Passwords of 515,000 Devices Leaked by DDoS Attacker

For many organizations, their web presence is a crucial part of their ability to generate revenue. Any attack that reduces usability of their website, like a distributed denial of service (DDoS) attack, can have a significant negative impact upon profitability.

DDoS attacks have been evolving, growing more common, more powerful, and cheaper to perform. This has led to the rise of DDoS for hire providers, who sell their services to those wanting to perform attacks but not owning a botnet of their own. One of these providers recently leaked a list of over 500,000 login credentials for compromised devices, dramatically increasing the threat of DDoS attacks for organizations.

The Evolution of DDoS Attacks

DDoS attacks have been around for a long time. They are simple to perform but can have a significant impact on their target. As a result, they are popular for hacktivism and revenge hacking. With ransom DDoS attacks, an attacker can even make money off of their target by getting their victim to pay to have the attack ended.

Over time, DDoS attacks have become easier to perform. Their main requirement is computational resources, which become easier to acquire as more and more devices are connected to the Internet. The growth of cloud computing and the Internet of Things (IoT) has provided cybercriminals with all of the Internet-connected computing power that they need to perform their attacks. As DDoS attacks have become easier to perform, the DDoS landscape has shifted. A cat and mouse game has evolved between cybercriminals and DDoS protection providers as DDoS attackers try to adapt to slip past organizations’ defenses.

The evolution of DDoS has also enabled the existence of ‘DDoS as a service’ providers. For those individuals who lack the technical know-how to perform a DDoS attack, these cybercriminals rent their services for a set period of time, attacking the target of their client’s choice. In order to perform these types of attacks at scale (and possibly for multiple clients in parallel), DDoS attackers need access to massive botnets. To build these botnets, these cybercriminals build lists of compromised devices, including IP addresses and login credentials, that their command and control servers use to control their botnets. While these bot lists are usually closely protected by their owner (since they constitute the cybercriminal’s competitive advantage), this is not always the case.

Lowering the Bar for DDoS Attacks

Performing a DDoS attack requires very little technical know-how. All a DDoS attack requires is the ability to send a large volume of malicious requests from a set of a large number of computers. At a minimum, this could be accomplished with a script that makes a massive number of HTTP requests for a webpage with multiple parallel threads.

However, collecting the devices needed to perform the attack can be more difficult. While a large number of such devices exist, a cybercriminal needs a means of compromising them to run the malicious DDoS code. While this normally requires a little more technical knowledge than performing an attack (or a purchase of malware designed to do it), an operator of a DDoS for hire site has recently made this a lot easier.

One of the main security issues with IoT devices is that they commonly use vendor-supplied default passwords. Taking advantage of these weak passwords is what made the Mirai botnet so successful. A list of 61 sets of login credentials enabled Mirai to compromise 400,000 devices at its peak.

A recent release of over 515,000 thousand passwords for routers and IoT devices has made it possible for other DDoS botnets to follow in Mirari’s footsteps. This bot list would enable someone to modify the Mirai source code (which is publicly available) to connect to and control these devices over the Telnet protocol. Since the list is several months old, some of these devices may have new IP addresses or login credentials. However, some will remain the same, and an organization that has one poorly configured device is likely to have others. While the public release of this list means that it is unlikely that all devices will be incorporated into a single botnet, it seems probable that all devices without changed credentials will be compromised and used for malicious purposes.

Protecting Against the Evolving DDoS Threat Landscape

The leak of over 500,000 device passwords increases the threat of DDoS attacks as less skilled users can exploit the list to build their own botnets. Even if the specific devices are taken offline, the list provides clues regarding organizations that may have poor IoT cybersecurity policies in place.

However, this list represents only a fraction of the compromised devices currently in use as part of cybercriminal-controlled botnets. These botnets are comprised of a mix of IoT devices and cloud computing resources and pose a significant risk to companies’ cybersecurity.

Protecting against the threat of botnet-driven DDoS attacks requires addressing the problem at both ends of the DDoS attack lifecycle. Owners of IoT devices should take steps to protect them against exploitation by isolating them behind firewalls, changing default passwords and installing updates.

However, this will not eliminate the threat of DDoS attacks since cheap cloud services make perfectly functional bots. Organizations should take steps to protect themselves against DDoS attacks by deploying anti-DDoS protections capable of detecting and blocking the latest iterations of the DDoS attack.