Thursday, October 27, 2016

Updates on the Dyn DDoS

In the aftermath of the Dyn DDoS attack too much is happening to fit into a comment on Tuesday's post. Below the fold, a roundup of the last two days' news from the IoT war zone.

Setting aside claims from Wikileaks and New World Hackers, attempts to attribute blame for last Friday's DDoS attack against the Dyn DNS service seem to agree that it was the work of "non-state actors":
Asked if the internet attack was done by a non-state actor, [US DNI James] Clapper said: "Yes, but I wouldn't want to be conclusively definitive about that yet," adding, "That's an early call."
AKA "amateur hackers":
Business risk intelligence firm FlashPoint has put out a preliminary analysis of last week’s massive denial of service attack against Dyn DNS, and its conclusion is it was likely the work of amateur hackers — rather than, as some had posited, state-sponsored actors perhaps funded by the Russian government.
Which is, of course, only reassuring if you don't think about it. Even less reassuring is Dyn's new estimate of how many IoT devices were involved in the attack:
With more time to analyse its logs, DNS provider Dyn reckons about 100,000 Mirai-infected home web-connected gadgets knocked it out last Friday.

In its latest analysis, product executive veep Scott Hilton writes: “We are still working on analyzing the data but the estimate at the time of this report is up to 100,000 malicious endpoints. We are able to confirm that a significant volume of attack traffic originated from Mirai-based botnets.”
That's less than 10% of the devices estimated to be already infected with Mirai. And new devices are compromised quickly:
The bad news is that the Mirai spreads so fast that a rebooted, clean, device gets re-infected in five minutes, according to the estimates of researchers who’ve been tracking the botnets.
The potential is much larger:
Security firm BullGuard, which this summer acquired IoT security startup Dojo-Labs, offers a free IoT scanner tool for consumers to check whether any of the devices connected to their home network have been indexed by the Shodan search engine, which lists publicly accessible IoT devices that may be vulnerable to hackers.

The company says consumers have scanned more than 100,000 unique IPs via this tool so far — with 4.6 per cent of these scans revealing vulnerabilities. Extrapolating that sample to the circa four billion connected devices that exist globally, BullGuard claims this could equate to around 185 million vulnerable IoT devices.
So a potential attack that used 10% of that resource would be 100 times larger than the Dyn DDoS. And copy-cat attacks are already happening; one hit Singapore-based network StarHub yesterday.

Desperate suggestions for mitigating the problem range from white-hats taking over the Things (a suggestion that's already been acted upon for other botnets):
Several hackers and security researchers agree that taking over the zombies in the Mirai botnet would be relatively easy. After all, if the “bad guys” Mirai can do it, a “good guys” Mirai—perhaps even controlled by the FBI—could do the same.
This isn't really an option:
given that the Mirai botnets are comprised of several disparate devices, made by several different companies, it’d be extremely hard to push an update that works for all of them, according to security researchers.

“I suspect a perfect white-hat fixer-upper virus is unfeasible,” Emin Gun Sirer, a professor at Cornell University, told me.

The real challenge of this whole scenario, however, is that despite being for good, this is still illegal.
Intel's proposal is equally impractical:
As for coping with the threat we face now, courtesy of millions of pathetically insecure consumer IoT devices, Schrecker’s proposed solution sounds elegantly simple, in theory at least: “Distribute, for example, gateways. Edge gateways that can contain a DDoS and are smart enough to talk to each other and help contain them that way.”
ISPs haven't deployed even the basic BCP38 filtering, so they're going to buy and deploy a whole lot of new hardware? But Intel's Schrecker is right about the threat:
If the operators behind these IoT-enabled botnets were to “point them at industry” instead of smaller targets such as individual journalists’ websites, as happened with infosec researcher Brian Krebs, the impact on the world economy could be “devastating”, he added.
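The BCP38 ingress filtering mentioned above is simple enough to model in a few lines. The following is an added example, not code from the post or from any ISP's equipment: an access router knows which prefixes were assigned to each customer-facing port, and under BCP38 it forwards a packet only when the packet's source address lies inside one of the prefixes for the port it arrived on, dropping spoofed sources at the edge before they can reach a target. The port names, prefixes and packets are constructed for the example.

```python
"""Minimal model of BCP38 ingress (source address) filtering.

Added example, not from the original post. Prefix assignments and the
sample packets below are constructed; the port names are hypothetical.
"""
import ipaddress
from collections import Counter

# Constructed example: prefixes assigned to each customer-facing interface.
CUSTOMER_PREFIXES = {
    "eth1": ["203.0.113.0/24"],
    "eth2": ["198.51.100.0/25", "198.51.100.128/26"],
}

# Constructed traffic: (ingress_port, source_ip, destination_ip).
SAMPLE_PACKETS = [
    ("eth1", "203.0.113.77", "192.0.2.10"),    # legitimate customer source
    ("eth2", "198.51.100.150", "192.0.2.10"),  # legitimate, second block on eth2
    ("eth1", "198.51.100.5", "192.0.2.10"),    # spoofed: belongs to eth2's customer
    ("eth2", "192.0.2.99", "192.0.2.10"),      # spoofed: assigned to no customer
]


def build_policy(prefixes_by_port):
    """Parse the prefix strings once into network objects keyed by port.

    strict=True rejects a prefix whose host bits are set, which usually
    means a typo in the assignment table rather than a real network.
    """
    return {
        port: [ipaddress.ip_network(p, strict=True) for p in nets]
        for port, nets in prefixes_by_port.items()
    }


def bcp38_permits(policy, ingress_port, source_ip):
    """Return True if source_ip is legitimate for the port it arrived on.

    A port with no assigned prefixes permits nothing: an unknown port is
    treated as misconfigured rather than as an open door.
    """
    src = ipaddress.ip_address(source_ip)
    return any(src in net for net in policy.get(ingress_port, []))


def filter_packets(policy, packets):
    """Split packets into forwarded and dropped lists.

    Returns (forwarded, dropped, drops_per_port); the per-port drop
    counter is what an operator would graph to spot a customer segment
    that has started emitting spoofed traffic.
    """
    forwarded, dropped = [], []
    for port, src, dst in packets:
        target = forwarded if bcp38_permits(policy, port, src) else dropped
        target.append((port, src, dst))
    drops_per_port = Counter(port for port, _, _ in dropped)
    return forwarded, dropped, drops_per_port


if __name__ == "__main__":
    policy = build_policy(CUSTOMER_PREFIXES)
    fwd, drp, per_port = filter_packets(policy, SAMPLE_PACKETS)
    for pkt in drp:
        print("dropped spoofed packet:", pkt)
    print("drops per port:", dict(per_port))
```

The point of the per-port counter is that the filter is also a sensor: a customer port whose drop count jumps is one whose devices have started forging sources, which is exactly the traffic a spoofing-capable botnet relies on.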
In other news of the Things, flaws in the protocol used to control most drones allow attackers to seize control from their owners, opening up lots of exciting new possibilities:
The widespread availability of hijacking devices comes with a tremendous number of consequences, some of them unsettling. One of the more frightening scenarios is someone using a device to hijack one or more devices that are in close proximity to a large number of people. Drones are capable of carrying large amounts of fuel that can burst into flames upon impact, as evidenced in this video.
Although most drones have yet to be connected to the Internet, many industrial control systems are. And of course they have vulnerabilities:
A vulnerability in Schneider Electric’s industrial controller management software created a possible mechanism for hackers to plant malicious code on industrial networks.

Industrial cybersecurity firm Indegy discovered the recently resolved flaw in Schneider Electric’s flagship industrial controller management software, Unity Pro. “The vulnerability in Unity Pro allows any user to remotely execute code directly on any computer on which this product is installed, in debug privileges,” Indegy warned in an advisory.
Mike Ahmadi, global director of critical systems security at Synopsys, added: "Security issues in control systems are widespread and continue to grow in numbers as researchers focus on uncovering them.”
Nice Internet you've got there. Shame if anything happened to it.


David. said...

What could possibly go wrong?

"Earlier this year, developers began rolling out the Web Bluetooth API, which is a foundational component of the evolving Web of Things, the application layer of the IoT. With Web Bluetooth, any Bluetooth Low Energy device—think smart lightbulbs, appliances, health monitors, door locks, and more—will be able to connect to the web through your browser.

Web Bluetooth enables you to control your Bluetooth devices directly from your browser without the need for a special app. But it also also lets you give websites permission to connect to your IoT devices."

David. said...

Andrew McGill's We Built a Fake Web Toaster, and It Was Hacked in an Hour reports on a honeypot "toaster":

"I switched on the server at 1:12 p.m. Wednesday, fully expecting to wait days—or weeks—to see a hack attempt.

Wrong! The first one came at 1:53 p.m.
The next hacking attempt, from a different IP address and using different login credentials, came at 2:07 p.m. Another came at 2:10. And then 2:40. And 2:48. In all, more than 300 different IP addresses attempted to hack my honeypot by 11:59 p.m. Many of them used the password “xc3511,” which was the factory default for many of the old webcams hijacked in last week’s attack.

The last attempted hack came 5 minutes ago, using the username root and the password root. (Yes, those are live figures; they were updated when you loaded this page.)"

This reinforces my point that there are already enough insecure Things out there to cause disaster. Solutions aimed at improving the security of new devices are good, but they don't fix the problem, and they will take time to deploy, during which more insecure devices will be connected.
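The honeypot figures quoted in the comment above (hundreds of distinct sources, a handful of factory-default credentials) are the kind of summary a defender wants from any Telnet honeypot or login log. The following is an added example, not code from the comment or from the article it quotes: it parses constructed log lines in an assumed format, counts distinct source addresses and attempts per source, and flags the credential pairs the comment names (root with "xc3511", and root/root) as a watchlist. The log format, addresses and watchlist are constructed for the example.

```python
"""Summarize login attempts recorded by a Telnet honeypot.

Added example, not from the original comment. The log line format is
assumed, the addresses and timestamps are constructed, and the watchlist
holds only the two credential pairs the comment mentions.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed honeypot log: one line per login attempt, plus one
# unrelated line to show that non-matching lines are skipped.
HONEYPOT_LOG = """\
2016-10-26 13:53:02 login src=192.0.2.15 user=root pass=xc3511
2016-10-26 14:07:41 login src=198.51.100.9 user=admin pass=admin
2016-10-26 14:10:19 login src=192.0.2.15 user=root pass=1234
2016-10-26 14:40:55 login src=203.0.113.77 user=root pass=xc3511
2016-10-26 14:48:03 login src=203.0.113.78 user=root pass=root
2016-10-26 15:00:00 session closed src=203.0.113.78
2016-10-26 23:59:00 login src=198.51.100.8 user=root pass=xc3511
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) login "
    r"src=(?P<src>\S+) user=(?P<user>\S*) pass=(?P<pw>\S*)$"
)

# Credential pairs named in the comment; a real watchlist would be longer.
WATCHLIST = {("root", "xc3511"), ("root", "root")}


def parse_log(text):
    """Return a list of attempt dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(d)
    return events


def summarize(events, watchlist=WATCHLIST):
    """Aggregate attempts the way the comment's article reports them."""
    attempts_per_source = Counter(e["src"] for e in events)
    credentials = Counter((e["user"], e["pw"]) for e in events)
    watchlist_sources = {
        e["src"] for e in events if (e["user"], e["pw"]) in watchlist
    }
    span = (events[-1]["ts"] - events[0]["ts"]) if events else None
    return {
        "attempts": len(events),
        "distinct_sources": len(attempts_per_source),
        "attempts_per_source": attempts_per_source,
        "top_credentials": credentials.most_common(3),
        "watchlist_sources": watchlist_sources,
        "span_seconds": span.total_seconds() if span else 0.0,
    }


if __name__ == "__main__":
    summary = summarize(parse_log(HONEYPOT_LOG))
    print(f"{summary['attempts']} attempts from "
          f"{summary['distinct_sources']} sources over "
          f"{summary['span_seconds'] / 3600:.1f} hours")
    print("most common credentials:", summary["top_credentials"])
    print("sources using watchlisted defaults:",
          sorted(summary["watchlist_sources"]))
```

The watchlist match is the useful signal: a source that tries a known factory default is almost certainly a scanner working from a fixed credential list rather than a human, so those addresses are the ones to block upstream or report to the owning network.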

David. said...

It's not just Bluetooth. Ultrasound is another malware channel:

"And this is just one of the problems Mavroudis and his colleagues discovered when examining the vulnerabilities of ultrasound-based technologies.

One worry is that these programs may not just be picking up ultrasound. “Any app that wants to use ultrasound needs access to the full range of the microphone,” says Mavroudis. That means it would be possible, in theory, for the app to spy on your conversation.

The ultrasonic audio beacons that these apps pick up can also be imitated. This means that hackers could create fake beacons to send unwanted or malicious messages to your device, like malware. Mavroudis and his team realised that this would be possible when they found evidence of people trying to cheat a shopping rewards app by recording the ‘silent’ beacons (or just downloading recordings from the Internet) and then playing them to the app to supercharge their reward points. “That was when we realised how easy it would be to spoof these,” he says."

David. said...

Chris Ducket at ZDNet uses the Australian census disaster as a way to comment on press coverage of DDoS attacks:

"As a multinational giant had its incompetence and fragility exposed -- and an almost AU$10 million contract turned into AU$30 million in remediation -- a discussion could have been had around outsourcing, getting value for money from taxpayer funds, consistent chipping away of the public sector, privacy implications, and whether an online Census is even a good idea at all.

But instead, as a quick Google search will show, the coverage instead focused on some cheap laughs to do with a router not restarting properly, thereby completely missing the main point that the only reason the router restarts were needed was because they were being hosed as a result of an awful DDoS mitigation strategy put in place by IBM.

A chance to give some much-needed education to the wider public on what a distributed denial-of-service attack is, and why it is not one of the fabled "hacks" that appear on news bulletins occasionally, was lamentably missed again."

David. said...

That was fun, let's join in! The Mirai copy-cat botnets are here.

David. said...

Eyal Ronen et al.'s IoT Goes Nuclear: Creating a ZigBee Chain Reaction describes how they built an IoT worm infecting Philips Hue "smart" lamps:

"The worm spreads by jumping directly from one lamp to its neighbors, using only their built-in ZigBee wireless connectivity and their physical proximity. The attack can start by plugging in a single infected bulb anywhere in the city, and then catastrophically spread everywhere within minutes, enabling the attacker to turn all the city lights on or off, permanently brick them, or exploit them in a massive DDOS attack. To demonstrate the risks involved, we use results from percolation theory to estimate the critical mass of installed devices for a typical city such as Paris whose area is about 105 square kilometers: The chain reaction will fizzle if there are fewer than about 15,000 randomly located smart lights in the whole city, but will spread everywhere when the number exceeds this critical mass (which had almost certainly been surpassed already)."

David. said...

Apparently, Mirai is mostly DVRs, leaving lots of other juicy targets for the other botnets.

David. said...

Via Fortune, Akamai reports that:

"the overall number of DDoS attacks has not risen significantly in 2016, but that the force of these attacks is increasing. Akamai says it confronted 19 “mega attacks” in the third quarter of this year, including the two biggest it has ever encountered in history."

and concludes:

"the Internet of Things problem may just be beginning. ... “There are many more IoT devices in existence that share similar vulnerabilities and will provide tempting targets to attackers. Until IoT security becomes a primary concern for manufacturers, this type of malware will be increasingly common,” says the company."

David. said...

Cringely weighs in with the idea of gatewaying between the IoT and the rest of the Internet. Missing the point that insecure Things aren't just a problem for the rest of the Internet, but also for the Things. A point not missed by Danny Palmer at ZDNet.

David. said...

It is important to remember that cars are now Things in the Internet:

"By infecting a Tesla owner's phone with Android malware, a car thief can hack and then steal a Tesla car, security researchers have revealed this week.

Previous attempts to hack Tesla cars attacked the vehicle's on-board software itself. This is how Chinese security researchers from Keen Lab have managed to hack a Tesla Model S last month, allowing an attacker to control a car from 12 miles away.

Security experts from Norwegian security firm Promon have taken a different approach, and instead of trying complicated attacks on the car's firmware, they have chosen to go after Tesla's Android app that many car owners use to interact with their vehicle."

The app stores the user's password in the clear.

David. said...

Correction: what is stored in the clear is the OpenID token, not the password.

David. said...

According to Catalin Cimpanu at BleepingComputer, Mirai is now for sale. You Can Now Rent a Mirai Botnet of 400,000 Bots reports that:

"Popopret and BestBuy expanded the Mirai source by adding the option to carry out brute-force attacks via SSH, but also added support for the malware to exploit a zero-day vulnerability in an unnamed device. ... Propoet also advertised another new feature, which is the ability to bypass some DDoS mitigation systems by spoofing (faking) the bot's IP address. Previous versions of the Mirai malware didn't include this feature."

The minimum rental period is two weeks:

"price for 50,000 bots with attack duration of 3600 secs (1 hour) and 5-10 minute cooldown time is approx 3-4k per 2 weeks."

David. said...

The 400K botnet is so yesterday. Today, it's a potential 5M. Dan Goodin at Ars Technica reports that Newly discovered router flaw being hammered by in-the-wild attacks:

"The devices leave Internet port 7547 open to outside connections. The exploits use the opening to send commands based on the TR-069 and related TR-064 protocols, which ISPs use to remotely manage large fleets of hardware. According to this advisory published Monday morning by the SANS Internet Storm Center, honeypot servers posing as vulnerable routers are receiving exploits every five to 10 minutes."

"The Shodan search engine shows that 41 million devices leave port 7547 open, while about five million expose TR-064 services to the outside world."

David. said...

Dan Goodin reports that There’s a new DDoS army, and it could soon rival record-setting Mirai:

"The as-yet unnamed botnet was first detected on November 23, the day before the US Thanksgiving holiday. For exactly 8.5 hours, it delivered a non-stop stream of junk traffic to undisclosed targets, according to this post published Friday by content delivery network CloudFlare. Every day for the next six days at roughly the same time, the same network pumped out an almost identical barrage, which is aimed at a small number of targets mostly on the US West Coast. More recently, the attacks have run for 24 hours at a time."