Hacked Internet of Things (IoT) devices are powering massive botnets and cybercriminals are offering DDoS attacks as a service. 900,000 XyXEL routers bought Deutsche Telekom users down last week.
Let’s start with IoT – essentially it is anything that connects to the Internet apart from a computer. That includes Wi-Fi routers, security cameras, thermostats, home appliances to sensors used in industrial and manufacturing applications.
IoT is inherently insecure - a lack of standards, operating systems, embedded passwords, and manufacturer’s backdoors make it so. For example, a team of security experts hacked 12 of 16 most common Bluetooth smart locks used in the USA. Smart thermostats, security cameras and kids toys have also been hacked.
All IoT devices have some capability to send email alerts, or access the internet to upload data and receive instructions and that is why access to them is sought after by hackers. According to Motherboard two hackers have created a new powerful zombie army of hacked IoT devices for rent to launch DDoS attacks.
{loadposition ray}
The hackers claim to have improved on the Mirai “virus” enabling it to troll the internet, find insecure devices, and bring them into the botnet. They now have over 1 million devices under control.
“The original Mirai was easy to take, like candy from this kids,” the hacker, who calls himself BestBuy, told Motherboard in an online chat, referring to other competing hackers, who’ve been fighting in an online turf war to control vulnerable devices in the last few weeks.
Flashpoint puts the figure at around 5 million devices as the new Mirai virus finds more targets. It says while the original Mirai propagated over TCP/23 (Telnet) and TCP/2323 and leveraged default usernames and passwords, this new variant of Mirai utilizes the TR-064 and TR-069 protocols over port 7547 and exploits a known vulnerability to gain control of devices.
Flashpoint says it was used to take down 900,000 routers on the Deutsche Telekom network last week. It says infected devices have been found in the following countries: United Kingdom, Brazil, Turkey, Iran, Chile, Ireland, Thailand, Australia, Argentina, Italy, and Germany.
Though the number of infected devices is currently unknown some estimates put the total number of devices with port 7547 open at around 41 million, and devices that allow non-ISPs access to provisioning networks number up to five million. If even a fraction of these vulnerable devices are compromised they would add considerable power to an existing botnet.
While almost all ADSL routers have port 7547 open most of the ones used on Deutsche Telekom were supplied by ZyXEL. It has responded that, “It is aware of the issue and assures customers that it is handling it with top priority. We have conducted a thorough investigation and found that the root cause of this issue lies with one of our chipset providers.”
If that is really the issue then the world needs to worry – ZyXEL uses Broadcom chips as used in most brands and models of routers and provide TR-069 remote ISP management as standard.
Part of the problem is that the consumer routers have been incorrectly configured, says Johannes Ullrich, dean of research at the SANS Institute of Technology. The attacks exploited a software vulnerability via a remote administration setting usually restricted to ISPs.
"These remote admin protocols are supposed to use authentication and access restrictions but it appears they are not implemented correctly,” he says. Ullrich says he hopes the attacks will serve as a wake-up call for ISPs, but, "There are likely many so far unknown vulnerabilities left in the various implementations of these remote admin protocols."
Tod Beardsley, senior security research manager at Rapid7, said “While we have been warning about crummy routers and switches at home for years and years, I wasn't expecting to see the Mirai botnet become this IoT attack platform. It turns out it's a pretty decent platform for subbing in new attacks for old ones. A lot of these modems are rebranded by ISPs."
In the US, a DDoS attack was identified on Thanksgiving Eve and over the Black Weekend sales involving involved 400Gbps attacks for hours on end. Within 24 hours the attacks became 24/7.