Cyber-criminals have used Mirai as a framework on which to build improved IoT malware with new capabilities in the years since it first emerged, according to a new report from Netscout Arbor.
The DDoS mitigation expert claimed that Mirai was nothing short of revolutionary when it first appeared in 2016, helping to launch some of the biggest attacks ever recorded.
These include one against DNS provider Dyn, which took some of the biggest names on the internet offline by harnessing botnets of compromised consumer-grade IoT devices such as DVRs and CCTV cameras.
Realizing the Mirai authors were onto a good thing, others have followed, with the emergence of several new variants including Satori, JenX, OMG and Wicked.
While Mirai originally worked by scanning for devices secured only by factory-default log-ins, Satori makes the code even more effective by adding remote code injection exploits.
JenX removed various features from the Mirai code and instead relies on external tools for scanning and exploitation.
OMG goes further still by adding HTTP and SOCKS proxy capabilities.
“With these two features, the bot author can proxy any traffic of its choosing through the infected IoT device,” said Netscout. “Including additional scans for new vulnerabilities, launching additional attacks, or pivoting from the infected IoT device to other networks which are connected to the device.”
Finally, the most recent discovery, dubbed Wicked, replaces the credential scanning of Mirai with RCE vulnerability scanning, specifically in Netgear routers and CCTV-DVR devices.
“Within the RCE exploit, Wicked would include instructions to download and execute a copy of the Owari bot,” the security firm continued. “Often, the scanning and exploitation of devices can be automated, resulting in any susceptible devices becoming part of the botnet.”
The continued popularity of Mirai-like malware makes prompt patching by users and IT admins, together with DDoS mitigation strategies, essential, said Netscout.
A US senator has made public what he says is new evidence that foreign hackers and spies are targeting US citizens via their mobile devices.
Ron Wyden demanded action from the FCC and phone companies after a letter sent to him from the Department of Homeland Security (DHS) revealed the use of controversial 'stingray' technology near the White House, and attempts to exploit SS7 vulnerabilities.
Also known as IMSI-catchers, stingray devices typically mimic mobile phone base stations (cell towers), allowing their operators to locate specific devices and intercept communications from them.
It’s a controversial surveillance tool which police and FBI agents have run into trouble using in the past, because it cannot be targeted narrowly enough to focus on specific devices and ends up capturing data from innocent users.
Yet now the DHS has revealed that “anomalous activity” consistent with an IMSI-catcher was observed within the National Capital Region (NCR), including in locations near sensitive facilities like the White House.
“The news of a possible foreign stingray near the White House is of particular concern given reports that the President isn’t even using a secure phone to protect his calls,” said Wyden in a statement. “The cavalier attitude toward our national security appears to be coming from the top down. It is high time for the FCC and this administration to act immediately to protect American national security.”
According to the DHS, law enforcement and counter-intelligence operatives investigated this activity and determined that “some signals” emanated from real cell towers, but that this did not explain all of the activity observed.
The DHS also claimed to have received reports from third parties of unauthorized use of IMSI-catcher technology, as well as exploitation of SS7 vulnerabilities to “target the communications of American citizens.”
SS7, the 40-year-old network signalling protocol, has been known to contain serious vulnerabilities for years.
“I’ve spent the past year fighting to reveal what a terrible job the telephone companies and FCC are doing at protecting Americans from being spied on, tracked, or scammed,” said Wyden. “This letter is yet more evidence that these threats are absolutely real and they are already attacking Americans.”
UK bank TSB’s problems just got even worse after it emerged that letters sent to some customers following a major IT incident contained sensitive information on other users.
The high street lender has apologized for the privacy leak, which could fall foul of the GDPR.
Some letters sent out to explain the recent IT snafu reportedly contained a second page with a reference number, name and address of a different customer.
“If I was in any way shady, I could contact them and say that I was from TSB and perhaps trick them into discussing things,” one TSB customer told the BBC. “I have no confidence in TSB at all of controlling their usage of my data and keeping it safe and secure.”
In fact, there has been a huge rise in phishing attempts targeting customers of the lender over recent weeks, as fraudsters look to trick users into clicking on links in texts and emails.
A TSB spokesperson acknowledged the privacy error.
“We are working with our third-party supplier to understand the root cause of the error and we'd like to apologize to anyone that may be impacted,” they added.
The original IT problems affected millions of customers, with some reporting that they were able to access the bank accounts of other online users.
The problems arose from a planned migration of the bank’s underlying IT systems from an old Lloyds Bank platform to a new, state-of-the-art in-house IT set-up.
TSB isn’t the only financial institution to have suffered a major IT incident recently. Over the weekend, Visa customers across Europe were hit by a “hardware failure” at the card giant which led to widespread problems using cards.
Around five hours after the initial reports the firm said systems were almost back to normal.