A variant of the Mirai botnet, composed at lease of 13,000 compromised IoT devices was used to launch a series of DDoS attacks against financial sector businesses. The DDoS attacks peaked at up to 30 Gbps, in volume, of malicious traffic.
Researchers at Insikt Group, the Recorded Future threat research team, reported this week the results of their analysis of the malware samples involved in the assaults linked the Mirai variant to IoTroop botnet, aka Reaper.
The latest attacks observed by Recorded Future took place between Jan. 27 through 28, the experts spotted three different attacks.
“The first attack occurred on January 28, 2018 at 1830 UTC. A second financial sector company experienced a DDoS attack the same day and time, likely utilizing the same botnet. A third financial sector company experienced a similar DDoS attack a few hours later at 2100 UTC the same day.” states the report published by Recorded Future.
The first DDoS attack implemented a DNS amplification technique and peaked at 30 Gbps. Researchers are unsure what the volumes of subsequent attacks were.
According to the researchers, the botnet used in the first company attack was composed of 80 percent of compromised MikroTik routers and 20% various IoT devices (i.e. Apache and IIS web servers, webcams, DVRs, TVs, and routers).
The experts speculated about a possible evolution of the IoTroop botnet that was improved by including the code to trigger new vulnerabilities in IoT devices.
“If these attacks were conducted by IoTroop, then our observations indicate the botnet has evolved since October 2017 to exploit vulnerabilities in additional IoT devices and is likely to continue to do so to propagate the botnet and facilitate larger DDoS attacks,” continues the report.
The experts at Recorded Future found some differences between this latest variant of Mirai from the original Mirai and IoTroop bot.
The ability of the botnet of infecting devices from different manufacturers suggests a widespread and rapidly evolving botnet that appears to be leveraging publicly disclosed flaws in many IoT devices.
“While many of the IoT vendors and devices appeared in the (IoTroop) research published in October 2017, many of the devices such as Dahua CCTV DVRs, Samsung UE55D7000 TVs and Contiki-based devices were previously unknown to be vulnerable to Reaper/IoTroop malware,” researchers said.
The most important improvement of the Mirai variant used in the last attacks is the inclusion of the IoTroop code that allows the botmaster to update the malware on the fly.
“Reaper was built using a flexible Lua engine and scripts, which means that instead of being limited to the static, pre-programmed attacks of previous exploits, its code can be easily updated on the fly, allowing massive in-place botnets to run new and more malicious attacks as soon as they become available,” continues the analysis.
The availability of the Mirai source code is allowing crooks to create their own versions of the botnet and rent it to other cybercriminals, it is to predict new attacks powered by improved versions of the original botnet.
(Security Affairs – Mirai botnet, DDoS)