China-made IoT devices infected by the Mirai malware become the main force behind recent DDoS attacks
On September 20, the personal website of well-known security figure Brian Krebs was hit by a large-scale DDoS attack that peaked at 665 Gbps and lasted for days; the site was eventually forced offline for several days. On September 21, the French network service provider OVH was also hit by a DDoS attack; OVH's technical director said the peak attack traffic reached 1 Tbps.
The Internet service provider Level 3 investigated the attack on the Krebs website and stated that the DDoS attack used a botnet of as many as 1.5 million compromised devices, most of them webcams produced by China's Dahua (DAHUA). Hackers used these online devices to send requests to the Brian Krebs website continuously, generating a huge volume of request traffic and paralyzing it. Flashpoint, which analyzed and investigated both DDoS attacks, claimed that network camera equipment from another Chinese manufacturer, Xiongmai Technology, was also used by hackers to launch DDoS attacks because of its vulnerabilities. Security provider Akamai also confirmed that the source of the DDoS attacks on the Krebs website and OVH may be the same batch of botnets infected by the Mirai malware.
Finally, Level 3, Flashpoint, F5 and other Internet companies successively confirmed that hackers had used the Mirai malware to infect Internet of Things (IoT) devices for DDoS attacks.
1 Composition of the DDoS IoT zombie army: large numbers of IoT devices produced by Chinese camera manufacturers
Devices produced by Dahua Company
A Level 3 investigation found that most of the botnet devices that attacked the Krebs website were located in Taiwan, Brazil, and Colombia. Most of them were camera equipment made by the Chinese camera and DVR manufacturer Dahua (DAHUA); more than one million such network devices exposed on the Internet are being infected and turned into a powerful botnet.
Level 3 Chief Security Officer Dale Drew explained that hackers used camera vulnerabilities to break into and take control of a large number of Dahua devices, creating random users on the device's embedded Linux system and planting malware to form a botnet. In addition, most of Dahua's early network devices ship with default usernames and passwords.
According to Dale Drew, the vulnerability is difficult to fix remotely unless the hardware is replaced. Level 3 has informed Dahua in time; although Dahua has not yet made an official response, it is working hard to solve the problem.
Network camera equipment produced by Xiongmai Technology
In addition, according to the analysis of Flashpoint, which took part in the investigation, some of the botnet devices involved in the DDoS attacks were network cameras produced by the DVR manufacturer Xiongmai Technology (XiongMai Technologies, Hangzhou, China). These devices ship with the same built-in default username and password combination, root/xc3511, which users are not allowed to change, and they can be reached over remote telnet or ssh. It is initially estimated that more than 500,000 such network devices carry this security risk.
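As an added illustration of the risk described above (example code, not part of the original article), the script below flags successful telnet/ssh logins that use the hard-coded root/xc3511 credential pair and marks sources that cycle through several credentials in a row, which is the pattern a defender would look for on a honeypot or lab capture. The log format, timestamps and addresses are constructed for the example.

```python
"""Detect default-credential logins and dictionary bursts in telnet/ssh auth logs.

The log format below is a constructed example (e.g. a lab honeypot that records
the credentials tried); it is not any vendor's real log format.
"""
import re
from collections import Counter

# Constructed sample: timestamp, service, source IP, user, password, result.
SAMPLE_LOG = """\
2016-09-20T10:00:01 telnet src=203.0.113.5 user=root pass=xc3511 result=OK
2016-09-20T10:00:02 telnet src=203.0.113.5 user=root pass=xc3511 result=OK
2016-09-20T10:00:03 ssh src=198.51.100.7 user=admin pass=admin result=FAIL
2016-09-20T10:00:04 ssh src=198.51.100.7 user=admin pass=1234 result=FAIL
2016-09-20T10:00:05 ssh src=198.51.100.7 user=root pass=xc3511 result=OK
2016-09-20T10:01:00 ssh src=192.0.2.9 user=operator pass=S3cure-passphrase result=OK
"""

# The only credential pair the article names; a real deployment would extend
# this set from the vendor advisories it trusts.
KNOWN_DEFAULTS = {("root", "xc3511")}
BURST_THRESHOLD = 3  # attempts from one source before it counts as a dictionary run

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<svc>telnet|ssh) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"pass=(?P<pw>\S+) result=(?P<res>OK|FAIL)$"
)


def parse(log_text):
    """Yield one event dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def analyze(log_text):
    """Return (default_cred_logins, bursty_sources).

    default_cred_logins: (timestamp, service, src) for each successful login
    with a known hard-coded default; bursty_sources: sorted source IPs with
    at least BURST_THRESHOLD attempts, successful or not.
    """
    default_logins = []
    attempts = Counter()
    for ev in parse(log_text):
        attempts[ev["src"]] += 1
        if (ev["user"], ev["pw"]) in KNOWN_DEFAULTS and ev["res"] == "OK":
            default_logins.append((ev["ts"], ev["svc"], ev["src"]))
    bursty = sorted(src for src, n in attempts.items() if n >= BURST_THRESHOLD)
    return default_logins, bursty
```

On the sample, 203.0.113.5 and 198.51.100.7 both log in with root/xc3511, and 198.51.100.7 is additionally flagged for trying three credentials in succession.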
Figure: Global distribution map of Xiongmai Technology equipment
Flashpoint also claims that Xiongmai's NetSurveillance and CMS series software contain an authentication bypass vulnerability. After the login interface is accessed:
Figure: CMS authentication bypass vulnerability analysis
the DVR.htm page is triggered; combined with CVE-2016-1000246 and CVE-2016-1000245, authentication can be bypassed successfully. Security vulnerabilities of this kind make it easy for hackers to build a huge botnet. For details, please refer to the Flashpoint technical analysis report.
2 The main culprit of the DDoS attacks: the Mirai malware
According to Level 3 and other investigating organizations, the malware used in the DDoS attacks mainly targets embedded Linux IoT devices. According to the analysis of data security company Imperva and application delivery network service provider F5, the main malware that infects IoT devices to form a DDoS botnet is Mirai.
Imperva detected a series of GRE flood attacks from the Mirai botnet on August 17, with peak attack traffic reaching 280 Gbps and 130 Mpps. After the two attacks above, Imperva surveyed 49,957 Mirai-infected device IPs around the world and found that the Mirai botnet has spread to more than 164 countries, including remote countries such as Montenegro, Tajikistan, and Somalia.
This article is published by www.internetweblist.com and does not represent the position of www.internetweblist.com. Source: http://www.internetweblist.com/Web_defense/28678.html