Mirai and its descendants: how IoT devices are harnessed for massive botnet attacks

There’s no better time to start thinking seriously about cybersecurity, and how best to protect yourself.

[Image: Twitter bots on a Twitter background. Image: KnowTechie]

Four years ago, the Mirai malware reared its ugly head for the first time. Mirai spreads by scanning the internet for Internet of Things (IoT) devices with an exposed Telnet service and, when it finds one, trying to log in with a built-in list of more than 60 factory-default username and password combinations.

If a login succeeds, the device is infected with a copy of the malware that lets the attacker control it remotely, and it joins a botnet of up to hundreds of thousands of similarly infected "zombie" devices that are used for distributed denial of service (DDoS) attacks.
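The "list of more than 60 factory-default combinations" is embedded in the released Mirai scanner source (scanner.c) in lightly obfuscated form: each byte of a username or password is XORed with the four bytes of the key 0xDEADBEEF, which fold to the single byte 0x22, and each entry carries a weight that controls how often the scanner tries it. The following added example (not code from the article, and not Mirai's own code) decodes five of the 62 entries exactly as they appear in that source, with the weights the source gives them, and reproduces the weighted selection; the helper `uses_mirai_default` is an assumed defensive use of the same table.

```python
"""Decode Mirai's obfuscated default-credential table and reproduce its
weighted credential selection.  Added example: not the article's code and
not Mirai's own; the five entries and their weights are transcribed from the
released scanner.c, the functions are this example's own.
"""
import random

# The four key bytes of 0xDEADBEEF XOR down to one byte: DE^AD^BE^EF == 0x22
MIRAI_OBF_KEY = 0xDE ^ 0xAD ^ 0xBE ^ 0xEF

# (obfuscated username, obfuscated password, selection weight) as passed to
# add_auth_entry() in the released source.  The decoded values are in the
# trailing comments.
OBFUSCATED_ENTRIES = [
    (b"\x50\x4D\x4D\x56", b"\x5A\x41\x11\x17\x13\x13", 10),   # root  / xc3511
    (b"\x50\x4D\x4D\x56", b"\x54\x4B\x58\x5A\x54", 9),        # root  / vizxv
    (b"\x50\x4D\x4D\x56", b"\x43\x46\x4F\x4B\x4C", 8),        # root  / admin
    (b"\x43\x46\x4F\x4B\x4C", b"\x43\x46\x4F\x4B\x4C", 7),    # admin / admin
    (b"\x50\x4D\x4D\x56", b"\x1A\x1A\x1A\x1A\x1A\x1A", 6),    # root  / 888888
]


def deobf(blob: bytes) -> str:
    """Undo the table obfuscation: XOR every byte with the folded key."""
    return bytes(b ^ MIRAI_OBF_KEY for b in blob).decode("ascii")


def decode_table(entries=OBFUSCATED_ENTRIES):
    """Return the table as (username, password, weight) in clear text."""
    return [(deobf(user), deobf(pw), weight) for user, pw, weight in entries]


def pick_credential(table, roll):
    """Weighted choice the way the scanner does it: `roll` is an integer in
    [0, sum of weights); walk the table subtracting weights until it fits."""
    total = sum(w for _, _, w in table)
    if not 0 <= roll < total:
        raise ValueError(f"roll must be in [0, {total})")
    for user, pw, weight in table:
        if roll < weight:
            return user, pw
        roll -= weight
    raise AssertionError("unreachable: roll was range-checked above")


def random_credential(table, rng=random):
    """One login attempt's credentials; heavier entries come up more often."""
    return pick_credential(table, rng.randrange(sum(w for _, _, w in table)))


def uses_mirai_default(user, pw, table=None):
    """Assumed defensive use: does a device's configured login appear in the
    table a Mirai scanner will try?"""
    table = table or decode_table()
    return any(user == u and pw == p for u, p, _ in table)


if __name__ == "__main__":
    for user, pw, weight in decode_table():
        print(f"{user:6s} {pw:8s} weight={weight}")
    print("sample pick:", random_credential(decode_table()))
```

The weights matter for defenders as much as the strings: `root/xc3511` is tried with probability 10/40 in this five-entry slice, so the first login a compromised camera attempts against a neighbour is very likely to be one of the top few pairs, which is what a honeypot or Telnet login log should be checked against first.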

These DDoS attacks aim to knock websites and internet services offline by flooding them with massive amounts of junk traffic, so that regular, legitimate users can no longer reach them. A target without proper DDoS protection has no way to absorb or filter that flood.

However, the owners of the infected devices used for these attacks may be none the wiser, since the devices continue to function as normal, even if they might seem a bit more sluggish on occasion. Devices infected by Mirai could include DVRs, smart TVs, routers, security cameras, baby monitors, smoke detectors, and many other forms of connected hardware.

Years after the first Mirai attacks, security practitioners are still talking about it, for two main reasons. The first is that it showed how easily attackers assembled some of the largest DDoS attacks seen up to that point from a botnet of connected devices, simply by exploiting the fact that many people never change the default credentials on their devices. The September 2016 attack on the website of security journalist Brian Krebs, who later exposed the identity of Mirai's author, peaked at roughly 620 Gbps of junk traffic.

The second reason is that Mirai hasn’t gone away. Far from it, in fact.

New variants of Mirai are emerging

Security researchers continue to discover new variants of the Mirai malware. Like a real-world virus, Mirai keeps mutating. Its author posted the botnet's source code publicly in late 2016, along with instructions for configuring and setting it up, before being identified. That release has allowed other criminals to build their own variants of the malware and run botnets of their own. In 2020 alone, multiple variants of Mirai have been discovered.

SORA and UNSTABLE were variants that exploited a vulnerability, CVE-2020-6756, in a video surveillance storage device made by Rasilient. Another variant, Mukashi, attacks Zyxel network-attached storage (NAS) devices through a different vulnerability, CVE-2020-9054, a pre-authentication command injection in the devices' web login interface. These are just a small handful of examples out of many. Note what they have in common: they do not rely on default passwords at all, so a device with a strong, unique password is still exposed if its firmware is unpatched.

With no sign of Mirai vanishing, and new variants appearing all the time, this is a timely reminder of why individuals and organizations alike must protect themselves. Changing the default username and password on every IoT device defeats the credential guessing that the original Mirai and many of its descendants rely on; it does nothing against variants that exploit software vulnerabilities, so applying all available firmware patches and updates matters just as much. Monitoring network traffic helps too: an infected device gives itself away by making bursts of connection attempts to large numbers of unfamiliar addresses (Mirai's scanner hammers TCP ports 23 and 2323) and by talking to command-and-control domains you do not recognise.
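The network-monitoring advice above can be turned into a concrete check. The following added example (not code from the article) flags Mirai-style scanners in a connection log: a host that opens connections to many distinct destinations on TCP 23 or 2323 inside a short window. The log format, the field order and the sample flows are constructed for this example; the threshold and window are assumptions to tune for your own network.

```python
"""Flag Mirai-style Telnet scanning from a connection log.

Added example, not code from the article.  Assumed (constructed) log format,
one flow per line, space separated:
    <epoch_seconds> <src_ip> <dst_ip> <dst_port> <tcp_flags>
A compromised device scans continuously, so the signal is a single source
opening SYNs to many distinct destinations on 23/2323 within a minute; the
owner sees nothing because the device keeps working.
"""
from collections import defaultdict

SCAN_PORTS = {23, 2323}        # Telnet ports Mirai's scanner targets
WINDOW_SECONDS = 60            # assumed detection window
DISTINCT_DST_THRESHOLD = 50    # assumed: a legitimate host rarely telnets to 50 peers a minute


def parse_flow(line):
    """Split one log line into (ts, src, dst, dport, flags)."""
    ts, src, dst, port, flags = line.split()
    return int(ts), src, dst, int(port), flags


def find_scanners(lines, window=WINDOW_SECONDS, threshold=DISTINCT_DST_THRESHOLD):
    """Return {src_ip: peak distinct Telnet targets in any window} for every
    source whose peak reaches the threshold."""
    attempts = defaultdict(list)          # src -> [(ts, dst), ...] outbound SYNs to 23/2323
    for line in lines:
        ts, src, dst, port, flags = parse_flow(line)
        if port in SCAN_PORTS and flags == "S":
            attempts[src].append((ts, dst))

    flagged = {}
    for src, events in attempts.items():
        events.sort()                     # by timestamp
        in_window = defaultdict(int)      # dst -> SYNs to it inside the current window
        left, peak = 0, 0
        for ts, dst in events:
            in_window[dst] += 1
            # slide the left edge forward until everything left is within `window` seconds
            while events[left][0] < ts - window:
                old_dst = events[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def sample_flows():
    """Constructed sample: one infected DVR scanning, plus a benign laptop."""
    lines = []
    base = 1_600_000_000
    # DVR 192.168.1.50: 120 SYNs to 120 distinct hosts in 30 s, roughly one
    # in ten to 2323 like the real scanner.  (i*37 mod 200 is a permutation
    # for i < 200, so the first octets, and hence the addresses, are distinct.)
    for i in range(120):
        dst = f"{10 + (i * 37) % 200}.{(i * 91) % 256}.{(i * 53) % 256}.{(i * 29) % 256 or 1}"
        port = 2323 if i % 10 == 0 else 23
        lines.append(f"{base + i // 4} 192.168.1.50 {dst} {port} S")
    # Laptop 192.168.1.20: HTTPS browsing and one admin Telnet session to a switch.
    for i in range(40):
        lines.append(f"{base + i} 192.168.1.20 151.101.{i % 4}.{100 + i} 443 S")
    lines.append(f"{base + 5} 192.168.1.20 192.168.1.1 23 S")
    return lines


if __name__ == "__main__":
    for host, peak in find_scanners(sample_flows()).items():
        print(f"{host}: {peak} distinct Telnet targets within {WINDOW_SECONDS}s")
```

The same logic applies to NetFlow or firewall logs once the parser is swapped for the real field order; counting distinct destinations rather than raw packets keeps a single long-lived administrative Telnet session from tripping the alarm.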

In addition, Mirai is proof positive of why it's crucial to protect against DDoS attacks. In some instances the attacker's goal is simply to take services and websites offline for a while, causing chaos by making them inaccessible to customers; that costs organizations money directly and can also erode customer loyalty. In other cases, criminals threaten a DDoS attack as a way to extort money from the target.

The importance of protecting against DDoS attacks

However, there are solutions at hand. DDoS protection for websites, networks, DNS and IP infrastructure works by detecting and mitigating attacks before they reach your servers, and the measures differ by attack type. Common ones include a web application firewall (WAF) to block application-layer attacks and malicious bots, measures that hide your origin server's IP address so attackers cannot bypass the protection and flood it directly, and enough capacity to absorb volumetric attacks of up to 65 billion attack packets. If you bring in a DDoS protection provider, make sure all of these safeguards are in place.

DDoS attacks are only going to become more commonplace, and those that, like Mirai, recruit IoT devices are on the upswing as well. The number of IoT devices in use worldwide is exploding: estimates put the figure at 31 billion installed devices this year and upwards of 75 billion by 2025. Combined with the weak security of many of these devices, Mirai's offspring will have a far larger pool of hardware to draw on, and the attacks they wage could dwarf those seen so far.

There’s no better time to start thinking seriously about cybersecurity, and how best to protect yourself. So that, hopefully, your only familiarity with Mirai will come from reading this piece.
