Mirai’s Botnet Tsunami

When the source code for the Mirai botnet was released in October of 2016, security journalist Brian Krebs had no trouble reading the tea leaves.  “The internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders, and other easily hackable devices,” noted Krebs, who was an original target of Mirai.

How right he was. Three years later, the impact of that singular event is still growing.

  • NETSCOUT’s ATLAS Security Engineering & Response Team (ASERT) currently tracks 20,000 variants of Mirai code.
  • Fueled by IoT botnets, global DDoS attack frequency grew by 39 percent between 1H 2018 and 1H 2019.
  • ASERT saw staggering growth of 776 percent in the number of attacks between 100 Gbps and 400 Gbps in size.
  • Working with our partner, Reversing Labs, the team plotted the number of Mirai samples and its variants over the past three years (see Figure 1).

Figure 1: Mirai-based Samples over the Past Three Years (Reversing Labs)

What’s next? More of the same

There are more vulnerable IoT devices connected to the internet than there are people on the planet, and that number is growing by 7 million per day. With these devices—be they home routers or industrial video monitoring systems—users assume that it’s safe to connect them to the internet and walk away. However, IoT device makers are more concerned with go-to-market strategies than with implementing security capabilities. As a result, many devices are still delivered with hardcoded usernames and passwords, unnecessary services enabled, and remotely exploitable vulnerabilities for which patches are rarely made available.

In other words, the proliferation of IoT devices is an all-you-can-eat smorgasbord for attackers. In the first half of 2019, NETSCOUT honeypots logged more than 61,220 unique attempts that used default or hard-coded administrative credentials to deliver a Mirai-malware variant. “Large botnet operators are continuously scanning for new devices, and on average, Mirai code and its variants can infect an IoT device within 60 seconds of it being connected to the internet,” said Gary Sockrider, Director of Security Technologist at NETSCOUT. And new devices aren’t the only things botnet operators look for. “They’re also looking to exploit newly discovered IoT vulnerabilities,” Sockrider said. “We talk a lot about DevOps and speeding the development process. Well, the attackers are doing the same thing. Their researchers are turning these exploits into attack targets within 5 days.”
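The honeypot figures above come from logging login attempts that use factory-default credentials. The script below is an added example, not NETSCOUT's tooling, showing what a defender can extract from such logs: how many distinct sources tried defaults, which sources cycled through several defaults (scanner behaviour), which attempt would have succeeded on a real device, and how quickly the first default-credential attempt arrived after the sensor came online. The log format, the credential list, the timestamps and the RFC 5737 addresses are all constructed for the example; a real honeypot such as Cowrie emits its own format and needs its own parser.

```python
"""Default-credential attempt detection over honeypot logs (added illustrative example).

The log format, the credential list and the addresses are constructed for this
example; a real honeypot (Cowrie, for instance) has its own format and parser.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of factory-default pairs. A production detector would load a
# vetted list of vendor defaults rather than hardcode a handful.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "1234"),
    ("root", "root"),
    ("root", "12345"),
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) proto=(?P<proto>\S+) "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<result>\S+)$"
)

# Constructed honeypot log using RFC 5737 documentation addresses.
SAMPLE_LOG = """\
2019-05-03T10:15:22Z src=198.51.100.23 proto=telnet user=root pass=12345 result=fail
2019-05-03T10:15:23Z src=198.51.100.23 proto=telnet user=admin pass=admin result=fail
2019-05-03T10:15:24Z src=198.51.100.23 proto=telnet user=root pass=root result=success
2019-05-03T10:15:40Z src=203.0.113.9 proto=telnet user=admin pass=1234 result=fail
2019-05-03T10:16:05Z src=203.0.113.77 proto=ssh user=ops pass=Tr0ub4dor-3 result=fail
2019-05-03T10:16:09Z src=203.0.113.9 proto=telnet user=admin pass=admin result=fail
"""

# Constructed: when this sensor was exposed to the internet.
HONEYPOT_ONLINE_AT = datetime(2019, 5, 3, 10, 15, 0, tzinfo=timezone.utc)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def analyze(log_text, online_at):
    """Summarise default-credential activity seen since the honeypot came online."""
    sources = set()
    default_attempts = 0
    pairs_per_source = defaultdict(set)   # which default pairs each source tried
    accepted = set()                      # sources whose default pair would have worked
    first_default = None
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        sources.add(rec["src"])
        pair = (rec["user"], rec["pw"])
        if pair not in DEFAULT_CREDENTIALS:
            continue
        default_attempts += 1
        pairs_per_source[rec["src"]].add(pair)
        if rec["result"] == "success":
            accepted.add(rec["src"])
        if first_default is None or rec["ts"] < first_default:
            first_default = rec["ts"]
    return {
        "unique_sources": len(sources),
        "default_attempts": default_attempts,
        # Sources cycling through several defaults behave like a Mirai-style scanner.
        "sweeping_sources": sorted(s for s, p in pairs_per_source.items() if len(p) >= 2),
        "accepted_default_sources": sorted(accepted),
        "seconds_to_first_default": (
            None if first_default is None else (first_default - online_at).total_seconds()
        ),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG, HONEYPOT_ONLINE_AT).items():
        print(f"{key}: {value}")
```

The "seconds to first default attempt" figure is the one to watch when exposing a new sensor: a short interval is direct evidence of the continuous scanning described above, and the sweeping-source list is the input a blocklist or threat-intelligence feed would be built from.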

What can be done?

Clearly, IoT device manufacturers aren’t going to invest in security any time soon. At the same time, sticking with the status quo is a recipe for disaster—there’s little to no management of the myriad devices communicating machine-to-machine with systems inside and outside the network. The question facing IT, network, and security teams today is: how do you reduce an attack surface that is growing every day? Here’s what I suggest:

  • Better visibility. In NETSCOUT’s 13th annual Worldwide Infrastructure Security Report (WISR), service providers expressed increasing concern over the impact of IoT-based DDoS attacks on their networks and those of their customers. At the same time, outbound and cross-bound DDoS attacks are not even monitored by 46 percent of service providers. This lack of visibility is a concern, as these attacks can still affect customer aggregation routers and the customer experience. Ideally, organizations should detect and deal with outbound and cross-bound attacks in the same way as inbound attacks.
  • Network segmentation. In the age of IoT, network segmentation is more important than ever. These vulnerable devices explode the attack surface and must be isolated and prevented from connecting to other systems and applications across the organization. For example, one slice for industrial IoT, another slice for environmental systems, another for printers, and so on.
  • Multi-layer DDoS defense. Mirai-based botnets are being used to launch application-layer attacks, volumetric attacks, and multi-vector attacks that combine multiple targets and techniques. Best-practice DDoS defense requires on-premises protection against application-layer attacks and cloud-based protection from large volumetric attacks.
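The first two suggestions, visibility into outbound and cross-bound traffic and segmentation of IoT devices, can be checked against the same flow data. The script below is an added example (not NETSCOUT's product logic) that runs over a window of flow records and reports three things: external destinations being flooded by several internal hosts at once (outbound DDoS participation), IoT-segment hosts talking to internal destinations outside their allowed set (segmentation violations), and any such cross-segment flow that is also high-volume (a cross-bound attack). The segment ranges, the single-entry allow-list, the thresholds and the flow records are all constructed for the example; a real deployment would feed NetFlow, IPFIX or sFlow exports and tune the thresholds to its own baseline.

```python
"""Outbound and cross-bound DDoS detection over flow records (added illustrative example).

Segment ranges, the allow-list and the flow records below are constructed; a
real deployment would consume NetFlow/IPFIX/sFlow exports and tune thresholds.
"""
import ipaddress
from collections import defaultdict

# Hypothetical segments: each device class gets its own slice of address space.
SEGMENTS = {
    "iot": ipaddress.ip_network("10.20.0.0/16"),
    "corp": ipaddress.ip_network("10.10.0.0/16"),
    "printers": ipaddress.ip_network("10.30.0.0/16"),
}
# Hypothetical policy: inside the organization, IoT devices may reach only the collector.
IOT_ALLOWED_DST = {"10.10.5.5"}

# Constructed flow records aggregated over one 10-second window:
# (src, dst, dst_port, proto, packets). External addresses are RFC 5737 ranges.
WINDOW_SECONDS = 10
FLOWS = [
    ("10.20.1.10", "192.0.2.50", 80, "udp", 120000),   # three IoT hosts hammer one target
    ("10.20.1.11", "192.0.2.50", 80, "udp", 118000),
    ("10.20.1.12", "192.0.2.50", 80, "udp", 121000),
    ("10.20.2.7", "10.10.5.5", 443, "tcp", 40),        # allowed: IoT -> collector
    ("10.20.3.3", "10.30.0.20", 9100, "tcp", 15),      # IoT -> printer segment, low volume
    ("10.20.1.10", "10.10.8.8", 80, "tcp", 95000),     # IoT -> corp host, high volume
    ("10.10.4.4", "198.51.100.1", 443, "tcp", 600),    # ordinary corp outbound traffic
    ("10.20.4.4", "192.0.2.99", 53, "udp", 30),        # single IoT host, low volume
]


def segment_of(ip):
    """Name the segment an address belongs to, or 'external' if none matches."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"


def detect(flows, window_seconds=WINDOW_SECONDS, min_sources=3, min_pps=5000):
    """Return outbound floods, segmentation violations and cross-bound floods."""
    outbound = defaultdict(lambda: {"sources": set(), "packets": 0})
    violations = []
    cross_bound_floods = []
    for src, dst, dport, proto, packets in flows:
        src_seg, dst_seg = segment_of(src), segment_of(dst)
        if src_seg == "external":
            continue  # inbound traffic is covered by the usual inbound defenses
        pps = packets / window_seconds
        if dst_seg == "external":
            # Aggregate per external destination: many internal sources at high
            # rate toward one target is the signature of outbound participation.
            outbound[dst]["sources"].add(src)
            outbound[dst]["packets"] += packets
        elif src_seg == "iot" and dst not in IOT_ALLOWED_DST:
            # Internal-to-internal flow that the segmentation policy should have blocked.
            violations.append((src, dst, dport))
            if pps >= min_pps:
                cross_bound_floods.append((src, dst, dport, pps))
    floods = {}
    for dst, agg in outbound.items():
        pps = agg["packets"] / window_seconds
        if len(agg["sources"]) >= min_sources and pps >= min_pps:
            floods[dst] = {"sources": sorted(agg["sources"]), "pps": pps}
    return {
        "outbound_floods": floods,
        "segmentation_violations": sorted(violations),
        "cross_bound_floods": sorted(cross_bound_floods),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(detect(FLOWS), indent=2))
```

The two thresholds encode the distinction the text draws: a single chatty host is an anomaly for the segmentation policy, while an outbound flood needs several internal sources converging on one destination at a rate well above normal. Any hit in the violations list also identifies an IoT host that the segmentation rules should already be isolating, which is the cheaper fix.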

To learn more about the impact of Mirai and its variants, download the NETSCOUT Threat Intelligence Report.