U.S. Department of Homeland Security US-CERT   
      
   National Cyber Awareness System:   
      
      
   TA16-288A: Heightened DDoS Threat Posed by Mirai and Other Botnets [    
   https://www.us-cert.gov/ncas/alerts/TA16-288A ] 10/14/2016 07:59 PM EDT   
   Original release date: October 14, 2016   
      
   Systems Affected   
      
   Internet of Things (IoT)—an emerging network of devices (e.g., printers,    
   routers, video cameras, smart TVs) that connect to one another via the    
   Internet, often automatically sending and receiving data   
      
   Overview   
      
   Recently, IoT devices have been used to create large-scale botnets—networks of    
   devices infected with self-propagating malware—that can execute crippling    
   distributed denial-of-service (DDoS) attacks. IoT devices are particularly    
   susceptible to malware, so protecting these devices and connected hardware is    
   critical to protect systems and networks.   
      
   Description   
      
   On September 20, 2016, Brian Krebs’ security blog (krebsonsecurity.com) was    
   targeted by a massive DDoS attack, one of the largest on record, exceeding 620    
   gigabits per second (Gbps).[1 [    
   https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/ ]]   
   An    
   IoT botnet powered by Mirai malware created the DDoS attack. The Mirai malware    
   continuously scans the Internet for vulnerable IoT devices, which are then    
   infected and used in botnet attacks. The Mirai bot uses a short list of 62    
   common default usernames and passwords to scan for vulnerable devices. Because    
   many IoT devices are unsecured or weakly secured, this short dictionary allows    
   the bot to access hundreds of thousands of devices.[2 [    
   https://nakedsecurity.sophos.com/2016/10/05/mirai-internet-of-th   
   ngs-malware-fr    
   om-krebs-ddos-attack-goes-open-source/ ]] The purported Mirai author claimed    
   that over 380,000 IoT devices were enslaved by the Mirai malware in the attack    
   on Krebs’ website.[3 [    
   https://www.pcworld.com/article/3126362/security/iot-malware-beh   
   nd-record-ddos    
   -attack-is-now-available-to-all-hackers.html ]]   
      
   In late September, a separate Mirai attack on French webhost OVH broke the    
   record for largest recorded DDoS attack. That DDoS was at least 1.1 terabits    
   per second (Tbps), and may have been as large as 1.5 Tbps.[4 [    
   http://arstechnica.com/security/2016/09/botnet-of-145k-cameras-r   
   portedly-deliv    
   er-internets-biggest-ddos-ever/ ]]   
      
   The IoT devices affected in the latest Mirai incidents were primarily home    
   routers, network-enabled cameras, and digital video recorders.[5 [    
   http://www.darkreading.com/denial-of-service-attacks/iot-ddos-at   
   ack-code-relea    
   sed-/d/d-id/1327086 ]] Mirai malware source code was published online at the    
   end of September, opening the door to more widespread use of the code to   
   create    
   other DDoS attacks.   
      
   In early October, Krebs on Security reported on a separate malware family    
   responsible for other IoT botnet attacks.[6 [    
   https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/    
   ]] This other malware, whose source code is not yet public, is named Bashlite.    
   This malware also infects systems through default usernames and passwords.    
   Level 3 Communications, a security firm, indicated that the Bashlite botnet   
   may    
   have about one million enslaved IoT devices.[7 [    
   http://blog.level3.com/security/attack-of-things/ ]]   
      
   Impact   
      
   With the release of the Mirai source code on the Internet, there are increased    
   risks of more botnets being generated. Both Mirai and Bashlite can exploit the    
   numerous IoT devices that still use default passwords and are easily    
   compromised. Such botnet attacks could severely disrupt an organization’s    
   communications or cause significant financial harm.   
      
   Software that is not designed to be secure contains vulnerabilities that can   
   be    
   exploited. Software-connected devices collect data and credentials that could    
   then be sent to an adversary’s collection point in a back-end application.   
      
   Solution   
      
   Cybersecurity professionals should harden networks against the possibility of   
   a    
   DDoS attack. For more information on DDoS attacks, please refer to US-CERT    
   Security Publication DDoS Quick Guide [    
   https://www.us-cert.gov/sites/default/files/publications/DDoS%20   
   uick%20Guide.p    
   df ] and the US-CERT Alert on UDP-Based Amplification Attacks [    
   https://www.us-cert.gov/ncas/alerts/TA14-017A ].   
      
   *"Mitigation"*   
      
   In order to remove the Mirai malware from an infected IoT device, users and    
   administrators should take the following actions:   
      
      
     * Disconnect device from the network.   
     * While disconnected from the network and Internet, perform a reboot.   
   Because    
   Mirai malware exists in dynamic memory, rebooting the device clears the    
   malware.   
     * Ensure that the password for accessing the device has been changed from   
   the    
   default password to a strong password. See US-CERT Tip Choosing and Protecting    
   Passwords [ https://www.us-cert.gov/ncas/tips/ST04-002 ] for more information.   
     * You should reconnect to the network only after rebooting and changing the    
   password. If you reconnect before changing the password, the device could be    
   quickly reinfected with the Mirai malware.   
      
   *"Preventive Steps"*   
      
   In order to prevent a malware infection on an IoT device, users and    
   administrators should take following precautions:   
      
      
     * Ensure all default passwords are changed to strong passwords. Default    
   usernames and passwords for most devices can easily be found on the Internet,    
   making devices with default passwords extremely vulnerable.   
     * Update IoT devices with security patches as soon as patches become    
   available.   
     * Disable Universal Plug and Play (UPnP) on routers unless absolutely    
   necessary.[8 [ https://www.ic3.gov/media/2015/150910.aspx ]]   
     * Purchase IoT devices from companies with a reputation for providing secure    
   devices.   
     * Consumers should be aware of the capabilities of the devices and   
   appliances    
   installed in their homes and businesses. If a device comes with a default    
   password or an open Wi-Fi connection, consumers should change the password and    
   only allow it to operate on a home network with a secured Wi-Fi router.   
     * Understand the capabilities of any medical devices intended for at-home    
   use. If the device transmits data or can be operated remotely, it has the    
   potential to be infected.   
     * Monitor Internet Protocol (IP) port 2323/TCP and port 23/TCP for attempts    
   to gain unauthorized control over IoT devices using the network terminal    
   (Telnet) protocol.[9 [    
   https://isc.sans.edu/forums/diary/What+is+happening+on+2323TCP/21563/ ]]   
     * Look for suspicious traffic on port 48101. Infected devices often attempt    
   to spread malware by using port 48101 to send results to the threat actor.   
      
   References   
      
     * [1] KrebsOnSecurity: KrebsOnSecurity Hit With Record DDoS [    
   https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/ ]   
     * [2] Sophos: Mirai “internet of things” malware from Krebs DDoS attack goes    
   open source [    
   https://nakedsecurity.sophos.com/2016/10/05/mirai-internet-of-th   
   ngs-malware-fr    
   om-krebs-ddos-attack-goes-open-source/ ]   
     * [3] PCWorld: Smart device malware behind record DDoS attack is now    
   available to all hackers [    
   https://www.pcworld.com/article/3126362/security/iot-malware-beh   
   nd-record-ddos    
   -attack-is-now-available-to-all-hackers.html ]   
     * [4] ArsTechnica: Record-breaking DDoS reportedly delivered by >145k hacked    
   cameras [    
   http://arstechnica.com/security/2016/09/botnet-of-145k-cameras-r   
   portedly-deliv    
   er-internets-biggest-ddos-ever/ ]   
     * [5] InformationWeek DarkReading: IoT DDoS Attack Code Released [    
   http://www.darkreading.com/denial-of-service-attacks/iot-ddos-at   
   ack-code-relea    
   sed-/d/d-id/1327086 ]   
     * [6] KrebsOnSecurity: Source Code for IoT Botnet "Mirai" Released [    
   https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/    
   ]   
     * [7] Level 3 Threat Research Labs: Attack of Things! [    
   http://blog.level3.com/security/attack-of-things/ ]   
     * [8] Federal Bureau of Investigation Public Service Announcement: Internet    
   of Things Poses Opportunities for Cyber Crime [    
   https://www.ic3.gov/media/2015/150910.aspx ]   
     * [9] SANS ISC InfoSec Forums: What is happening on 2323/TCP? [    
   https://isc.sans.edu/forums/diary/What+is+happening+on+2323TCP/21563/ ]   
      
   Revision History   
      
     * October 14, 2016: Initial release   
   ________________________________________________________________________   
      
   This product is provided subject to this Notification [    
   http://www.us-cert.gov/privacy/notification ] and this Privacy & Use [    
   http://www.us-cert.gov/privacy/ ] policy.   
      
   ________________________________________________________________________   
      
   A copy of this publication is available at www.us-cert.gov [    
   https://www.us-cert.gov ]. If you need help or have questions, please send an    
   email to info@us-cert.gov. Do not reply to this message since this email was    
   sent from a notification-only address that is not monitored. To ensure you    
   receive future US-CERT products, please add US-CERT@ncas.us-cert.gov to your    
   address book.   
      
   OTHER RESOURCES: Contact Us [ http://www.us-cert.gov/contact-us/ ] | Security    
   Publications [ http://www.us-cert.gov/security-publications ] | Alerts and   
   Tips    
   [ http://www.us-cert.gov/ncas ] | Related Resources [    
   http://www.us-cert.gov/related-resources ]   
      
   STAY CONNECTED: Sign up for email updates [    
   http://public.govdelivery.com/accounts/USDHSUSCERT/subscriber/new ]   
      
   SUBSCRIBER SERVICES:   
   Manage Preferences [    
   http://public.govdelivery.com/accounts/USDHSUSCERT/subscribers/n   
   w?preferences=    
   true ]  |  Unsubscribe [    
   https://public.govdelivery.com/accounts/USDHSUSCERT/subscriber/o   
   e_click_unsubs    
   cribe?verification=5.43e66354f7e069837b41e0fec3b03174&destinatio   
   =Fido4cmech%40    
   lusfiber.net ]  |  Help [ https://subscriberhelp.govdelivery.com/ ]   
      
   ________________________________________________________________________   
      
   This email was sent to Fido4cmech@lusfiber.net using GovDelivery, on behalf   
   of:    
   United States Computer Emergency Readiness Team (US-CERT) · 245 Murray Lane SW    
   Bldg 410 · Washington, DC 20598 · (888) 282-0870  Powered by GovDelivery [    
   http://www.govdelivery.com/portals/powered-by ]   
      
      
      
      
   -----   
   No virus found in this message.   
   Checked by AVG - www.avg.com   
   Version: 2016.0.7797 / Virus Database: 4664/13210 - Release Date: 10/14/16   
      
   === Cut ===   
      
      
   -+-   
   Keep the faith   :^)   
      
      Ben  aka cMech  Web: http|ftp|binkp|telnet://cmech.dynip.com   
                    Email: fido4cmech(at)lusfiber.net   
                 Home page: http://cmech.dynip.com/homepage/   
              WildCat! Board 24/7  +1-337-984-4794  any BAUD 8,N,1   
      
   ... My computer's sick. I think my modem is a carrier.   
   --- GoldED+/W32-MSVC v1.1.5 via Mystic BBS   
    * Origin: FIDONet - The Positronium Repository (1:393/68)