Almost three years after the Mirai internet of things (IoT) botnet was deployed in a distributed denial of service (DDoS) attack against domain name system (DNS) provider Dyn, driving multiple websites offline, its descendants dominate the IoT threat landscape, according to multiple cyber security experts.
Mirai’s source code was released on an underground forum at the start of October 2016, prompting immediate fears of huge and sustained DDoS events. According to F-Secure, it is now the most common type of malware seen by its honeypots – decoy servers set up to lure attackers and gather information about them.
“Three years after Mirai first appeared, and two years after WannaCry, it shows that we still haven’t solved the problems leveraged in those outbreaks,” said F-Secure principal researcher Jarno Niemela, who has just released a report exploring the overall threat landscape in the first six months of 2019.
“The insecurity of the IoT, for one, is only getting more profound, with more and more devices cropping up all the time and then being co-opted into botnets,” said Niemela.
Meanwhile, writing on the supplier’s Simply Security blog, Trend Micro’s threat communications lead, Jon Clay, said monetisation of IoT threats was mainly through botnets, adding that there was “a lot of chatter within multiple undergrounds” to raise awareness of this particular attack surface.
“For consumers and organisations, be aware that devices you own are a likely target for attacks, and most likely today to be added into an existing botnet,” he said. “Mirai is the dominant IoT threat today and is likely to continue as malicious actors create variants of this malware.”
According to a newly released Trend Micro report, the impact of Mirai on the hacking community has been “profound”, virtually eliminating any incentive for malware writers to develop new IoT botnet code.
“Mirai has become the only code a would-be IoT attacker needs, which, in turn, stifled the creativity, so to speak, of cyber criminals in developing original malware,” wrote the report’s authors. “Most ‘new’ IoT botnets today are mere modifications of the Mirai code base.
“Mirai has limited the demand – and therefore the criminal market – for the same kinds of products. Few criminals are willing to pay for something they can already get for free. Therefore, non-Mirai botnets for sale are uncommon. However, this situation may change if a criminal offers an IoT botnet that has a monetisation plan built in. We have not seen this yet, but it’s not an entirely unlikely scenario.”
F-Secure said its honeypot network recorded 12 times more attack events during the first six months of this year than in the first half of 2018. The increase was driven by traffic targeting Telnet (760 million attack events) and UPnP (611 million), two protocols commonly exposed by IoT devices, with most of that traffic coming from devices infected with Mirai.
Meanwhile, the SMB protocol, which is more commonly used by the Eternal exploit family – first used during the 2017 WannaCry outbreak – to spread ransomware and trojans, was behind 556 million events.
According to F-Secure, a recent development has been new variants of Mirai that are engineered to infect enterprise IoT devices, such as digital signage screens or wireless presentation systems. This is a source of concern because it allows attackers access to higher-bandwidth internet connections, which means the scale of any resulting DDoS attacks is potentially much higher.
The report found that China, Germany, Russia and the US are playing host to the highest numbers of attack sources, with most attacks being directed towards Austria, Italy, the Netherlands, the UK, Ukraine and the US.
Tallying with Trend Micro’s findings, which showed Mirai is particularly dominant in the English-speaking underground, most Telnet traffic came from the US and the UK, alongside Germany and the Netherlands. Most SMB traffic, on the other hand, was found to emanate from China. Source-country data of this sort should always be taken with a pinch of salt, however, because it is very easy, indeed normal, for attackers to route through proxies in other countries to avoid detection.