04 Botnet Analysis

Since 2007, IoT devices have been targeted incessantly by adversaries who try to co-opt them into their botnet armies. Unfortunately, such attacks are often successful because most IoT devices sit behind consumer-grade firewalls—or worse, no firewall at all. In fact, many consumer IoT devices have little to no security, and they’re often installed using only default credentials, thereby rolling out a welcome mat for attackers.

Attacks from DDoS botnets on residential networks have limited power because most home users lack high-powered bandwidth. As a result, botnet operators have favored reflection/amplification attacks over direct-path attacks.

As is often the case, adversaries are now taking a fresh look at overcoming the limitations of residential devices by using server-class devices to push past the network limitations of home environments. This was first seen with Mēris leveraging HTTP pipelining to launch fast request-per-second (rps) attacks against sites such as Krebs on Security. The success of those attacks quickly led other attackers to piggyback on the same device vulnerabilities the Mēris botnet exploited, using Dvinis to launch even more high-powered attacks. Attackers also used Mirai code branches to take advantage of vulnerabilities in GitLab and Confluence servers, effectively recruiting those servers into a server-class botnet army.

Enterprise-level bandwidth + server hardware = a new era in high-powered, high-throughput direct-path DDoS attacks

Mēris

To perform an after-action review (AAR) of Mēris, it’s necessary to look back to when CVE-2018-14847 was first identified in 2018. For three years, this vulnerability enabled adversaries to stealthily compromise MikroTik routers. Those efforts kicked into high gear in June 2021, coinciding with an increase in brute-forcing activity on our honeypot network, as reported in our 1H 2021 Threat Intelligence report. The vulnerability allows attackers to steal a device’s unencrypted usernames and passwords after exploitation. As a result, system updates alone failed to mitigate the problem, because attackers could still log in to patched devices with the stolen credentials.

The MikroTik platform enabled a retooling of malware, giving attackers access to a much higher level of bandwidth thanks to enterprise deployments of MikroTik devices. It also enabled adversaries to utilize more direct-path DDoS attacks and application-layer attacks.

Mēris Botnet Snapshot

First Seen: June 2021
Current Active Nodes: ~2,000
Peak Active Nodes: ~4,800
Attacks to Date: ~4,000
Maximum Attack Size: ~337 Gbps
Average Attack Size: ~7 Gbps

Mēris Scanning Details

Mēris nodes continue to bombard our global honeypot with brute-force attempts on RDP, SSH, and Telnet, coinciding with exploitation attempts directly related to the MikroTik router vulnerability.

Mēris Credential Set

The 1H 2021 Threat Intelligence report highlights a series of MikroTik-specific credential sets that appeared around the time an increase in exploitation of MikroTik routers using CVE-2018-14847 took place. In addition to MikroTik-specific credentials, these username and password combinations were used in an attempt to access our honeypots.

Dvinis

Unlike Mēris, Dvinis-sourced HTTP and HTTP/S application-layer DDoS attacks don’t appear to make use of HTTP pipelining. However, an apparent typo in the attack generators appends an extra “/” character to the end of the Uniform Resource Identifier (URI) targeted in HTTP POST and GET floods. This mistake makes it possible to track such activity back to Dvinis.

Additionally, it appears that most of the observed HTTP and HTTP/S DDoS attacks sourced from Dvinis are initiated by an external attack harness and then relayed via the SOCKS4/5 proxy subsystem that’s built into compromised MikroTik routers. The HTTP X-Forwarded-For field in captured attack packets includes the source IP addresses of the actual attack infrastructure being used to generate these attacks.
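Added example (not part of the report): a small Python detector that applies the two tracking clues above, the stray trailing “/” on the URI and the X-Forwarded-For value left behind by the SOCKS relay, to constructed web-server log lines. The log format (combined format with X-Forwarded-For as a final quoted field), the sample IPs and the known_paths inventory are assumptions.

```python
import re
from collections import defaultdict

# Assumed log format: combined format plus X-Forwarded-For as a last quoted field.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'\d+ \d+ "[^"]*" "[^"]*" "(?P<xff>[^"]*)"$'
)

# Constructed sample lines (RFC 5737 documentation addresses); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Oct/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"
198.51.100.7 - - [12/Oct/2021:10:00:01 +0000] "POST /login/ HTTP/1.1" 200 128 "-" "curl/7.68" "192.0.2.44"
198.51.100.7 - - [12/Oct/2021:10:00:01 +0000] "GET /index.php/ HTTP/1.1" 404 0 "-" "curl/7.68" "192.0.2.44"
198.51.100.9 - - [12/Oct/2021:10:00:02 +0000] "GET // HTTP/1.1" 200 512 "-" "curl/7.68" "192.0.2.45"
203.0.113.11 - - [12/Oct/2021:10:00:02 +0000] "GET /blog/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "-"
"""

def is_suspect_uri(target, known_paths):
    """Flag the extra trailing '/' described in the report: the path ends in '/',
    the site does not serve it in that form, but it does serve the same path
    without the slash. known_paths is the site's own URI inventory (assumed)."""
    path = target.split("?", 1)[0]
    if path == "/" or not path.endswith("/"):
        return False
    stripped = path[:-1] or "/"
    return path not in known_paths and stripped in known_paths

def find_dvinis_like_floods(log_text, known_paths):
    """Return {upstream_ip: count} of flagged GET/POST requests. When the relay
    added X-Forwarded-For, key on that value (the harness behind the proxy),
    otherwise on the connecting source address."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] not in ("GET", "POST"):
            continue
        if is_suspect_uri(m["target"], known_paths):
            xff = m["xff"].split(",")[0].strip()
            upstream = xff if xff not in ("", "-") else m["src"]
            hits[upstream] += 1
    return dict(hits)

if __name__ == "__main__":
    inventory = {"/", "/login", "/index.php", "/blog/"}
    for ip, n in find_dvinis_like_floods(SAMPLE_LOG, inventory).items():
        print(f"{ip}: {n} suspect request(s)")
```

The X-Forwarded-For key groups the floods by the infrastructure behind the relaying router, which is the pivot the report describes, rather than by the router address itself.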

Dvinis Botnet Snapshot

First Seen: September 2021
Current Active Nodes: ~24,000
Peak Active Nodes: ~24,000
Attacks to Date: ~29,000
Maximum Attack Size: ~463 Gbps
Average Attack Size: ~3 Gbps

Dvinis Scanning Details

As with Mēris, the botted nodes of Dvinis try to propagate across Telnet, SSH, and RDP. Given the massive increase of Dvinis-compromised devices since this activity began, it’s clear that spreading attempts have scaled with the increase.

Dvinis Credential Set

Dvinis bots use many of the same top username and password combinations to spread. This likely reflects attempts to compromise the same kinds of devices by reusing combinations that are known to work. The biggest difference is in the number of attempts, given that Dvinis has scaled much larger than Mēris.

GitMirai

Attackers intent on wreaking havoc use GitLab servers to launch terabit-level attacks with incredible throughput. The CVE-2021-22205 vulnerability, patched in April 2021, allowed botnet commanders to exploit unpatched GitLab servers with a variant of Mirai and the Gitpaste-12 bot, so named by Juniper Networks because it has access to GitLab servers and 12 DDoS attack modules. A report from The Record has so far revealed one attack in the terabit range, and ASERT believes it’s only the beginning of bot masters refocusing their attention on server-class devices to host their bot code.

To track the size of this botnet, we examined open ports on GitLab servers (TCP 9418, 80, and 443) and scanned to verify the number of servers. We then correlated the identified servers to our global DDoS attack sensor network to see which had participated in DDoS attacks against our customers in order to ascertain the botnet’s level of activity and impact.

GitMirai Botnet Snapshot

First Seen: November 2021
Current Active Nodes: ~3,800
Peak Active Nodes: ~3,800
Attacks to Date: ~16,000
Maximum Attack Size: ~514 Gbps
Average Attack Size: ~5.4 Gbps

GitMirai Scanning Details

GitMirai Credential Set