Mirai targets IoT devices and were implicated in earlier DDoS attacks.
Mirai targets IoT devices and were implicated in earlier DDoS attacks.

Mirai botnets like the ones recently used in distributed denial of service (DDoS) attacks on a French internet service provider and a well-known security researcher were at least partly responsible for the waves of DDoS attacks against Dyn DNS that took down Twitter, Spotify, Netflix, GitHub, Amazon and Reddit and other websites Friday, according to a Flashpoint blog post.

Mirai does its dirty work on Internet of Things (IoT) devices and “Flashpoint has confirmed that at least some of the devices used in the Dyn DNS attacks are DVRs, further matching the technical indicators and tactics, techniques, and procedures (TTPs) associated with previous known Mirai botnet attacks,” the post said.

Flashpoint noted that while “Mirai botnets were used in the October 21, 2016 attack against Dyn, they were separate and distinct botnets from those used to execute the DDoS attacks against “Krebs on Security” and [French Internet provider] OVH.”

After “Anna_Senpai,” the hacker behind the Mirai botnet used to attack Krebs, released the malware's source code online, “copycat hackers have used the malware to created botnets of their own in order to launch DDoS attacks,” making it difficult to draw a relationship between Friday's DDoS attacks, which were still ongoing well into the evening, and previous attacks where Mirai botnets were used.

Chris Sullivan, general manager of Intelligence/Analytics at Core Security Inc., said “the really frightening part” of the Friday attacks, which he called a “new breed of very high volume DDoS,” is not that organizations  “will be struggling with these new attacks for some time, but that the underlying weakness which makes them successful can and will be used to unleash more serious attacks that steal credit cards and weapons designs, manipulate processes like the SWIFT global funds transfers, and even destroy physical things the 30,000 PCs at Saudi Aramco.”

Current defenses don't cut it against attacks that exploit the security shortcomings of devices like baby monitors and thermostats. “IoT devices don't have the memory and processing to be secured properly, so they are easily compromised by adversaries and it's very difficult to detect when that happens,” Sullivan said in comments emailed to SCMagazine.com.

Justin Fier, director of cyber intelligence and analysis at Darktrace, said that while IoT makes life easier “it's also putting us at risk—as it's become painfully apparent how easy it is to hack them.” In comments emailed to SCMagazine.com, Fier called for “better visibility into new technology and the environment in which it's becoming entrenched” otherwise, “we'll continue seeing a pool of vulnerable devices that can be harnessed for these malicious botnet attacks.”