FBI: New Malware to Spur More Large-Scale Cyber Attacks

Mirai disrupted Internet service in eastern U.S.

Disruptive Cyberattack
Internet infrastructure company Dyn, which was targeted by the Mirai botnet / AP
November 3, 2016

The FBI is warning companies to protect themselves from cyber attacks using newly released malware that disrupted a large segment of the Internet in the United States last month.

The distributed denial of service attack on the Internet infrastructure company Dyn showed how attackers can harness poorly secured inter-connected devices, collectively known as the Internet of Things, the FBI stated in a notice to industry on October 26.

"The exploitation of the 'Internet of Things' (IOT) to conduct small-to-large scale attacks on the private industry will very likely continue due to the open availability of the malware source codes for targeting IoT devices and insufficient IOT device security," the FBI's Task Force stated in the notice.

The October 21 cyber attack targeted Dyn, a company that provides managed domain name system (DNS) hosting, the service that translates human-readable web addresses into the numerical addresses used on the Internet.

More than 80 websites became unreachable in at least two waves of attacks that used a variation of the Mirai malware, according to the FBI.

Two earlier major cyber attacks using the same malware and botnets knocked out a gaming server and a cyber security blog in September, the FBI said.

The cyber security blog was Krebs on Security, run by investigative journalist Brian Krebs. The blog was hit by Mirai malware in one of the largest cyber attacks of its kind on record.

According to security analysts, Mirai scans the Internet for connected devices that accept Telnet logins and tries a built-in list of 62 commonly used username and password pairs against each one it finds.

The hacker who developed Mirai has boasted that the software has hijacked over 380,000 devices, which were used in the Krebs on Security attack.

Mirai malware also was used to attack the French web hosting service OVH.

The web devices that were used in the September cyber attacks involved mainly home routers, network-enabled cameras, and digital video recorders.

A separate family of Internet of Things malware known as Bashlite (also called Gafgyt) is said to be engaged in similar cyber attacks that exploit weak default usernames and passwords.

"Recent reporting demonstrates that botnets comprised of [Internet of Things] devices can be used to conduct unprecedented and powerful attacks that can take down websites," the FBI notice said.

The hackers behind the attack have not been identified, the FBI said.

"Despite certain groups claiming responsibility in open source, the FBI does not have any confirmation of a group or individuals responsible for the DDoS," the notice said.

Director of National Intelligence James Clapper stated last month that early indications are a "non-state actor" was behind the attack and that it did not appear to be carried out by a foreign nation's hackers.

A pro-Wikileaks group known as New World Hackers tweeted on October 22 that it was behind the Dyn attacks. The claim could not be verified.

The cyber attack followed the release of the Mirai source code on the Internet. The publication of the source code allowed other hackers to set up their own botnets, large networks of hijacked Internet-linked devices that can be directed to flood a target with automated requests, in this case domain name lookups aimed at Dyn's servers.

The flood of requests overloaded Dyn's servers and disrupted service to major companies that relied on them, including Twitter, PayPal, Spotify, Amazon AWS, Amazon Ads, and Reddit.

A Dyn security official said the company detected "tens of millions" of Internet addresses linked to the Mirai botnet.

The code took control of large numbers of electronic devices networked through the Internet, including webcams, security cameras, DVRs, smart TVs, routers, and similar devices.

A particular concern is the increase in attacks against devices that run Linux, the open-source operating system found on much of this equipment. Dozens of new malware variations have been targeting Linux-based devices.

"Most of the Linux malware variants scan the internet for IOT devices that accept Telnet, which is used to log into a device remotely, and try to connect to vulnerable devices by using brute force attacks with common default login credentials," the notice states.
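The two passages above describe the same technique from opposite ends: Mirai tries a fixed list of default username/password pairs against any device that accepts Telnet. The following is an added example, not code from the article, the FBI notice or the Mirai project, showing how a defender would spot that pattern in device login logs and vet a device's own credentials against the list. The log format, the `telnetd` line layout and the IP addresses are constructed for illustration; the credential pairs are an excerpt of the default list shipped in Mirai's published source, not the complete list of 62.

```python
"""Spot Mirai-style Telnet credential brute forcing in device login logs.

Added example: the log format and IP addresses are constructed for
illustration; the credential pairs are an excerpt of the default list in
Mirai's published source, not the complete list.
"""
import re
from collections import defaultdict

# Excerpt (not all 62 entries) of username/password pairs from the
# published Mirai scanner. Any device still accepting one of these over
# Telnet is a candidate for recruitment into the botnet.
MIRAI_DEFAULTS = frozenset({
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "xmhdipc"),
    ("root", "default"), ("root", "juantech"), ("root", "123456"),
    ("support", "support"), ("admin", "password"), ("root", "root"),
    ("user", "user"), ("guest", "guest"), ("ubnt", "ubnt"),
})

# Mirai's scanner targets Telnet on the standard port and on 2323.
TELNET_PORTS = {23, 2323}

# Constructed key=value syslog lines from a hypothetical telnetd that
# records every login attempt (no real device produced these).
SAMPLE_LOG = """\
2016-10-19T02:14:01Z telnetd: login src=203.0.113.7 dport=23 user=root pass=xc3511 result=fail
2016-10-19T02:14:02Z telnetd: login src=203.0.113.7 dport=23 user=root pass=vizxv result=fail
2016-10-19T02:14:02Z telnetd: login src=203.0.113.7 dport=23 user=admin pass=admin result=fail
2016-10-19T02:14:03Z telnetd: login src=203.0.113.7 dport=23 user=root pass=888888 result=fail
2016-10-19T02:14:04Z telnetd: login src=203.0.113.7 dport=23 user=root pass=juantech result=ok
2016-10-19T02:20:11Z telnetd: login src=198.51.100.22 dport=23 user=operator pass=S3cure!x9 result=fail
2016-10-19T02:31:40Z telnetd: login src=192.0.2.9 dport=2323 user=root pass=default result=fail
2016-10-19T02:31:41Z telnetd: login src=192.0.2.9 dport=2323 user=root pass=admin result=fail
2016-10-19T02:31:42Z telnetd: login src=192.0.2.9 dport=2323 user=root pass=toor result=fail
2016-10-19T02:40:00Z sshd: Accepted publickey for ops from 198.51.100.50 port 51222
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnetd: login src=(?P<src>\S+) dport=(?P<dport>\d+) "
    r"user=(?P<user>\S*) pass=(?P<pass>\S*) result=(?P<result>ok|fail)$"
)


def is_default_credential(user, password):
    """True if the pair is one Mirai would try; use it to vet a device's own login."""
    return (user, password) in MIRAI_DEFAULTS


def parse_line(line):
    """Return a dict for a telnetd login line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def analyze(log_text, attempt_threshold=3):
    """Group Telnet login attempts by source and flag Mirai-style activity.

    A source is flagged when it makes at least `attempt_threshold` attempts
    and at least one of them uses a known default pair, or when any default
    pair actually succeeds (a compromised device, not just a scan).
    """
    per_src = defaultdict(lambda: {"attempts": 0, "default_hits": 0,
                                   "compromised": False, "ports": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] not in TELNET_PORTS:
            continue
        entry = per_src[rec["src"]]
        entry["attempts"] += 1
        entry["ports"].add(rec["dport"])
        if is_default_credential(rec["user"], rec["pass"]):
            entry["default_hits"] += 1
            if rec["result"] == "ok":
                entry["compromised"] = True
    for entry in per_src.values():
        entry["flagged"] = entry["compromised"] or (
            entry["attempts"] >= attempt_threshold and entry["default_hits"] > 0)
    return dict(per_src)


if __name__ == "__main__":
    for src, info in analyze(SAMPLE_LOG).items():
        status = ("COMPROMISED" if info["compromised"]
                  else "suspect" if info["flagged"] else "ok")
        print(f"{src:16} attempts={info['attempts']} "
              f"defaults={info['default_hits']} {status}")
```

On the constructed log, the source that cycles through five Mirai pairs and finally logs in as `root/juantech` is reported as compromised, the source probing port 2323 with two default pairs is flagged as a scan, and the single failed non-default login is left alone. The same `is_default_credential` check, run against a device's configured account before it is exposed to the Internet, is the cheapest way to take it off Mirai's target list.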

To limit the impact of large-scale cyber attacks like the Dyn incident, the FBI recommended that companies prepare to respond to them, including by backing up data and keeping sensitive and proprietary data in separate locations.

Firewalls can be used to filter denial of service traffic and to restrict remote access to Internet of Things devices, many of which ship with easily guessed default log-in credentials that should be changed before the device is connected.

The Department of Homeland Security's U.S. Computer Emergency Readiness Team has issued a report for countering large-scale denial of service attacks.

FBI spokesman Raushaunah Muhammad said the notice is part of the FBI's public-private partnerships.

"The FBI routinely advises private industry of various cyber threat indicators observed during the course of our investigations," Muhammad said. "This data is provided in order to help systems administrators guard against the actions of persistent cyber criminals."
