The world first became aware of Mirai when it unleashed a trail of havoc by taking down Twitter, Netflix, and Amazon (amongst others) in October 2016. Descriptors from sections of the press ranged from ‘digital nuclear attack’ to ‘zombie apocalypse’.
Since that time, threat actors have indicated that the number of infected devices has risen significantly, and Mirai has been implicated in attacks on the home routers of customers at Deutsche Telekom, TalkTalk and the Post Office. As bad as this has been, could the worst be yet to come?
Mirai means ‘the future’
The translation of ‘Mirai’ from Japanese is ‘the future’, so it could be that its makers harbor greater ambitions, and the fact that Mirai has been released publicly has substantially lowered the bar for launching large-scale DDoS attacks.
Although a certain level of technical capability is required to install and operate Mirai, it has the potential to act as a force multiplier for a range of actors engaging in DDoS attacks, including hacktivists, extortionists, and politically-inspired actors.
Yet history tells us that not all malware variants developed from published source code are successful, and not all of them will become prominent. A great example of this evolutionary phase occurred in 2015, when the source code for the ‘hidden tear’ ransomware was published online and made available for anyone who cared to use it.
While the code was used in numerous new variants, many contained serious problems. One such variant, ‘Cryptear’, was discovered in January 2016 and was all but unusable because its encryption routine was easily overcome by researchers.
Nuts and bolts are there for new variants
However, published source code does provide access to the nuts and bolts of functioning malware that can be modified or improved to create new variants. When combined with the appropriate resourcing and capability, it has the potential to lead to the emergence of a handful of prominent malware variants.
Take a similar example – the use of the leaked Gozi banking Trojan source code to develop the GozNym banking Trojan. In this instance, developers took the web-inject module of Gozi and combined it with that of the Nymaim Trojan. As of April 2016, GozNym had reportedly resulted in the theft of $4 million.
One of the reasons Mirai is pernicious lies in its capability to create botnets from a range of esoteric devices, such as automatic number plate recognition systems, TV set-top boxes, mobile device modems and home routers. Many of these devices are inherently insecure, difficult to retrofit with adequate security and relatively easy to compromise by looking up default manufacturer passwords. This makes Mirai more potent, and many criminal groups are well-resourced, with both the means and the motivation to continually develop their ‘product’ and take it to market.
The emergence of ‘crowdfunded extortion’ post Mirai
We are already seeing instances of new business models emerge since Mirai. On November 22, 2016, the US-based web hosting and building service Squarespace was affected by two DDoS attacks that affected customers for over nine hours – taking down many of the small ecommerce shops which depend on its service.
Twitter accounts responded to statements by Squarespace, claiming to be a previously known threat actor called "vimproducts", which has advertised DDoS services on the AlphaBay Dark Web marketplace. These accounts claimed responsibility for the DDoS attacks and attempted to extort Squarespace for up to $2,000 USD. In one post on Pastebin, the author described this as a ‘crowdfunded extortion’.
While there was no evidence of a ransom being paid, the targeting of organizations’ customers is a worrying trend. It’s also not too much of a leap to imagine how this could evolve: major gaming networks, for example, have been the targets of DDoS many times before. It might be that the players themselves become targets and are asked to ‘pay up’ lest their game time be interrupted.
Planning ahead in 2017
There are many scenarios that could emerge in 2017 now that criminals are potentially empowered with a powerful new tool which they are only just beginning to understand. Organizations should ask how prepared they are to combat the threat from DDoS and Mirai-based attacks, and think laterally to consider how their customers could become targets too. How would they advise those customers should that become the case?
Of course, the threat from Mirai itself could peter out and its variants could lack capability. However, DDoS itself shows no sign of disappearing as a weapon in the kitbag of both cybercriminals and hacktivists, so it’s important for organizations to get their policies and procedures in place.