• Email: sales@kaizensg.com
  • Tel: +1 (443) 998-9008
22 Dec 2016

IoT – Internet of Trouble? Heightened DDoS Threat Posed by Mirai and Other Botnets

The rise of IoT devices are causing a great deal of problems by generating DDoS attacks that cause havok on the Internet.  Here’s a SANS post on what to do about it.

Systems Affected

Internet of Things (IoT)—an emerging network of devices (e.g., printers, routers, video cameras, smart TVs) that connect to one another via the Internet, often automatically sending and receiving data


Recently, IoT devices have been used to create large-scale botnets—networks of devices infected with self-propagating malware—that can execute crippling distributed denial-of-service (DDoS) attacks. IoT devices are particularly susceptible to malware, so protecting these devices and connected hardware is critical to protect systems and networks.


On September 20, 2016, Brian Krebs’ security blog (krebsonsecurity.com) was targeted by a massive DDoS attack, one of the largest on record, exceeding 620 gigabits per second (Gbps).[1 (link is external)(link is external)] An IoT botnet powered by Mirai malware created the DDoS attack. The Mirai malware continuously scans the Internet for vulnerable IoT devices, which are then infected and used in botnet attacks. The Mirai bot uses a short list of 62 common default usernames and passwords to scan for vulnerable devices. Because many IoT devices are unsecured or weakly secured, this short dictionary allows the bot to access hundreds of thousands of devices.[2(link is external) (link is external)(link is external)] The purported Mirai author claimed that over 380,000 IoT devices were enslaved by the Mirai malware in the attack on Krebs’ website.[3 (link is external)(link is external)]

In late September, a separate Mirai attack on French webhost OVH broke the record for largest recorded DDoS attack. That DDoS was at least 1.1 terabits per second (Tbps), and may have been as large as 1.5 Tbps.[4 (link is external)(link is external)]

The IoT devices affected in the latest Mirai incidents were primarily home routers, network-enabled cameras, and digital video recorders.[5 (link is external)](link is external) Mirai malware source code was published online at the end of September, opening the door to more widespread use of the code to create other DDoS attacks.

In early October, Krebs on Security reported on a separate malware family responsible for other IoT botnet attacks.[6(link is external) (link is external)(link is external)] This other malware, whose source code is not yet public, is named Bashlite. This malware also infects systems through default usernames and passwords. Level 3 Communications, a security firm, indicated that the Bashlite botnet may have about one million enslaved IoT devices.[7 (link is external)(link is external)]


With the release of the Mirai source code on the Internet, there are increased risks of more botnets being generated. Both Mirai and Bashlite can exploit the numerous IoT devices that still use default passwords and are easily compromised. Such botnet attacks could severely disrupt an organization’s communications or cause significant financial harm.

Software that is not designed to be secure contains vulnerabilities that can be exploited. Software-connected devices collect data and credentials that could then be sent to an adversary’s collection point in a back-end application.

In late November 2016, a new Mirai-derived malware attack actively scanned TCP port 7547 on broadband routers susceptible to a Simple Object Access Protocol (SOAP) vulnerability. [8 (link is external)(link is external)] Affected routers use protocols that leave port 7547 open, which allows for exploitation of the router. These devices can then be remotely used in DDoS attacks. [9, 10 (links are external)(link is external)]


Cybersecurity professionals should harden networks against the possibility of a DDoS attack. For more information on DDoS attacks, please refer to US-CERT Security Publication DDoS Quick Guide and the US-CERT Alert on UDP-Based Amplification Attacks.


In order to remove the Mirai malware from an infected IoT device, users and administrators should take the following actions:

  • Disconnect device from the network.
  • While disconnected from the network and Internet, perform a reboot. Because Mirai malware exists in dynamic memory, rebooting the device clears the malware [11 (link is external)].
  • Ensure that the password for accessing the device has been changed from the default password to a strong password. See US-CERT Tip Choosing and Protecting Passwords for more information.
  • You should reconnect to the network only after rebooting and changing the password. If you reconnect before changing the password, the device could be quickly reinfected with the Mirai malware.

Preventive Steps

In order to prevent a malware infection on an IoT device, users and administrators should take following precautions:

  • Ensure all default passwords are changed to strong passwords. Default usernames and passwords for most devices can easily be found on the Internet, making devices with default passwords extremely vulnerable.
  • Update IoT devices with security patches as soon as patches become available.
  • Disable Universal Plug and Play (UPnP) on routers unless absolutely necessary.[12 (link is external)]
  • Purchase IoT devices from companies with a reputation for providing secure devices.
  • Consumers should be aware of the capabilities of the devices and appliances installed in their homes and businesses. If a device comes with a default password or an open Wi-Fi connection, consumers should change the password and only allow it to operate on a home network with a secured Wi-Fi router.
  • Understand the capabilities of any medical devices intended for at-home use. If the device transmits data or can be operated remotely, it has the potential to be infected.
  • Monitor Internet Protocol (IP) port 2323/TCP and port 23/TCP for attempts to gain unauthorized control over IoT devices using the network terminal (Telnet) protocol.[13 (link is external)(link is external)]
  • Look for suspicious traffic on port 48101. Infected devices often attempt to spread malware by using port 48101 to send results to the threat actor.


Share this
16 Aug 2016

Mobile Computing Threats

The latest from ISACA on mobile threats is a an eye opener.  Mobile computing devices (i.e., laptops, tablets and smart phones) can cause serious harm to organizations and to device owners, their friends and families, because mobile devices are far less secure than desktops and laptops. The Verizon 2015 Data Breach Investigations Report tens of millions of mobile devices. And, according to Statista, there will be 4.77 billion mobile phone users in 2017 and 1.15 billion tablets in use in 2016.  As the number of mobile computing devices increases, so do mobile security concerns. There are already many existing and new threats related to mobile devices.

App-based threats include malware, spyware, vulnerable apps, compromised apps and data information leakage due to poor programming practices. The types of app attacks include:

• Disabling or circumventing security settings

• Unlocking or modifying device features

• Apps that were obtained (free or purchased), but contained malicious code

Examples of malware capabilities include:

• Listening to actual phone calls as they happen

• Secretly reading SMS texts, capturing call logs and emails

• Listening to the phone surroundings (device is used as a remote bugging device)

• Viewing the phone’s GPS location

• Forwarding all email correspondence to another inbox

• Remotely controlling all phone functions via SMS

Each day, mobile device attack vectors are continuously undergoing dynamic changes, and it is difficult to represent a complete set of the threats and vulnerabilities. With the development of mobile computing devices that can be carried in a pocket or a duffle bag comes the responsibility to protect those devices and the data within them. Being aware is only the first step in the fight to protect the data.

Share this
13 Aug 2016

Cloud Access Security Brokers (CASB) Overview

Cloud software adoption is rampant in every enterprise.  From slack to yammer, GDrive to Dropbox, your data is spreading all over the cloud.  How do you get control of it all?  Enter CASB.  Circa 2013, this was a booming market.  And we are no where near the rapid growth.  For many enterprises, security and compliance concerns hamper adoption of cloud applications. Furthermore, cloud applications are accessible from anywhere dragging mobile and BYOD security concerns into the picture. Cloud Access Security Brokers are a category of security tools that help enterprises safely enable cloud apps and mobile devices. CASBs work by intermediating or “proxying” traffic between cloud apps and users. Once proxied, these tools provide:

• Visibility—audit logs, security alerts, compliance reports, etc.

• Data Security—access control, data leakage prevention, encryption, etc.

Together, these functions fill in the gaps otherwise encountered when an enterprise moves from internal, premises-based applications to cloud apps like Salesforce, Google Apps, or Office 365. For enterprises in heavily regulated industries, like Finance and Healthcare, use of a CASB might be the only practical approach to enabling cloud apps. More broadly, any organization with sensitive data to protect would be well served by considering this emerging solution category.

Share this
12 Aug 2016

How To Defend Against A DDoS

In the web security arena, everything changes very fast. The threat landscape rapidly evolves. Zero-day attacks are launched on a daily basis, exploiting newly discovered vulnerabilities for which signature are not available yet. Attackers hide their attack vectors, and scraping bots hide their identities behind CDNs and dynamic IPs, avoiding any simple blacklisting technique trying to block them. In such a rapidly evolving battleground, static cloud security services cannot protect you. Static cloud security services utilize negative security models that identify attacks based on the signatures of attack vectors, and block attackers and bots using IP blacklisting mechanisms. Unfortunately, that can’t help you with zero-day or dynamic IP attacks.

Meanwhile, the assets you need to protect are notoriously changing all the time, continuously introducing new vulnerabilities that may be exploited by attackers. With static cloud security services, you have to tell whenever you launch new applications or introduce changes into existing ones, and manually change your security policies accordingly. This manual process quickly gets out of control as developers that use continuous delivery methods launch release new versions on a daily basis. As a result, your protected assets are introduced with new vulnerabilities that static cloud security services cannot detect and mitigate.

So how do you win a game in which the rules keep changing all the time?

It’s simple. All you need to do is to implement a cloud security service that continuously and automatically adapts to the evolving threat landscape and protected assets. You can’t do that with static cloud security services. To make sure you are continuously protected, you’ll need a cloud security service that implements a positive security model, which means it can tell what your legitimate traffic looks like, and then block anything else. This would get you full protection from zero-day attacks, and from attacks using dynamic IP techniques. In addition, a continuously adaptive cloud security would automatically identify new applications that you launch, analyze their potential vulnerabilities, and tailor them an appropriate security policy.

Radware Cloud Security Services are the first continuously adaptive cloud security service. With positive security models and behavioral analysis technology, they provide automatic protection against zero-day attacks. With IP agnostic fingerprinting technology, attackers and bots are blocked even when they try to hide behind CDNs and dynamic IPs. New applications are automatically discovered, and security policies are automatically created for them. This way, Radware Cloud Security services keep you protected… even while the rules of the games keep changing!

Share this
10 Aug 2016

Managing Cloud Risk

Cloud adoption continues to grow at a rapid pace, transforming businesses across the globe.  In fact, cloud is now business as usual for most organizations, with some utilizing it to run business-critical processes. In July 2015, the ISACA® Innovation Insights report one of the leading business trends driving business strategy. It ranked third out of 10 top emerging technologies most likely to deliver significant business value in excess of cost. Big data analytics and mobile technologies ranked first and second, respectively. A separate publication by International Data Corporation (IDC) forecasts worldwide use of public cloud growing at 19.4 percent annually over the next five years, nearly doubling from approximately US $70 billion in 2015 to more than US $141 billion in 2019. This is almost six times the growth of enterprise IT spending as a whole.

When properly planned, implemented and governed, the cloud can be a major catalyst for process improvement as well as a driver of business transformation. Cloud service providers are working relentlessly to improve their security and resilience capabilities. In reality, an organization’s onsite systems may not be more secure than the cloud. Security and reliability risk may not outweigh the lost opportunity to transform an enterprise with strategic use of the cloud. Cloud initiatives built upon enterprise strategy, coupled with robust risk management processes, have the potential to accelerate business innovation, transform customer experiences and improve competitive advantage.

Share this
01 Aug 2016

Ransomware Threat Mitigation

In today’s ruthless and competitive environment, cybersecurity needs to be foolproof, as it only takes a single breach to in ict serious damage to your data and business. But in case of a security breach, we must be able to recover our systems without paying ransom, which ultimately trans- lates into funding cybercriminals, thus making them bolder and highly sophisticated. Below are a number of useful measures that can help mitigate the risk of the ransomware threat:

• Keep up-to- date: Ransomware is a constantly evolving threat. It is important to keep up-to- date with new developments with awareness trainings.

• Impose and enforce strict employee practices:

• Avoid visiting malicious or compromised websites.

• Keep track of browser extensions and plug-ins.

• Don’t click spontaneously on links embedded in 

• Delete spam permanently from your mailbox.

• Beware of phishing sites and traps. If you are not, 
you may instantly expose your client to security 

• Don’t install any unauthorized software.

• Update software vulnerabilities and patches

• Ensure that software and operating systems in your organization are up-to- date with security patches.

• Secure mobile devices: Equip all mobile devices with security solutions and a remote-wipe program. Back up their data routinely. If ransomware locks a mobile device, the remote-wipe program should reset it to an agreed recovery point.

• Employ multilayered defense: Use multilayered secu- rity solutions like end-point, messaging and network protection.

• Onsite and offsite backup: Store, maintain and back up data and configurations regularly.

• Control system encryption: Two senior managers working in tandem should encrypt the whole system. They should also copy the decryption key to a designated, safe, unobtrusive location.

Ransomware is a thriving menace. With growing revenue, ransomware groups can continue to advance their techniques. Security practitioners need to recover their systems without paying ransom. There is no bulletproof solution, but we can certainly cut the veins of ransomware groups and bleed them to death.

Share this

© 2016 Kaizen Solution Group. All rights reserved.

Click Me