NBC News reports: Andrew Komarov of InfoArmor told NBC News he didn’t see any sign of Russian involvement at all, whether state or private [in the “denial of service,” or DDoS, attacks that caused massive internet outages across the U.S. on Friday]. He noted that the botnet used in the attack, “Mirai,” was developed by an English speaker and that he had found no link between “Mirai” and the Russians, who have their own much more sophisticated methods.
He said the attacks seemed more consistent with the methods used by the hacking group known as Lizard Squad, two of whose members, both teens, were arrested earlier this month in the U.S. and the Netherlands and charged in connection with DDoS attacks.
Said Komarov, “We have some context, that because of similar victims, using Dyn, and also tactics, tools and procedures by threat actors, it may be a revenge for the past arrests of DDoS’ers in the underground, happened several weeks ago.”
Dmitri Alperovitch of Crowdstrike also expressed doubt about a link to the Russian government, and speculated the attacks might have to do with a recent interview that cybersecurity expert Brian Krebs did with Dyn mentioning Russian organized crime. Alperovitch said use of a botnet bears the hallmark of a criminal rather than state attack, and the target may simply have been Dyn, not the U.S.
Flashpoint, a private cybersecurity and intelligence firm, noted that the Krebs site was attacked in September by a Mirai botnet, and the Krebs site was among those attacked Friday. The hacker who attacked Krebs in September released the source code on the web earlier this month, and hackers have copied the code to create their own botnets.
Flashpoint said it had concluded that the Friday attacks were not mounted by hacktivists, a political group or a state actor. [Continue reading…]
TechCrunch reports: In the past few weeks, hackers have upped the DDoS stakes in a big way. Starting with the attack on KrebsonSecurity.com and increasing in severity from there, hundreds of thousands of devices have been used to perpetrate these actions. A number that dwarfs previous attacks by orders of magnitude.
While it isn’t yet confirmed, evidence points to the attack that we saw on Friday morning following this same playbook, but being perpetrated on a much larger scale, relying on Internet of Things (IoT) devices rather than computers and servers to carry out an attack.
In fact, in all likelihood an army of surveillance cameras attacked Dyn. Why surveillance cameras? Because many of the security cameras used in homes and business around the world typically run the same or similar firmware produced by just a few companies.
This firmware is now known to contain a vulnerability that can easily be exploited, allowing the devices to have their sights trained on targets like Dyn. What’s more, many still operate with default credentials — making them a simple, but powerful target for hackers.
Why is this significant? The ability to enslave these video cameras has made it easier and far cheaper to create botnets at a scale that the world has never seen before. If someone wants to launch a DDoS attack, they no longer have to purchase a botnet—they can create their own using a program that was dumped on the internet just a few weeks ago. [Continue reading…]
The New York Times reports: Dale Drew, chief security officer at Level 3, an internet service provider, found evidence that roughly 10 percent of all devices co-opted by Mirai were being used to attack Dyn’s servers. Just one week ago, Level 3 found that 493,000 devices had been infected with Mirai malware, nearly double the number infected last month.
Mr. Allen added that Dyn was collaborating with law enforcement and other internet service providers to deal with the attacks.
In a recent report, Verisign, a registrar for many internet sites that has a unique perspective into this type of attack activity, reported a 75 percent increase in such attacks from April through June of this year, compared with the same period last year.
The attacks were not only more frequent, they were bigger and more sophisticated. The typical attack more than doubled in size. What is more, the attackers were simultaneously using different methods to attack the company’s servers, making them harder to stop.
The most frequent targets were businesses that provide internet infrastructure services like Dyn. [Continue reading…]
Brian Krebs reports: The attack on DYN comes just hours after DYN researcher Doug Madory presented a talk on DDoS attacks in Dallas, Texas at a meeting of the North American Network Operators Group (NANOG). Madory’s talk — available here on Youtube.com — delved deeper into research that he and I teamed up on to produce the data behind the story DDoS Mitigation Firm Has History of Hijacks.
That story (as well as one published earlier this week, Spreading the DDoS Disease and Selling the Cure) examined the sometimes blurry lines between certain DDoS mitigation firms and the cybercriminals apparently involved in launching some of the largest DDoS attacks the Internet has ever seen. Indeed, the record 620 Gbps DDoS against KrebsOnSecurity.com came just hours after I published the story on which Madory and I collaborated.
The record-sized attack that hit my site last month was quickly superseded by a DDoS against OVH, a French hosting firm that reported being targeted by a DDoS that was roughly twice the size of the assault on KrebsOnSecurity. As I noted in The Democratization of Censorship — the first story published after bringing my site back up under the protection of Google’s Project Shield — DDoS mitigation firms simply did not count on the size of these attacks increasing so quickly overnight, and are now scrambling to secure far greater capacity to handle much larger attacks concurrently. [Continue reading…]