Hackers used devices connected by the Internet of Things (IoT) – like CCTV cameras and printers – to attack major websites last Friday.
Each of the websites affected used the DNS provider, Dyn.
Dyn is effectively an internet “phone book” that directs users to the internet address where the website is stored. It was knocked offline for most of the day by hackers, using connected devices, causing disruption to SaaS applications and internet sites.
“The attack on Dyn is what is known as a Name Server DDoS attack, where attackers focus on the name servers to prevent web addresses from resolving,” said Igal Zeifman, security evangelist at Imperva for the Incapsula product line.
These can be accomplished using what are known as DNS floods against servers or by attacking the network infrastructure of DNS service providers. The attack is akin to cutting off the telephone network before an invasion to prevent communication.”
The company, Dyn, confirmed it suffered a distributed denial of service (DDoS) attack and an IoT attack using the newly discovered Mirai botnet. Thousands of infected devices linked up to overwhelm Dyn and in the process rendered some major websites useless.
The source code used huge numbers of IoT connected devices to form a botnet, and attack websites with a DDoS attack.
The malware, named ‘Mirai’, is a DDoS Trojan and targets Linux systems and, in particular, IoT devices.
Mirai finds smart devices – particularly in homes – that have weak passwords and takes control.
Many of the devices involved came from Chinese manufacturers, which had weak usernames and passwords that cannot be changed by the user.
The source code was recently leaked online in a hacking forum, and has lead to an increase in large scale web attacks – as seen on Friday.
“Mirai scours the Web for IoT (Internet of Things) devices protected by little more than factory-default usernames and passwords,” explained cybersecurity expert Brian Krebs, “and then enlists the devices in attacks that hurl junk traffic at an online target until it can no longer accommodate legitimate visitors or users.”
A different kind of attack
Usually DDoS attacks target single websites, but the one on Friday affected many of the world’s popular websites at once.
This is because of the increasing number of connected devices. As the IoT becomes more prevalent, the opportunity to hack them and direct attacks at multiple targets will increase.
Mike Ahmadi, global director, critical systems security at Synopsys said “the avalanche of IoT devices has created an environment where software and implementation flaws can be exploit at previously unseen levels, effectively turning them into widely distributed information weapons. What may have been adequate robustness in the past no longer holds true”.
“While this particular attack may not have been motivated by extortion, a new model of ransom based attacks, infrastructure ransom as a service (IRaaS), could be on the horizon, motivated to pay off threats for fear of infrastructure wide customer outages,” said Thomas Pore, director of IT, Plixer.
“An infrastructure outage, such as DNS, against a service provider impacting both the provider and customers may prompt a quick ransom payoff to avoid unwanted customer attrition or larger financial impact.”