Integrators - Any Client Concerns About Mirai?

Just had my first enterprise customer asked about the Mirai botnet attacks and whether they need to change the products they are looking at purchasing. We don't sell low cost products (well, not very often) and secure our networks thoroughly if any portion is exposed online. It made for an easy question to answer. Anyone else getting any questions?


We issued a stop-ship on all Dahua products until a reasonable resolution is produced. We've been asked to take down our "Stop-Ship" notice because it's hurting installer's business... People would rather ignore it it seems...

However, we feel it is our duty to keep "Security" in CCTV Security... so we're going to continue to do the right thing.

Too bad you are undisclosed!!! You are credit to distributors.

I don't understand, are they still shipping product that is vulnerable to Mirai?

They aren't.

Weve had some questions and we have also issued a statement to all clients with best practices and informing of some of the details of Mirai. WE are going out and redoing several things on our systems and anyone with a sewrvice agreement is getting taken care of immediately and proactively. WE are pushing them a way from open ports if possible and of course updating firmware and scheduling reboots.

We have been concerned. Remember, the vulnerability is not from port forwarding, but with client computers that are on the same subnet or can route to the subnet where your iot devices are located. All it takes is a "click this link" from an unsuspecting user. You can update firmware, but the problem is still there with a potential future update from the hacker for additional vulnerabilities. Of course default passwords are susceptible, but so are devices with reported back door credentials publicized and open telnet ports.

We are seeing some suspicious outages and problems currently that are a concern. Most involve Axis products 0-5 years old. A report in July outlining the backdoor security vulnerability would be too tempting for the active hacker with an infection on the inside and device gateway and dns access to the outside. There are quite a few devices, other than Dahua, on the vulnerable reports.

Dont sleep on this and think it is based on direct port forwarding or dmz access to the devices themselves. Come up with a documented plan for your company to notify customers and address this. Many devices may be already infected without your knowledge. Monitor your firewall logs for peculiar activity. Look at camera logs for access by other sources than the vms server.

Remember, the vulnerability is not from port forwarding, but with client computers that are on the same subnet or can route to the subnet where your iot devices are located. All it takes is a "click this link" from an unsuspecting user...

Jeff, where are you getting this from? I'm not aware of mirai spreading thru PC based attachment vectors.

Indeed the bots scan the open Internet for public IPs with open telnet ports using SYN discovery and then proceed to brute the login with the password list.

These cases very much depend on port-forwarding being in-place.

One more thing, now that my blood pressure is rising. It is known that there are concerns from manufacturers such as acti, samsung, toshiba, axis, iqeye, videoiq, dahua, mobotix, and vivotek. Perhaps the dahua vulnerability was only an isolated test of the capabilities. Cmon, a dns factory in Manchester NH. If these or other manufacturers know about potential vulnerabilities, what better place to post a "how to check" than IPVM. I bet they are holding their breathes like the bankers were in 2008. Hikvision is the only company that made a visit to our office and provided a webinar related to cybersecurity, and actually discussed all of their security vulnerabilities the last couple of years and their errors that caused them, as well as the corrections that were made.

Man up, manufacturers. The crisis is not over.

From what I have researched, so far, the Mirai botnet also affects user PCs, mainly through user actions (links, attachements, etc). Once this occurs, the PC will scan its accessible network for IoT devices (cameras, thermostats, etc) on its "hit" list. I am not a hacker, but I assume that once the computer is infected, with a malware application that embeds this or maybe other such botnets, future updates or commands can be uploaded. To disbelieve this or even the chance that this could and does occur is negligent on our part. Hackers are some of the brightest programmers on the planet and they are looking for any "back door" to vulnerable devices, that they can. I can not believe that all of the hundreds of thousands of infected devices are assigned public addresses or are configured on NAT routers as DMZ. I have installed thousands of IP cameras, and have never seen an instance or request where I would do a complete DMZ port forward (which includes telnet). Still, if this does occur, that device will spread into the LAN to all other devices.

-------------------

The malware, dubbed “Mirai,” spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords. It can invade the PC silently and steal all information such as username, IP address, login details, credit card number, debit card number, PIN number, phone number and more for illegal purpose. Your computer acts very slow as well as Internet speed. The Mirai malware continuously scans all Internet for vulnerable IoT devices, to the purpose of infected and used in botnet attacks. It has ability to uses 62 common default usernames and passwords in order to scan for vulnerable devices. Because many IoT devices are not secured for this rubbish. It also allows the bot to access hundreds of thousands of devices. The creator of Mirai Botnet claimed around 380,000 IoT devices were enslaved by the Mirai malware in the attack on Krebs’ website. Its features are segmented command-and-control, that is allows the botnet to launch simultaneous DDoS attacks. So, it is very important to get rid of Mirai Botnet from the PC as soon as possible.

From what I have researched, so far, the Mirai botnet also affects user PCs

Can you post some links or references that support this? From everything I have read about Mirai, it does not infect or utilize PCs in any way.

This is a link to the information included in the second part of his post. Its on several malware cleaning sites, so obviously in their best interests to use mirai to scare people into buying their product.

But looking at the source code, there is no evidence it works this way.

The page looks auto-generated to get SEO results. It appears that you can substitute "Mirai" for whatever the threat-du-jour is and rack up some Google search rankings to get people to download their scanner.

From what I have seen, Mirai downloads pre-compiled binaries that run the botnet software, these look like they are compiled for various linux platforms, I do not recall seeing one pre-compiled to run on Intel/Windows, but maybe there is a newer binary out there now.

From what I have researched, so far, the Mirai botnet also affects user PCs...

Only those PC's running a telnet server with default camera user/pass credentials and port 23 forwarded. Which I suspect is pretty few.

Once this occurs, the PC will scan its accessible network for IoT devices (cameras, thermostats, etc) on its "hit" list.

Actually, if you look at the Mirai source code, IP addresses to scan are chosen at random, and the software excludes certain IP addresses and ranges associated with internal networks (192.168.0.0 for example), certain companies (Hewlett Packard, GE), the US Postal Service, and the Department of Defense.

The following portion of Mirai code creates a random IP to scan, excluding certain ranges:

Brian,

There have been reports of threat actors already modifying the code of Mirai. Do you believe it is not possible that one of these botnets can not be integrated with infected pcs to act as a satellite command and control to distribute? If I was a hacker, scanning and infecting from the inside would be the cats meow with this, as probably 99.99 percent of vulnerable devices reside there, without upnp, dmz, or direct internet access.

I like to think it the what will/can happen, not what is/was, and it is logical it is/will. I am just reacting right now in the "may".

Also, I see that sierra already reports vulnerability on their routers. How many comcast/time warner modems/routers are at risk, also. Most I have seen include the manufacturers default credentials. There are many millions of these out there, of various brands, most will default credentials.

I'm sure that plenty of people have speculated about what could be done with Mirai, but I have not seen any specific instances of it infecting PCs, or PCs being used to scan internal LANs. This is why I asked you for links/references because they why you phrased it I thought you had come across some specific examples of it having been done, and not just theories.

I agree that scanning from the inside of a LAN could turn up more IoT devices that have ability to connect OUT to send traffic, but are not reachable directly from the internet. But so far I have not heard of that happening.

You are correct that devices with telnet open and a path to get out to the internet pose a threat of future exploitation and should be patched accordingly. Even if the admin password is changed, it is still possible to run a dictionary attack and find the password, which is why telnet needs to be disabled on these devices, not just use different passwords or adjust firewall rules.

I like to think it the what will/can happen, not what is/was, and it is logical it is/will. I am just reacting right now in the "may".

Really, Jeff? These statements are just flat wrong, regardless of how you are reacting.

Remember, the vulnerability is not from port forwarding, but with client computers that are on the same subnet or can route to the subnet where your iot devices are located. All it takes is a "click this link" from an unsuspecting user...

Dont sleep on this and think it is based on direct port forwarding or dmz access to the devices themselves.

(in a rat infested basement on the outskirts of Moscow).

"Comrades, when you are finished with your LOL games, I have a task for you. You know all those American computers we control, you know, the ones with the 3 year expired Norton 90 day trial software. Clever how we put the "free lifetime Krispy Kreme donuts" link in the Longse spam mail. I just got off the phone with Comrade Donald. He would like me to upload that magical code I have been modifying the last week, ASAP, and set it to deploy next Monday night, with a botnet activation time for DNS disruption of Tuesday 0800 hours".

I had a client bring it up today. It was the head of the IT dept. He was talking about locking down the firewall some more just to be sure. I told him his greatest threat was from his internal network. They have a guest wireless network that could be a way in. We have sold them some Dahua OEM cameras that have upgraded firmwares and complex passwords, so the risk is minimal. They also tightly monitor all traffic thru the firewall, in both directions. He has several honeypots and SMB shares with fake files that he monitors for access. Lots of automated scripts that can close down switches or individual ports as threats are detected.