A variant of the Mirai IoT botnet was identified in distributed denial-of-service attacks on financial services firms earlier this year, according to new research.
Recorded Future Inc., a security company specializing in machine-based threat intelligence, identified an IoT botnet targeting a customer's network. Similar activity observed at two other financial services companies led researchers to suspect an evolution in the Mirai variant based on the IoT devices used in a coordinated DDoS attack. According to Recorded Future's research, the botnet used off-the-shelf vulnerabilities to infect a broader array of devices with malware.
The Mirai IoT botnet first appeared in 2016; it used a network of wireless routers, security cameras and digital video recorders to cripple the Krebs on Security, OVH and Dyn websites with DDoS attacks, with attack volumes approaching terabit levels. The source code was released in October of that year, creating fears of more damage from Mirai-variant attacks.
"We have seen a lot of variants of that specific piece of malware -- malware that infects IoT devices and pulls them into a botnet. What we haven't seen since then is those botnets used in DDoS attacks," said Priscilla Moriuchi, director of strategic threat development at Recorded Future.
"This attack in January, to our knowledge anyway, is the first time a large IoT botnet based on Mirai was used to target the financial sector," she added.
Recorded Future has been able to identify seven IP addresses used by the controllers for the IoT botnet, which has been "relatively rare for the botnet," according to Moriuchi. She also pointed to third-party metadata and open source intelligence that have helped the company track IP geolocations, service banners using Shodan -- a search engine for internet-connected devices -- and other metadata. The threat intelligence company declined to comment on the unnamed global financial institutions, but said it had not interacted with victims outside of its customer.
In October, Israeli cybersecurity company Check Point Software Technologies Ltd. sounded the alarm that a huge IoT botnet was being assembled worldwide using malware that the researchers called "IoTroop" (also named "Reaper" by NetLab 360). According to Check Point researchers, an estimated 1 million organizations had been scanned and may have been infected, outpacing the Mirai IoT botnet. The malware exploited vulnerabilities in wireless IP camera devices from a variety of manufacturers including Avtech, D-Link, GoAhead, Linksys, MikroTik, Netgear and Synology, among others. At the time, researchers indicated that infected devices likely spread the malicious code through multiple security vulnerabilities in similar devices, a faster method than that of the 2016 Mirai botnet, which primarily relied on hardcoded and default passwords.
"If these attacks were conducted by IoTroop, then our observations indicate the botnet has evolved since October 2017 to exploit vulnerabilities in additional IoT devices and is likely to continue to do so to propagate the botnet and facilitate larger DDoS attacks," stated the researchers in the report, "Mirai-Variant IoT Botnet Used to Target Financial Sector in January 2018," whose lead author is Moriuchi.
Financial institutions worldwide access cyberthreat notifications and other resources through the nonprofit Financial Services Information Sharing and Analysis Center (FS-ISAC).
"FS-ISAC members are well aware of the use of internet of things devices for DDoS botnets," said an FS-ISAC spokesperson, who called it "relatively old news."
"Mirai and its related botnets are known to have targeted the finance sector in the past, and FS-ISAC works to coordinate information-sharing between members for best practices on how to mitigate such events." Targeting also does not mean compromise, and financial institutions have layered defense strategies.
"Our bottom line is not that victims couldn't handle these attacks," Moriuchi said. "What we wanted to get out is that these botnets are evolving over time and, in this particular case, it appears that vulnerabilities are being added on a regular basis to the existing malware to create a more diverse, more capable botnet in the future."