U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
TA16-288A: Heightened DDoS Threat Posed by Mirai and Other Botnets [
https://www.us-cert.gov/ncas/alerts/TA16-288A ] 10/14/2016 07:59 PM EDT
Original release date: October 14, 2016
Systems Affected
Internet of Things (IoT)ùan emerging network of devices (e.g., printers,
routers, video cameras, smart TVs) that connect to one another via the
Internet, often automatically sending and receiving data
Overview
Recently, IoT devices have been used to create large-scale botnetsùnetworks of
devices infected with self-propagating malwareùthat can execute crippling
distributed denial-of-service (DDoS) attacks. IoT devices are particularly
susceptible to malware, so protecting these devices and connected hardware is
critical to protect systems and networks.
Description
On September 20, 2016, Brian KrebsÆ security blog (krebsonsecurity.com) was
targeted by a massive DDoS attack, one of the largest on record, exceeding 620
gigabits per second (Gbps).[1 [
https://krebsonsecurity.com/2016/09/krebsonse... ]] An
IoT botnet powered by Mirai malware created the DDoS attack. The Mirai malware
continuously scans the Internet for vulnerable IoT devices, which are then
infected and used in botnet attacks. The Mirai bot uses a short list of 62
common default usernames and passwords to scan for vulnerable devices. Because
many IoT devices are unsecured or weakly secured, this short dictionary allows
the bot to access hundreds of thousands of devices.[2 [
https://nakedsecurity.sophos.com/2016/10/05/m...
om-krebs-ddos-attack-goes-open-source/ ]] The purported Mirai author claimed
that over 380,000 IoT devices were enslaved by the Mirai malware in the attack
on KrebsÆ website.[3 [
https://www.pcworld.com/article/3126362/secur...
-attack-is-now-available-to-all-hackers.html ]]
In late September, a separate Mirai attack on French webhost OVH broke the
record for largest recorded DDoS attack. That DDoS was at least 1.1 terabits
per second (Tbps), and may have been as large as 1.5 Tbps.[4 [
http://arstechnica.com/security/2016/09/botne...
er-internets-biggest-ddos-ever/ ]]
The IoT devices affected in the latest Mirai incidents were primarily home
routers, network-enabled cameras, and digital video recorders.[5 [
http://www.darkreading.com/denial-of-service-...
sed-/d/d-id/1327086 ]] Mirai malware source code was published online at the
end of September, opening the door to more widespread use of the code to create
other DDoS attacks.
In early October, Krebs on Security reported on a separate malware family
responsible for other IoT botnet attacks.[6 [
https://krebsonsecurity.com/2016/10/source-co...
]] This other malware, whose source code is not yet public, is named Bashlite.
This malware also infects systems through default usernames and passwords.
Level 3 Communications, a security firm, indicated that the Bashlite botnet may
have about one million enslaved IoT devices.[7 [
http://blog.level3.com/security/attack-of-thi... ]]
Impact
With the release of the Mirai source code on the Internet, there are increased
risks of more botnets being generated. Both Mirai and Bashlite can exploit the
numerous IoT devices that still use default passwords and are easily
compromised. Such botnet attacks could severely disrupt an organizationÆs
communications or cause significant financial harm.
Software that is not designed to be secure contains vulnerabilities that can be
exploited. Software-connected devices collect data and credentials that could
then be sent to an adversaryÆs collection point in a back-end application.
Solution
Cybersecurity professionals should harden networks against the possibility of a
DDoS attack. For more information on DDoS attacks, please refer to US-CERT
Security Publication DDoS Quick Guide [
https://www.us-cert.gov/sites/default/files/p...
df ] and the US-CERT Alert on UDP-Based Amplification Attacks [
https://www.us-cert.gov/ncas/alerts/TA14-017A ].
*"Mitigation"*
In order to remove the Mirai malware from an infected IoT device, users and
administrators should take the following actions:
* Disconnect device from the network.
* While disconnected from the network and Internet, perform a reboot. Because
Mirai malware exists in dynamic memory, rebooting the device clears the
malware.
* Ensure that the password for accessing the device has been changed from the
default password to a strong password. See US-CERT Tip Choosing and Protecting
Passwords [ https://www.us-cert.gov/ncas/tips/ST04-002 ] for more information.
* You should reconnect to the network only after rebooting and changing the
password. If you reconnect before changing the password, the device could be
quickly reinfected with the Mirai malware.
*"Preventive Steps"*
In order to prevent a malware infection on an IoT device, users and
administrators should take following precautions:
* Ensure all default passwords are changed to strong passwords. Default
usernames and passwords for most devices can easily be found on the Internet,
making devices with default passwords extremely vulnerable.
* Update IoT devices with security patches as soon as patches become
available.
* Disable Universal Plug and Play (UPnP) on routers unless absolutely
necessary.[8 [ https://www.ic3.gov/media/2015/150910.aspx ]]
* Purchase IoT devices from companies with a reputation for providing secure
devices.
* Consumers should be aware of the capabilities of the devices and appliances
installed in their homes and businesses. If a device comes with a default
password or an open Wi-Fi connection, consumers should change the password and
only allow it to operate on a home network with a secured Wi-Fi router.
* Understand the capabilities of any medical devices intended for at-home
use. If the device transmits data or can be operated remotely, it has the
potential to be infected.
* Monitor Internet Protocol (IP) port 2323/TCP and port 23/TCP for attempts
to gain unauthorized control over IoT devices using the network terminal
(Telnet) protocol.[9 [
https://isc.sans.edu/forums/diary/What+is+hap... ]]
* Look for suspicious traffic on port 48101. Infected devices often attempt
to spread malware by using port 48101 to send results to the threat actor.
References
* [1] KrebsOnSecurity: KrebsOnSecurity Hit With Record DDoS [
https://krebsonsecurity.com/2016/09/krebsonse... ]
* [2] Sophos: Mirai ôinternet of thingsö malware from Krebs DDoS attack goes
open source [
https://nakedsecurity.sophos.com/2016/10/05/m...
om-krebs-ddos-attack-goes-open-source/ ]
* [3] PCWorld: Smart device malware behind record DDoS attack is now
available to all hackers [
https://www.pcworld.com/article/3126362/secur...
-attack-is-now-available-to-all-hackers.html ]
* [4] ArsTechnica: Record-breaking DDoS reportedly delivered by >145k hacked
cameras [
http://arstechnica.com/security/2016/09/botne...
er-internets-biggest-ddos-ever/ ]
* [5] InformationWeek DarkReading: IoT DDoS Attack Code Released [
http://www.darkreading.com/denial-of-service-...
sed-/d/d-id/1327086 ]
* [6] KrebsOnSecurity: Source Code for IoT Botnet "Mirai" Released [
https://krebsonsecurity.com/2016/10/source-co...
]
* [7] Level 3 Threat Research Labs: Attack of Things! [
http://blog.level3.com/security/attack-of-thi... ]
* [8] Federal Bureau of Investigation Public Service Announcement: Internet
of Things Poses Opportunities for Cyber Crime [
https://www.ic3.gov/media/2015/150910.aspx ]
* [9] SANS ISC InfoSec Forums: What is happening on 2323/TCP? [
https://isc.sans.edu/forums/diary/What+is+hap... ]
Revision History
* October 14, 2016: Initial release
________________________________________________________________________
This product is provided subject to this Notification [
http://www.us-cert.gov/privacy/notification ] and this Privacy & Use [
http://www.us-cert.gov/privacy/ ] policy.
________________________________________________________________________
A copy of this publication is available at www.us-cert.gov [
https://www.us-cert.gov ]. If you need help or have questions, please send an
email to info@us-cert.gov. Do not reply to this message since this email was
sent from a notification-only address that is not monitored. To ensure you
receive future US-CERT products, please add US-CERT@ncas.us-cert.gov to your
address book.
OTHER RESOURCES: Contact Us [ http://www.us-cert.gov/contact-us/ ] | Security
Publications [ http://www.us-cert.gov/security-publications ] | Alerts and Tips
[ http://www.us-cert.gov/ncas ] | Related Resources [
http://www.us-cert.gov/related-resources ]
STAY CONNECTED: Sign up for email updates [
http://public.govdelivery.com/accounts/USDHSU... ]
SUBSCRIBER SERVICES:
Manage Preferences [
http://public.govdelivery.com/accounts/USDHSU...
true ]áá|ááUnsubscribe [
https://public.govdelivery.com/accounts/USDHS...
cribe?verification=5.43e66354f7e069837b41e0fec3b03174&destination=Fido4cmech%40
lusfiber.net ]áá|ááHelp [ https://subscriberhelp.govdelivery.com/ ]
________________________________________________________________________
This email was sent to Fido4cmech@lusfiber.net using GovDelivery, on behalf of:
United States Computer Emergency Readiness Team (US-CERT) ╖ 245 Murray Lane SW
Bldg 410 ╖ Washington, DC 20598 ╖á(888) 282-0870 Powered by GovDelivery [
http://www.govdelivery.com/portals/powered-by ]
-----
No virus found in this message.
Checked by AVG - www.avg.com
Version: 2016.0.7797 / Virus Database: 4664/13210 - Release Date: 10/14/16
=== Cut ===
-+-
Keep the faith :^)
Ben aka cMech Web: http|ftpinkp|telnet://cmech.dynip.com
Email: fido4cmech(at)lusfiber.net
Home page: http://cmech.dynip.com/homepage/
WildCat! Board 24/7 +1-337-984-4794 any BAUD 8,N,1
... My computer's sick. I think my modem is a carrier.
--- GoldED+/W32-MSVC v1.1.5 via Mystic BBS
* Origin: FIDONet - The Positronium Repository (1:393/68)
|
Anti-Virus Discussion & News... 
