Mirai Back Story
Mirai was the botnet responsible for the largest DDoS attack to date. Some dismissed this botnet strain as “unsophisticated”, but one could argue it was brilliant in its simplicity. This boutique malware scanned IP addresses looking for specific open network ports and then brute-forced them with a list of default usernames and passwords. Once a victim was infected, Mirai would disable remote ports and attach the device to the botnet.
Mirai was able to elude security systems from the simple to the sophisticated with very little resistance. As the IoT grows, it presents challenges and requires network managers to ensure a proper layered security approach. For most of us this starts at the perimeter. Every network has a firewall, and it is the tool used to impose your will on unwanted connection requests and, if you deem it necessary, impose restrictions on the offending source. Despite this, Mirai was able to infiltrate networks. The ability of this malware to spread is just another example of the need for solutions that complement firewalls, and for a rethinking of perimeter defense strategies.
Challenges for Firewalls
Some firewalls and next generation firewalls (NGFW) may shun IPs once port scans are detected, while others have no idea and simply drop the request. This non-action allows the probe to continue and eventually reach its target. With Mirai, allowing the probe to continue proved to be problematic: once Mirai landed, it executed its instructions and infected the system. Many seem to believe this was simply an IoT thing (cameras, DVRs, etc.), but it is not. Wikipedia describes Mirai perfectly:
Mirai (Japanese for "the future", 未来) is malware that turns computer systems running Linux into remotely controlled "bots", that can be used as part of a botnet in large-scale network attacks. (Wikipedia)
While the Mirai flaw was predominantly reported on IoT devices like DVR systems and cameras, the news of the malware panicked many into turning off the IoT devices in their homes. But plenty of other devices were infected besides toasters, refrigerators, and TVs. Mirai exploited every lazy, bad thing we ever did with a username and password, and it is reported to have done all of its damage using exactly sixty-six passwords. While we are quick to blame poor IoT development, some forget that the NAT’ing of public to private ports, which let Mirai in, was a major contributing factor. We can’t blame IoT manufacturers for that. And so many firewalls failed to detect what was going on, inbound and outbound.
The point is that in most cases the firewall did not prevent the scanning source from continuing, and it was ultimately permitted through to the victim's open port. There could be all sorts of reasons why there weren't harsher penalties on the offending source addresses that were digging in network areas they weren't supposed to be. Some examples of these reasons are as follows:
- Attempting to shun each scanning source address when it's in areas it's not supposed to be creates the risk of firewall latency because of the number and complexity of rules that would be required to do this effectively.
- The firewall may not even have the ability to shun
- The IoT device was placed outside of the firewall
- The IoT device was placed into a DMZ
- The admin created a 1-1 NAT rule
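The first reason in the list above (rule bloat and the latency that comes with it) is a data-structure problem as much as a policy one. The following is an added example, not PacketViper's code and not taken from this post, of a shun list whose active rule set stays bounded: every entry expires, a repeat offender's penalty doubles with each strike up to a cap, and strike history is forgotten after a grace window so the table cannot grow forever. The time values (10 minutes, one week, 30 days) are assumptions chosen for the example, not vendor defaults.

```python
"""Expiring, escalating shun list (added example; not PacketViper code)."""
from dataclasses import dataclass

BASE_PENALTY = 10 * 60              # first offence: 10 minutes (assumed policy value)
MAX_PENALTY = 7 * 24 * 60 * 60      # penalty cap: one week (assumed)
FORGET_AFTER = 30 * 24 * 60 * 60    # keep strike history 30 days past expiry (assumed)


@dataclass
class Entry:
    expires_at: float  # epoch seconds at which the block lapses
    strikes: int       # how many times this source has been punished


class ShunList:
    def __init__(self):
        self._entries = {}  # source address -> Entry

    def punish(self, src, now):
        """Record an offence and return the penalty duration in seconds.
        Each strike doubles the penalty, capped at MAX_PENALTY."""
        prior = self._entries.get(src)
        strikes = prior.strikes + 1 if prior else 1
        duration = min(BASE_PENALTY * 2 ** (strikes - 1), MAX_PENALTY)
        self._entries[src] = Entry(expires_at=now + duration, strikes=strikes)
        return duration

    def is_shunned(self, src, now):
        e = self._entries.get(src)
        return e is not None and now < e.expires_at

    def strikes(self, src):
        e = self._entries.get(src)
        return e.strikes if e else 0

    def expire(self, now):
        """Forget sources whose block lapsed more than FORGET_AFTER ago.
        Strike history survives a lapse, but the table is bounded in time.
        Returns the number of entries removed."""
        stale = [s for s, e in self._entries.items() if now - e.expires_at > FORGET_AFTER]
        for s in stale:
            del self._entries[s]
        return len(stale)

    def active_rules(self, now):
        """Only addresses that are currently blocked need a firewall rule."""
        return sorted(s for s, e in self._entries.items() if now < e.expires_at)


def demo():
    """Constructed scenario: one repeat offender plus fifty one-off scanners."""
    sl = ShunList()
    t0 = 1_000_000.0
    first = sl.punish("192.0.2.10", t0)            # first strike: 600 s
    second = sl.punish("192.0.2.10", t0 + 700)     # block lapsed, offends again: 1200 s
    for i in range(50):                            # fifty one-off scanners at t0
        sl.punish(f"198.51.100.{i}", t0)
    rules_now = len(sl.active_rules(t0 + 700))     # one-offs lapsed at t0+600; only the repeat offender
    rules_later = len(sl.active_rules(t0 + 3000))  # repeat offender lapsed at t0+1900 as well
    return first, second, rules_now, rules_later


if __name__ == "__main__":
    print(demo())
```

The point of `active_rules` is that the export to the firewall only ever contains currently-blocked addresses, so a burst of a thousand scanners costs rules for ten minutes, not forever, while the address that keeps coming back earns a week.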
About PacketViper Sensors and Lures
PacketViper has sensors and port lures within the application which detect, alert on, and actively prevent offending source addresses. An end user can place sensors to monitor services like www, vpn, smtp, or exchange, or public IP addresses which are not in use, to identify out-of-scope activity. These sensors can be set to alert, auto-block, and slow down offending connection requests geographically, by business entity, or by network.
Lures serve a different purpose and are designed to snare offending source addresses by deploying decoy ports. These techniques create an undetectable virtual minefield of traps which the attacking source must navigate.
With respect to threat intelligence, PacketViper global sensor arrays use similar techniques and serve a few purposes, two of which will be briefly explained in this article. Our sensors are encamped across the world and act as an advanced warning system for our customers while capturing edge intelligence defensively and offensively. The information is organized daily and pushed to PacketViper customers through our Global Network Lists, which customers can easily factor into their filtering rules and perimeter defense.
PacketViper customers who had implemented the recommended best practices were able to fend off Mirai during the infection phase, while gaining a unique intelligence perspective during the infection.
Mirai Spreading Using Surveillance Systems
Mirai scans telnet and SSH ports, then brute forces usernames and passwords. Over the past few weeks we have seen an increase in these acts across our sensors, so we started an investigation into the sources of these probes based on patterns observed in PacketViper.
During our investigation we found the attacking sources were dispersed across many different countries. The sources were discovered by our sensors when they performed brute force attacks on decoy ports. We also found that many of the attacking probes traced back to surveillance systems.
The bulk of the compromised systems we uncovered were CP Plus products. CP Plus is a leader in surveillance products and offers a wide range of cameras in its surveillance portfolio; as listed on their site, their verticals include Banking, Hospitals, Education, Hospitality, and Law Enforcement, to name a few. Our research shows that CP Plus devices are propagating Mirai, along with other exploited systems such as home thermostats, commercial heating and cooling systems, IPMI management ports, and an assortment of cable routers.
Screen shots taken during the investigation of source addresses that were found probing PacketViper sensors (captions only; the images are not reproduced here):
- NetSurveillance By CP Plus
- IVSWeb 2.0
- Network Video Client
- Unknown (Camera/DVR)
- SuperMicro
- Unknown (Camera/DVR)
- Unknown (Cable Router/Device Behind)
- Honeywell
- FlirThermal
- EPower Gateway (Device Behind)
- Comtrend Wireless Extender
- ZyXEL (Cable Router/Device Behind)
We discovered that each of these systems, or a device directly behind them, made attempts into one or many of our global sensors, which prompted the investigation. During our security analysis we found many of the surveillance systems still had default usernames and passwords. Our analysis also revealed that each probing source responded on at least one, or all, of the following network ports:
*We have not inquired with any of these vendors about warnings they might have provided their customers.
Protecting Your Network
Malicious botnets devastate downstream victims, as was the case with Mirai. But let's look at this from a different point of view: think of the malware infection phase, when the bot is first starting to spread. We all have to remember that bots are individuals until they gather together to a size where they can be weaponized, like Mirai. It is this infection and proliferation phase we have to be prepared for at all times.
Many bots are indiscriminate scavengers and thieves looking for an opportunity. It is the goal of cybersecurity not to provide that opportunity. Coming back to the idea of rethinking the perimeter, sometimes it is not enough to rely on firewall inspection of the signature, reputation, and behavior of the connection request. This level of protection still leaves a vulnerability, because one must expose network ports to the world at large.
At PacketViper, we believe in creating a virtual minefield in which only you have the map. Creating narrow paths and straight lines to publicly available network services accommodates your business, and makes navigation of random indiscriminate acts treacherous, as it should be.
The reasons why PacketViper customers did not contribute to this botnet were simple:
- They had PacketViper recommended best practices enabled
- They utilized PacketViper site specific threat intelligence and did not rely solely on crowd sourced intelligence
- They used PacketViper to impose stiff penalties on offending sources
This botnet that 'broke the internet' did not impact PacketViper customers. PacketViper customers were not breached and they did not participate in the botnet army. At first, they didn't know they had blocked the Mirai bot; they just knew that too many telnet and SSH requests were trying to access areas of the network they shouldn't have. They blacklisted the source addresses of those requests and then discovered new Mirai-infected bots/sources trying to replicate. This is a great example of how PacketViper complements firewalls and crowd sourced reputation, signature, behavioral, or algorithmic intelligence.
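The three detections described in this post, sensors on unused public addresses, lures on decoy ports, and "too many telnet and SSH requests" from one source, can be expressed as one small classifier over a connection log. The block below is an added example written for this article; it is not PacketViper's code and does not reflect the product's internals. The log format, the sensor addresses (203.0.113.250/251), the decoy ports (2222 and 2323 on a web host that only serves 443), the threshold of five attempts, and every log line are constructed for the example, using documentation address ranges.

```python
"""Sensor/lure/threshold classification over constructed connection logs
(added example; not PacketViper code)."""
import re
from collections import Counter

# Constructed perimeter policy for the example (all values assumed).
SENSOR_IPS = {"203.0.113.250", "203.0.113.251"}   # public addresses with no real service
LURE_PORTS = {"203.0.113.10": {2222, 2323}}        # decoy ports on a live web host
BRUTE_PORTS = {22, 23}                            # SSH and telnet
BRUTE_THRESHOLD = 5                               # attempts before a source is blocked

LOG_RE = re.compile(r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)")

# Constructed log lines: 198.51.100.23 is a legitimate web client; the
# 192.0.2.x sources mimic the telnet/SSH probing behaviour the post describes.
SAMPLE_LOG = """\
2016-10-21T03:14:07Z proto=tcp src=198.51.100.23 dst=203.0.113.10 dport=443
2016-10-21T03:14:09Z proto=tcp src=198.51.100.23 dst=203.0.113.10 dport=443
2016-10-21T03:14:11Z proto=tcp src=192.0.2.77 dst=203.0.113.250 dport=23
2016-10-21T03:14:12Z proto=tcp src=192.0.2.78 dst=203.0.113.10 dport=2323
2016-10-21T03:14:13Z proto=tcp src=192.0.2.79 dst=203.0.113.20 dport=22
2016-10-21T03:14:14Z proto=tcp src=192.0.2.79 dst=203.0.113.20 dport=22
2016-10-21T03:14:15Z proto=tcp src=192.0.2.79 dst=203.0.113.20 dport=22
2016-10-21T03:14:16Z proto=tcp src=192.0.2.79 dst=203.0.113.20 dport=22
2016-10-21T03:14:17Z proto=tcp src=192.0.2.79 dst=203.0.113.20 dport=22
2016-10-21T03:14:18Z proto=tcp src=192.0.2.79 dst=203.0.113.20 dport=22
2016-10-21T03:14:20Z proto=tcp src=192.0.2.80 dst=203.0.113.20 dport=22
this line is deliberately malformed and must be skipped by the parser
"""


def parse_line(line):
    """Extract (src, dst, dport) from one log line; None for lines that don't match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), int(m.group("dport"))


def classify(lines):
    """Return {source: (verdict, reason)}. Sources that only touch real
    services never appear; 'watch' marks sub-threshold telnet/SSH activity."""
    verdicts = {}
    brute_hits = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport = parsed
        if dst in SENSOR_IPS:
            # Nothing legitimate lives at a sensor address: one touch is enough.
            verdicts[src] = ("block", f"connection to sensor address {dst}")
        elif dport in LURE_PORTS.get(dst, set()):
            # A decoy port on a live host is only found by scanning.
            verdicts[src] = ("block", f"connection to lure port {dport} on {dst}")
        elif dport in BRUTE_PORTS:
            brute_hits[src] += 1
            if brute_hits[src] >= BRUTE_THRESHOLD:
                verdicts[src] = ("block", f"{brute_hits[src]} telnet/ssh attempts (threshold {BRUTE_THRESHOLD})")
            else:
                # setdefault so an existing block is never downgraded to a watch.
                verdicts.setdefault(src, ("watch", "telnet/ssh attempts below threshold"))
    return verdicts


def blocklist(verdicts):
    """Sorted addresses that earned a block, ready to hand to the firewall."""
    return sorted(src for src, (verdict, _) in verdicts.items() if verdict == "block")


if __name__ == "__main__":
    result = classify(SAMPLE_LOG.splitlines())
    for src, (verdict, reason) in sorted(result.items()):
        print(f"{src:16} {verdict:6} {reason}")
    print("blocklist:", blocklist(result))
```

The ordering of the checks matters: sensor and lure hits are unconditional because no legitimate client has a reason to touch them, whereas telnet and SSH on a host that really runs those services only become blockable once a source crosses the threshold. Feeding the resulting blocklist back into the firewall, and then watching which new sources show up on the sensors, is the loop the closing paragraph describes.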