Mirai Botnet Attacks Likely Pulled Off By Teenagers

The recent Mirai botnet DDoS attacks were the largest on record – and they were likely masterminded by teenagers.

In October, a massive DDoS attack on the Dyn DNS “Managed DNS” infrastructure brought down a number of major websites, including PayPal, Twitter, Amazon, Netflix, and Spotify. The attack was accomplished through the use of the Mirai botnet, a piece of open source malware that works by compromising Internet of Things (IoT) devices and turning them into “zombies.” It was the largest DDoS attack in history, and it illustrated the significant vulnerabilities posed by insecure IoT devices.

In the aftermath of the Mirai attacks, cyber security experts went to work to find out who was behind them. Was this the work of foreign or domestic terrorists? Nation-state hackers? Organized crime groups? Turns out, the largest DDoS attack ever recorded was most likely orchestrated not by organized terror groups or criminal masterminds, but teenagers, Vice News reports:

…[T]he world’s leading cybersecurity experts have been following clues to track who is responsible. They’ve come to a disturbing conclusion: the biggest DDoS attack in history was probably not caused by a state-sponsored actor, organized crime, terror groups, or anyone with a geopolitical or financial motive. So who’s left?

“Kids,” said Mikko Hypponen, chief research officer with security firm F-Secure. “Kids who have the capability and don’t know what to do with it.”

“The source code that was released could have been written by a high school student, a smart high school student, but a high school student nonetheless,” security expert Rob Graham said after examining the malware used in the attacks. “It wasn’t particularly sophisticated.”

The notion that a rank amateur could manage to pull off such a massive cyber attack is not unprecedented. In 2008, a Polish teenager hacked into the tram system of the city of Lodz, Poland, derailing four trains and injuring a dozen people. When questioned by authorities, he claimed that the hack was done as a “prank.”

Anyone can download the source code for Mirai. It’s available online, along with helpful, step-by-step instructions. As the recent DDoS attacks prove, it doesn’t take a computer science degree, the financial backing of a nation-state or terror group, or much skill to use it. This begs the same question that was asked after the Lodz tram debacle: If a high school kid motivated only by the desire to stir things up a bit can do this much damage, what could an organized, skilled, well-funded group of highly motivated cyber terrorists accomplish?

Insecure IoT Devices No Match for Mirai

The Mirai malware takes advantage of a very simple but extremely serious vulnerability that plagues IoT devices, from routers to printers to DVRs: many, if not most, users have never changed the default passwords their devices came with, because they don’t know how, they don’t understand why they should, or both. Even when a security-conscious user realizes they need to change their device’s password, they may not be able to; on some devices, the login credentials are hard-coded into the firmware, making it difficult or impossible for end users to change them.

Part of the PCI DSS standard that retailers and credit card processors must follow dictates that no hardware should ever be connected to a network unless its default login credentials have been changed. There are two good reasons for this. First, the majority of data breaches are the result of hackers obtaining legitimate login credentials to a system, and second, manufacturer default passwords are widely available online. The Mirai source code contains 68 username and password combinations. Since manufacturers often use the same login credentials for multiple devices, just one set could allow a hacker to access hundreds, possibly thousands, of devices.

Mirai works by scanning the internet for specific devices, then attempting to access them using manufacturer default credentials. Once Mirai successfully compromises a device, hackers can turn it into a “zombie” – often without the device’s owner even realizing it. Once an army of “zombie” devices has been amassed, it can be used to flood specific web servers with so many junk requests that they slow to a crawl or crash.
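The PCI DSS rule described above (nothing goes on the network until its default credentials are changed) is easy to turn into an inventory audit. The following is an added example, not code from the article or from Continuum GRC: it checks a device inventory against a set of factory-default username/password pairs, flags devices whose credentials cannot be changed at all, and counts how many devices a single shared default would open. The credential list, device models, hostnames and passwords are all constructed for the example; a real audit would load the vendor defaults for the models actually on the network.

```python
"""Default-credential audit for an IoT device inventory (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Credential = Tuple[str, str]

# Constructed sample of factory-default username/password pairs (not the
# list from the Mirai source). A real audit loads the vendor defaults for
# the device models present in the inventory.
DEFAULT_CREDENTIALS: Set[Credential] = {
    ("admin", "admin"),
    ("root", "root"),
    ("admin", "password"),
    ("user", "user"),
}


@dataclass(frozen=True)
class Device:
    hostname: str
    model: str
    username: str
    password: str
    password_changeable: bool = True  # False when credentials are baked into firmware


def audit_device(device: Device,
                 defaults: Set[Credential] = DEFAULT_CREDENTIALS) -> List[str]:
    """Return the findings for one device; an empty list means it passes."""
    findings: List[str] = []
    if (device.username, device.password) in defaults:
        findings.append("factory-default credentials still in use")
    if not device.password_changeable:
        # Nothing the owner can do on the device itself: the fix is
        # network isolation (no inbound exposure) or replacement.
        findings.append("credentials hard-coded in firmware; network-isolate or replace")
    return findings


def audit_inventory(devices: List[Device],
                    defaults: Set[Credential] = DEFAULT_CREDENTIALS) -> Dict[str, List[str]]:
    """Map each failing hostname to its findings; passing devices are omitted."""
    report: Dict[str, List[str]] = {}
    for device in devices:
        findings = audit_device(device, defaults)
        if findings:
            report[device.hostname] = findings
    return report


def shared_default_exposure(devices: List[Device],
                            defaults: Set[Credential] = DEFAULT_CREDENTIALS) -> Dict[Credential, int]:
    """Count how many devices each default pair would open at once.

    This is the 'one credential set, many devices' problem: the same
    factory default reused across a product line multiplies the exposure.
    """
    exposure: Dict[Credential, int] = {}
    for device in devices:
        cred = (device.username, device.password)
        if cred in defaults:
            exposure[cred] = exposure.get(cred, 0) + 1
    return exposure


# Constructed inventory; hostnames, models and passwords are made up.
SAMPLE_INVENTORY: List[Device] = [
    Device("cam-01", "ExampleCam-100", "admin", "admin"),
    Device("cam-02", "ExampleCam-100", "admin", "admin"),
    Device("dvr-01", "ExampleDVR-4", "root", "root", password_changeable=False),
    Device("printer-01", "ExamplePrint-Z", "admin", "Zt7!pq9Lm4xw"),
]


if __name__ == "__main__":
    for host, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {'; '.join(findings)}")
    for (user, pw), count in shared_default_exposure(SAMPLE_INVENTORY).items():
        print(f"{user}/{pw} would open {count} device(s)")
```

Devices with hard-coded credentials are reported separately because changing the password is not an available fix there; the only mitigations are keeping the device off any network reachable from the internet or replacing it.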

Mirai DDoS Attacks the “Canary in the Coal Mine” for IoT Security

In the wake of the Mirai attacks, Chinese manufacturer Hangzhou Xiongmai voluntarily recalled its home webcams, and it’s possible more manufacturers will follow suit. However, in light of the serious issues raised by Mirai, much more has to be done. The situation is so bad, and IoT manufacturers have dragged their feet for so long, some experts are now calling for the federal government to step in and regulate IoT security.

If IoT manufacturers do not step up to the plate and clean their own houses, they are setting themselves up not only for onerous government regulations but also cyber attacks that are far more destructive than the Mirai DDoS attacks.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. We offer full-service risk assessment services provided by Lazarus Alliance and our award-winning Continuum IRM GRC software to protect companies from data breaches, ransomware attacks, and other cyber threats.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization secure your systems.


Cyber Forensics Protect the Innocent

It is always rewarding when cyber security and cyber forensics protect the innocent. Monique Vivien Macias of KPNX 12 News Phoenix discusses with Lazarus Alliance and Continuum GRC’s CEO Michael Peters how cyber forensics has become such a vital resource in law enforcement’s toolkit.

Christopher Thomas McKenna, the former Chaparral High School teacher and girls’ track coach facing charges for having an ongoing sexual affair with a student from another school, is facing more charges for allegedly continuing to contact and see the teen.

According to court documents, after his arrest last December, a judge ordered McKenna to wear an ankle bracelet to track his movements as part of his release.


It’s one piece of a cyber puzzle Scottsdale police reportedly used to obtain evidence McKenna and the now 17-year-old girl were meeting up, continuing to talk over the phone and also, possibly, contacting each other through social media.

“It’s just an extremely valuable tool,” said Michael Peters, a cyber security expert and CEO of Lazarus Alliance Inc. and Continuum IRM GRC software.

Peters has previously used his training in computer forensics to help various law enforcement agencies including the FBI.

“For both solving crimes and preventing crimes,” Peters said, “there are numerous applications that are constantly locating individuals.”

Court papers show that location data collected by online apps on the teen’s cellphone places she and McKenna in the same spot at the same time on several different occasions, and that the teen had been near his house on multiple occasions.

“Whatever kind of application you’re using, you start leaving bread crumbs,” Peters said. It can happen multiple ways but mostly, “through networks, through cell towers, Wi-Fi access points,” he continued.

Documents also allege McKenna bought the teen a new TracPhone, also known as a burner phone, to continue hiding their relationship.

However, the report says police used cyber forensics to trace the phone and were able to create a timeline of where and when the phone was purchased and also when McKenna allegedly met the teen and gave it to her.

It went on to say investigators linked McKenna’s debit card to the phone’s purchase.

McKenna is now facing charges for failing to comply with a court order, in addition to a list of other charges, which include the sexual exploitation of a minor and luring a minor for sex.

Jail records say he has been released from jail.

Source: 12 News KPNX-TV