On October 21, 2016, media reports focused on the Internet of Things (IoT) after portions of the Internet, including popular websites such as Amazon, Twitter, The New York Times, PayPal, and Spotify, became unavailable. The cause of the interruption was a series of distributed denial of service (DDoS) attacks against Internet infrastructure provider Dyn. Dyn’s offerings include Domain Name System (DNS) services, which resolve website addresses into the associated IP addresses. By targeting a DNS services provider, threat actors can impact multiple websites at the same time.
The DDoS attacks were reportedly generated by a botnet composed of between one hundred thousand and half a million IP cameras, DVRs, and other IoT devices that had been compromised with the Mirai malware. Most of the cameras and DVRs were made by the Chinese company XiongMai Technologies. The devices were designed to automatically listen for Telnet connections on TCP ports 23 and 2323, and many of them were accessible on the public Internet. These characteristics allow threat actors to easily identify the IoT devices using the Shodan search engine.
After a device is compromised with the Mirai malware, it scans the Internet for additional vulnerable devices and attempts to connect to them using a list of hard-coded usernames and passwords. If the login is successful, the malware is copied to the device and started. Mirai has no persistence mechanism, but the bot does not need persistence because many of the compromised devices are never rebooted. Although a reboot can terminate Mirai, vulnerable systems will become reinfected when other Mirai bots scan and locate the device. Infected devices receive commands from a command and control (C2) server and can launch several types of denial of service attacks, including TCP, UDP, DNS, GRE, and HTTP.
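The scanning behaviour described above is also the most visible symptom of an infected device from the network owner's side: a camera or DVR that is suddenly opening connections to TCP ports 23 and 2323 on many different addresses. The following is an added example, not code from the original post or from SecureWorks, that applies that detection logic to constructed connection-log lines. The log layout (timestamp, source, destination, destination port, protocol) and the thresholds are assumptions for illustration; in a real deployment they would be mapped to the organization's firewall or NetFlow export.

```python
"""
Flag internal hosts whose outbound connection pattern resembles Mirai-style
Telnet scanning: connection attempts to TCP 23/2323 against many distinct
destinations inside a short window. The log record layout used here
("ts src dst dport proto") is an assumption for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

TELNET_PORTS = {23, 2323}
DISTINCT_DST_THRESHOLD = 20   # distinct destinations within the window before alerting
WINDOW_SECONDS = 60


def parse_line(line):
    """Parse one 'ts src dst dport proto' record; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, dport, proto = parts
    try:
        return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
                "src": src, "dst": dst, "dport": int(dport), "proto": proto.upper()}
    except ValueError:
        return None


def detect_telnet_scanners(lines, threshold=DISTINCT_DST_THRESHOLD, window=WINDOW_SECONDS):
    """Sliding window per source host; returns {src: distinct destinations when first alerted}."""
    events = [e for e in map(parse_line, lines)
              if e and e["proto"] == "TCP" and e["dport"] in TELNET_PORTS]
    events.sort(key=lambda e: e["ts"])
    per_src = defaultdict(deque)   # src -> (ts, dst) pairs still inside the window
    alerts = {}
    for e in events:
        q = per_src[e["src"]]
        q.append((e["ts"], e["dst"]))
        cutoff = e["ts"] - timedelta(seconds=window)
        while q and q[0][0] < cutoff:
            q.popleft()
        distinct = {dst for _, dst in q}
        if len(distinct) >= threshold and e["src"] not in alerts:
            alerts[e["src"]] = len(distinct)
    return alerts


def build_sample_log():
    """Constructed sample: one host sweeping 25 addresses on Telnet ports, plus benign traffic."""
    base = datetime(2016, 10, 21, 11, 10, 0)
    lines = []
    for i in range(25):
        ts = (base + timedelta(seconds=i)).strftime("%Y-%m-%dT%H:%M:%S")
        port = 23 if i % 2 == 0 else 2323
        lines.append(f"{ts} 10.0.0.57 203.0.113.{i + 1} {port} tcp")
    # Benign: a workstation browsing over HTTPS and an admin reaching one device on Telnet twice.
    lines += [
        "2016-10-21T11:10:05 10.0.0.12 198.51.100.10 443 tcp",
        "2016-10-21T11:10:06 10.0.0.12 198.51.100.11 443 tcp",
        "2016-10-21T11:10:07 10.0.0.12 192.168.1.20 23 tcp",
        "2016-10-21T11:10:40 10.0.0.12 192.168.1.20 23 tcp",
        "garbage line that should be ignored",
    ]
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for src, n in detect_telnet_scanners(SAMPLE_LOG).items():
        print(f"ALERT {src}: {n} distinct Telnet destinations within {WINDOW_SECONDS}s")
```

The rule keys on the number of distinct destinations rather than the raw connection count, so an administrator repeatedly logging in to one device does not trigger it, while a bot sweeping address space does. A matching host is a candidate for isolation and credential reset; because Mirai does not persist, a reboot clears the infection, but the device will be reinfected unless the Telnet exposure or the default credentials are also removed.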
The release of the Mirai source code on GitHub helps the security research community understand the malware’s features and capabilities. However, it also enables other threat actors to use the code to create their own botnets. SecureWorks Counter Threat Unit™ (CTU) researchers observed several “copycat” botnets used to conduct attacks.
Recommendations
CTU researchers have identified practices that could prevent or mitigate these types of attacks.
Advice for IoT device manufacturers:
- Avoid using known default passwords, and require a unique and complex password to access the device.
- Consider removing Telnet access if it is not needed for normal product operation.
- Design devices with security in mind, and test for security vulnerabilities throughout the development lifecycle and the life of the product.
- Implement secure coding standards to reduce the number of vulnerabilities in product code.
- Implement effective security testing processes.
- Implement an effective security vulnerability management program.
- Develop a way to distribute security patches to devices in the field.
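The first two recommendations above are the ones Mirai exploits directly. As an added example, not code from the original post or from any manufacturer, the following shows how a device's first-boot provisioning logic can refuse to enable the management interface until the factory default has been replaced, reject replacements that are known defaults or too weak, and store only a salted scrypt hash. The KNOWN_DEFAULTS list, the serial-number format, and the policy thresholds are constructed for illustration and are not Mirai's actual credential list.

```python
"""
First-boot credential provisioning for an IoT device (illustrative):
- nothing is accepted for login until a non-default password has been set;
- candidates matching a known default, too short, low in character variety,
  or containing the device serial are rejected;
- only a salted scrypt hash is stored.
KNOWN_DEFAULTS is a constructed example list, not a real vendor or malware list.
"""
import hashlib
import hmac
import os
import re

KNOWN_DEFAULTS = {"admin", "password", "123456", "root", "12345", "default"}
MIN_LENGTH = 12
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}


def password_problems(candidate, device_serial):
    """Return a list of policy violations; an empty list means the candidate is acceptable."""
    problems = []
    lowered = candidate.lower()
    if lowered in KNOWN_DEFAULTS:
        problems.append("matches a known default credential")
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, candidate))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("uses fewer than 3 character classes")
    if device_serial.lower() in lowered:
        problems.append("contains the device serial number")
    return problems


def hash_password(candidate, salt=None):
    """Salted scrypt hash; a fresh random salt per device defeats shared rainbow tables."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(candidate.encode(), salt=salt, **SCRYPT_PARAMS)
    return salt, digest


def verify_password(candidate, salt, digest):
    """Constant-time comparison of the recomputed hash against the stored one."""
    recomputed = hashlib.scrypt(candidate.encode(), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(recomputed, digest)


class DeviceCredentialStore:
    """Holds the single administrative credential for one device."""

    def __init__(self, serial):
        self.serial = serial
        self.record = None   # (salt, digest) once provisioned

    def management_enabled(self):
        """Remote management stays off until a compliant password exists."""
        return self.record is not None

    def set_password(self, candidate):
        """Apply the policy; on success store the hash and return an empty problem list."""
        problems = password_problems(candidate, self.serial)
        if problems:
            return problems
        self.record = hash_password(candidate)
        return []

    def check_login(self, candidate):
        """No credential, including the factory default, is accepted before provisioning."""
        if self.record is None:
            return False
        return verify_password(candidate, *self.record)


if __name__ == "__main__":
    store = DeviceCredentialStore("XM1234567")
    print("default accepted before provisioning?", store.check_login("admin"))
    print("problems with 'admin':", store.set_password("admin"))
    print("problems with a compliant password:", store.set_password("Tr0ub4dor&3-hallway"))
    print("management enabled?", store.management_enabled())
```

The point of the design is that the device never has a usable default credential exposed on the network: the Telnet or web management service is held closed until `management_enabled()` is true, so a scanner trying the usual credential list finds nothing to log in to.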
Advice for organizations:
- Remove vulnerable IoT devices from the internal network and the Internet. Threat actors could compromise traditionally innocuous Internet-connected devices and pivot into a connected network.
- Include IoT devices in regular vulnerability scanning and patch management processes.
- Disable remote access to devices when not required, and use a virtual private network (VPN) for necessary access.
- Grant least-privilege user access on network-connected devices, allowing only privileges that are essential to the user's work with that device.
- Implement and test a robust DDoS mitigation plan, and ensure third-party vendors such as web-hosting providers do the same.
- Consider implementing a redundant DNS service to retain website access if the primary provider is affected by a DDoS attack.
- Contract a DDoS mitigation service to be available to divert malicious attack traffic and keep the targeted website online. Ensure any third-party web-hosting provider has a DDoS mitigation service.
- Increase vigilance during a DDoS attack, monitoring other network activity in case the attack is a distraction from a larger security threat. In 2016, CTU security researchers observed several incidents in which a DDoS attack was a ploy to distract banks’ security teams and prevent customers from accessing their accounts while threat actors stole thousands of dollars from the banks’ accounts.
Conclusion
This incident illustrates the importance of securing IoT devices. It also underscores the importance of understanding the implications of reliance on third-party services and ensuring that those services implement adequate security measures. IoT security is also discussed in the blog post Who is Responsible for Securing the Internet of Things?