Smart camera manufacturer recall: Mirai IoT malware attack
Do you remember that day in 2016 when both Netflix and Twitter went down? That October, millions of IoT devices infected with Mirai malware became part of a coordinated cyber attack. The malicious code, which went public that year, scans the web for devices with vulnerable ports to infect and add to a botnet. Below, I will detail how Mirai affected Hangzhou Xiongmai Technologies (HXT) and how Firedome could have mitigated this kind of attack. Even though HXT was not the target, they nevertheless had to recall 4.3 million(!) cameras due to the attack, causing a colossal loss to their bottom line.
The first attack occurred on October 21, 2016
The target of the Mirai attack was Domain Naming Service (DNS) Dyn Inc., servicing sites like Twitter and Netflix. During the weeks prior to the attack, hackers infected millions of IoT devices, including HXT cameras, thereby forming a botnet.
A botnet is a group of commonly infected devices that can be commanded to act in unison for behaviors such as Distributed Denial of Service (DDoS) attacks, data theft, spam, and disabling or bricking the devices en masse. In this case, the hackers used the devices for a massive DDoS attack in order to cause DYN servers to crash, resulting in very expensive downtime for websites like Twitter and Netflix.
Going back to the case of HXT, the problem was not that they were the target that the hackers wanted to attack, but rather that they had many vulnerable devices ripe for infecting. HXT cameras were vulnerable due to default credentials that were easily guessed by Mirai. Despite patching the issue in September 2015 with a password change prompt at installation, millions of already deployed cameras remained online with older, vulnerable firmware.
Ultimately, even though HXT was not the company hackers wanted to damage most, the fact that their devices were vulnerable led to devastating consequences. Once security firm Flashpoint revealed to the media that HXT devices were among the most infected, HXT was pressured to recall all 4.3 million cameras in the US and update millions more, diverting their R&D resources to fix the issue and release new firmware.
“Security vulnerabilities are a common problem for mankind,” the company claimed in a public statement responding to the attack and confirming the recall decision. “All industry leaders will experience them.” Beyond just the resources and expense needed to execute the recall, HXT also needed to divert R&D resources from new launches to strengthening password functions and releasing patches for existing stock.
Mirai: how the malware works and has evolved over time
Now let’s take a closer look at what Mirai malware actually does to devices from a technical perspective.
The original version of Mirai was designed to infect a range of IoT devices (with architectures like x86, ARM, MIPS) by scanning for public IP addresses with open 23 and 2323 ports . These ports are mostly used by Telnet, an old unsecured protocol. If a device is listening in on these ports, Mirai will try to brute-force its login info using commonly known default user and password pairs (based on known vendor defaults). If successful, it then downloads and installs the Mirai malware payload to the device using a shellcode. The device then becomes a new bot – part of the botnet – and gains complete control over the device.
With the leak of the source code, hackers have found new ways to upgrade it to better evade detection and penetrate harder to access systems. The malware has adopted significantly, gaining new exploitation capabilities which include a new propagation phase (exploiting vulnerabilities of other IoT devices). This phase involves scanning for them on the same network (LAN) and trying to infect them too.
New variants of Mirai-based IoT malware are discovered almost every day. For example, this latest Mirai variant called AirDropBot was discovered in September 2019 by security researcher 0xrb. In the same week (October 1), a new variant called GUCCI was discovered as well. Although the malware itself – including its infrastructure and the attackers behind it – were different, the modus-operandi of these variants used common hacking techniques in their cyber kill-chain steps.
Learning from HXT: unique cyber risks for IoT manufacturers
An important lesson for IoT device manufacturers from HXT’s recall is that they are uniquely vulnerable in today’s increasingly lucrative environment for cybercrime. Whether hackers intend to damage the device maker itself or just use their devices to attack others, the exposure is disastrous on all levels:
Four categories of risk for IoT device manufacturers
- A hacker bricks a manufacturer’s entire device base
- Hacker is paid off by a competitor
- Hacker wants revenge for a bad customer experience
- Hacker wants notoriety for taking down a well-known brand
- A hacker disables devices so they are temporarily inoperable / taken hostage
- Hacker demands ransom
- A hacker infects or exploits specific targeted device(s)
- Hacker steals IP: A device with access to major company’s trade secrets on it
- Hacker steals PII: A consumer’s device that ends up being covered in the media
- A hacker infects devices to use in a botnet
- Bad PR: The media exposes the fact that the specific brand’s devices are not secure (like HXT’s recall experience)
The scary part is, while HXT was a victim to only a lower-risk scenario than the one described above, they still had to recall 4.3 million devices! They were fortunate enough that the recalled devices could be updated and resold and were not bricked by the hackers. Don’t let your company become the victim or collateral damage of the next attack. Invest now in a proactive cyber-security solution for both known and unknown, evolving threats.
Conclusion: making sure your devices are protected against existing and future variants of Mirai is key
Firedome’s solution can stop attack vectors which recent Mirai strains like GUCCI use in the different steps of the infection.
At the reconnaissance phase, the Firedome agent will detect the port scans that these kinds of variants conduct. It will also detect and block brute force attempts of services with login prompts.
Whether the exploitation phase involves known or unknown (zero-day) exploits, Firedome’s smart execution engine will be able to detect and mitigate the threat.
Even if Mirai is installed and running, Firedome’s agent will detect the network traffic communication (DNS/TCP/UDP- domains/IP addresses) used by Mirai’s Command & Control servers and block its communication within the device, thus rendering the infection useless. It also detects and shares insight on the Firedome UI about such new attempted network connections by the malware. This allows the AI / SOC to act on the infected device itself or across the fleet, by creating a security alert for malicious activities.
Firedome’s machine learning can also detect large scale attacks targeting specific manufacturers, respond to them and block them on the entire fleet automatically before they can spread to other devices.
This blog post was co-written with Shaked Ilan and Dor Alt.
Prior to his VP Security & Research position at Firedome, Shaked was CIO & Co-Founder of the Yin Yang Cyber. He served 7 years in the Cyber Intelligence Division unit of the Israeli Prime Minister’s Office, in research, development and management positions. Shaked is a hacker at heart with 10 years of experience in penetration testing and security-oriented R&D.
Prior to his Security Researcher role at Firedome, Dor held R&D and network engineering positions at various confidential offensive cyber-security companies. Dor has 10 years of experience in various roles in the cyber security domain.