Thursday, October 27, 2016

Mirai and the IoT


!3v3! 3 - it might get geeky

One of the first major DDoS attacks using Mirai was against www.krebsonsecurity.com. Brian Krebs's site was hit with a 620Mbs attack, and French telecom OVH was hit with a staggering 1Tbs attack the following week. Both were record-setting in their volume and in their reliance on IoT devices. The DynDNS attacks have not been measured yet. Mirai, leveraging millions of poorly secured devices and the general public's inability to understand that they might have made these attacks possible by not changing the log/pass pairs on retail devices, makes this a threat we'll probably see quite a bit more of. Last Friday's (2016-10-20) attack on DynDNS leveraged mostly devices made with components from Chinese DVR and IP camera manufacturer XiongMai. XiongMai has threatened lawsuits against many accusers, though I think we'll see those dropped or overturned. Expect to see recalls by XiongMai and others, as the list of major corporations affected is not a group one would like to anger.
The list of downed sites from this latest Mirai botnet is frightening: Airbnb, Amazon.com, Ancestry.com, BBC, Box, Business Insider, CNN, Comcast, CrunchBase, DirecTV, Electronic Arts, Etsy, FiveThirtyEight, Fox News, GitHub, Grubhub, HBO, Heroku, HostGator, iHeartRadio, Imgur, Indiegogo, Mashable, National Hockey League, Netflix, Overstock.com, PayPal, Pinterest, Pixlr, PlayStation Network, Qualtrics, Quora, Reddit, Roblox, Ruby Lane, RuneScape, SaneBox, Seamless, Second Life, Shopify, Slack, SoundCloud, Spotify, Squarespace, Starbucks, Storify, The A.V. Club, The Boston Globe, The Elder Scrolls Online, The Guardian, The New York Times, The Wall Street Journal, Tumblr, Twilio, Twitter, Verizon Communications, Visa, Vox Media, Walgreens, Wikia, Wired, Wix.com, WWE Network, Xbox Live, Yammer, Yelp, Zi

Here's a list of some of the cracked log/pass pairs:

root     xc3511
root     vizxv
root     admin
admin    admin
root     888888
root     xmhdipc
root     default
root     juantech
root     123456
root     54321
support  support
root     (none)
admin    password
root     root
root     12345
user     user
admin    (none)
root     pass
admin    admin1234
root     1111
admin    smcadmin
admin    1111
root     666666
root     password
root     1234
root     klv123
Administrator admin
service  service
supervisor supervisor
guest    guest
guest    12345
guest    12345
admin1   password
administrator 1234
666666   666666
888888   888888
ubnt     ubnt
root     klv1234
root     Zte521
root     hi3518
root     jvbzd
root     anko
root     zlxx.
root     7ujMko0vizxv
root     7ujMko0admin
root     system
root     ikwb
root     dreambox
root     user
root     realtek
root     00000000
admin    1111111
admin    1234
admin    12345
admin    54321
admin    123456
admin    7ujMko0admin
admin    1234
admin    pass
admin    meinsm
tech     tech
Another interesting point is that the code contained a list of 'do not attack' IPs, including General Electric, HP, the US Postal Service, and the DOD. It would seem that the author(s) were hoping to limit the scope of the attack, perhaps to avoid drawing too much attention to it. It is also noteworthy that some of the language used in the code points to Russian as the creators' native language:

this.conn.Write([]byte("\033[34;1mпользователь\033[33;3m: \033[0m"))

The question that all this leaves us with is: how do we secure retail-level devices when people are so apathetic or uneducated about security that 'qwerty', '123456', and 'password' remain in the top 10 passphrases used?
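The practical first step is to treat that log/pass list as a blocklist: a device still running one of those pairs should be assumed compromised, and a source cycling through several of them against a telnet service is a bot, not a forgetful user. The following is an added example, not code from the post or from Mirai: it parses the post's two-column listing (with '(none)' meaning an empty password), checks a configured credential against it, and scans login-attempt log lines for sources trying multiple pairs. The log line format and the addresses in it are constructed for the example; only a subset of the pairs above is embedded.

```python
import re
from collections import defaultdict

# Constructed subset of the username/password pairs quoted above (the full
# list is in the post); the post writes an empty password as "(none)".
MIRAI_PAIRS_TEXT = """
root     xc3511
root     vizxv
root     admin
admin    admin
root     888888
root     xmhdipc
root     default
root     (none)
admin    password
root     root
admin    (none)
ubnt     ubnt
root     7ujMko0vizxv
admin    1234
tech     tech
"""


def parse_pairs(text):
    """Turn the post's two-column 'user password' listing into a set of
    (user, password) tuples. '(none)' becomes the empty string."""
    pairs = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # blank or malformed line
        user, password = parts
        if password == "(none)":
            password = ""
        pairs.add((user, password))
    return pairs


MIRAI_DEFAULTS = parse_pairs(MIRAI_PAIRS_TEXT)


def is_mirai_default(user, password, defaults=MIRAI_DEFAULTS):
    """True if this exact login pair is on the Mirai list. A device still
    configured with one of these should be treated as already compromised."""
    return (user, password) in defaults


# Constructed log format, assumed for this example: one line per login attempt
# as a telnet honeypot or a gateway that records attempts might emit it.
LOG_RE = re.compile(
    r"src=(?P<src>\S+)\s+user=(?P<user>\S*)\s+pass=(?P<pw>\S*)\s+result=(?P<res>\w+)"
)


def scan_login_log(lines, defaults=MIRAI_DEFAULTS, threshold=3):
    """Group attempts by source address and report sources that tried at least
    `threshold` distinct Mirai default pairs: the pattern of a bot running its
    dictionary, not of a user mistyping one password. Returns a dict of
    source -> sorted list of the default pairs that source tried."""
    tried = defaultdict(set)
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # line not in the expected format
        pair = (m.group("user"), m.group("pw"))
        if pair in defaults:
            tried[m.group("src")].add(pair)
    return {src: sorted(pairs) for src, pairs in tried.items() if len(pairs) >= threshold}


# Constructed sample log (documentation-range addresses): one source walks the
# Mirai dictionary and eventually gets in with root and an empty password;
# the other is an ordinary user with a non-default password.
SAMPLE_LOG = [
    "2016-10-21T11:02:01Z src=198.51.100.7 user=root pass=xc3511 result=fail",
    "2016-10-21T11:02:02Z src=198.51.100.7 user=root pass=vizxv result=fail",
    "2016-10-21T11:02:03Z src=198.51.100.7 user=admin pass=admin result=fail",
    "2016-10-21T11:02:04Z src=198.51.100.7 user=root pass= result=success",
    "2016-10-21T11:05:00Z src=203.0.113.9 user=alice pass=correcthorse result=fail",
    "2016-10-21T11:05:30Z src=203.0.113.9 user=alice pass=correcthorse2 result=success",
]

if __name__ == "__main__":
    print("root/xc3511 is a Mirai default:", is_mirai_default("root", "xc3511"))
    for src, pairs in scan_login_log(SAMPLE_LOG).items():
        print(f"{src}: tried {len(pairs)} Mirai default pairs -> {pairs}")
```

The threshold matters: a single default-credential attempt is noise, but three or more distinct pairs from one source within a short window is the signature of a Mirai-style scanner, and the same source succeeding afterwards is the device you need to pull off the network and reset.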

2016-10-27
MDux
