Behind the IoT Device Zombie Networks


On the 21st, a large-scale internet outage began in the eastern United States and spread across the country. The widely reported cause is that network service providers, most visibly the DNS provider Dyn (and, through it, Amazon's services), were hit by a DDoS attack against DNS services launched from IoT devices controlled by malicious code such as Mirai. Singapore's StarHub and targets inside our own territory were attacked afterwards.

According to analysis by MalwareBenchmark:

1) Controlled devices are now spread across 164 countries. Vietnam tops the list at 12.8%, followed by Brazil at 11.8%, the United States at 10.9%, China at 8.8%, and Mexico at 8.4%; South Korea, Taiwan, Russia, Romania, and Colombia round out the ten most affected countries. Even remote places such as Montenegro, Tajikistan, and Somalia have infected devices.

2) Compromised IoT devices include web servers, routers, modems, network-attached storage (NAS) devices, CCTV systems, and industrial control systems, and they exceed one million in number;

3) Malicious code families controlling IoT devices include Mirai, Lizkebab, BASHLITE, Torlus, Gafgyt, Luabot, DYREZA, AppleJ4ck, CCTV, meat chicken MM, BillGates, Mayday, PNScan, Remaiten, and others. Shared origins are evident: Lizkebab, BASHLITE, Torlus, and Gafgyt are names for one family, which first spread through the Shellshock bash vulnerability;

4) Exploited weaknesses include weak or factory-default passwords; the "SSHowDowN Proxy" abuse of OpenSSH TCP forwarding on devices with default credentials (the twelve-year-old CVE-2004-1653); and the Shellshock bash vulnerability (listed in the original as a "Bash Shell backdoor");

5) The traffic of a single DDoS attack can exceed 1 Tbps;

6) Products from manufacturers such as Hikvision, Dahua, and Xiongmai built on Huawei HiSilicon chips and the associated boards are the main victims;

7) Some families combine propagation and exploitation functions and can load further functional modules: Mirai's loader, for example, supports user-customizable payloads, and DYREZA can spread a large number of penetration tools through routers;

8) New variants targeting IoT devices are increasing rapidly, especially since the Mirai source code was leaked; Hajime is one of the new families to appear in this period.
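Point 4 above names weak and default passwords as the main way these bots spread, and that is also the easiest vector to spot from the defender's side. The following is an added example, not code from the original article or from MalwareBenchmark: a small detector that reads telnet login events and flags a Mirai-style credential scan, i.e. one source address cycling through many distinct username/password pairs in a short burst, followed (on a device that still has its factory password) by a successful login. The log line format is a constructed honeypot-style format that records the attempted password (production telnetd or sshd logs do not), the sample lines are constructed, and the window and threshold are illustrative tuning values; the credentials tried by the scanner are drawn from the publicly leaked Mirai scanner dictionary.

```python
"""Detect Mirai-style default-credential scanning in telnet auth logs.

Added example, not code from the original post. Mirai-class bots spread by
logging in with factory-default credentials rather than by exploiting a
software bug, so in logs a scanner looks like one source trying many
distinct user/password pairs in a short burst, then (if the device still
has a default password) a successful login. The heuristic groups events by
source, counts distinct credential pairs inside a sliding time window, and
reports whether the source eventually got in.

Assumptions: the log format is a constructed honeypot-style format that
records the attempted password; WINDOW and THRESHOLD are illustrative.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.7 cycles credentials that appear in the
# leaked Mirai scanner dictionary; 198.51.100.4 is an operator who mistypes
# a password once and then logs in normally.
SAMPLE_LOG = """\
2016-10-21T11:10:02Z telnetd: login failed from 203.0.113.7 user=root pass=xc3511
2016-10-21T11:10:03Z telnetd: login failed from 203.0.113.7 user=root pass=vizxv
2016-10-21T11:10:03Z telnetd: login failed from 203.0.113.7 user=admin pass=admin
2016-10-21T11:10:04Z telnetd: login failed from 203.0.113.7 user=root pass=888888
2016-10-21T11:10:05Z telnetd: login failed from 203.0.113.7 user=root pass=xmhdipc
2016-10-21T11:10:06Z telnetd: login failed from 203.0.113.7 user=support pass=support
2016-10-21T11:10:07Z telnetd: login ok from 203.0.113.7 user=root pass=juantech
2016-10-21T11:12:40Z telnetd: login failed from 198.51.100.4 user=admin pass=Summ3r
2016-10-21T11:12:55Z telnetd: login ok from 198.51.100.4 user=admin pass=Summer!
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) telnetd: login (?P<result>ok|failed) from (?P<src>\S+) "
    r"user=(?P<user>\S+) pass=(?P<pw>\S+)$"
)

WINDOW = timedelta(seconds=60)   # burst window for one scanner (assumed)
THRESHOLD = 5                    # distinct credential pairs that count as scanning (assumed)


def parse_log(text):
    """Yield one event dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ev


def find_credential_scanners(text, window=WINDOW, threshold=THRESHOLD):
    """Return {src: (max_distinct_pairs, logged_in)} for every source that
    tried at least `threshold` distinct user/password pairs within `window`.

    logged_in is True if any login from that source succeeded, which means
    the device accepted a default credential and should be treated as
    compromised rather than merely probed.
    """
    by_src = defaultdict(list)
    for ev in parse_log(text):
        by_src[ev["src"]].append(ev)

    hits = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        best = 0
        # Slide a window starting at each event and count distinct pairs in it.
        for i, start in enumerate(evs):
            pairs = set()
            for ev in evs[i:]:
                if ev["ts"] - start["ts"] > window:
                    break
                pairs.add((ev["user"], ev["pw"]))
            best = max(best, len(pairs))
        if best >= threshold:
            logged_in = any(ev["result"] == "ok" for ev in evs)
            hits[src] = (best, logged_in)
    return hits


if __name__ == "__main__":
    for src, (n, owned) in find_credential_scanners(SAMPLE_LOG).items():
        status = "COMPROMISED" if owned else "probed"
        print(f"{src}: {n} distinct credential pairs within {WINDOW.seconds}s -> {status}")
```

On the sample, only 203.0.113.7 is reported (seven distinct pairs in five seconds, ending in a successful root login), while the operator's single typo stays below the threshold. The counting is per source and per window deliberately: a botnet scans from many bots at once, so a global failed-login rate alone would not separate one scanner from normal noise, and the distinction between "probed" and "logged in" is what decides whether a device needs to be isolated and re-credentialed.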

Domestic (China) infection situation: (no need to explain much, you understand)


Pr0.s has a few more points to make about what lies behind the scenes:

First: after the internet outage in the United States, the U.S. Department of Homeland Security, the European Commission, and others stated that they will soon introduce or strengthen regulations and policies in this area. Whether this leads to sales restrictions or tightened reviews of China-related products, that is, to trade "barriers", is worth watching;

Second: who is the mastermind behind this? Russia? A script kiddie from Hackforums? Anonymous? New World Hackers? It is still difficult to determine at this point. A few points are worth noting, however:

Since the Mirai source code was released, there is certainly more than one hacker team capable of this;

From analysis of these families' C&C infrastructure: the C&C servers are generally hosted in the cloud and, in particular, registered through domain registrars that emphasize privacy protection. Krebs' analysis hints that some domain or cloud service providers may themselves rent out DDoS services.

Distribution map of some of Mirai’s main C&C servers:


The locations of Mirai's main control servers and the timing of the DDoS attacks still do not identify the attackers behind them. From some comments in the circulated Mirai source, however, certain hacker groups in Russia appear to have some connection with Mirai (this absolutely does not imply any connection with Russian political forces).

By the same logic: many of BASHLITE's control servers are in the United States, yet that does not confirm that the attacks were launched by the U.S.


Since the attacks so far have no clear objectives or demands, they probably have little to do with geopolitics, beliefs, nationalism, or extremism, unless they are merely tests. Pr0.s believes these attacks are most likely tests or "muscle flexing" by the players behind the scenes, whose real intentions and final actions have yet to be revealed.

The specific reasoning is that these hacker teams now possess enormous attack capacity, but against the U.S. and other targets they have released only a fraction of it (see Pr0.s' article from a few days ago, "Do you need millions of devices to take down the networks in the eastern U.S.?"), and a massive DDoS attack would certainly be preceded by testing and capacity estimation.

There is no need to be overly nervous, however; the hacker teams may never carry out a final action and may simply maintain their strength as a form of "deterrence".

It should be clear that anyone capable of carrying out attacks like these is working as a team~!

Please note the publication dates of the following articles and how they relate to when the events came to light~! Hehe

Related articles in the subscription account (click to read)

Do you need millions of devices to take down the networks in the eastern U.S.?

Analysis of malicious code samples from the LINUX REMAITEN family

OpenSSH vulnerabilities from twelve years ago are being exploited by IoT attackers

Analysis of the malicious code mirai that is rampant in the IoT – part of Mirai

Analysis of the malicious code mirai that is rampant in the IoT – Loader

Massive infection of internet devices by “bots”, CNBC releases a ranking of infected countries

Rapid growth of malicious code used in DDoS attacks launched by hijacked IoT devices

Brief analysis of the BASHLITE family of malicious codes infecting a million IoT devices

Over a million IoT devices infected by the BASHLITE family of malicious codes
