Mirai hack

TalkTalk and Post Office broadband routers disabled by Mirai malware: what are the lessons?

Editor, IFSEC Global

Author Bio ▼

Adam Bannister was Editor of IFSEC Global from 2014 through to November 2019. Adam is also a former Managing Editor at Dynamis Online Media Group.
December 2, 2016

Sign up to free email newsletters

Download

Whitepaper: Boosting efficiency and streamlining security with an integrated access control solution

Thousands of broadband customers have lost internet access after TalkTalk and Post Office routers were breached by hackers.

The coordinated attack, which began on Sunday, the latest in a spate of hacks involving the Mirai worm malware, which is spread via hijacked computers and damages equipment powered by Linux-based operating systems. The broadband providers are yet to identify a culprit.

The Post Office says about 100,000 of its customers are affected. Routers from Germany’s Deutsche Telekom were also hacked, with 900,000 customers affected.

A selection of cyber security experts delivered their verdict on the latest high profile hack.stephen-gates

No longer can service providers continue to operate their vulnerable networks in this fashion

Stephen Gates, chief research intelligence analyst, NSFOCUS

The upsurge of commercial, industrial, and municipal IoT-based attacks and outages was part of my predictions for 2017. It appears the world will not wait for January 1 and the weaponisation of these technologies has arrived – ahead of schedule.

No longer can service providers continue to operate their vulnerable networks in this fashion. Hackers apparently have them in their cross hairs, and the damage they can cause to their scantily secured infrastructures will continue to be a major pain in the backside for their customers, who are now likely looking for other options.

Simply put, organisations are not good at preparing for what they do not know about

Mike Ahmadi, global director, critical systems security, Synopsys

Massively scalable attacks are the current trend in cyber security, and this should raise concern among all users and organisations. We have multiple issue to deal with here.

One is the fact that most product vendors and organisations deploying the products remain unaware of the level of mike-ahmadivulnerabilities in their systems. The other issue is for those that are aware, strategies to mitigate against large, scalable attacks are either rudimentary or non-existent.

Simply put, organisations are not good at preparing for what they do not know about. The amount of risk out there is staggering, but there are ways for stakeholders to raise their awareness and come up with more effective, proactive strategies.gavin-millard-tenable-security

Any device that requires an inbound connection from the internet should have a strong, non-default password

Gavin Millard, EMEA Technical Director, Tenable Network Security

With the battle for control of poorly configured IoT devices and routers being played out by multiple cybercriminal gangs at the moment, having default credentials on any device connected to the internet has a high probability of ending up with some derivative of Mirai installed.

Any device that requires an inbound connection from the internet should have a strong, non default password rather than one of the list Mirai is currently targeting.

If you do have something with default credentials, reboot it and change the passwords immediately.adam-brown-synopsys

Modern routers with 1+GHz CPUs make a great platform for a Botnet army

Adam Brown, manager, security solutions, Synopsys

Now that the source code for Mirai is out there this will most likely not be the last that we will see if this type of attack.

Modern routers with 1+GHz CPU’s make a great platform for a Botnet army and being located at the end of a high speed broadband connection make a great base for executing a DDoS attack.

This outage may just be the first symptom of these infections. Suppliers of hardware like this must ensure they govern their supply chain.

alex-mathews

Countless customers often have the same vulnerable equipment, making it easy to build an army of infected devices

Alex Mathews, EMEA technical manager, Positive Technologies

The emerging trend to hack and abuse routers and other everyday devices has caused a raft of internet blackouts recently. The issue lies with the sheer scale of the problem, as countless customers often have the same vulnerable equipment, making it easy to build an army of infected devices.

Combine this with the fact that the malware required is now freely available online, and cybercriminals have an easy way to collect hordes of zombie devices for a variety of nefarious means.

It’s hard to say without specifics of the attack, but prevent-ability depends on the type of vulnerability used. If it is similar to Mirai, abusing default router passwords, it is a relatively straightforward fix.

However, if this was caused by an unknown vulnerability in the router firmware or communication protocols, then it is a far more complex issue. Testing should be done by device manufacturers before they are released onto the market.

andy-green-senior-technical-specialist-at-varonis

You have to plan for attackers breaching the first line of defences, and therefore have in place security controls to monitor and detect intruders

Andy Green, senior technical specialist, Varonis

The lessons that should be learned from these ongoing Mirai attacks is just how vulnerable we were as a result of our own IT laziness.

Sure, we can excuse harried consumers for treating their home routers and IoT gadgetry like toasters and other kitchen appliances – just plug it in and forget about it. So what excuse do professional IT types have for this rookie-level behaviour?

Not much!

Unfortunately, default-itis still plagues large organisations. As recently as 2014, the Verizon DBIR specifically noted that for POS-based attacks, the hackers typically scanned for public ports and then guessed for weak passwords on the PoS server or device – either ones that were never changed or were created for convenience, ‘admin1234’.

This is exactly the technique used in the Mirai botnet attack against the IoT cameras.

Even if hackers use other methods to get inside a corporate network — phishing, most likely — they can still take advantage of internal enterprise software in which defaults accounts were never changed.

For those organisations who think that the Mirai botnet incident has nothing to do with them, or have to convince their board of this, here are two points to consider.

1. The lesson of the Mirai botnet attack is that the perimeter will always have leaks. For argument’s sake, even if you overlook phishing scenarios, there will continue to be vulnerabilities and holes in routers, network devices, and other core infrastructure that allow hackers to get inside.

2. Human nature tells us that IT will also continue to experience default-itis. Enterprise software is complicated. IT is often under pressure to quickly get apps and systems to work. As a result, default accounts and weak passwords that were set for reasons of convenience — thinking that users will change the passwords later — will always be an issue for organisations.

You have to plan for attackers breaching the first line of defences, and therefore have in place security controls to monitor and detect intruders.

In a way, we should be thankful for the ‘script kiddies’ who launched the Mirai botnet DDoS attack: it’s a great lesson for showing that companies should be looking inward, not at the perimeter, in planning their data security and risk mitigation programs.

lisa-baergen-apr-mcc

Organisations that have been victimised by a breach can find themselves getting targeted over and over

Lisa Baergen, director, NuData Security

The unfortunate reality is that organisations that have been victimised by a breach can find themselves getting targeted over and over as cybercriminals seek to exploit previous known weaknesses or test systems to find new vulnerabilities.

Secure your place at IFSEC International 2022

17-19 May 2022, ExCeL London

Reconnect in-person with the physical security community at IFSEC International 2022. You’ll find hundreds of leading exhibitors from the physical and integrated security sector, showcasing all the latest in video surveillance, access control, intruder detection, perimeter protection and integrated software solutions. Plus, network with thousands of peers and likeminded professionals, as the industry comes back together at IFSEC for the first time since 2019.

IFSEC 2022: The #1 reunion event for the security industry

IFSECInternational_register please

Related Topics

Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments
Topics:
0