of a DDoS attack. For more information on DDoS attacks, please refer to US-CERT Security Publication DDoS Quick Guide and the US-CERT Alert on UDP-Based Amplification Attacks.
Mitigation
In order to remove the Mirai malware from an infected IoT device, users and administrators should take the following actions:
Preventive Steps
In order to prevent a malware infection on an IoT device, users and administrators should take following precautions:
This product is provided subject to this Notification and this Privacy & Use policy.