Posted on July 27, 2019 at 9:42 AM

400k IoT Devices Hijacked and Used Against a Streaming App

According to recent reports, a new major hacking attack hit an online streaming app by using a massive botnet. The attack was reported by security researchers from Imperva, who claims that a few months ago, hackers utilized a massive botnet, containing over 400,000 IoT devices.

The attack supposedly took place between March and April of this year, and it targeted an online streaming app. Further, the botnet was so massive that it produced over 292,000 information requests each minute, according to the report.

DDoS attacks growing in number and strength

This is not the first time that an attack like this was performed, and researchers have found numerous similarities between this particular network and its DDoS attack and the Mirai botnet, which started causing chaos back in 2016. Both botnets were found to be using the same open ports, researchers claim.

One of the researchers who worked on the report, Vitaly Simonovich, stated that it was the largest Layer 7 DDoS attack that Imperva has ever seen. This, by itself, speaks volumes regarding the attack’s severity and size.

Of course, such attacks could easily target pretty much any online company. Not only that, but considering the popularity of DDoS attacks among online criminals, researchers believe that it is a matter of when they are going to hit, and not if they might arrive. The attacks are also clearly growing in size, and Simonovich says that companies need to take them seriously, and prepare proper defenses.

He stated that even those who do already have a DDoS protection solution must check to ensure that it can handle attacks of this size. After all, attackers continue to improve their capabilities, not only by building larger botnets but also by increasing the sophistication of their attacks. Mitigation solutions work, but they must scale as well, in order to serve as proper defenses.

Details about the attack

This particular attack lasted for as long as 13 days, without pause. However, Imperva managed to prevent the attack from overwhelming the firm. Its customer did not experience any downtime, which is certainly something that the company should be proud of. However, after 13 days, the attack simply stopped — seemingly without reason.

As mentioned, this form of DDoS attack is known as a Layer 7 attack or application-layer attack. This is due to the fact that it targets the firm’s web services. Also, this was not the first time that one of Imperva’s clients was hit by a botnet. Another similar case occurred back in 2017. Back then, the target was said to be a college in the US, and it was under attack from the Mirai botnet for around 54 hours.

The attack was long and severe, with 30,000 information requests per second. When the attack finally ended, it was estimated that the college endured 2.8 billion requests, in total.

As for the new attack, researchers are still not sure whether the attack used the Mirai malware itself, or some alternative. It is also unclear whether the attackers wanted to try a credential-stuffing attack, or a simple brute force attack.

What is known is that most of the infected devices that made up the botnet were IoT devices and that a large portion is located in Brazil. Further, it was reported that attackers used the same user agent as the firm’s app, which basically allowed them to target the authentication component. At the same time, the attack was masked so that the network could not decide whether the arriving traffic was malicious or legitimate.

This approach could allow hackers to overwhelm the network before the network even discovers that it is under attack. Another unusual detail is that attackers targeted the app. Most of the time, attacks are at the network level, but this time, one of the largest ones ever seen targeted an application.

Simonovich commented on this as well, stating that botnets are generally used for coordinated attacks, DDoS being an obvious example. They can also be used for brute force attacks, credential stuffing, and alike. The more computers the botnet infects and adds to its network — the stronger it becomes.

So, if the attackers’ goal was to crash a web service, the obvious step is to target the application layer and try to crash the database server or the webserver. The fact that the Internet of Things devices were used is also not that surprising, considering that most of them were not created with high security in mind. Multiple reports from earlier this year claimed that over 2 million of IoT devices were vulnerable, including things such as cameras, smart doorbells, baby monitors, and more.

Hackers are moving to IoT botnets

As stated before, attacks utilizing botnets are still on the rise, despite the fact that Mirai creators were heavily prosecuted. After the first Mirai attacks took place in 2016, and the malware source code went public — anyone was capable of creating their own copy, and modifying it further.

Back in March, another company — Palo Alto Networks — found another version of the malware, this time with as many as 11 new exploits. They were all designed to target IoT devices. The company’s researchers also reported a number of newly-discovered flaws in software used by some of the major firms, including LG and Barco. These particular firms were then targeted so that the attackers could gain a greater bandwidth, and launch a wider attack with greater force.

Unfortunately, researchers do not see the end to IoT-related devices. The sector is continuously growing and becoming more popular than ever. Meanwhile, its security remains just as flawed as ever, while the hackers are getting more capable and clever. With that in mind, many predict that IoT devices will become the main components of future botnets.