After a large portion of the internet was taken down about 5 days ago, attacks have since struck closer to home. Two waves of cyber attacks affected Starhub’s network on 22 and 24 Oct. They announced yesterday that the attacks originated from their customers’ compromised machines, which were recognized as legitimate requests.
The number of affected devices is staggering. Malwaretech has an overview of the affected nodes, and it looks like a global epidemic.
Mirai has two core functions. It recruits agents (IoT devices) that can be easily accessed using factory default username and passwords. It then coordinates a strike with the agents performing HTTP floods and network (OSI layer 3-4) DDoS attacks.
How can Mirai access my devices behind a firewall?
As it is, all of us have a bunch of devices connected to our network at home. Some devices are inherently less secure. A bunch of these cheap devices, CCTV cameras, etc, have essentially hard-coded username / password access that are communicated over protocols such as Telnet / SSH.
It used to be required to configure port access to allow your devices to communicate out to the rest of the Internet. The devil here is actually UPnP. In attempts to make devices more user friendly, these devices are now allowed automatically to open port access through your router. So yes, if you have a security camera / baby monitor at home, someone might be watching. If you are worried, time to switch off UPnP.
Vulnerability – Almost anyone can be an attacker
The Mirai source code is published – and you can find it on Github and other sources. It’s double edged. With the source code made public, new Mirai attacks could be experimental attacks conducted by new users / hackers. Likely, these are signs of things to come.
The attack uses a list of 61 passwords which could belong to hundreds of different manufacturers. Fixing them would not be easy, and is probably impractical. At the ISP level, they can limit the attacks somewhat but as Starhub indicated, it would be challenging to filter out requests that originate from within their own network.
Check your network
Don’t contribute to the botnets.
- Avoid using default / generic passwords.
- Scan your IP for port access on the usual suspects, SSH:22, telnet:23.
- Check your port forwarding details and remove access if not required.
As IoT is set to expand exponentially over the next few years, the Mirai attack is a timely reminder for manufacturers NOT to ignore basic security practices.