Just a quick update here, folks, but it seems the same Mirai botnet attack is surfacing in Germany and hit more than 900,000 routers from Telekom last night and today, targeting what we suspect are BusyBox-based Linux IoT devices, which in this case were routers. Here is a sample of that code for you to analyze. In this attack the same or similar signatures, and what seems like the C&C server, use exploits that are enabled on certain routers via port 7547. Although this is not a DDoS, it is the typical Mirai life cycle: it scans, infects, and then uses the newly infected devices to wreak havoc, such as DDoS, or to stop things from working in a not so cool way.
If we want to get a feeling for how big this is, we start scanning for port 7547 and create a query in Shodan. Below we have a simple Shodan search for port 7547. This doesn't mean that all those found devices are vulnerable, but it's quite a basis on which to scan and possibly infect additional clients to include in the next DDoS arsenal of whoever is really behind these attacks. To put this in perspective, some PoCs of DDoSing with 140,000 infected clients resulted in attacks of more than 1.2 Tbps, and this is real; it was shown before.
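The scan phase of the life cycle above leaves a recognisable trace on the victim side: one external source hitting TCP/7547 on many different hosts. As an added example (not code from the original post), here is a small detector that runs over constructed netfilter-style firewall log lines (hypothetical addresses) and reports sources sweeping port 7547, while leaving a single connection from a provisioning server alone.

```python
"""Flag hosts that sweep TCP/7547 (the TR-069/CWMP port the Mirai variant probes) in firewall logs."""
import re
from collections import defaultdict

# Constructed sample lines in iptables/netfilter LOG format (hypothetical, documentation-range addresses).
SAMPLE_LOG = """\
Nov 28 22:01:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=41002 DPT=7547 SYN
Nov 28 22:01:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.11 PROTO=TCP SPT=41003 DPT=7547 SYN
Nov 28 22:01:04 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.12 PROTO=TCP SPT=41004 DPT=7547 SYN
Nov 28 22:01:05 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.13 PROTO=TCP SPT=41005 DPT=7547 SYN
Nov 28 22:01:09 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.10 PROTO=TCP SPT=51000 DPT=443 SYN
Nov 28 22:01:10 gw kernel: IN=eth0 OUT= SRC=192.0.2.45 DST=198.51.100.10 PROTO=TCP SPT=51001 DPT=7547 SYN
"""

LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)")


def parse(log_text):
    """Yield (src, dst, dport) for every TCP line in the netfilter LOG format."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dpt"])


def find_7547_scanners(log_text, port=7547, min_targets=3):
    """Return {src: sorted destinations} for sources that hit `port` on >= min_targets distinct hosts.

    A single connection to 7547 may be a legitimate ACS (the ISP's provisioning server);
    a sweep across many hosts is the Mirai-style scan phase described in the post.
    """
    targets = defaultdict(set)
    for src, dst, dport in parse(log_text):
        if dport == port:
            targets[src].add(dst)
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, dsts in find_7547_scanners(SAMPLE_LOG).items():
        print(f"{src} swept TCP/7547 on {len(dsts)} hosts: {', '.join(dsts)}")
```

Feeding real netfilter output to it only requires that the router logs inbound SYNs on the WAN interface; the threshold and the port are parameters so the same check covers other Mirai scan ports.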
And when we look closer at Germany we find this:
We all need to rethink IoT and the Linux versions we use for all kinds of devices that are connected to the internet. This means that we are all in for some very interesting days and months. It's time we address the issues with IoT because, from where I am standing, it's 2 minutes to midnight...
That's it for now; when we know more we will let you know.
Your 1D10t (confirmed Security Noob)
(Copyright HDN 2016 All Rights Reserved)
Additional research and initial exploits found here: https://badcyber.com/new-mirai-attack-vector-bot-exploits-a-recently-discovered-router-vulnerability/