Security man Krebs' website DDoS was powered by hacked Internet of Things botnet

Internet of Amazingly Insecure Tat? That's the one


The huge distributed denial of service (DDoS) attack which wiped security journalist Brian Krebs' website from the internet came from a million-device-strong Internet of Things botnet.

"Attack appears to include numerous IoT devices, including security cameras. Still itemizing them," an Akamai spokesman told El Reg by email.

The attack "included substantial shaped traffic (traffic directly controlled by that botnet operator), rather than merely reflected, amplified unshaped traffic," he added.

Krebs' website was taken down at his request after it had been receiving up to 620Gbps of malicious traffic. He thinks he was targeted because he is currently researching DDoS gangs.

Two people were recently arrested in connection with recent DDoS attacks, which may have been one outcome of Krebs' sleuthing, as he notes here.

DDoS mitigation firm Akamai, which had Krebs as a pro bono customer, struggled to cope with the volume of incoming requests and gave him two hours' notice of being kicked off their system.

The journalist – who said "I don't fault them [Akamai] at all" – asked his hosting provider to redirect his website to 127.0.0.1 to sinkhole all the malicious traffic, a move which KO'd his website, too.

Google later stepped in to provide DDoS mitigation through its Project Shield service, meaning Krebs' website is back up again.

Krebs said, on his blog, that the sort of DDoS mitigation protection Akamai gave him (until deciding not to) would cost between $150,000 and $200,000 per annum.

“Preliminary analysis of the attack traffic suggests that perhaps the biggest chunk of the attack came in the form of traffic designed to look like it was generic routing encapsulation (GRE) data packets, a communication protocol used to establish a direct, point-to-point connection between network nodes,” he added.

A story by Network World quoted Dave Lewis, Akamai's “global security advocate” as saying: “It’s possible they are faking it or it’s possible it’s a camera that was doing these attacks.” ®


Microsoft nukes 9 million-strong Necurs botnet after unpicking domain name-generating algorithm

Takedown should (in theory) see spam volumes shrink rapidly

Microsoft has bragged of downing a nine million-strong Russian botnet responsible for vast quantities of email spam.

The Necurs botnet, responsible over the years for quite a considerable volume of spam – as well as being hired out to crims pushing malware payloads such as the infamous Locky ransomware and Dridex malware – was downed by Microsoft and its industry chums following a US court order allowing the private sector companies to go in hard and heavy on the botnet.

Redmond's Tom Burt said in a blog post: "Necurs is believed to be operated by criminals based in Russia and has also been used for a wide range of crimes including pump-and-dump stock scams, fake pharmaceutical spam email and 'Russian dating' scams."

Microsoft researchers figured out how the algorithm that generated new, unique domains for Necurs' infrastructure operated and were able to correctly predict six million domain names that would be generated over a 25-month period, it said. These domains were then reported to registrars so they could be promptly blocked.

Command 'n' control botnet of notorious Emotet Windows ransomware shut down in multinational police raid

Europol-led op knocks offline 700 servers used to infect 'millions of computers'

EU police agency Europol has boasted of taking down the main botnet powering the Emotet trojan-cum-malware dropper, as part of a multinational police operation that included raids on the alleged operators’ homes in Ukraine.

“To severely disrupt the EMOTET infrastructure, law enforcement teamed up together to create an effective operational strategy. It resulted in this week’s action whereby law enforcement and judicial authorities gained control of the infrastructure and took it down from the inside,” said Europol in a jubilant statement this afternoon.

Police forces from the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine all took part in the takedown.

“Analysis of accounts used by the group behind Emotet showed $10.5m being moved over a two-year period on just one Virtual Currency platform,” said Britain’s National Crime Agency, which added: “NCA investigators were able to identify that almost $500,000 had been spent by the group over the same period to maintain its criminal infrastructure.”

Kinda goes without saying, but shore up your admin passwords or be borged by this brute-forcing botnet

Publishing platforms, hosts being targeted by Stealthworker malware

Servers are being targeted with a malware attack that uses its infected hosts to brute-force other machines.

Known to Akamai researchers as Stealthworker, the infection preys on weak passwords then uses a massive arsenal of malware to overtake Windows and Linux servers running popular CMS, publishing, and hosting tools.

Akamai senior security researcher Larry Cashdollar (yes, that is his last name, and yes, he is tired of that joke) discovered the attack while operating an intentionally exposed WordPress/MySQL container that for some reason was handling massive amounts of traffic.

"I log into the system and I see a ton of connections between my system and dozens of WP sites around the internet," Cashdollar told The Register.

Huygens if true: Dutch police break up bulletproof hosting outfit and kill Mirai botnet

Cops also Cruyff cloggy couple

Dutch police said in a translated news release that they have busted a local 'bulletproof' server hosting operation in a major takedown that also nabbed a pair of Mirai botnet operators.

The Netherlands' National Criminal Investigation Department and National Cyber Security Center operated jointly to track down and seize five servers that they say were being used as an underground 'bulletproof' hosting service for criminals.

The servers, housed at an unnamed data center in Amsterdam, had been the subject of thousands of complaints of malware infections as their operators had used the boxes to run exploits and control infected machines.

In this case, the police say, the people controlling those servers were a pair of Dutch nationals who had been running a Mirai botnet with cover from the bulletproof host. The duo, a 24-year-old man from Veendam and a 28-year-old man from Middelburg, had been offering the network of Mirai-infected devices as a for-hire distributed denial of service tool.

You're a botnet, you've got a zero-day, so where do you go? After fiber, because that's where the bandwidth is

Two-step attack seen on core systems

Researchers are warning owners of fiber routers to keep a close eye on their gear and check for firmware updates following the discovery of an in-the-wild zero-day attack.

The team of Yanlong Ma, Genshen Ye, Lingming Tu, and Ye Jin at 360 Netlab says that for more than two months it has been tracking active attacks using what it describes as a two-part remote code execution exploit to infect networking gear from multiple vendors.

The exploit results in the attacker getting total control of the vulnerable Netlink Gigabit Passive Optical Networks routers and at least eight other OEMs. One of the steps, detailed by Exploit-db, is known to cause remote command execution.

"The function formPing() in the Web server program /bin/boa, when it processes the post request from /boaform/admin/forming, it did not check the target_addr parameters before calling the system ping commands, thereby a command injection becomes possible," Netlab's team explained.

Russian jailed for eight years in the US for writing code that sifted botnet logs for web banking creds for fraudsters

Harvested usernames, passwords used to drain victims' coffers

A Russian programmer has been sentenced to eight years behind bars in America for his part in a massive cybercriminal network that hacked into and drained victims' bank accounts.

Aleksandr Brovko, 36, was arrested in the Czech Republic in 2019 and extradited to America following a lengthy probe into Russian hacking rings. He was, according to the US government, “a member of elite, online forums designed for Russian-speaking cybercriminals to gather and exchange tools and services for crime.”

Brovko was born and raised in a middle-class Russian household and got a degree in systems engineering in 2006. However, according to court documents [PDF], he lost his job at a printing and advertising business “after a disagreement with the company’s management.”

Oh cool, tech service prices are plummeting. And by tech services, we mean botnet rentals and stolen credit cards

Supply and demand in action

Crime has never been cheaper to pull off, so long as you're not particular about quality.

At least that's according [PDF] to a Trend Micro whitepaper on the cost of criminal services, which says over the past five years the prices for botnet rentals and credit card numbers have taken a nosedive.

"In 2015, generic botnets started selling at around $200 in Russian underground forums. Generic botnet prices today cost around $5 a day, and prices for builders start at $100," Trend said.

"United States credit cards were sold at $20 in 2015, but prices start at $1 in 2020. High-balance credit cards are selling for over $500 in 2020. Meanwhile, monthly crypting services dropped to around $20." A crypting service is one that encrypts and obfuscates malware and other malicious code to evade detection.

Newb admits he ran Satori botnet that turned thousands of hacked devices into a 100Gbps+ DDoS-for-hire cannon

One moron down, two to go

The script kiddie at the center of the Satori botnet case has pleaded guilty.

Kenneth Schuchman, 21, of Vancouver in Washington state, this week admitted [PDF] to aiding and abetting computer hacking in an Alaskan federal district court. In exchange for only having to confess to a single criminal count, and increasing his chances of a reduced sentence, Schuchman admitted he ran the destructive Satori Internet-of-Things botnets.

From July 2017 to late 2018, Schuchman, along with co-conspirators referred to by prosecutors as "Vamp" and "Drake," built and maintained networks of hijacked devices: these internet-connected gadgets would be infected and controlled by the gang's Satori malware, which was derived from the leaked Mirai source code. Schuchman, who is said to have gone by the handle "Nexus-Zeta," admitted to taking the lead in acquiring exploits to commandeer vulnerable machines and add them to the botnets, while "Drake" apparently wrote the code for the malware, and "Vamp" handled the money.

The money, you ask? Yes, the crew would launch distributed denial-of-service (DDoS) attacks from their armies of malware-infected gear for cash: you could hire them to smash your rivals and other victims offline by overwhelming systems with internet traffic from the Satori-controlled botnets.

Mirai botnet malware offspring graduates from uni, puts on a suit, slips into your enterprise

Isn't that what we all want for our kids, after all?

A descendant of the notorious Mirai Internet-of-Things botnet has apparently cast a wider net than its predecessors, potentially infecting systems normally found within enterprises.

Earlier this month, researchers at Palo Alto Networks' Unit 42 discovered and documented a fresh strain of Echobot, a botnet malware based on the leaked Mirai source code, that targets flaws in business tools.

Specifically, this Echobot nastyware build tries to exploit, in addition to previously targeted vulnerabilities, CVE-2019-2725 in Oracle WebLogic Server and CVE-2018-6961 in VMware NSX SD-WAN to pressgang more machines into its web.

The Palo Alto team said the expanding exploit arsenal is indicative of an effort by crooks to commandeer more than just the usual home routers and webcams and digital video recorders, and so on. While the original Mirai famously preyed on default credentials in consumer gear, Echobot and similar variants are creeping into the enterprise space.

Sign of the times: Mirai botnet strain fine-tunes itself to infect digital signage, projectors

Notorious code puts on suit and tie, goes after business kit

A strain of the botnet malware Mirai has emerged focused on a wider set of embedded internet-connected devices.

Researchers at Palo Alto Networks' Unit 42 this week stated that a variant of the notorious Internet-of-Things infector is now looking to hijack TVs and projectors designed to display information and adverts, as well as the usual broadband routers, network-attached storage boxes, and IP-enabled cameras and digital video recorders.

The malware, best known for its hefty distributed denial-of-service (DDoS) punch and rapid expansion in 2016 and 2017, previously spread mostly around poorly protected consumer IoT devices. Its source code was leaked in 2016, allowing any miscreant to launch their own incarnation of the software nasty.

This latest flavor of Mirai attempts to compromise WePresent projectors, D-Link video cameras, LG digital signage TVs, and routers from Netgear, D-Link, and Zyxel, by exploiting vulnerabilities in firmware, and rope them into its remote-controlled botnets. At that point, the commandeered equipment can be instructed from afar to find and infect other devices, launch DDoS attacks, and other mischief.

Biting the hand that feeds IT © 1998–2021