
New Mirai Variant Unleashes 54-Hour DDoS Attack

New Variant of Infamous IoT Botnet Launches Attack Against Network of U.S. College

A newly discovered variant of the Mirai botnet was responsible for powering a 54-hour distributed denial of service (DDoS) attack, Imperva researchers reveal.

Mirai was one of the most discussed Internet of Things (IoT) botnets during the second half of 2016, after it was used in two large attacks, one against Brian Krebs’ blog and one against DNS provider Dyn. In October 2016 the Trojan’s source code leaked online, and new variants emerged soon after.

One such version emerged in December, when TalkTalk Telecom home routers were being infected through a vulnerability in the routers’ remote management protocol, reached over the TR-069 port (7547) that is also noted below. Earlier this year, researchers observed a Windows variant of Mirai, but concluded that it was mainly designed to spread the Linux Trojan to more IoT devices.

The new version, Imperva says, is one of the variants that spawned after the source code leaked. The key difference is the attack layer: earlier Mirai builds were used for network-layer floods (SYN, UDP, GRE and similar packet floods, measured in bits or packets per second and aimed at exhausting bandwidth or connection state), whereas this variant focuses on application-layer attacks that flood the target’s web server with HTTP requests, which is why the attack below is measured in requests per second.

On Feb. 28, the new Mirai variant was used to launch a DDoS attack against a US college, and researchers say the assault continued for 54 hours straight. Traffic averaged more than 30,000 requests per second (RPS) and peaked at around 37,000 RPS, the highest Imperva had seen from any Mirai botnet; in total the attack generated over 2.8 billion requests.

“Based on a number of signature factors, including header order, header values and traffic sources, our client classification system immediately identified that the attack emerged from a Mirai-powered botnet,” Imperva’s Dima Bekerman explains.

The device types used in this attack were ones already known to be abused by Mirai: CCTV cameras, DVRs and routers. These devices were likely compromised through exposed telnet services (port 23), which Mirai scans and logs into using a hardcoded list of default credentials, and through the TR-069 remote management port (7547) targeted by later variants.


According to Bekerman, the DDoS bots used in the attack hid behind user-agent strings different from the five hardcoded in the leaked Mirai source. This suggests the new variant was modified to launch more elaborate application-layer attacks, which are harder to filter on a single user-agent signature.

Imperva spotted 30 user-agent variants during the attack. The attack traffic originated from 9,793 IP addresses worldwide, with over 70% of them located in ten countries: United States (18.4%), Israel (11.3%), Taiwan (10.8%), India (8.7%), Turkey (6%), Russia (3.8%), Italy (3.2%), Mexico (3.2%), Colombia (3.0%), and Bulgaria (2.2%).
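The classification signals Bekerman names above (header order, header values such as the User-Agent, and the spread of traffic sources) are enough to build a rough detector for this kind of application-layer flood. The Python below is an added example written for this article; it is not Imperva’s classifier and not code from the Mirai source. The log lines, their field layout, the thresholds and the fingerprinting scheme are constructed assumptions. It groups requests by the order of their header names, then flags any group that sustains a high request rate from many sources while rotating through many User-Agent strings, which is the pattern a single bot code base hiding behind 30 user-agents would produce.

```python
"""Classify HTTP flood traffic by header order, User-Agent diversity and
source spread, the three signals the article says Imperva used.

Added example, not Imperva's classifier or Mirai code.  The log lines, the
field layout, the thresholds and the fingerprint scheme are all constructed
assumptions for illustration.
"""
import hashlib
from collections import Counter, defaultdict

# Constructed sample log.  One request per line:
#   epoch_seconds | src_ip | METHOD path | headers in wire order, "Name: value" joined by "^"
# The first twelve lines mimic a bot flood: identical header order, rotating
# User-Agents, six sources, about 6 requests/s.  The last three are browser-like.
SAMPLE_LOG = """\
1488300000 | 203.0.113.5 | GET / | Host: www.example.edu^User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) Chrome/52.0^Accept: */*^Connection: keep-alive
1488300000 | 203.0.113.9 | GET / | Host: www.example.edu^User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) Chrome/52.0^Accept: */*^Connection: keep-alive
1488300000 | 198.51.100.12 | GET / | Host: www.example.edu^User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/47.0^Accept: */*^Connection: keep-alive
1488300000 | 198.51.100.77 | GET / | Host: www.example.edu^User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 10_0) Safari/602.1^Accept: */*^Connection: keep-alive
1488300000 | 192.0.2.33 | GET / | Host: www.example.edu^User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) Chrome/52.0^Accept: */*^Connection: keep-alive
1488300000 | 192.0.2.140 | GET / | Host: www.example.edu^User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) Chrome/52.0^Accept: */*^Connection: keep-alive
1488300001 | 203.0.113.5 | GET / | Host: www.example.edu^User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/47.0^Accept: */*^Connection: keep-alive
1488300001 | 203.0.113.9 | GET / | Host: www.example.edu^User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 10_0) Safari/602.1^Accept: */*^Connection: keep-alive
1488300001 | 198.51.100.12 | GET / | Host: www.example.edu^User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) Chrome/52.0^Accept: */*^Connection: keep-alive
1488300001 | 198.51.100.77 | GET / | Host: www.example.edu^User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) Chrome/52.0^Accept: */*^Connection: keep-alive
1488300001 | 192.0.2.33 | GET / | Host: www.example.edu^User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/47.0^Accept: */*^Connection: keep-alive
1488300001 | 192.0.2.140 | GET / | Host: www.example.edu^User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 10_0) Safari/602.1^Accept: */*^Connection: keep-alive
1488300000 | 198.51.100.200 | GET /index.html | Host: www.example.edu^Connection: keep-alive^Accept-Language: en-US^Accept: text/html^User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/56.0
1488300004 | 198.51.100.200 | GET /style.css | Host: www.example.edu^Connection: keep-alive^Accept-Language: en-US^Accept: text/css^User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/56.0
1488300010 | 192.0.2.8 | GET /index.html | Host: www.example.edu^Connection: keep-alive^Accept-Language: de^Accept: text/html^User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) Safari/602.4
"""


def parse_line(line):
    """Split one constructed log line into its fields; headers keep wire order."""
    ts, src, request, raw_headers = [p.strip() for p in line.split(" | ", 3)]
    headers = []
    for item in raw_headers.split("^"):
        name, _, value = item.partition(":")
        headers.append((name.strip(), value.strip()))
    return {"ts": int(ts), "src": src, "request": request, "headers": headers}


def header_order_fingerprint(headers):
    """Hash the sequence of header names, not their values.  Bots built from
    one code base emit the same order whatever User-Agent they claim."""
    names = ",".join(name.lower() for name, _ in headers)
    return hashlib.sha1(names.encode()).hexdigest()[:12]


def classify_requests(lines, rps_threshold=5.0, min_agents=3, min_sources=3):
    """Group requests by header-order fingerprint and flag groups that look
    like a coordinated application-layer flood: a sustained request rate from
    many sources presenting many different User-Agents behind one order.
    Thresholds are assumptions; real deployments tune them to the baseline."""
    groups = defaultdict(lambda: {"n": 0, "src": set(), "ua": Counter(),
                                  "first": None, "last": None, "order": ""})
    for line in lines:
        if not line.strip():
            continue
        req = parse_line(line)
        fp = header_order_fingerprint(req["headers"])
        g = groups[fp]
        g["n"] += 1
        g["src"].add(req["src"])
        ua = next((v for n, v in req["headers"] if n.lower() == "user-agent"), "")
        g["ua"][ua] += 1
        g["first"] = req["ts"] if g["first"] is None else min(g["first"], req["ts"])
        g["last"] = req["ts"] if g["last"] is None else max(g["last"], req["ts"])
        g["order"] = ",".join(n for n, _ in req["headers"])

    report = {}
    for fp, g in groups.items():
        span = g["last"] - g["first"] + 1          # whole seconds covered
        rps = g["n"] / span
        botnet_like = (rps >= rps_threshold
                       and len(g["ua"]) >= min_agents
                       and len(g["src"]) >= min_sources)
        report[fp] = {
            "header_order": g["order"],
            "requests": g["n"],
            "sources": len(g["src"]),
            "agents": len(g["ua"]),
            "rps": round(rps, 2),
            "botnet_like": botnet_like,
        }
    return report


if __name__ == "__main__":
    for fp, row in classify_requests(SAMPLE_LOG.splitlines()).items():
        flag = "BOTNET-LIKE" if row["botnet_like"] else "ok"
        print(f"{fp}  {flag:12}  {row['requests']:>3} req  {row['sources']} src  "
              f"{row['agents']} UAs  {row['rps']} rps  [{row['header_order']}]")
```

Run directly, it prints one row per header-order group; on the constructed sample the twelve bot requests collapse into a single flagged group while the browser traffic does not. Header order alone is a weak signal once an attacker knows it is being used, so in practice it is combined with TCP/TLS-level fingerprints and per-source rate limits rather than used on its own.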

“Less than a day after the initial assault ended, another one began that lasted for an hour and a half with an average traffic flow of 15,000 RPS. Based on our experience, we expect to see several more bursts before the offender(s) finally give up on their efforts,” Bekerman says.

Related: Mirai for Windows Built by Experienced Bot Herder: Kaspersky

Related: Mirai Switches to Tor Domains to Improve Resilience

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
