I’ll admit it. I am fascinated by the Mirai botnet, and have been paying close attention to its growth and the impact it has been having in the world since it was first used on September 20, 2016. More about that to come. First, if the Mirai botnet is new to you, here is a link to the Mirai Case Study page with detail on the malware, how it spreads and how it is used. Second, I often wonder how names for malware, botnets, etc. are determined. Maybe that will be a future post. Back to Mirai. The name Mirai is a given name meaning “the future” in Japanese. Very fitting. This malware is proving that Internet of Things (IoT) devices can easily be infected and used in attacks, in a way where the malware remains undetected by the IoT device owner. The evolution and impact of this botnet over the last few months has been impressive.
Here are a few of the IoT attack highlights:
First Attack: Large scale Denial of Service (DoS) attack against Brian Krebs (Krebsonsecurity.com) on September 20, 2016.
- Highlights: 620 Gbps of sustained traffic. 380,000 compromised devices were used. Source Code was leaked to the Internet. More detail here.
Second Large Attack: Dyn DNS DoS attack on October 21, 2016.
- Highlights: 1.2 Tbps (twice the size of the Krebs attack). Over one million devices involved. More detail here.
Sweet, now you can rent the Mirai botnet for your own use.
- $4,600 for 50,000 nodes and $7,500 for 100,000 nodes. More detail here.
Nation Take Down: Liberia’s Internet Taken Down – November 3, 2016.
- Mirai Botnet #14 was used. There is speculation that this was a test case for future attacks. More detail here.
Banks Attacked: Top Five Russian Banks attacked – November 8, 2016.
- 24,000 hijacked devices were used in the attacks. More detail here.
Recent Attacks: You can follow Mirai Attacks on Twitter – @MiraiAttacks.
- A tweet is sent each time an attack is detected, with the botnet number, type of attack, ports, duration, and the target IP addresses. At the time of writing there were over 1,100 tweets since October 2016.
What can I do to protect my organization from Mirai, now? I want to wrap up this post with a few prescriptive things you can do today to detect and prevent being compromised by Mirai, its variants and future IoT attacks. Here are a few:
- Real-time Contextual Visibility: This is a key need for traditional IT, Operational Technology, BYOD, and IoT devices. You cannot answer the questions below without real-time contextual visibility of the devices, users and applications running in your environment.
  - Do I have the IoT devices that are being targeted by Mirai in my environment?
  - Where are these devices located and who owns these systems?
  - Have we changed the user names and passwords from the default settings on these devices?
  - Are TCP ports 22 and 23 accessible on these devices?
  - Do we have active port communication to the Mirai command and control infrastructure today?
  - How will I be able to find and address future targeted systems and protocols?
- Ability to take action, based on visibility: You need to continually ask the questions above, and feed the answers into an action-based alert flow that either applies a policy or security control or notifies someone.
- Integrate with other security tools and your response process: To have a continuous and ongoing detection and response capability you need your visibility solution to work with your other security tools and your response processes.
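As an added example (not part of the original post), here is a small script that turns the visibility questions above into repeatable checks over a device inventory: default credentials, telnet/ssh (TCP 22/23) exposure, and outbound contact with command and control addresses. The inventory, the owner/location fields and the C2 address list are constructed placeholders; a real list would come from your threat intelligence feed.

```python
"""Evaluate an asset inventory against the Mirai exposure questions."""
from dataclasses import dataclass, field

# Constructed placeholder C2 indicators (documentation ranges), not real Mirai C2.
KNOWN_C2 = {"203.0.113.10", "198.51.100.77"}

@dataclass
class Device:
    name: str
    owner: str
    location: str
    default_creds: bool                                  # factory user name/password still in use?
    open_ports: set = field(default_factory=set)         # TCP ports reachable from the network
    outbound_peers: set = field(default_factory=set)     # IPs the device has connected to

def assess(dev: Device, c2: set = KNOWN_C2) -> list:
    """Return the findings for one device; an empty list means no issue was found."""
    findings = []
    if dev.default_creds:
        findings.append("default credentials")
    exposed = {22, 23} & dev.open_ports
    if exposed:
        findings.append("telnet/ssh reachable on " + ",".join(str(p) for p in sorted(exposed)))
    hits = dev.outbound_peers & c2
    if hits:
        findings.append("contacted known C2: " + ",".join(sorted(hits)))
    return findings

def report(devices, c2: set = KNOWN_C2) -> dict:
    """Map device name -> findings, keeping only devices that have at least one finding."""
    result = {}
    for dev in devices:
        findings = assess(dev, c2)
        if findings:
            result[dev.name] = findings
    return result

# Constructed sample inventory.
SAMPLE = [
    Device("dvr-lobby", "facilities", "HQ lobby", True, {23, 80}, {"203.0.113.10"}),
    Device("cam-dock-3", "security", "Warehouse", False, {443}, {"192.0.2.5"}),
    Device("printer-2f", "it", "HQ 2F", True, {22, 631}, set()),
]

if __name__ == "__main__":
    # Each flagged device is printed with its owner and location, answering
    # "where is it and who owns it" alongside what needs fixing.
    by_name = {d.name: d for d in SAMPLE}
    for name, issues in report(SAMPLE).items():
        d = by_name[name]
        print(f"{name} ({d.owner}, {d.location}): {'; '.join(issues)}")
```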
Stay tuned. We will see what “the future” holds for Mirai and other IoT attacks.