
Mirai botnet attacks Liberia as new and improved IoT malware looms

Roundup: Mirai botnet attacks take down Liberia internet, as a new IoT botnet adapts old malware. Plus, the latest on Dirty COW and the WoSign certificate authority controversy.

The small African nation of Liberia was taken offline this week by what appears to be the same Mirai botnet behind last month's internet-of-things botnet attacks on the Dyn DNS service.

Liberia's internet has suffered massive disruptions this week, as powerful distributed denial-of-service (DDoS) attacks have slammed the country's service providers, who share a single internet cable that serves the entire country. Several security experts have pointed the finger at the Mirai botnet; according to Kevin Beaumont, a security architect based in Liverpool, U.K., the Mirai botnet designated as #14 could be controlled by the same threat actor who carried out the Dyn domain name system (DNS) DDoS attacks last month.

"Over the past week, we've seen continued short-duration attacks on infrastructure in the nation of Liberia," Beaumont wrote. "Transit providers confirm over 500 [Gbps] of traffic is output during attacks. Attacks last a short period. It is the largest of the Mirai botnets, and the domain controlling it predates the attacks on Dyn. The capacity makes it one of the biggest DDoS botnets ever seen. Given the volume of traffic, it appears to be owned by the actor which attacked Dyn."

Beaumont added that the implications of the Liberia attack, which he said appears to be another test, are concerning. "The attacks are extremely worrying because they suggest a Mirai operator who has enough capacity to seriously impact systems in a nation state," he said.

Linux/IRCTelnet: A new IoT botnet emerges

Meanwhile, a new internet-of-things (IoT) botnet is making the rounds, and it could turn out to be more worrisome than Mirai. Called Linux/IRCTelnet, the latest threat, described in a blog post by the pseudonymous security researcher known as Unixfreaxjp, can execute DDoS attacks using IRC, and it takes control of Linux-based IoT devices using brute-force attacks against the telnet protocol, much like Mirai does.

According to Unixfreaxjp, the composition of the new malware is interesting because it combines components and techniques from other botnet malware. For example, Unixfreaxjp found techniques used in Tsunami/Kaiten and the family of malware that is variously called GayFgt, Torlus, Lizkebab, Bashdoor or Bashlite, as well as examples of using the IoT credentials list hardcoded into Mirai botnet code.

"The botnet is having [a] DoS attack mechanism like UDP flood, TCP flood, along with other series of attack methods, in both IPv4 and IPv6 protocol, with [an] extra IP spoof option in IPv4 or IPv6, too," Unixfreaxjp wrote.
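Both Mirai and Linux/IRCTelnet get onto devices the same way: a credential list replayed against telnet. From the defender's side the signature of that is a burst of failed logins from one source cycling through several usernames, sometimes ending in a success. The following is an added example, not code from the article or from the researchers it quotes; it runs a sliding-window brute-force detector over constructed, hypothetical telnetd syslog lines (the log format, the `gw` hostname, the addresses and the 2016 year supplied to the parser are all assumptions made for this illustration).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed syslog-style telnetd lines (hypothetical format, not from any real device).
# One source cycles through a small credential list and finally gets in; a second source
# is an ordinary user mistyping once; the last line is an unrelated sshd message.
SAMPLE_LOGS = """\
Nov  3 10:15:01 gw telnetd[1201]: login failed for 'admin' from 203.0.113.5
Nov  3 10:15:03 gw telnetd[1201]: login failed for 'root' from 203.0.113.5
Nov  3 10:15:05 gw telnetd[1201]: login failed for 'support' from 203.0.113.5
Nov  3 10:15:07 gw telnetd[1201]: login failed for 'user' from 203.0.113.5
Nov  3 10:15:09 gw telnetd[1201]: login failed for 'admin' from 203.0.113.5
Nov  3 10:15:11 gw telnetd[1201]: login failed for 'root' from 203.0.113.5
Nov  3 10:15:13 gw telnetd[1201]: login succeeded for 'admin' from 203.0.113.5
Nov  3 10:20:40 gw telnetd[1305]: login failed for 'alice' from 198.51.100.7
Nov  3 10:20:55 gw telnetd[1305]: login succeeded for 'alice' from 198.51.100.7
Nov  3 10:31:00 gw sshd[1400]: Accepted password for bob from 192.0.2.9 port 5022
""".splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ telnetd\[\d+\]: "
    r"login (?P<result>failed|succeeded) for '(?P<user>[^']*)' from (?P<src>[\d.]+)$"
)


def parse_line(line, year=2016):
    """Parse one telnetd log line into a dict; return None for lines we do not understand."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year, so the caller supplies one (assumption for this example)
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_bruteforce(lines, window_seconds=60, threshold=5):
    """Flag sources with >= threshold failed logins inside any window_seconds window.

    Returns {source_ip: {"failures": n, "distinct_users": k, "success_after_failures": bool}}.
    distinct_users shows credential-list behaviour; success_after_failures is the worst case.
    """
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)      # per-source failure timestamps still inside the window
    total_failed = defaultdict(int)
    users_tried = defaultdict(set)
    alerts = {}
    for e in events:
        src = e["src"]
        if e["result"] == "succeeded":
            if src in alerts:        # a hit after a flagged burst: the list contained a valid credential
                alerts[src]["success_after_failures"] = True
            continue
        q = recent[src]
        q.append(e["ts"])
        total_failed[src] += 1
        users_tried[src].add(e["user"])
        while (e["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()              # drop failures that have aged out of the window
        if len(q) >= threshold:
            a = alerts.setdefault(src, {"failures": 0, "distinct_users": 0,
                                        "success_after_failures": False})
            a["failures"] = total_failed[src]
            a["distinct_users"] = len(users_tried[src])
    return alerts


if __name__ == "__main__":
    for src, info in detect_bruteforce(SAMPLE_LOGS).items():
        print(src, info)
```

On the sample, only 203.0.113.5 is flagged: six failures across four usernames in 12 seconds, followed by a successful login, which is the pattern to page on, because a device that just accepted a credential from its own default list is the one that needs to be pulled from the network and rebuilt, not merely blocked.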

LDAP amplification attack could inflate DNS DDoS

While the Dyn DNS DDoS attacks were observed to be as high as 1.2 Tbps, a new Lightweight Directory Access Protocol (LDAP) amplification attack vector could scale DNS DDoS attacks up to tens of terabits per second, according to Corero Network Security Inc. The Marlborough, Mass., DDoS prevention company reported what it called a significant new zero-day DDoS attack vector that could amplify DDoS attack volumes by as much as 55 times the raw volume initially generated by the attacker.

Corero observed the technique in use for the first time against its customers in late October. The amplification attack depends on LDAP, a widely used protocol for handling user authentication data, particularly as part of Microsoft's Active Directory.

Dave Larson, CTO and COO at Corero, speculated that if this technique were to be combined with other DDoS methods like those used in the recent Mirai IoT botnet attacks, "we could soon see attacks reaching previously unimaginable scale, with far-reaching impact. Terabit-scale attacks could soon become a common reality and could significantly impact the availability of the internet -- at least degrading it in certain regions."
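An amplification attack only works because the attacker can spoof the victim's address in a small UDP request and let the reflector's much larger reply do the work, so the operator of an LDAP server is the one who can see it first: a peer on UDP port 389 sending a trickle of bytes in and receiving a flood of bytes out. The following is an added example, not code from the article or from Corero; it computes the per-peer response/request byte ratio from constructed flow records and flags peers whose ratio looks like reflection abuse. The server address, the flow tuple layout, the 10x ratio threshold, the 50 kB volume floor and the assumption that the reflection runs over UDP port 389 are all assumptions of this example; the 55x ratio in the sample is chosen to match the factor the article reports.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    """One unidirectional flow record (constructed; the field layout is an assumption)."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    bytes: int
    packets: int


LDAP_SERVER = "192.0.2.10"   # constructed address of the directory server being monitored
LDAP_PORT = 389

# Constructed sample: one peer sends 40 tiny UDP queries and gets back 40 replies 55x larger;
# a normal TCP client and a single small UDP probe with an ordinary-sized reply are benign.
SAMPLE_FLOWS = [
    Flow("udp", "203.0.113.25", 40000, LDAP_SERVER, LDAP_PORT, 52 * 40, 40),
    Flow("udp", LDAP_SERVER, LDAP_PORT, "203.0.113.25", 40000, 2860 * 40, 80),
    Flow("tcp", "198.51.100.8", 51234, LDAP_SERVER, LDAP_PORT, 4000, 30),
    Flow("tcp", LDAP_SERVER, LDAP_PORT, "198.51.100.8", 51234, 9000, 32),
    Flow("udp", "198.51.100.9", 41000, LDAP_SERVER, LDAP_PORT, 60, 1),
    Flow("udp", LDAP_SERVER, LDAP_PORT, "198.51.100.9", 41000, 120, 1),
]


def amplification_by_peer(flows, server=LDAP_SERVER, port=LDAP_PORT, proto="udp"):
    """Return {peer_ip: response_bytes / request_bytes} for the given UDP service.

    Only UDP is considered: TCP cannot be used for reflection because the handshake
    never completes toward a spoofed source. A peer that received replies without
    ever sending a request (ratio infinite) is still reported.
    """
    req = defaultdict(int)
    resp = defaultdict(int)
    for f in flows:
        if f.proto != proto:
            continue
        if f.dst == server and f.dport == port:
            req[f.src] += f.bytes
        elif f.src == server and f.sport == port:
            resp[f.dst] += f.bytes
    ratios = {}
    for peer in set(req) | set(resp):
        ratios[peer] = resp[peer] / req[peer] if req[peer] else float("inf")
    return ratios


def find_reflection_abuse(flows, ratio_threshold=10.0, min_response_bytes=50_000,
                          server=LDAP_SERVER, port=LDAP_PORT):
    """Flag peers whose amplification ratio and reply volume both exceed the thresholds.

    The volume floor keeps a single oddly sized reply from paging anyone; the ratio
    is what distinguishes reflection from a busy but legitimate client.
    """
    ratios = amplification_by_peer(flows, server, port)
    resp_bytes = defaultdict(int)
    for f in flows:
        if f.proto == "udp" and f.src == server and f.sport == port:
            resp_bytes[f.dst] += f.bytes
    flagged = {}
    for peer, ratio in sorted(ratios.items()):
        if ratio >= ratio_threshold and resp_bytes[peer] >= min_response_bytes:
            flagged[peer] = {"ratio": ratio, "response_bytes": resp_bytes[peer]}
    return flagged


if __name__ == "__main__":
    for peer, info in find_reflection_abuse(SAMPLE_FLOWS).items():
        print(f"{peer}: {info['ratio']:.0f}x amplification, {info['response_bytes']} bytes sent")
```

The flagged peer is not the attacker but the victim whose address was spoofed, so the response is not to block it but to stop the server answering unauthenticated UDP queries from the internet at all (or rate-limit them), which removes the server from the pool of reflectors an attacker can chain with a Mirai-style botnet.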

In other news

  • The Dirty COW vulnerability in the Linux kernel revealed last month could be a big problem, even for those using Linux inside Docker containers. Paranoid Software's Gabriel Lawrence revealed details of an exploit that can be used to escalate an attacker's privileges inside a Docker container -- and he is able to demonstrate that he has gained root access and can escape the container. "Containers such as Docker won't save us," Lawrence wrote, adding, "I'm particularly interested in demonstrating escaping out of Docker simply because I think many people overestimate what is required. Kernel exploits are rarer than user-space escalations, but they are not without example -- and understanding that even with the separation offered by the kernel features that make containers possible, it's possible to get past them with a kernel exploit."
  • Canonical released Ubuntu Core 16 for the internet of things, which now offers "regular and reliable security updates," to help reduce the effect of serious vulnerabilities in IoT devices. While it won't help mitigate attacks leveraging vulnerabilities against unpatched IoT devices already out in the field, Ubuntu Core could help secure the internet of things as new devices are deployed. The latest version of Ubuntu Core delivers applications and updates as snap packages: confined, read-only application images that are signed for the specific device. Ubuntu Core is a tiny version of the Linux OS intended for use in IoT devices, as well as in container deployments; the OS is already being used in switches, industrial gateways, home gateways, radio access networks, digital signage, robots and drones.
  • Google has joined Mozilla and Apple in taking action against WoSign. "Beginning with Chrome 56, certificates issued by WoSign and StartCom after October 21, 2016 00:00:00 UTC will not be trusted. Certificates issued before this date may continue to be trusted, for a time, if they comply with the Certificate Transparency in Chrome policy or are issued to a limited set of domains known to be customers of WoSign and StartCom," wrote Andrew Whalley of Chrome Security. "Due to a number of technical limitations and concerns, Google Chrome is unable to trust all pre-existing certificates while ensuring our users are sufficiently protected from further misissuance. As a result of these changes, customers of WoSign and StartCom may find their certificates no longer work in Chrome 56." No word from the search giant on when -- or whether -- WoSign and StartCom might be able to regain entry to Google's good graces.
  • Following similar moves by Mozilla, Microsoft and Google, Akamai Technologies announced it will drop support for SHA-1 by the end of this year, according to Erik Nygren, chief architect at the content delivery network provider, based in Cambridge, Mass. "At the end of 2016, handing out SHA-1 will no longer be possible (as this would mean serving an expired or invalid certificate to clients, which may or may not support SHA-256, but would very likely error on any expired certificate)," Nygren wrote in a blog post. "To avoid making the change to our shared certificate on New Year's Eve, we will be shutting off the SHA-1 certificate, and will always hand out an RSA SHA-256 or ECDSA SHA-256 certificate, on or around December 27."
