Hackers offered an loT botnet for $7,500. The recent attack may be just a test

The security firm RSA revealed to have discovered in early October, hackers advertising access to a huge IoT botnet on an underground criminal forum.

Last week, a massive DDoS attack against the Dyn DNS service, one of the most authoritative domain name system (DNS), caused an extended Internet outage. A large portion of internet users was not able to reach most important web services, many websites including Twitter, GitHub, PayPal, Amazon, Reddit, Netflix, and Spotify were down for netizens in the US.

The Dyn DNS Service was flooded by a devastating wave of requests originated by million of compromised IoT devices. The Dyn company reported a huge army of hijacked Internet of Things devices has been abused by attackers to power the massive DDoS attack.

The security intelligence firm Flashpoint published an interesting post on the massive DDoS in which confirm that its experts have observed the Mirai bots driving the attack against DynDNS.

“Flashpoint has confirmed that some of the infrastructure responsible for the distributed denial-of-service (DDoS) attacks against Dyn DNS were botnets compromised by Mirai malware. Mirai botnets were previously used in DDoS attacks against security researcher Brian Krebs’ blog “Krebs On Security” and French internet service and hosting provider OVH.” reads the analysis published by Flashpoint “Mirai malware targets Internet of Things (IoT) devices like routers, digital video records (DVRs), and webcams/security cameras, enslaving vast numbers of these devices into a botnet, which is then used to conduct DDoS attacks. “

Below the Key Findings of the report published by Flashpoint

Flashpoint has confirmed that some of the infrastructure responsible for the distributed denial-of-service (DDoS) attacks against Dyn DNS were botnets compromised by Mirai malware.
Mirai botnets were previously used in DDoS attacks against the “Krebs On Security” blog and OVH.
As of 1730 EST, the attacks against Dyn DNS are still ongoing. Flashpoint is coordinating with multiple vendors and law enforcement to track the infected devices that constitute the botnet being used to conduct these attacks.

Unfortunately, the situation could be worse because hackers are selling access to a huge botnet composed of compromised Internet of Things (IoT) devices.

The security firm RSA revealed to have discovered in early October, hackers advertising access to a huge IoT botnet on an underground criminal forum.

“This is the first time we’ve seen an IoT botnet up for rent or sale, especially one boasting that amount of firepower. It’s definitely a worrying trend seeing the DDoS capabilities grow,” Daniel Cohen, head of the RSA’s FraudAction business unit, told Forbes.

According to RSA the hackers advertised an IoT botnet that is able to power DDoS attack with a 1 Tbps of traffic, the same volume of traffic that flooded the French hosting provider OVH. It is not clear if the botnet was composed of devices infected by the Mirai malware.

The hackers were offering a botnet composed of 50,000 devices for $4,600, meanwhile 100,000 bots the price is $7,500.

Cohen clarified that RSA has no evidence that the botnet is linked to infrastructure that hit the Dyn DNS service on Friday.

“Hackers have long sold access to botnets, though haven’t explicitly advertised their use of IoT devices like connected cameras, fridges and kettles. The infamous LizardSquad amassed sizeable botnets for its LizardStresser “booter” – a DDoS weapon for hire – but it largely compromised vulnerable routers.” reported FORBES.

IoT vendors are warned of future risks of cyber attacks, the Chinese manufacturer of surveillance and home video devices targeted by the Mirai botnet, Xiongmai Technology (XM), has pushed out parched to avoid the hacking of its devices.

However, any device running firmware released before September 2015 that is still using the default username and password (well known in the hacker community) remains vulnerable to attacks that use the credentials to access the devices via Telnet.

Attacks like the one powered by the IoT botnet on Friday are difficult to mitigate, anyway, the adoption of a secondary, back-up DNS provider could make hard for the attacker to shut down the web service.

Other countermeasures are listed in the FORBES blog post.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – IoT botnet, cybercrime)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.