No-one responsible for computer security should forget what happened in October 2016. The Mirai botnet launched an attack on the internet, the scale of which had never been seen before. By unleashing a massive distributed denial-of-service (DDoS) attack on DNS service company Dyn, Mirai managed to knock out significant chunks of the internet - making it impossible for most users to reach popular sites such as Amazon, Reddit, Netflix, Twitter, Soundcloud, Spotify, Etsy and Github.

All too often we hear about how online criminals are able to hide their tracks online, and escape prosecution. Well, for once we have some good news.

US authorities have unsealed details of a guilty plea by 21-year-old Paras Jha from Fanwood, New Jersey, who has admitted creating the Mirai botnet by commandeering hundreds of thousands of vulnerable IoT devices, without the knowledge or permission of their owners, in order to:
- launch powerful DDoS attacks
- rent the botnet to third-parties in exchange for payment
- use the botnet to extort protection money from companies not wishing to be targeted by an attack.
Jha and his co-conspirators used both known and previously undisclosed vulnerabilities to gain admin rights to victims' IoT devices, and ended up with an army of close to 500,000 compromised CCTV cameras, DVRs, and routers at their beck and call.

As BBC News reports, Jha has yet to be sentenced, but faces up to 10 years in jail. Two of Jha's co-conspirators have also pleaded guilty - Josiah White, from Washington, Pennsylvania, and Dalton Norman from Metairie, Louisiana. Both could receive sentences of up to five years in prison.

Security blogger Brian Krebs explains that Jha and White co-founded a company called Protraf Solutions LLC, which initially provided anti-DDoS services to Minecraft servers. In order to drum up business, Jha and White started targeting websites with DDoS attacks "and then either extort them for money to call off the attacks, or try to sell those companies services they claimed could uniquely help fend off the attacks."

Meanwhile, Norman used Mirai's network of compromised devices to perpetrate click fraud, sending large amounts of internet traffic to websites in order to generate fraudulent affiliate advertising revenue.

More details of the fascinating case can be found in Krebs's article, which includes links to plea agreements made by the three men.

It's worth bearing in mind that just because three men have pleaded guilty, Mirai's legacy is far from over. Mirai's source code was released onto the internet in October 2016, putting the ability in anybody's hands to create their own copy-cat version of the botnet or use it as a blueprint for their own creations. Sadly, as a result, we have seen more and more Mirai-related botnet activity - including variants that have attempted to mine Bitcoins, or exploited zero-day vulnerabilities to hijack hundreds of thousands of IP cameras. Internet-enabled devices are being exploited with increasing regularity, and the consequences are serious.
It's no wonder that last year the Department of Homeland Security issued a warning, advising users and system administrators of some of the steps they should take to harden their IoT security:
- Ensure all default passwords are changed to strong passwords. Default usernames and passwords for most devices can easily be found on the Internet, making devices with default passwords extremely vulnerable.
- Update IoT devices with security patches as soon as patches become available.
- Disable Universal Plug and Play (UPnP) on routers unless absolutely necessary.
- Purchase IoT devices from companies with a reputation for providing secure devices.
- Consumers should be aware of the capabilities of the devices and appliances installed in their homes and businesses. If a device comes with a default password or an open Wi-Fi connection, consumers should change the password and only allow it to operate on a home network with a secured Wi-Fi router.
- Understand the capabilities of any medical devices intended for at-home use. If the device transmits data or can be operated remotely, it has the potential to be infected.
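The checklist above, turned into a small inventory audit as an added example (not code from the article or from DHS): each device record is checked for default or weak credentials, an unapplied security patch, UPnP, and an open Wi-Fi connection. The device fields, the default-credential set and the 30-day patch-lag threshold are assumptions constructed for the illustration.

```python
"""Audit a constructed IoT device inventory against the hardening checklist."""
from datetime import date

# Constructed placeholders standing in for factory-default credentials; real
# defaults vary by vendor and model and should be taken from the device docs.
KNOWN_DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}


def password_is_strong(pw: str, min_length: int = 12) -> bool:
    """Minimum length plus at least three of the four character classes."""
    classes = sum([any(c.islower() for c in pw), any(c.isupper() for c in pw),
                   any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)])
    return len(pw) >= min_length and classes >= 3


def audit_device(dev: dict, today: date, max_patch_lag_days: int = 30) -> list:
    """Return a list of findings; an empty list means the device passes every check."""
    findings = []
    if (dev["username"], dev["password"]) in KNOWN_DEFAULT_CREDENTIALS:
        findings.append("default credentials in use")
    elif not password_is_strong(dev["password"]):
        findings.append("weak password")
    if dev["installed_firmware"] != dev["latest_firmware"]:
        lag = (today - dev["latest_firmware_released"]).days
        if lag > max_patch_lag_days:
            findings.append(f"security patch available for {lag} days but not applied")
    if dev.get("upnp_enabled"):
        findings.append("UPnP enabled")
    if dev.get("open_wifi"):
        findings.append("open Wi-Fi connection")
    return findings


def audit_inventory(devices: list, today: date) -> dict:
    """Map each device name to its findings."""
    return {d["name"]: audit_device(d, today) for d in devices}


# Constructed sample inventory and audit date (assumptions, not real devices).
SAMPLE_DATE = date(2017, 12, 14)
INVENTORY = [
    {"name": "lobby-camera", "username": "admin", "password": "admin",
     "installed_firmware": "1.0", "latest_firmware": "1.2",
     "latest_firmware_released": date(2017, 9, 1), "upnp_enabled": True},
    {"name": "home-router", "username": "netadmin", "password": "Tq9#vLm2!xR4pZ",
     "installed_firmware": "3.4", "latest_firmware": "3.4",
     "latest_firmware_released": date(2017, 11, 20), "upnp_enabled": False},
]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY, SAMPLE_DATE).items():
        print(name, "->", findings or ["ok"])
```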
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.