Mirai Botnet is getting stronger and more notorious each day that passes by. The reason: insecure Internet-of-Things devices.
Last month, the Mirai botnet knocked the entire Internet offline for a few hours, crippling some of the world's biggest and most popular websites.
Now, more than 900,000 broadband routers belonging to Deutsche Telekom users in Germany were knocked offline over the weekend following a supposed cyber-attack, affecting telephony, television, and internet service in the country.
The German Internet Service Provider, Deutsche Telekom, which offers various services to around 20 million customers, confirmed on Facebook that as many as 900,000 customers suffered internet outages on Sunday and Monday.
Millions of routers are said to be vulnerable to a critical remote code execution flaw in routers made by Zyxel and Speedport, in which Internet-facing port 7547 is left open to receive commands based on the TR-069 and related TR-064 protocols, which are meant to be used by ISPs to manage customer devices remotely.
The same vulnerability affects Eir D1000 wireless routers (rebranded Zyxel modems) deployed by Irish internet service provider Eircom, while there are no signs that these routers are actively exploited.
According to a Shodan search, around 41 million devices leave port 7547 open, while about Million expose TR-064 services to the outside world.
each target IP.
in order to infect the vulnerable device.
Security researchers at BadCyber also analyzed one of the malicious payloads that were delivered during the attacks and discovered that the attack originated from a known Mirai command-and-control server.
is then used to launch DDoS attacks.
The hacker created three separate exploit files in order to infect three different
architectures: two running different types of MIPS chips and one with ARM silicon.
The malicious payloads open the remote administration interface and then attempt to log in using three different default passwords. After this is done, the exploit then closes port 7547 in order to prevent other attackers from taking control of the infected devices.
"Logins and passwords are obfuscated (or "encrypted") in the worm code using the
same algorithm as does Mirai," the researchers say. "The C&C server resides
under timeserver.host domain name, which can be found on the Mirai tracker list."
More in-depth technical details about the vulnerability can be found on ISC
Sans, Kaspersky Lab, and Reverse Engineering Blog.
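The behaviour described above has a simple defender-side signature: many unrelated Internet addresses hitting TCP port 7547 on the router's WAN interface, rather than the ISP's own auto-configuration server. The following script, added here as an illustration and not taken from the article or from the BadCyber, ISC SANS or Kaspersky analyses, parses netfilter-style firewall log lines and raises an alert when a threshold of distinct untrusted sources has probed that port. The log format, the "trusted ACS" address range and the log lines themselves are constructed assumptions (RFC 5737 documentation addresses), not real traffic.

```python
"""Flag scans of the TR-069/TR-064 management port (TCP 7547) in firewall logs.

Added example, not from the article. Assumes iptables/netfilter syslog records
of the form "IN=eth0 OUT= SRC=a.b.c.d DST=... PROTO=TCP SPT=... DPT=7547".
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

TR_PORT = 7547  # the CWMP port named in the article

# Assumption (constructed): the ISP's auto-configuration server (ACS) lives in
# this range. A real deployment would list the ISP's published ACS addresses;
# only the ACS has a legitimate reason to talk to port 7547.
TRUSTED_ACS_NETS = [ip_network("203.0.113.0/24")]

LOG_RE = re.compile(
    r"IN=(?P<iface>\S*) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)

# Constructed sample log lines, not captured traffic.
SAMPLE_LOGS = """\
Nov 27 10:01:02 cpe kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP SPT=44321 DPT=7547
Nov 27 10:01:05 cpe kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.5 PROTO=TCP SPT=51000 DPT=7547
Nov 27 10:01:06 cpe kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.5 PROTO=TCP SPT=51001 DPT=7547
Nov 27 10:01:09 cpe kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.5 PROTO=TCP SPT=40002 DPT=7547
Nov 27 10:01:11 cpe kernel: IN=eth0 OUT= SRC=198.51.100.99 DST=192.0.2.5 PROTO=TCP SPT=40003 DPT=443
Nov 27 10:01:14 cpe kernel: IN=eth0 OUT= SRC=198.51.100.150 DST=192.0.2.5 PROTO=UDP SPT=40004 DPT=7547
Nov 27 10:01:15 cpe kernel: IN=eth0 OUT= SRC=198.51.100.201 DST=192.0.2.5 PROTO=TCP SPT=40005 DPT=7547
this line is not a firewall record and is skipped
"""


def parse_line(line):
    """Return the interesting fields of one firewall record, or None if it is not one."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    try:
        src = ip_address(m.group("src"))
    except ValueError:  # malformed address: treat as not a valid record
        return None
    return {
        "iface": m.group("iface"),
        "src": src,
        "dst": m.group("dst"),
        "proto": m.group("proto").upper(),
        "dpt": int(m.group("dpt")),
    }


def is_trusted(src, trusted_nets=TRUSTED_ACS_NETS):
    """True if the source sits inside a range we expect to manage this router."""
    return any(src in net for net in trusted_nets)


def analyse(log_text, trusted_nets=TRUSTED_ACS_NETS, wan_iface="eth0", min_sources=3):
    """Count untrusted TCP/7547 hits on the WAN interface per source address.

    An alert is raised once at least `min_sources` distinct untrusted addresses
    have probed the port: a single unknown connection can be noise, but a spread
    of sources in a short log window is the scanning pattern described above.
    """
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["iface"] != wan_iface or rec["proto"] != "TCP" or rec["dpt"] != TR_PORT:
            continue
        if is_trusted(rec["src"], trusted_nets):
            continue  # the ISP's own ACS is allowed to reach the CWMP port
        hits[str(rec["src"])] += 1
    return {"untrusted_sources": dict(hits), "alert": len(hits) >= min_sources}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOGS)
    for src, n in sorted(report["untrusted_sources"].items()):
        print(f"{src:16} {n} connection(s) to tcp/{TR_PORT}")
    print("ALERT: port 7547 is reachable from the Internet and being probed"
          if report["alert"] else "no scan pattern seen")
```

On the sample data the ACS address is ignored, the port 443 and UDP records are filtered out, and three distinct untrusted sources remain, which trips the alert. The useful remediation signal is not the individual source addresses (a worm spreads from whichever devices it has already infected) but the fact that port 7547 is reachable from the Internet at all; the expected fix is the ISP firmware update, or restricting the port to the ACS range if the device allows it.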
Deutsche Telekom has issued an emergency patch for two models of its Speedport broadband routers (Speedport W 921V and Speedport W 723V Type B) and is currently rolling out firmware updates.
The company recommends that its customers power down their routers, wait for 30 seconds and then restart them so that the new firmware is fetched during the boot-up process.
If the router fails to connect to the company's network, users are advised to disconnect their device from the network permanently.
To compensate for the downtime, the ISP is also offering free Internet access through mobile devices to the affected customers until the technical problem is resolved.
controlled by individual gangs, he said, but others were being used by people
buying the service from an underground market.
"It's safe to say that certain groups are behind several ransomware programs, but not all," he said. "Especially now with Eda and HiddenTear copy and paste ransomware, there are many new, and often inexperienced, cybercriminals."
A separate indicator of the growth of ransomware came from the amount of net
infrastructure that gangs behind the malware had been seen using.
The numbers of web domains used to host the information and payment systems
had grown 35-fold, said Infoblox in its annual report which monitors these chunks
of the net's infrastructure.
"They use it and customise it for each attack," said Rod Rasmussen, vice-president of security at Infoblox.
"They will have their own command and control infrastructure and they might use it
to generate domains for a campaign," he told the BBC. "Then they'll have some
kind of payment area that victims can go to."
"The different parts are tied to particular parts of the chain," he said. "Infection,
exploitation and ransom."
Hidden files
The spread of ransomware was also being aided by tricks cyber-thieves used to
avoid being detected by security software, said Tomer Weingarten, founder of
security company SentinelOne.
"Traditional anti-virus software is not effective in dealing with these types of
attacks," he said.
The gangs behind the most prevalent ransomware campaigns had got very good at
hiding their malicious code, said Mr Weingarten.
"Where we see the innovation is in the infection vector," he said.
SentinelOne had seen gangs using both well-known techniques and novel
technical tricks to catch out victims.
A lot of ransomware reached victims via spear-phishing campaigns or booby-trapped adverts, he said, but other gangs used specialised "crypters" and "packers" that made files look benign.
Others relied on inserting malware into working memory so it never reached the
parts of a computer on which most security software keeps an eye.
"It's been pretty insane with ransomware recently," he said.
"Google has been secretive about the algorithms and criteria it uses to determine
that a potential attack is state-sponsored," explains ESET senior research fellow
David Harley, adding that such secrecy about proprietary algorithms is not unusual
in the security industry. "The relationship with the APT29 targeted malware is
speculative, but I can't say there isn't a connection. If an attack is based on code
that is associated with known state-sponsored attacks, that could be another
indicator, if you have that sort of information. Google isn't exactly known for a spirit
of friendly cooperation with the security industry at large, but it certainly has
security resources."
There is, however, an element of hysteria about this current batch of warnings, as if
users need to take different precautions against nation-state attacks than they do against
everyday criminal attacks. Activists are more likely to be attacked for political
reasons, and in some cases the consequences could be more dire -- but the
defenses remain the same as those everybody should be using as a matter of
course.
"Journalists and professors already know what they should do - and if they don't,
they can easily look it up. If they don't already follow best practices it's because
they suffer from the fallacy that they aren't important enough to target," comments
F-Secure's Sean Sullivan. It is certainly true that users receiving Google warnings
should take immediate steps to confirm the integrity of their account: Google
doesn't say the attack was successful, but nor does it say it failed.
Caleb Chen, who works with Private Internet Access, points out that state-sponsored attacks may be more prevalent than is commonly thought. Google says
only that it is likely to happen to less than 0.1% of its users. If there are a billion
Gmail users, he suggests, those figures mean that up to a million may have seen
state-sponsored probing. "As cyber-attacks continue to proliferate, often times
across borders, expect reports of this type of probing to rise in the future."
There is also an irony about warnings being attributed to foreign governments
coming at the same time as the US and particularly the UK governments are
This being the case, Trump could prove a relatively easy target for cybercriminals.
Taking control of his phone could be as easy as sending him an infected link via
social media and tricking him into clicking on it, security experts told The
Telegraph. From there, hackers could access Trump's emails, messages and other
media stored on his smartphone, as well as take control of his phone's camera and
microphone functions.
Whereas Barack Obama swapped his own phone for a toughened device provided
by the National Security Agency (NSA) earlier this year, it is reported that Trump is
reluctant to give up his personal phone and plans to continue using it after entering
the White House. Experts say Trump's use of the Android platform is particularly
concerning given the spate of malware attacks to have hit the platform in recent
years.
Martin Alderson, co-founder of mobile security firm Codified Security, said:
"President Obama was given a phone modified for his personal use, limited to
making phone calls. I think this will be the same for the president-elect, with his
tweeting done through a dedicated aide.
"Trump is going to find there's no way he gets to continue using a phone in the
same fashion as any other American citizen. The number of critical vulnerabilities
on his choice platform Android, such as Stagefright, TowelRoot, and Quadrooter,
show that Android is high risk for someone in his position."
The NSA might have a tough time ahead of it stripping Trump of his Twitter
privileges, but the president-elect will have to fall in line if he wants to avoid
becoming a victim of the dreaded cyber.