I DDoS-ed the sheriff, but I did not DDoS the deputy
It’s the Wild, Wild West out there when it comes to Distributed Denial of Service attacks(DDoS), and the IoT is not going to peace to the prairies.
Brian Krebs, one of the leading cybercrime reporters, just published an epic takedown of the person behind the Mirai malware. Yes, that Mirai used to launch record-breaking DDoS attacks by creating botnet armies out of insecure IoT devices – not the anime series.
Brian’s uncovering of the bad guys behind Mirai shows quite a few parallels between the Wild West of the distant past and the bad guys’ current efforts to make a buck in the online world. In the Wild West, there was a very thin line between the good and the bad guys. The difference was often just in the timing and the payment terms. The same is true in the DDoS world.
Follow the money and the Minecraft
Brian’s investigation shows the primary suspect behind Mirai was a Paras Jha. Far from being a sophisticated member of an international crime syndicate, he seems to be a technically astute, morally deficient college student who got caught with his hand in an online cookie jar. Jha got his initial online experience and money protecting private servers hosting Minecraft gamers from DDoS attacks. In this process of protecting clients, he also became proficient in launching DDoS attacks against other Minecraft servers, trying to shut them down and add their customers to his own network. This worked as a highly aggressive form of business development – then he and others branched out even more into the booming crime sector of launching DDoS attacks against other business targets.
DDoS-ing the Life of Brian
Launching a DDoS attack may not seem like a big deal – but it is. A successful attack means that the victims incur huge costs as their businesses are knocked offline. They also have substantial costs to defend themselves and beat back the attacks – or they can just make an extortion payment to the hackers. While DDoS attacks have been a steady feature of the corporate world, it still took hackers considerable resources and large bot networks of enslaved computers to pull off a successful assault.
But largely off the radar screen of researchers, a few dedicated hackers had succeeded in finding and enlisting poorly secured IoT devices into their botnet armies. This relative anonymity ended last summer’s series of IoT-powered attacks against Krebsonsecurity.com and the French hosting company OVH. As the Krebs site is a prime source of cybersecurity news, the attack guaranteed huge publicity for the hackers – and was sure to fuel an exhaustive investigation from Brian.
Democratization of badness
Beyond the direct cost, the attack signaled there was a huge army of insecure IoT devices just waiting to be drafted into a zombie army. In addition, many of these devices were bad to the bone, inherently insecure with no upgrade potential. The situation took an odd turn when the base code for Mirai was released by “Anna-Senpai”. This lowered the bar in terms of the cost and technical prowess needed to build and harness an evil botnet and led to a subsequent flurry of copy-cat attacks, perhaps helping the Mirai originators hide their tracks. Secondly, it has drawn attention to the inherent insecurity of many IoT devices that are on the market and installed around the globe. There are now “name-and-shame lists” by security researchers of these IoT devices.
Riding into sunrise
The article on Krebsonsecurity is just the start of the IoT Mirai story – and the potential legal issues for the originators. I recommend reading both the article itself and the glossary of names and terms. As a non-techie geek myself, the story comes down to a single sobering equation:
Script kiddies + insecure IoT devices = problems galore
Think about this before you plug in your new toy.