Massive cryptocurrency botnet used leaked NSA exploits weeks before WCry

Enlarge / A cryptocurrency mining farm. (credit: Marco Krohn)

On Friday, Ransomware called WannaCry used leaked hacking tools stolen from the National Security Agency to attack an estimated 200,000 computers in 150 countries. On Monday, researchers said the same weapons-grade attack kit was used in a much earlier and possibly larger-scale hack that made infected computers part of a botnet that mined cryptocurrency.

Like WannaCry, this earlier, previously unknown attack used an exploit codenamed EternalBlue and a backdoor called DoublePulsar, both of which were NSA-developed hacking tools leaked in mid April by a group calling itself Shadow Brokers. But instead of installing ransomware, the campaign pushed cryptocurrency mining software known as Adylkuzz. WannaCry, which gets its name from a password hard-coded into the exploit, is also known as WCry.

Kafeine, a well-known researcher at security firm Proofpoint, said the attack started no later than May 2 and may have begun as early as April 24. He said the campaign was surprisingly effective at compromising Internet-connected computers that have yet to install updates Microsoft released in early March to patch the critical vulnerabilities in the Windows implementation of the Server Message Block protocol. In a blog post published Monday afternoon Kafeine wrote:

Read 4 remaining paragraphs | Comments

New, more-powerful IoT botnet infects 3,500 devices in 5 days

There's a new, more powerful Internet-of-things botnet in town, and it has managed to infect almost 3,500 devices in just five days, according to a recently published report.

Linux/IRCTelnet, as the underlying malware has been named, borrows code from several existing malicious IoT applications. Most notably, it lifts entire sections of source code from Aidra, one of the earliest known IoT bot packages. Aidra was discovered infecting more than 30,000 embedded Linux devices in an audacious and ethically questionable research project that infected more than 420,000 Internet-connected devices in an attempt to measure the security of the global network. As reported by the anonymous researcher, Aidra forced infected devices to carry out a variety of distributed denial-of-service attacks but worked on a limited number of devices.

Linux/IRCTelnet also borrows telnet-scanning logic from a newer IoT bot known as Bashlight. It further lifts a list of some 60 widely used username-password combinations built into Mirai, a different IoT bot app whose source code was recently published on the Internet. It goes on to add code for attacking sites that run the next-generation Internet protocol known as IPv6.

Read 3 remaining paragraphs | Comments

How one rent-a-botnet army of cameras, DVRs caused Internet chaos

Enlarge / We're also mad you're connected to the Internet, toaster et al. (credit: Disney)

Welcome to the Internet of Evil Things. The attack that disrupted much of the Internet on October 21 is still being teased apart by investigators, but evidence thus far points to multiple "botnets" of Internet-connected gadgets being responsible for blocking access to the Domain Name Service (DNS) infrastructure at DNS provider Dyn. Most of these botnets—coordinated armies of compromised devices that sent malicious network traffic to their targets—were controlled by Mirai, a self-spreading malware for Internet of Things (IoT) devices.

But other systems not matching the signature of Mirai were also involved in the coordinated attack on Dyn. "We believe that there might be one or more additional botnets involved in these attacks," Dale Drew, CSO of Level 3 Communications, told Ars. "This could mean that they are 'renting' several different botnets to launch an attack against a specific victim, in which multiple other sites have been impacted."

The motive may have been blackmail, since the attacker sought a payout by Dyn to stop. But Drew warned that the huge disruption caused by the attack "could result in large copycat attacks, and [a] higher [number of] victim payouts [so] as to not be impacted in the same way. It could also be a signal that the bad guy is using multiple botnets in order to better avoid detection since they are not orchestrating the attack from a single botnet source."

Read 28 remaining paragraphs | Comments

Double-dip Internet-of-Things botnet attack felt across the Internet

Our new IoT overlords have arrived. (credit: peyri)

The distributed denial of service attacks against dynamic domain name service provider Dyn this morning have now resurged. The attacks have caused outages at services across the Internet.

But this second wave of attacks appears to be affecting even more providers. According to Dan Drew, the chief security officer at Level 3 Communications, the attack is at least in part being mounted from a "botnet" of Internet-of-Things (IoT) devices.

Drew explained the attack in a Periscope briefing this afternoon. "We're seeing attacks coming from a number of different locations," Drew said. "An Internet of Things botnet called Mirai that we identified is also involved in the attack."

Read 9 remaining paragraphs | Comments