Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

IoT Security

Mirai-Based Botnet Launches Massive DDoS Attack on Streaming Service

A Mirai-based botnet has recently launched a massive, 13-day long distributed denial of service (DDoS) attack on a single online service, Imperva reveals. 

A Mirai-based botnet has recently launched a massive, 13-day long distributed denial of service (DDoS) attack on a single online service, Imperva reveals. 

The botnet, which was observed coordinating 402,000 different IPs, most of which are apparently located in Brazil, was leveraging Internet of Things (IoT) devices with opened ports 2000 and 7547, ports that have been historically associated with devices infected by the Mirai malware.

The attack, Imperva says, peaked 292,000 RPS (Requests-Per-Second), being the largest Layer 7 (application layer) assault the Internet security company has seen to date. 

To mask their attack, the actor used a legitimate User-Agent that resembled the one used by the service’s own application (an organization in the entertainment industry). 

“For a time, the attack targeted the authentication component of the streaming application. We are not sure if the intent of the attackers was to perform a brute force attack or DDoS attack, but without an accurate mitigation mechanism, the result was the same — denial of service,” Imperva notes

While specific protections could prevent account takeover attacks, a botnet of such scale can perform a “slow and low” assault, where “each IP tries a few logins, goes inactive, and then tries a few more.” With a low access rate, the botnet mimics legitimate login attempts are remains under rate limit policies.

The botnet launching this attack is based on Mirai, the IoT malware that first emerged in 2016. The threat had its source code leaked online in October 2016, and a large number of variants have spawned from it ever since, including Echobot, Wicked, Satori, Okiru, Masuta, and others.

More recently, security researchers have observed Mirai variants that target devices specifically intended for businesses, suggesting a shift of focus on enterprise environments. 

The malware first compromises improperly protected or vulnerable IoT devices, and then uploads malicious code to ensure they can receive commands from the command and control (C&C) server. 

“Mirai source code contains only DDoS functionality, but nothing prevents the attacker from including other malicious software to take advantage of compromised devices and perform additional attacks, such as brute force,” Imperva points out. 

Related: Mirai Offspring “Echobot” Uses 26 Different Exploits

Related: New Mirai Variant Targets More Processor Architectures

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Cybersecurity Funding

Internet of Things (IoT) and Industrial IoT security provider Shield-IoT this week announced that it has closed a $7.4 million Series A funding round,...

IoT Security

Vulnerabilities in electric vehicle charging management systems can be exploited for DoS attacks and to steal energy or sensitive information.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

Today’s growing attack surface is dominated by non-traditional endpoints.

IoT Security

Taiwan-based networking and storage solutions provider Synology has informed customers about the availability of patches for several critical vulnerabilities, including flaws likely exploited recently...

IoT Security

Chinese video surveillance company Hikvision has patched a critical vulnerability in some of its wireless bridge products. The flaw can lead to remote CCTV...

IoT Security

Censys finds 30,000 internet-exposed QNAP appliances that are likely affected by a recently disclosed critical code injection vulnerability.