Mirai Botnet Takes Down Internet in Liberia

Mirai, the Internet of Things (IoT) botnet that has recently fueled multiple large distributed denial of service (DDoS) attacks, is now targeting the Liberian infrastructure, taking down the Internet for the entire country, researchers warn.

The Mirai botnet made it to the headlines in September, after it was used in a 665 Gbps DDoS attack against Brian Krebs’ blog, along with at least one other botnet. Mirai’s source code was released online in early October, which resulted in the botnet being increasingly used in DDoS attacks, including a massive attack against Dyn’s DNS infrastructure.

Mirai has already infected devices in 164 countries, which doesn’t come as a surprise, since hundreds of thousands of IoT products were found vulnerable to it, mainly because they use default, easy-to-guess login credentials.

With Mirai’s source code available online, anybody can download it and launch attacks, and it seems that this is exactly what is happening right now, although only a few of the many new Mirai botnets are actually noteworthy. One of them, security researcher Kevin Beaumont says, is a botnet dubbed #14, which is attacking significantly bigger targets than just Minecraft servers and websites.

One of the large targets this botnet is going after is the infrastructure in the nation of Liberia. The West African country has a single Internet cable, installed in 2011, co-owned by two companies, and serving around 6% of the population.

Because of this setup, there is a single point of failure for Internet access, and the DDoS attacks from the botnet managed to disrupt not only the availability of websites hosted in the country, but also Internet access for users there.

“The attacks are extremely worrying because they suggest a Mirai operator who has enough capacity to seriously impact systems in a nation state,” Beaumont notes.

The security researcher calls the botnet “Shadows Kill”, because it is capable of sending messages, as revealed by the Mirai Attacks Twitter account, which delivers real-time reports on monitored attacks. Beaumont also says that the botnet’s operators appear to be merely testing DDoS techniques, while continuing to target Liberia.


In an emailed commentary, Thomas Pore, Director of IT and Services for Plixer, told SecurityWeek that, if the botnet is merely testing its capacity by taking down the Internet in Liberia, then attacks against larger countries such as the United States might emerge before the end of the year.

“Weapon testing is defined as experimentation of conceptualization for validity. Historically, weapon testing has been used as a scare tactic to prevent war, but also to correct any design flaws. The recent report of “Botnet #14”, a Mirai botnet, potentially sharpening its weapon by issuing large scale volumetric attacks for short durations against Liberia could indicate that it is weapon testing and made an attempt to go unnoticed, because “why Liberia, for only 1 second?”.

It was reported that Liberia was seeing short attacks up to 500 Gbps, and it’s hypothesized that it is the same operator that took Dyn down recently. An attack of that size could definitely take a small country down and perhaps Liberia is just the testing ground for something larger. If Botnet #14 is “weapons testing” with Liberia, it’s possible that the USA will see a massive sustained outage of over 4 hours before the end of the year,” Pore said.

Jeremiah Grossman, Chief of Security Strategy, SentinelOne, also told SecurityWeek that the attacks on Liberia appear to be part of a testing process.

“The DDoS attack on Liberia seems to match earlier predictions about Mirai’s (or its owners’) intentions. Start small, experiment, and continue testing capabilities on increasingly large and more interesting targets: First a blog, then a hosting provider, then a DNS provider, and now a small country. As for future likely targets, I can imagine other smaller and more notable countries – North Korea, for example – getting their Internet connections ‘stress’ tested. Perhaps even a resurgence of extortion-based DDoS attacks on smaller retailers and other online businesses,” Grossman said.

He also noted that Mirai continues to get stronger, because the vast majority of the owners of the IoT devices that make up the botnet have no idea that they are infected and that they should apply patches. Some might not even care, while a manufacturer recall would not have a real impact on the situation, Grossman points out.

“As far as what to do about Mirai, if anyone would ‘strike back’ at the botnet and had the capability to do so, in order to disable it in self-defense, a small country like Liberia that’s under attack would not be at all surprising. And should Liberia, or anyone else do so outside of law enforcement, it would be large precedence,” he concluded.

As Cigital’s Jim Ivers points out in a recent SecurityWeek column, the issue of having large numbers of poorly secured devices with computing power connected to the Internet has been theorized before. A rough translation of “Mirai” from Japanese would be “future,” and the botnet has shown what that future could be.

“If Mirai means “future,” then its arrival certainly leads us to ask what the future holds. I foresee lots of experimentation with evolving attacks using IoT devices as new devices are infiltrated. I predict lots of knee-jerk reactions in the form of poorly conceived legislation as the government tries to run in front of the avalanche. I see a call toward sanity, building some basic security hygiene into devices and the testing of associated software,” Ivers says.

Just last week, a newly discovered attack vector against the Lightweight Directory Access Protocol (LDAP) was disclosed, which could result in terabit-scale DDoS attacks.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.