
Mirai Attack - Incident Summary and Recommendations

04 November 2016

The information below is provided by the ASIS IT Security Council.

In October 2016, a considerable portion of the United States and some parts of Europe were hit with massive distributed denial of service (DDoS) attacks. The attackers effectively took down the internet for many users by overloading the capacity of supporting providers. Their "army" was a multitude of smart devices, connected to the internet with default passwords, that had been infected with purpose-written malware.

Details on the October 2016 Mirai Attack
The attack used a massive number of lookup requests to overwhelm the Domain Name System (DNS) servers, which caused them to become non-functional. When this happens, companies with an Internet presence cannot receive traffic because their IP addresses cannot be found, so they are effectively cut off by the gridlock. In this way, the attackers were able to disrupt traffic to a significant number of sites with one coordinated attack.

Dyn is one of several companies that provide DNS services. DNS is used to resolve the human-readable web addresses, or Uniform Resource Locators (URLs), that we are familiar with (www.(examplewebsite).com) into the computer-readable IP addresses needed to connect to the proper servers and deliver the desired website content. Every time someone navigates to a new webpage, lookup requests are sent to a DNS server, and that server returns the corresponding IP addresses.

When an attacker launches this type of attack from a single server it is referred to as a Denial of Service (DoS) attack, but a much more effective attack is launched when the attacker can orchestrate a simultaneous DoS attack from many different servers, as was the case with the Mirai botnet. This DDoS attack uses a network of slave computers or robots that are controlled by a single master. The term "botnet" is used to describe this network of robot computers, which are typically enlisted via an infection of malicious software.
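To make the DoS versus DDoS distinction above concrete, here is an added example (not part of the ASIS article) that runs two simple detection rules over a constructed DNS resolver query log: a per-source rate rule, which a distributed flood slips under because each bot sends only a trickle, and an aggregate rate rule that catches the flood and reports how many distinct sources it comes from. The log format, thresholds and addresses are assumptions for illustration.

```python
# Added example: two detection rules over a constructed DNS resolver query log.
# Sample data is synthetic (RFC 5737 documentation addresses), not Dyn's logs.
from collections import defaultdict, deque


def build_sample_log():
    """Constructed log of (epoch_second, source_ip, queried_name) tuples."""
    events = []
    # Baseline traffic: three ordinary clients, one query per second for 60 s.
    for t in range(60):
        for ip in ("203.0.113.10", "203.0.113.11", "203.0.113.12"):
            events.append((t, ip, "www.example.com"))
    # Distributed flood from t=30: 200 distinct bots, each only 2 queries/s.
    for t in range(30, 60):
        for i in range(200):
            events.extend([(t, f"198.51.100.{i}", "www.example.com")] * 2)
    events.sort()
    return events


def per_source_offenders(events, window=10, limit=50):
    """Single-source DoS rule: IPs exceeding `limit` queries in any `window` s."""
    recent = defaultdict(deque)  # ip -> timestamps inside the sliding window
    offenders = set()
    for t, ip, _name in events:
        q = recent[ip]
        q.append(t)
        while q and q[0] <= t - window:
            q.popleft()
        if len(q) > limit:
            offenders.add(ip)
    # A botnet spreads the load thinly, so each bot stays under `limit`.
    return offenders


def flood_seconds(events, baseline_seconds=20, factor=5):
    """Aggregate rule: seconds whose total query rate exceeds `factor` x the
    rate learned from the first `baseline_seconds`; each hit is
    (second, queries, distinct_sources) so the spread of sources is visible."""
    per_sec = defaultdict(list)
    for t, ip, _name in events:
        per_sec[t].append(ip)
    baseline = sum(len(per_sec[t]) for t in range(baseline_seconds)) / baseline_seconds
    return [(t, len(ips), len(set(ips)))
            for t, ips in sorted(per_sec.items()) if len(ips) > factor * baseline]
```

On the constructed log the per-source rule returns no offenders at all, while the aggregate rule flags every second from 30 onward with about 400 queries from 203 distinct addresses.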

What makes this event particularly noteworthy is that the bots appeared to be almost entirely composed of hacked Internet-of-Things (IoT) devices. Perhaps even more alarming, they tended to be physical security devices such as IP security cameras and digital video recorders (DVRs).

The Mirai botnet sought out IoT devices that still had default logins, used those defaults to access the device, and then installed the malware that was used to launch the DDoS attack itself. What people need to realize is that the IoT devices that turn our lights on and off, unlock our doors, monitor our refrigerators, control our HVAC systems, and so much more, are computers beneath the device cover, and those computers are vulnerable to malicious code.

The number of consumers shopping for smart home devices has increased six-fold over the past year, despite rising concerns that the gadgets are vulnerable to hackers, according to the John Lewis Retail Report released in late October 2016. The report shows a sharp rise in sales of intelligent lighting and heating systems, air purifiers, and refrigerators. Increased demand for devices that promise to make home life easier has come despite repeated warnings from cybercrime experts that the new technology may leave owners vulnerable to having their bank details stolen.

"Unlike traditional laptops and computers which are usually protected with encrypted passwords, many passwords for smart devices are generic and non-encrypted, meaning they are much weaker," says Kaspersky Lab security expert David Emm.

"Once hackers have access, they can use a smart device to look at smartphone data, gain access to bank details, and potentially cut off services en masse," says Emm.

There are many specific and detailed recommendations that can be made, including:
  1. Device owners need to make sure equipment is installed behind a well-managed firewall, apply updates and patches, and cycle out equipment that is no longer supported by the manufacturer.

  2. System installers need to make sure the default username and password have been changed on all devices. This should be demonstrated by the vendor to the end user's representative.

  3. Manufacturers need to make sure their products use suitable access controls, do not include embedded backdoors, and do not send information over unencrypted channels. The manufacturer's policy on this matter should be available to the vendor and the client.

  4. Apply good network security practices, including a defense-in-depth strategy.

  5. Document all electronic assets with an IP address and audit the security state of each electronic asset.

  6. Design and test restoration procedures to ensure seamless, accurate operations.

  7. Review risk assessments based on factors outlined above.

  8. Implement and validate mitigation measures to minimize damage from similar undesirable occurrences.

  9. Incorporate independent, objective professional planning and review of the above to maximize effectiveness while minimizing the remaining exposure to risk.

  10. Also, have your key players involved in international, regional, and local associations (such as ASIS International) and make sure they stay current with the technology that makes the Internet successful, and with the threats that disrupt smooth operations.

The ASIS IT Security Council (ITSC) has been working with Underwriters Laboratories (UL) as part of UL's Cybersecurity Assurance Program (CAP). The UL CAP aims to minimize risk through UL testing, training, and certification programs, with an emphasis on the cybersecurity of consumer technology, industrial control systems, and medical devices. The goal of the program is to help manufacturers develop more secure products and to support purchasers who want to mitigate risk by sourcing products validated by a trusted third party.

Helpful Links and Resources Relating to Mirai and Related Subjects: