Mirai... Moriya, or Mirage?
Jonathan Goetsch, "The 2nd-Line CDM CyberSecurity Guy"
Patented Comparative HashID Analytics Delivers Never-Before-Seen CDM Cybersecurity Platform, to You!
Does anyone remember the national DDOS outage of October 2016? Well, some would say that it's likely to return; others say it's already happened. Today's Cyber-Eye Report discusses: Cyber-Espionage Campaign Operation Tunnelsnake Utilizes Highly Evasive Rootkit "Moriya". Below is the article we posted five years ago; today's links are right on top...
Kaspersky has published a table of known IOC hashes. Links lead to the Kaspersky site with hashes in various formats:

| MD5 hash | Description |
|---|---|
| 48307C22A930A2215F7601C78240A5EE | Moriya Agent |
| A2C4EE84E3A95C8731CA795F53F900D5 | Moriya 64-bit Driver |
| 5F0F1B0A033587DBCD955EDB1CDC24A4 | IISSpy |
| C1159FE3193E8B5206006B4C9AFBFE62 | ProcessKiller |
| DA627AFEE096CDE0B680D39BD5081C41 | ProcessKiller Driver – 32-bit |
| 07CF58ABD6CE92D96CFC5ABC5F6CBC9A | ProcessKiller Driver – 64-bit |
| 9A8F39EBCC580AA56D6DDAF5804EAE61 | pv.tmp (Custom PsExec Server) |
| 39C361ABB74F9A338EA42A083E6C7DF8 | pc.tmp (Custom PsExec Client) |
| DE3FB65461EE8A68A3C7D490CDAC296D | tran.tmp (Exfiltration tool) |
| EAC0E57A22936D4C777AA121F799FEE6 | client.exe (Utility embedded in tran.tmp) |
| D745174F5B0EB41D9F764B22A5ECD357 | rasauto.dll (Bouncer Loader) |
| 595E43CDF0EDCAA31525D7AAD87B7BE4 | 8.tmp (HTTP Scanner) |
| 9D75B50727A8E732DB0ADE7E270A7395 | ep.tmp (DCOM Scanner) |
| 3A4E1F3F7E1BAAB8B02F3A8EE20F98C9 | nw.tmp (Bouncer Loader) |
| 47F2D06713DAD556F535E523B777C682 | Termite |
| 45A5D9053BC90ED657FA90DE0B775E8F | Earthworm |
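A hash table like the one above is only useful if it is actually checked against what is on disk. The following is an added example, not code from this post or from Kaspersky, that loads the sixteen MD5 values listed above, normalises case, and matches them against a file inventory. The inventory and its file paths are constructed sample data (one digest copied from the table in lowercase, one all-zero placeholder); `scan_directory` shows how the same matcher is driven by real files.

```python
import hashlib
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# MD5 values and labels exactly as listed in the Kaspersky table on this page.
RAW_IOCS: List[Tuple[str, str]] = [
    ("48307C22A930A2215F7601C78240A5EE", "Moriya Agent"),
    ("A2C4EE84E3A95C8731CA795F53F900D5", "Moriya 64-bit Driver"),
    ("5F0F1B0A033587DBCD955EDB1CDC24A4", "IISSpy"),
    ("C1159FE3193E8B5206006B4C9AFBFE62", "ProcessKiller"),
    ("DA627AFEE096CDE0B680D39BD5081C41", "ProcessKiller Driver - 32-bit"),
    ("07CF58ABD6CE92D96CFC5ABC5F6CBC9A", "ProcessKiller Driver - 64-bit"),
    ("9A8F39EBCC580AA56D6DDAF5804EAE61", "pv.tmp (Custom PsExec Server)"),
    ("39C361ABB74F9A338EA42A083E6C7DF8", "pc.tmp (Custom PsExec Client)"),
    ("DE3FB65461EE8A68A3C7D490CDAC296D", "tran.tmp (Exfiltration tool)"),
    ("EAC0E57A22936D4C777AA121F799FEE6", "client.exe (Utility embedded in tran.tmp)"),
    ("D745174F5B0EB41D9F764B22A5ECD357", "rasauto.dll (Bouncer Loader)"),
    ("595E43CDF0EDCAA31525D7AAD87B7BE4", "8.tmp (HTTP Scanner)"),
    ("9D75B50727A8E732DB0ADE7E270A7395", "ep.tmp (DCOM Scanner)"),
    ("3A4E1F3F7E1BAAB8B02F3A8EE20F98C9", "nw.tmp (Bouncer Loader)"),
    ("47F2D06713DAD556F535E523B777C682", "Termite"),
    ("45A5D9053BC90ED657FA90DE0B775E8F", "Earthworm"),
]

# Lookup table keyed by lowercase digest, so that hashes reported by any tool
# (uppercase, lowercase, surrounding whitespace) match the same entry.
MORIYA_IOCS: Dict[str, str] = {h.lower(): label for h, label in RAW_IOCS}


def normalise(digest: str) -> str:
    """Strip whitespace and lowercase a hex digest before lookup."""
    return digest.strip().lower()


def md5_of_bytes(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def md5_of_file(path: Path, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def match_hashes(observed: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (name, digest, ioc_label) for every observed digest in the IOC set."""
    hits = []
    for name, digest in observed:
        d = normalise(digest)
        if d in MORIYA_IOCS:
            hits.append((name, d, MORIYA_IOCS[d]))
    return hits


def scan_directory(root: Path) -> List[Tuple[str, str, str]]:
    """Hash every regular file under root and report IOC matches."""
    observed = ((str(p), md5_of_file(p)) for p in root.rglob("*") if p.is_file())
    return match_hashes(observed)


# Constructed sample inventory (hypothetical paths, not real files): the first
# digest is the rasauto.dll entry from the table in lowercase, the second is a
# placeholder that matches nothing.
SAMPLE_INVENTORY = [
    ("sample/rasauto.dll", "d745174f5b0eb41d9f764b22a5ecd357"),
    ("sample/benign.exe", "00000000000000000000000000000000"),
]

if __name__ == "__main__":
    for name, digest, label in match_hashes(SAMPLE_INVENTORY):
        print(f"IOC HIT [{label}] {name} ({digest})")
```

Matching on MD5 alone catches only the exact samples Kaspersky listed; a recompiled or padded binary produces a different digest, so treat a hit as confirmation and a miss as no information.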
The true story behind the October 20th massive DDOS attack on the IoT
It was a Test and a Distraction, just as planned.
Yes, the latest DDOS attack was a test. It was a test of capabilities, wits and the weaponization of malware. It was a test of America’s ability to respond and deal with this ever-growing threat, a reality which is sure to be with us for a very long time. US ProTech has spent years in the field of Cyber and related war-games. This use of targeted IP-based devices was in one manner simple, but that is also why it was successful. This attack, while seemingly massive, is nothing short of a distraction where you get to see what one hand is doing... while the other hand magically hides another quarter behind a child’s ear. Imagine the chaos this attack created. Now imagine how it was likely used to hide its real purpose and how it would be delivering its true payload. US ProTech and the Cyber community will quickly be searching for clues… and will likely find all the usual suspects. Other firms such as Flashpoint traced Friday’s widespread internet outage to the IoT, according to another industry expert, Brian Krebs.
Consequently, the cyberattacks which affected popular websites from Twitter to Reddit are the result of malware called “Mirai”, which manipulated smart technology to take the sites offline. The malware used vulnerable technology to launch a Distributed Denial of Service attack, overwhelming the web service DYN with traffic, resulting in slow Internet speeds and offline sites. You’re going to ask questions, so here are 5 things you need to know about ‘Mirai’:
1. IoT Botnet ‘Mirai’ Targets Vulnerable ‘Smart’ IoT Technology and Turns Them into ‘Bots’
Like a parasite, ‘Mirai’ will use a host to launch cyberattacks. The botnet scans the Internet for IoT systems protected by factory default or hard-coded usernames and passwords, according to Krebs’s blog KrebsOnSecurity. Botnets can exploit weak security measures such as standard username and password combinations (e.g. admin/1111) shared across devices. These systems are infected with malware, which directs them to a central control system, where they are prepared to launch an attack to take websites offline. Here is a list of the services that were down.
According to HackRead, ‘Mirai’ can break into a wide range of IoT devices from CCTV cameras to DVRs to home networking equipment turning them into ‘bots’. There are nearly half a million Mirai-powered bots worldwide, according to telecommunications company and internet service provider (ISP) Level 3 Communications. Here are the countries with the highest concentrations of IoT devices:
- United States: 29 percent
- Brazil: 23 percent
- Colombia: 8 percent
2. ‘Mirai’ Took Out Amazon, Spotify, Twitter and More Websites in a DDOS Attack
The morning of October 21 saw widespread internet outages caused by a massive DDOS attack, which overwhelmed the web service with traffic. Krebs reported that cybersecurity firm Flashpoint traced the hack to Mirai. The journalist’s own website, krebsonsecurity.com, was taken down by a Mirai-powered DDOS attack. The cyberattack on Friday targeted Internet traffic company DYN, which provides services for websites like Amazon, Spotify and Twitter. Other botnets may have been behind the attack, reports Politico’s cybersecurity reporter Eric Geller.
In an interview with CNBC, DYN said that the attacks were “well planned and executed, coming from tens of millions IP addresses at same time.” The Department of Homeland Security and White House are also looking into the attack. NBC News reports that one official ruled out North Korea as a suspect.
3. ‘Mirai’s Author Has an Avi of Anime Character Anna Nishikinomiya and Mirai Means “Future” in Japanese
The person who created the botnet is nicknamed ‘Anna-Senpai’ and has an avi of the anime figure Anna Nishikinomiya. Anna appears in the Japanese novel series Shimoseka, which is set in a dystopian future filled with morality police.
As the student council president of a prominent ‘morality school’ Anna is the enforcer of public morality laws according to MyAnimeList. The word ‘Mirai’ also has Japanese origins meaning ‘future’ in Japanese. A manga series called ‘Future Diary’ also describes a dystopian society modeled after the battle royale (think Hunger Games) where each contestant has a diary with notes written from the future.
‘Mirai’ is also part of a family of malware that infects IoT devices through default usernames and passwords. The other malware that has been used to create an IoT device army is called “Bashlight”. While these two strains of malware compete with each other, research from Level 3 suggests that they target some of the same devices. Currently, “Bashlight” is creating an army of a million IoT devices.
“Both [are] going after the same IoT device exposure and, in a lot of cases, the same devices,” Dale Drew, Level 3’s chief security officer, told KrebsOnSecurity.
4. You Can Wipe Off the Malware from an IoT System but Recurrence is Likely
It’s possible to clean an IoT system infected by ‘Mirai’, but the botnet scans systems so often that there’s a high chance of recurrence. You can destroy the malicious code by rebooting the infected device, but experts warn that vulnerable IoT devices can be re-infected in minutes.
This is bad news for cybersecurity as the IoT devices market heats up as people buy into the smart, automated systems. Gartner Inc. projects connected devices to rise to 6.4 billion worldwide in 2016 with almost 5.5 million devices being connected daily.
Telecommunications company Level 3 advised users to upgrade devices and set strong passwords, according to the Wall Street Journal. For a more sustainable solution to DDOS attacks, Krebs says ISPs will need to protect their networks from spoofing, where the attacker sends messages as the victim website and generates a huge amount of traffic. He added that the lack of these safeguards could lead to online censorship.
5. Source Code for ‘Mirai’ Botnet was Released Publicly Which Opens the Door for Future Botnet Attacks
After weathering an attack from the ‘Mirai’ botnet, KrebsOnSecurity reported that the code that powers ‘Mirai’ was made publicly available on HackForums. The hacking community has access to information they can use to infect millions of smart devices. The source code for the scanner is also located on GitHub and has been copied at least 700 times as of this posting.
The release post on HackForums read: “So today, I have an amazing release for you. With Mirai, I usually pull max 380k bots from telnet alone. However, after the Kreb DDoS, ISPs been slowly shutting down and cleaning up their act. Today, max pull is about 300k bots, and dropping.”
Special thanks to Edward Cox of Heavy for assistance in the compilation of data.
US ProTech offers clients Certified Technical Security Engineers with a wide background of specialization including experts from every branch of the United States military. Their vulnerability assessment process has been independently evaluated, tested and has received U.S. Government (USGCB) Configuration Baseline validation by the U.S. Dept. of Commerce; it exceeds N.I.S.T. High-Impact (military-grade) Baseline standards and is SCAP Approved.
As a result of its US Government Approved process, US ProTech offers a broad range of award-winning cyber-security assessment and management services and today holds significant contracts throughout America, Canada, Mexico and Western Europe. “We maintain a focus on clients who seek demonstrable cyber-security and business process improvement”, says Goetsch. “We have saved our clients hundreds of millions of dollars in Cyber-Liabilities and do so with an expert staff and a proprietary set of tools.”