According to new research by Recorded Future, Inc., a security company that specializes in machine-based threat intelligence, a new IoT botnet has been detected as the culprit behind a series of DDoS attacks on financial services companies earlier this year.
The botnet is a variant of Mirai, the crippling botnet which first appeared in 2016 and was behind the toppling of the KrebsOnSecurity, OVH and Dyn websites with attack volumes approaching terabit levels. After the source code was released online (the three men behind it have since been arrested), Mirai variants have continued to appear.
“We have seen a lot of variants of that specific piece of malware — malware that infects IoT devices and pulls them into a botnet. What we haven’t seen since then is those botnets used in DDoS attacks,” said Priscilla Moriuchi, director of strategic threat development at Recorded Future.
“This attack in January, to our knowledge anyway, is the first time a large IoT botnet based on Mirai was used to target the financial sector,” she added.
Recorded Future identified seven specific IP addresses used by the controllers for the new IoT botnet, which, according to Moriuchi, has been “relatively rare for the botnet”. She also said that the company had used third-party metadata and open source intelligence to track IP geolocations and service banners using Shodan, a search engine for devices that are connected to the Internet. The company did not specify who the targets were, but did say that they were global financial institutions.
In October of last year, Israeli cybersecurity firm Check Point Software Technologies alerted the public to a huge worldwide IoT botnet it called IoTroop, also dubbed Reaper by NetLab 360. The Check Point researchers said at least 1 million organizations had been scanned and could have been infected by IoTroop, outpacing Mirai. It spread via security vulnerabilities rather than via hardcoded and default passwords, as Mirai did, allowing it to move more quickly.
Recorded Future recommends that users of IoT devices take the following steps to prevent their devices being commandeered by an IoT botnet:
- Always replace default manufacturer passwords as soon as the device is set up.
- Keep device firmware up to date.
- For IP cameras and similar systems that require remote access, invest in a VPN.
- Disable unnecessary services (e.g., Telnet) and close ports that are not required for the IoT device.
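Mirai and its variants recruited devices by connecting to Telnet (ports 23 and 2323) with default credentials, which is why the last two recommendations matter. The following added example (not from the article or Recorded Future) shows how a defender can spot that recruitment traffic in perimeter logs: it flags any source that reaches many distinct hosts on Telnet ports within a short window. The log format, thresholds and sample lines are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample firewall log lines (assumed format, not from the article).
# 192.0.2.10 sweeps six hosts on Telnet ports in four seconds; the others are benign.
SAMPLE_LOG = """\
2018-01-28T10:00:01 ACCEPT SRC=192.0.2.10 DST=198.51.100.5 DPT=23
2018-01-28T10:00:02 ACCEPT SRC=192.0.2.10 DST=198.51.100.6 DPT=2323
2018-01-28T10:00:02 ACCEPT SRC=192.0.2.10 DST=198.51.100.7 DPT=23
2018-01-28T10:00:03 ACCEPT SRC=192.0.2.10 DST=198.51.100.8 DPT=23
2018-01-28T10:00:04 ACCEPT SRC=192.0.2.10 DST=198.51.100.9 DPT=23
2018-01-28T10:00:05 ACCEPT SRC=192.0.2.10 DST=198.51.100.10 DPT=23
2018-01-28T10:00:09 ACCEPT SRC=203.0.113.4 DST=198.51.100.5 DPT=443
2018-01-28T10:00:10 ACCEPT SRC=203.0.113.4 DST=198.51.100.5 DPT=443
2018-01-28T10:05:00 ACCEPT SRC=192.0.2.77 DST=198.51.100.5 DPT=23
"""

LINE_RE = re.compile(r"^(\S+) \S+ SRC=(\S+) DST=(\S+) DPT=(\d+)$")
TELNET_PORTS = {23, 2323}  # ports Mirai-style scanners probe


def parse_lines(text):
    """Yield (timestamp, src, dst, dport) for each well-formed log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))


def find_telnet_scanners(text, min_targets=5, window=timedelta(seconds=60)):
    """Return {src: max distinct Telnet targets seen within one window} for every
    source that touches at least `min_targets` distinct hosts on 23/2323."""
    events = defaultdict(list)
    for ts, src, dst, dport in parse_lines(text):
        if dport in TELNET_PORTS:
            events[src].append((ts, dst))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):  # sliding window over this source's events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            targets = {dst for _, dst in evs[start:end + 1]}
            if len(targets) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged


if __name__ == "__main__":
    for src, n in find_telnet_scanners(SAMPLE_LOG).items():
        print(f"possible Telnet sweep from {src}: {n} distinct targets")
```

A single Telnet connection from 192.0.2.77 is not flagged; only the burst across many hosts is, which is the pattern a botnet looking for devices that ignore the advice above produces.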