Security Experts:

Mirai Botnet Takes Down Internet in Liberia

Mirai, the Internet of Things (IoT) botnet that has recently fueled multiple large distributed denial of service (DDoS) attacks, is now targeting the Liberian infrastructure, taking down the Internet for the entire country, researchers warn.

The Mirai botnet made it to the headlines in September, after it was used in a 665 Gbps DDoS attack against Brian Krebs’ blog, along with at least one other botnet. Mirai’s source code was released online in early October, which resulted in the botnet being increasingly used in DDoS attacks, including a massive atttack against Dyn’s DNS infrastructure.

Mirai has already infected devices in 164 countries, which doesn’t come as a surprise, since hundreds of thousands of IoT products were found vulnerable to it, mainly because they use default, easy-to-guess login credentials

With Mirai’s source code available online, anybody can download it and launch attacks, and it seems that this is exactly what is happening right now, although few of the many new Mirai botnets are indeed noteworthy. One of them, security researcher Kevin Beaumont says, is a botnet dubbed #14, which is attacking significantly bigger targets than just Minecraft servers and websites.

One of the large targets this botnet is going after is the infrastructure in the nation of Liberia. The West African country has a single Internet cable, installed in 2011, co-owned by two companies, and serving around 6% of the population.

Because of this setup, there is a single point of failure for Internet access, and the DDoS attacks from the botnet managed to disrupt not only the availability of websites hosted in the country, but also Internet access for users there.

“The attacks are extremely worrying because they suggest a Mirai operator who has enough capacity to seriously impact systems in a nation state,” Beaumont notes.

The security researcher calls the botnet “Shadows Kill”, because it is capable of sending messages, as revealed by the Mirai Attacks Twitter account, which delivers real-time reports on monitored attacks. Beaumont also says that the botnet’s operators appear to be merely testing DDoS techniques, while continuing to target Liberia.

In an emailed commentary, Thomas Pore, Director of IT and Services for Plixer, told SecurityWeek that, if the botnet is merely testing its capacity by taking down the Internet in Liberia, then attacks against larger countries such as the United States might emerge before the end of the year.

“Weapon testing is defined as experimentation of conceptualization for validity. Historically, weapon testing has been used as a scare tactic to prevent war, but also to correct any design flaws. The recent report of “Botnet #14”, a Mirai botnet, potentially sharping its weapon by issuing large scale volumetric attacks for short durations against Liberia could indicate that it is weapon testing and made an attempt to go unnoticed, because “why Liberia, for only 1 second?”.

It was reported that Liberia was seeing short attacks up to 500 Gbps, and it’s hypothesized that it is the same operator that took Dyn down recently. An attack of that size could definitely take a small country down and perhaps Liberia is just the testing ground for something larger. If Botnet #14 is “weapons testing” with Liberia, it’s possible that the USA will see a massive sustained outage of over 4 hours before the end of the year,” Pore said.

Jeremiah Grossman, Chief of Security Strategy, SentinelOne, also told SecurityWeek that the attacks on Liberia appear to be part of a testing process.

“The DDoS attack on Liberia seems to match earlier predictions about Mirai’s (or its owners’) intentions. Start small, experiment, and continue testing capabilities on increasingly large and more interesting targets: First a blog, then a hosting provider, then a DNS provider, and now a small country.  As for future likely targets, I can imagine other smaller and more notable countries – North Korea, for example – getting their Internet connections ‘stress’ tested. Perhaps even a resurgence of extortion-based DDoS attacks on smaller retailers and other online businesses,” Grossman said.

He also noted that Mirai continues to get stronger, because the vast majority of the IoT-devices owners that make up the botnet have no idea that they are infected and that they should apply patches. Some might not even care, while a manufacturer recall would not have a real impact on the situation, Grossman points out.

“As far as what to do about Mirai, if anyone would ‘strike back’ at the botnet and had the capability to do so, in order to disable it in self-defense, a small country like Liberia that’s under attack would not be at all surprising. And should Liberia, or anyone else do so outside of law enforcement, it would be large precedence,” he concluded.

As Cigital’s Jim Ivers points in a recent SecurityWeek column, the issue of having large numbers of poorly secured devices with computing power connected to the Internet has been theorized before. A rough translation of “Mirai” from Japanese would be “future,” and the botnet has shown what that future could be.

“If Mirai means “future,” then its arrival certainly leads us to ask what the future holds. I foresee lots of experimentation with evolving attacks using IoT devices as new devices are infiltrated. I predict lots of knee-jerk reactions in the form of poorly conceived legislation as the government tries to run in front of the avalanche. I see a call toward sanity, building some basic security hygiene into devices and the testing of associated software,” Ivers says.

Just last week, a newly discovered attack vector against the Lightweight Directory Access Protocol (LDAP) protocol was disclosed, which could result in terabit-scale DDoS attacks

view counter