More details have emerged on last Friday’s massive distributed denial of service (DDoS) attack on Dyn’s DNS infrastructure that rendered much of the Internet unusable for many.
While the perpetrator is yet unknown, the attack used a Mirai botnet that enslaved digital video recorders (DVRs) and IP cameras made by the Chinese tech company Xiongmai Technologies, which sells its components to other vendors.
This was bad
“Flashpoint has confirmed that some of the infrastructure responsible for the distributed denial-of-service (DDoS) attacks against Dyn DNS were botnets compromised by Mirai malware,” cyber security firm Flashpoint said.
“Mirai botnets were previously used in DDoS attacks against security researcher Brian Krebs’ blog “Krebs On Security” and French Internet service and hosting provider OVH.”
Last month, the hacker ’Anna_Senpai’ released the source code for Mirai, a tool that uses IoT devices for DDoS attacks. The malware continuously scans the Internet for IoT systems protected by factory default or hard-coded usernames and passwords, before compromising them and using them for DDoS attacks.
With the code out in the open, it is believed that the Dyn attack, OVH attack and Krebs attack all came from different Mirai botnets.
“Mirai is a huge disaster for the Internet of Things,” Xiongmai said to IDG News Service. “[We] have to admit that our products also suffered from hacker’s break-in and illegal use.”
The company originally recommended customers change the default password when a product is used for the first time, and that they should update their products to the latest firmware where applicable.
Since then, as awareness and outrage over the attack has grown, Xiongmai has issued a recall on some of its products, primarily webcameras.
“Security issues are a problem facing all mankind. Since industry giants have experienced them, Xiongmai is not afraid to experience them once, too,” the company said.
However, it is likely that many IoT devices currently out there (and some that are still being sold) will remain susceptible to being enslaved by botnets.
Dyn said that it suffered three waves of attack, the first affected the east coast of the US, the second had a more global impact, but the third was successfully mitigated.
“At this point we know this was a sophisticated, highly distributed attack involving 10s of millions of IP addresses. We are conducting a thorough root cause and forensic analysis, and will report what we know in a responsible fashion,” chief strategy officer Kyle York said in a blog post.
“The nature and source of the attack is under investigation, but it was a sophisticated attack across multiple attack vectors and Internet locations. We can confirm, with the help of analysis from Flashpoint and Akamai, that one source of the traffic for the attacks were devices infected by the Mirai botnet. We observed 10s of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack.”