How 1.5 Million Connected Cameras Were Hijacked to Make an Unprecedented Botnet
As many predicted, hackers are starting to use your Internet of Things to launch cyberattacks.
Image: EFF Photos/Flickr
Last week, hackers forced a well-known security journalist to take down his site after hitting him for more than two days with an unprecedented flood of traffic.
That cyberattack was powered by something the internet had never seen before: an army made of more than one million hacked Internet of Things devices.
The hackers, whose identity is still unknown at this point, used not one, but two networks—commonly referred to as "botnets" in hacking lingo—made of around 980,000 and 500,000 hacked devices, mostly internet-connected cameras, according to Level 3 Communications, one of the world's largest internet backbone providers. The attackers used all those cameras and other unsecured online devices to connect to the journalists' website, pummeling the site with requests in an attempt to make it collapse.
These botnets were allegedly behind the staggering and crippling distributed denial of service attack (DDoS) to KrebsOnSecurity.com, the website of the independent journalist Brian Krebs, who has a long history of exposing DDoS-wielding cybercriminals. The digital assault surpassed 660 Gbps of traffic, making it one of the largest recorded in history in terms of volume.
Level 3 has been tracking one of the botnets used against Krebs for about a month, and last week the company saw that hackers used that botnet, along with another smaller one, against Krebs.
"They're still using it against Krebs," Dale Drew, chief security officer at Level 3 Communications, told Motherboard on Wednesday. "As of this morning."
Security researchers and internet defenders are still looking into the attacks and trying to track who's behind them, but people who've been working to protect websites against large denial of service (DDoS) attacks such as this one all agree this was was unprecedented both because of its shocking size and because of the use of what could be called a Botnet of Things.
"This was the biggest attack we've ever seen," Martin McKeay, the senior security advocate for Akamai, the company that was providing protection to Krebs when the attack started last week, told me.
At this point, however, it's unclear if the attackers used the full power of the two botnets or just a portion of it. Drew said that the hackers used around 1.2 million nodes of the total 1.5 million-strong botnets against Krebs. But McKeay, who declined to go into the details of the attacks citing company policies toward customers, said that "nothing" Akamai saw suggests those numbers are "possible." (Akamai, which was providing Krebs with pro-bono protection, decided to let him go when it became too costly to hold off the barrage of traffic.)
"This was the biggest attack we've ever seen."
The attack against Krebs, along with other similar attacks launched across the internet in the last few weeks, might signal the beginning of a new era where criminals use easily hackable Internet of Things devices to censor websites or launch malware attacks—a nightmare scenario that some saw as inevitable.
"We're starting to see the first consequences of these poorly secured devices and the damage they can do when they are compromised," said Matthew Prince, the founder of Cloudflare, a company that offers DDoS protection. "I don't know that many other organizations have seen the full capabilities of this botnet pointed at them. But of course it's inevitable. Whenever the attack on Krebs is over, anyone else on the internet is vulnerable to having this type of attack pointed at them."
The DDoS attack on Krebs was unusual not just because of the sheer size and volume, but because most of the traffic used in was direct. In last few years, hackers have launched large DDoS attacks by tricking faulty servers into boosting their malicious traffic. In these attacks, the servers generate multiple response packet for each packet sent in. They are known as amplification or reflection attacks and essentially give hackers more firepower than they actually have.
In this case, however, whoever is behind the attack really had all that firepower.
"The attackers were not just sending garbage traffic that was easy to tell it didn't belong there," Prince said, "but they were sending relatively legitimate requests."
HOW THE INTERNET OF THINGS ZOMBIE ARMY WAS FORMED
According to Level 3, the larger botnet used against Krebs is made mostly of internet-connected security cameras made by DAHUA Technology, a Chinese manufacturer, with a subsidiary in California, of cameras and DVRs. Level 3 had already revealed the existence of the 1 million-strong botnet in late August.
Drew explained that the hackers found a vulnerability, which affects most of DAHUA's cameras, that allows anyone to take full control of the devices' underlying Linux operating system just by typing a random username with too many characters.
The hackers then planted malware on the devices to turn them into bots and use them for both DDoS attacks as well as for extortion campaigns using ransomware., Drew said. The malware targets specifically Linux devices and is part of a family that previously went by the names Lizkebab, BASHLITE, Torlus and gafgyt, according to Level 3 and others who have been investigating the attacks.
"These cameras are going to be exposed for quite some time."
The hackers used the latest iteration of that malware family, now called Mirai, according to Marshal Webb, the chief technology officer of BackConnect, an anti-DDoS firm.
Mirai appears to be spreading fast. A security researcher put online six virtual machines designed to look like ADSL routers running Linux operating systems just like the ones targeted by Mirai—in other words, a set of honeypots.
It took only an average of 15 minutes for these to get hit with Mirai malware, the researcher, who asked to be referred to as "Jack B." to protect his real identity, told me in an online chat. (If you didn't just say "holy shit," you probably should have.)
DAHUA did not respond to a request for comment. But Drew said that the company has been notified of the vulnerability and is working on a fix. The problem, he said, is that there's no way for DAHUA to remotely fix the flaw, and customers' will have to download new firmware and update the cameras themselves.
"These cameras are going to be exposed for quite some time," Drew said.
The botnet is not just made of DAHUA devices though. Researchers I spoke to also listed other embedded devices such as home routers, and Linux servers.
The very nature of this kind of attack, whose bogus traffic comes from several sources, makes it hard to pinpoint and unmask who's really behind the keyboard.
In the last few weeks, whoever is behind the attack on Krebs appears to have used the same botnet or botnets in similar attacks against other targets, such as the official site of the Rio Olympics, which was hit with a DDoS clocking in at 540 Gbps, according to Arbor Networks.
That attack used a form of traffic designed to look like Generic Routing Encapsulation (GRE) data packets, an unusual choice of protocol for a DDoS attack. The hackers behind the Krebs attack, as the journalist himself reported, also used GRE traffic.
Also last week, French hosting provider OVH quietly reported of a series of large DDoS attacks, some recording as much as 900 Gbps and 1 Tbps.
OVH declined to comment, and at this point, it's unclear if the attacks on Krebs and OVH are connected.
Some circumstantial evidence seems to point in the direction of groups like Lizard Squad and PoodleCorp, who've made a name for themselves using DDoS attacks to disrupt mostly gaming platforms and websites in the past,
Mirai, the malware allegedly used to build the massive million-strong botnet, for one, is a successor of IoT-infecting malware used by Lizard Squad in the past. But anyone could be using the malware's new iterations.
But the hacker said he was only one of many attackers.
"I'm not the only one who doesn't like [Krebs] or his site," BannedOffline told me in an online chat. "No one likes him lol. At least in the hacker community."
A hacker who goes by the name Cripthepoodle, and who claimed to be once part of PoodleCorp, said the group was behind the attack.
"They love causing as much as chaos as they can," Cripthepoodle told me.
Last week, when Krebs disclosed that his site was temporarily shutting down, PoodleCorp seemed to poke fun at him in a now-deleted tweet send by its semi-official Twitter account. Of course, this is most likely a jab at Krebs, who regularly reports and exposes hacktivist groups.
Whoever is behind these attacks, in any case, is likely being hunted not just by researchers, but also law enforcement. (The FBI declined to comment on whether the bureau is investigating these attacks.)
The attack on Krebs' website was so powerful, according to Prince and Level 3, that it congested some internet routes, spilling over the effects of the DDoS to some parts of the internet. While this might not have been noticed by people watching Netflix or checking their email, it was certainly noticed by internet service providers and likely the authorities.
"When you launch an attack which is large enough that it starts to impact internet infrastructure, it's not long before you get caught," Prince said.
Even if the hackers behind the attacks get caught, these massive DDoS attacks wielding infected Internet of Things could just be the first in a long series, as other criminals will see them as an inspiration.
"I'm certain that there are other smart 15-year-old kids rounding up botnets of CCTV cameras that they can compromise and control," Prince said.
Or, as Akamai's McKeay put it, this is "a bad sign for the internet."
Correction: a previous version of this article stated that DAHUA is an American company. In fact, it is a Chinese company, with a subsidiary in the US.
Get six of our favorite Motherboard stories every day by signing up for our newsletter.