
Mirai: New wave of IoT botnet attacks hits Germany 

11-29-2016 07:06 AM

A new wave of attacks involving the Mirai botnet has crippled internet access for nearly a million home users in Germany. The latest attacks used a new version of the Mirai malware (Linux.Mirai) which is configured to exploit a weakness found in routers widely used in Germany.

While the original Mirai malware (Linux.Gafgyt) spread by brute-forcing the default Telnet credentials of a range of routers and other embedded devices, this latest variant exploits a weakness in the routers' implementation of the CPE WAN Management Protocol (CWMP, also known as TR-069), the remote-management service ISPs use to administer customer equipment. On the affected devices that service listens on TCP port 7547 and was reachable from the internet rather than only from the ISP's management network, so any host that could connect to the port could attempt the exploit.

According to Germany's Federal Office for Information Security (BSI) (German language link), the attacks began on Sunday November 27 and continued into Monday.

Although the bot payload was not able to infect Deutsche Telekom home routers, the volume of traffic generated by already-infected devices scanning for vulnerable targets overwhelmed the routers and cut some customers off from the internet. Deutsche Telekom has issued patches for three of its routers (German language link) that were affected by the attacks. The company has advised customers to apply the update by turning off their router for 30 seconds and powering it back on; when the router restarts, it automatically downloads the new software from Deutsche Telekom's server.
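The scanning traffic described above is visible on any gateway that logs dropped inbound connection attempts. The following Python script is an added example and is not part of the original post or of any Symantec product: it parses netfilter-style firewall log lines (the sample lines are constructed, not real traffic) and raises an alert when many distinct sources send SYNs to the CWMP port 7547, or to the Telnet ports the original Mirai brute-forced, within the same minute. The log format, the watched ports and the threshold are assumptions to adapt to your own gateway.

```python
import re
from collections import Counter, defaultdict

# Ports Mirai-family bots probe: TCP/7547 (the CWMP/TR-069 management port
# abused in the German attacks) and the Telnet ports the original variant
# brute-forced. Assumption: adjust to the services your devices expose.
WATCH_PORTS = {7547: "CWMP/TR-069", 23: "Telnet", 2323: "Telnet (alt)"}

# Matches an inbound TCP SYN in netfilter LOG format, capturing the timestamp
# truncated to the minute, the source address and the destination port.
LINE_RE = re.compile(
    r"^(?P<minute>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d):\d\d .*?"
    r"SRC=(?P<src>[\d.]+) .*?PROTO=TCP .*?DPT=(?P<dport>\d+) .*?\bSYN\b"
)

# Constructed sample log (not real traffic): a burst of SYNs to 7547 from six
# distinct sources inside one minute, one lone Telnet probe, and background noise.
SAMPLE_LOG = """\
Nov 27 14:02:11 gw kernel: [FW-IN] IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 TTL=52 PROTO=TCP SPT=40123 DPT=7547 WINDOW=29200 SYN URGP=0
Nov 27 14:02:12 gw kernel: [FW-IN] IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.10 TTL=48 PROTO=TCP SPT=51002 DPT=7547 WINDOW=29200 SYN URGP=0
Nov 27 14:02:12 gw kernel: [FW-IN] IN=eth0 OUT= SRC=192.0.2.150 DST=198.51.100.10 TTL=55 PROTO=TCP SPT=33879 DPT=7547 WINDOW=29200 SYN URGP=0
Nov 27 14:02:13 gw kernel: [FW-IN] IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.10 TTL=50 PROTO=TCP SPT=42211 DPT=7547 WINDOW=29200 SYN URGP=0
Nov 27 14:02:14 gw kernel: [FW-IN] IN=eth0 OUT= SRC=192.0.2.91 DST=198.51.100.10 TTL=47 PROTO=TCP SPT=39990 DPT=7547 WINDOW=29200 SYN URGP=0
Nov 27 14:02:14 gw kernel: [FW-IN] IN=eth0 OUT= SRC=203.0.113.130 DST=198.51.100.10 TTL=53 PROTO=TCP SPT=45678 DPT=7547 WINDOW=29200 SYN URGP=0
Nov 27 14:02:15 gw kernel: [FW-IN] IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 TTL=52 PROTO=TCP SPT=40124 DPT=7547 WINDOW=29200 SYN URGP=0
Nov 27 14:02:16 gw kernel: [FW-IN] IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.10 TTL=60 PROTO=TCP SPT=56001 DPT=23 WINDOW=14600 SYN URGP=0
Nov 27 14:02:20 gw kernel: [FW-IN] IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.10 TTL=60 PROTO=UDP SPT=5353 DPT=53 LEN=40
Nov 27 14:03:01 gw kernel: [FW-IN] IN=eth0 OUT= SRC=203.0.113.200 DST=198.51.100.10 TTL=51 PROTO=TCP SPT=61000 DPT=443 WINDOW=65535 SYN URGP=0
"""


def parse_syn(line):
    """Return (minute, src, dport) for an inbound TCP SYN log line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("minute"), m.group("src"), int(m.group("dport"))


def detect_scans(lines, min_sources=5):
    """Flag (minute, port) buckets in which at least min_sources distinct hosts
    sent SYNs to a watched port. Many unrelated sources hitting one management
    port in the same minute is the signature of a worm hunting for targets,
    not of a legitimate administrator."""
    sources = defaultdict(set)  # (minute, dport) -> set of SRC addresses
    for line in lines:
        parsed = parse_syn(line)
        if parsed is None:
            continue
        minute, src, dport = parsed
        if dport in WATCH_PORTS:
            sources[(minute, dport)].add(src)
    alerts = []
    for (minute, dport), srcs in sorted(sources.items()):
        if len(srcs) >= min_sources:
            alerts.append({"minute": minute, "dport": dport,
                           "service": WATCH_PORTS[dport],
                           "distinct_sources": len(srcs)})
    return alerts


def top_sources(lines, n=3):
    """Most active sources probing watched ports, as (src, count) pairs; these
    are the addresses to block or report to the upstream provider."""
    counts = Counter()
    for line in lines:
        parsed = parse_syn(line)
        if parsed is not None and parsed[2] in WATCH_PORTS:
            counts[parsed[1]] += 1
    return counts.most_common(n)


if __name__ == "__main__":
    log_lines = SAMPLE_LOG.splitlines()
    for alert in detect_scans(log_lines):
        print(f"{alert['minute']}: {alert['distinct_sources']} distinct sources "
              f"probed {alert['service']} (tcp/{alert['dport']})")
    print("most active scanners:", top_sources(log_lines))
```

The single Telnet SYN stays below the threshold, which is the intended behaviour: a lone probe is noise, a burst from many sources inside one minute is a campaign. Feed the script real lines with `python3 scan_alert.py < /var/log/kern.log` after replacing `SAMPLE_LOG` with `sys.stdin`.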

ZyXEL routers used by Irish telecoms firm Eir are also understood to be vulnerable to these attacks. The company said all potentially affected modems are now protected with network mitigation while it continues to deploy a firmware patch. Eir also advised customers with affected modems to change the administrative and Wi-Fi passwords.

Virulent threat to IoT devices

Mirai first appeared in September 2016, when it was used in a huge distributed denial of service (DDoS) attack against the website of journalist Brian Krebs. The malware has since spread quickly, infecting a range of IoT devices including routers, digital video recorders and web-enabled security cameras. It caused major disruption in October 2016, when it powered a DDoS attack on domain name system (DNS) provider Dyn that temporarily knocked a number of major websites offline, including Spotify, Twitter, and PayPal.

Guarding against attack

Users of IoT devices should take a number of precautionary measures to minimize the risk of infection from Mirai and similar threats:

  • Research the capabilities and security features of an IoT device before purchase
  • Perform an audit of IoT devices used on your network
  • Change the default credentials on devices. Use strong and unique passwords for device accounts and Wi-Fi networks.
  • Use a strong encryption method when setting up Wi-Fi network access (WPA2 with AES; the older WPA and WEP are not strong)
  • Disable features and services that are not required
  • Disable Telnet login and use SSH where possible
  • Disable Universal Plug and Play (UPnP) on routers unless absolutely necessary
  • Modify the default privacy and security settings of IoT devices according to your requirements and security policy
  • Disable or protect remote access to IoT devices when not needed
  • Use wired connections instead of wireless where possible
  • Regularly check the manufacturer’s website for firmware updates
  • Ensure that a hardware outage does not leave the device in an insecure state
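Several of the points above (audit the devices on your network, disable Telnet, disable UPnP, lock down remote management) can be checked in one pass with a port scan of your own network. The Python script below is an added example and not part of the original post: it parses nmap's grepable (-oG) output and reports each host whose open ports violate those recommendations. The scan output embedded here is constructed for illustration, and the rule list and severities are assumptions to tune to your own policy.

```python
import re

# Checks applied to each host's open ports. Assumption: this rule list and the
# severities are illustrative; adapt them to your own policy.
RULES = [
    # (port, proto, severity, finding)
    (23, "tcp", "high", "Telnet open: disable it and use SSH"),
    (2323, "tcp", "high", "Telnet on alternate port open: disable it"),
    (7547, "tcp", "high", "CWMP/TR-069 management port reachable: restrict it to "
                          "the ISP's management network or disable it"),
    (1900, "udp", "medium", "UPnP (SSDP) enabled: disable unless a device needs it"),
    (80, "tcp", "low", "Plain-HTTP admin interface: prefer HTTPS and change "
                       "default credentials"),
]
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

# One "Host:" line per host in nmap's grepable format; port entries are
# port/state/proto/owner/service/rpc/version, separated by ", ".
HOST_RE = re.compile(r"^Host: (?P<ip>\S+) \((?P<name>[^)]*)\)\tPorts: (?P<ports>[^\t]*)")

# Constructed scan output (not a real scan) in the shape produced by, e.g.,
# nmap -sT -sU -p T:22,23,80,443,2323,7547,U:1900 192.168.1.0/24 -oG scan.gnmap
SAMPLE_GNMAP = """\
# Nmap scan initiated as: nmap -sT -sU -p T:22,23,80,443,2323,7547,U:1900 -oG scan.gnmap 192.168.1.0/24
Host: 192.168.1.1 (router.lan)\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, 80/open/tcp//http///, 443/filtered/tcp//https///, 7547/open/tcp//cwmp///, 1900/open/udp//upnp///\tIgnored State: closed (1)
Host: 192.168.1.20 (camera.lan)\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///\tIgnored State: closed (5)
Host: 192.168.1.30 (nas.lan)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (5)
# Nmap done -- 256 IP addresses (3 hosts up) scanned
"""


def parse_gnmap(text):
    """Map each scanned host to its set of open (port, proto) pairs."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and hosts that reported no ports
        open_ports = set()
        for entry in m.group("ports").split(","):
            fields = entry.strip().split("/")
            if len(fields) < 3:
                continue
            port, state, proto = fields[0], fields[1], fields[2]
            if state == "open":  # skip closed/filtered entries
                open_ports.add((int(port), proto))
        hosts[m.group("ip")] = {"name": m.group("name") or None, "ports": open_ports}
    return hosts


def audit(text):
    """Return one finding per (host, rule) match, highest severity first."""
    findings = []
    for ip, info in parse_gnmap(text).items():
        for port, proto, severity, message in RULES:
            if (port, proto) in info["ports"]:
                findings.append({"ip": ip, "name": info["name"],
                                 "port": f"{port}/{proto}",
                                 "severity": severity, "finding": message})
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["ip"]))
    return findings


def clean_hosts(text):
    """Hosts that were up but triggered no rule; still worth inventorying."""
    flagged = {f["ip"] for f in audit(text)}
    return sorted(ip for ip in parse_gnmap(text) if ip not in flagged)


if __name__ == "__main__":
    for f in audit(SAMPLE_GNMAP):
        print(f"[{f['severity']:6}] {f['ip']:15} {f['name'] or '-':12} "
              f"{f['port']:9} {f['finding']}")
    print("no findings:", ", ".join(clean_hosts(SAMPLE_GNMAP)))
```

Run the scan from inside the network to find what is exposed to other devices on the LAN, then repeat it from outside (a mobile connection or a remote host you control) against your public address: port 7547 or Telnet reachable from the internet is the condition that made the routers in this story exploitable.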

Protection

Symantec and Norton products protect against the Mirai Trojan with the following detections:

Further reading

To learn more about Mirai, read our blog—Mirai: what you need to know about the botnet behind recent major DDoS attacks


Comments

12-10-2016 10:30 AM

Good to know that Symantec already incorporated this in their antimalware solutions. On another note, the impact of DDOS attacks has increased greatly in recent years. 10-15 years ago most of the internet was about publishing information, however, today there are so many services that we access like Office 365, Azure, Amazon services etc. so a DDOS can mean full business interruption for the consumers of the service not just the company that hosts the servers.

12-09-2016 06:27 PM

This makes us question the direction that security has to take: just when one could think that a security breach could be met with a capacity to respond, they find new openings through which we can be affected. That is the eternal cycle!!! This makes me think about what comes next: how do I protect my television, my streaming devices for the TV or for music, my IP cameras? This gives an interesting turn toward the future with IoT, and what is Symantec's role going to be in this change that is taking place? In my opinion, it is catching us late.

12-09-2016 04:09 AM

A new wave of attacks involving the Mirai botnet has crippled internet access for nearly a million home users in Germany. The latest attacks used a new version of the Mirai malware (Linux.Gafgyt.B) which is configured to exploit a weakness found in routers widely used in Germany.

12-08-2016 02:37 PM

All great info regarding the outbreak of these IoT devices.   Since there is not a true standard on how these devices should be set up, the security that is implemented in most of them is appalling.

No encryption, crappy default username and passwords. open ports for remote administration.

This all will just allow these botnets to just keep growing.   

Governments should be holding these companies who create such shoddy devices accountable for their lame security design.

12-08-2016 02:51 AM

"The current state of IoT security is in bad shape, and will get a whole lot worse before it gets any better. The Mirai botnet, which is powered by 100,000 IoT devices that are insecure by default, is just the most obvious and topical example."

12-06-2016 07:41 AM

IoT is a new and scary world.  There needs to be end user awareness provided when consumers purchase devices that are connected to the Internet.  People need to be made aware of updates and best security practices for these devices.  Maybe vendors can push out automatic updates like they do with software products.

12-05-2016 09:23 AM

Remember that things like this shouldn't be blamed on the consumer. People are told "look at this amazing device it does this service for you using the internet" and place them on their network oblivious to consequences. Many people don't understand how the internet, viruses, and hacking work exactly and they can't be expected to when these things aren't discussed appropriately on a large scale in terms people can understand. Until tech manufacturers and companies begin to explain the dangers to the public and how to mitigate those factors, things like this will occur more and more.

12-05-2016 09:21 AM

That's very true, but it can't always be blamed on the consumer. People are told "look at this amazing device it does this service for you using the internet" and place them on their network oblivious to consequences. Many people don't understand how the internet, viruses, and hacking work exactly and they can't be expected to when these things aren't discussed appropriately on a large scale in terms people can understand. Until tech manufacturers and companies begin to explain the dangers to the public and how to mitigate those factors, things like this will occur more and more.

12-01-2016 02:31 PM

I've already been following most of these recommendations on my home network.  I've started doing Nessus scans on my devices as well just to make sure that things are not vulnerable.

12-01-2016 12:19 PM

Looks like the same vulnerability has been used in the UK: http://www.theregister.co.uk/2016/12/01/hull_router_attack/ Same router brand exploited in the same way. That said, it looks like this is a management port that should have been secured by the ISP prior to being sent out to customers. Would be interesting to see if this is something that was documented.

12-01-2016 09:29 AM

As security professionals we know the risks of using IoT.

The end user however doesn't share the same mindset.

Lucky for them Symantec has their back protecting them from their unknown...

Step 1 - research

Step 2 - update/patch

Step 3 - pray


12-01-2016 03:15 AM

Just crazy. An IoT device is basically a device that connects to the Internet. And to think that people connect it to the Internet without any protection scares me. For example, the recent case where a police officer plugged in his Iomega drive and it got exposed to the Internet, leaking sensitive data about security investigations by Europol.

All IoT devices NEED, at least by default, to FORCE the user to set a strong password before even allowing it out onto the wild Internet. With that, it will reduce the impact of infected devices.

Sadly, many hardware/software makers are not clued up on this. They just make it work, release it and don't think about the long term impact. They need to act & prevent this from happening BEFORE they even start making their device!

12-01-2016 01:52 AM

Most of us focus a lot on the endpoint and automate the patching whenever Microsoft releases a hotfix on Tuesday; it looks like that is far from enough, since a healthy PC can lose internet connectivity if the router is attacked by the botnet. That also reminds me how many companies still do not run antivirus on Linux and Unix systems; maybe it is time to change.

11-30-2016 12:11 PM

It's good that the router can auto download updates or this could have been a bother to fix.

Hopefully everyone will be informed how to do it or can get help

11-30-2016 10:41 AM

I read things like that and these warnings are fine for someone like me who is familiar with technology and the ramifications associated with its haphazard use but I always think back to someone's grandparents, or some teenager working at Best Buy who is explaining how to configure your new "Smart" microwave.  The more that these trivial devices become network aware, the more the attack surface is going to grow until we create a second, "Computer-Only" internet.  I don't see any light at the end of this tunnel.

11-30-2016 10:11 AM

These types of devices are being used more and more, I feel like they could easily be connected to your network without people realising the risk. I like the comment above and network discovery is probably the most important, if you don't know what you've got lurking how can you stand a chance at protecting yourself. Great article.

11-30-2016 09:39 AM

While step #1 is great (research what is going on with that IoT device you are looking into) I feel like many of the devices that get connected to your network are done w/o IT Security knowing or doing the research.

How many Chromecasts or SmartTVs or HVAC systems are in your network that your IT Security Team doesn't know about?

Doing the discovery in my mind is the more important thing.  I read a report that stated there are 25% more devices on the network than the Security Team knows about.  Thus Network Discovery in my mind is more important.  Understanding what is on your network should be a starting point.

11-30-2016 08:42 AM

Very interesting post @Symantec!  There seems to be a big trend on IoT devices being targeted lately...

In the future, maybe we will see some kind of solution from @Symantec that prevents these devices being targeted.  :D 

11-30-2016 08:31 AM

Another interesting post by Symantec. Good to raise awareness of the Mirai botnet, the scale of its use and the devices it can affect. Scary how it uses IoT and these can often be vulnerable. At least if you're running Symantec you can feel a bit safer.

11-30-2016 08:25 AM

It amazes me how many folks attach an IoT device to their network without realizing the security implications. It's also unfortunate that the vendor doesn't architect their product(s) with security in mind. Until that happens, these sorts of things will continue on. At least if you're running a Symantec product, you can feel a bit safer.

11-30-2016 04:32 AM

I am glad, Symantec is taking a tough stand against Mirai.

A DDoS attack is an aggressive sort of DoS attack, where DoS is short for denial of service.

A DoS is a bit like getting into the queue at the station to buy a ticket for the next train, only to have a time-waster squeeze in front of you and slow you down.

Mirai, as the malware is known, is badly programmed and unfinished, but that doesn’t matter.

https://www.symantec.com/connect/blogs/mirai-what-you-need-know-about-botnet-behind-recent-major-ddos-attacks

Regards,
