
The Mirai attack on embedded devices could just be the beginning

The Mirai malware that attacked about 500,000 connected devices last year could just be the beginning of a new kind of hacking activity and could lead to other more advanced attacks in the future, according to a security research and advisory company.

In a webinar organized by Memoori, Billy Rios, Founder of WhiteScope, pointed out that because Mirai's source code is available online, other hackers could build on it and come up with their own code.

“It will certainly grow,” said Rios. “No one knows what the motivations of the persons or the group that wrote this were and why they wanted to open source it. I think one of the most popular theories is that Mirai was somewhat special in that it attacked embedded devices in a way that was unique.”

It essentially had a build for every processor architecture out there. What people suspect is that if one group were to keep using this malware, it might single them out and spark law enforcement activity to find who these people are. Because the malware was open sourced, everyone has it, and it is going to be extremely difficult to attribute it to any group or individual.

“Literally anyone can take the malware code now, modify or create their own code and so it’s going to be difficult to pin down future attacks against one group,” Rios said.

Mirai, the future of attacks
In September 2016, Mirai caused one of the largest distributed denial of service (DDoS) attacks ever seen. It was not the largest DDoS ever recorded, but it was one of the largest direct (non-amplified) attacks people had ever seen.

"What I mean by it is that there are DDoS attacks that were larger than what Mirai had initiated, which were actually taking advantage of what they call amplification where one of the systems could make a small request, and will result in a huge response to do a DDoS,” Rios said. “Mirai actually didn't do that. Mirai just attacked the devices directly."

The attackers targeted many different kinds of devices. This is notable because people usually assume their systems hold nothing of interest to hackers and are therefore safe. Mirai disproved that assumption: it was even used to attack a journalist's website. So it’s not just critical infrastructure or large governmental and corporate networks that are now vulnerable to hackers, but even personal spaces like residential security devices.

"There was a lot of news about a Chinese firm that admitted that their devices were kind of involved in these attacks, and so a lot of people kind of focused on Chinese firms and their DVR technology and their smart camera technology," Rios said. “I want to fill you in on our experience when working with Mirai. It actually all started with a phone call. So we get a phone call from a manufacturer and it was not a Chinese manufacturer, it was a North American manufacturer. They had called us to say that they needed some help with a situation.”


The situation was that the manufacturer had been contacted by law enforcement. Law enforcement informed the manufacturer that its device was also targeted by Mirai and that many infected units were participating in DDoS attacks.

"I want to make it clear to explain the situation here - the manufacturer of these devices didn't even realize that their devices were being compromised and being pulled into this large botnet that was then in turn being used to attack journalists and financial institutions and some of the core infrastructure of the internet. The law enforcement agency had to tell the manufacturer that this was going on and when they told the manufacturer, the manufacturer had no idea what they were supposed to do, so they ended up contacting us."

WhiteScope looked at the malware and found several interesting points. A month or two after they had looked at it, someone had actually released the source code of Mirai on the internet.

The first thing they found interesting was that Mirai was built to run on embedded devices. Mirai could run on essentially any embedded device out there. If you have a building automation controller or thermostat running a real-time operating system, Mirai has been compiled to run on that operating system and that processor architecture.

Much more than DDoS
One of the other things that made Mirai special was that it was easily configurable. Mirai did a lot of things autonomously, but it also let an operator control the infected devices directly. That means someone is inside your network. There was a lot of focus on the DDoS itself, but what one has to remember is that if your device is participating in this attack, someone actually has access to your network and is able to control your device.

This is something that WhiteScope had to get a lot of folks to understand, especially when they started to get the law enforcement notifications saying that a device in their infrastructure is participating in an attack against the critical infrastructure of the internet.

DDoS is just one attack, and bad enough in itself. But what users need to understand is that the device is compromised: whoever is driving the DDoS can also use the device to reach the network it sits on. "We know that your CCTV, HVAC or Access control systems usually reside on a single network." So if you get a notice that your device is participating in a DDoS attack, you need to stop the attack, but you also want to understand whether or not someone leveraged your device to take advantage of the network the device is in.
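As an added example (not from the article or from WhiteScope), the triage step described above over constructed flow records: flag internal devices that flood a single external host, and list any internal hosts they reached beyond their expected peers, since the second finding is what turns a DDoS nuisance into a network intrusion. The addresses, the 10.0.0.0/8 internal range, the NVR peer list and the packet threshold are assumptions.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flow records (src, dst, dst_port, packets); not real data.
# 10.0.5.20 is a hypothetical camera pulled into a DDoS and then used as a
# foothold; 10.0.5.21 is a healthy camera talking only to its NVR and NTP.
SAMPLE_FLOWS = [
    ("10.0.5.20", "203.0.113.9", 80, 4000),   # camera hammering one external host
    ("10.0.5.20", "203.0.113.9", 80, 3900),
    ("10.0.5.20", "203.0.113.9", 80, 4100),
    ("10.0.5.20", "10.0.5.2", 554, 30),        # camera -> NVR (expected)
    ("10.0.5.20", "10.0.7.15", 445, 12),       # camera -> file server (unexpected)
    ("10.0.5.20", "10.0.7.40", 22, 3),         # camera -> another internal host
    ("10.0.5.21", "10.0.5.2", 554, 35),        # healthy camera -> NVR only
    ("10.0.5.21", "198.51.100.4", 123, 2),     # NTP, low volume
]

INTERNAL = ip_network("10.0.0.0/8")          # assumed internal address range
EXPECTED_PEERS = {"10.0.5.2"}                # hypothetical NVR cameras may talk to


def triage(flows, ddos_packets=10000, expected_peers=EXPECTED_PEERS):
    """Return {device: {"ddos_target", "packets", "lateral"}} for internal devices
    that either flood one external host or talk to internal hosts beyond their
    expected peers. Any device listed should be treated as compromised."""
    ext_pkts = defaultdict(Counter)   # src -> Counter(external dst -> packets)
    lateral = defaultdict(set)        # src -> {(internal dst, port)} not expected
    for src, dst, port, pkts in flows:
        if ip_address(src) not in INTERNAL:
            continue                  # only triage our own devices
        if ip_address(dst) in INTERNAL:
            if dst not in expected_peers:
                lateral[src].add((dst, port))
        else:
            ext_pkts[src][dst] += pkts
    report = {}
    for dev in set(ext_pkts) | set(lateral):
        target, pkts = (ext_pkts[dev].most_common(1) or [(None, 0)])[0]
        flooding = pkts >= ddos_packets
        if flooding or lateral[dev]:
            report[dev] = {
                "ddos_target": target if flooding else None,
                "packets": pkts,
                "lateral": sorted(lateral[dev]),
            }
    return report
```

Devices that appear only because of lateral entries (no flooding) still belong in the report: the botnet operator may have used the foothold without ever launching a DDoS from that unit.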

Mirai also did not limit itself to one or two types of attacks, it had several kinds included in the source code.