Friday, October 21, 2016

Flashpoint Links Dyn DDoS Attack to Mirai IoT Botnet

Flashpoint confirmed that some of the infrastructure responsible for the distributed denial-of-service (DDoS) attacks against Dyn DNS consisted of botnets compromised by Mirai malware.

Mirai botnets were previously used in DDoS attacks against security researcher Brian Krebs’ blog “Krebs on Security” and French internet service and hosting provider OVH. Mirai malware targets Internet of Things (IoT) devices like routers, digital video recorders (DVRs), and webcams/security cameras, enslaving vast numbers of these devices into a botnet, which is then used to conduct DDoS attacks. Flashpoint has confirmed that at least some of the devices used in the Dyn DNS attacks are DVRs, further matching the technical indicators and tactics, techniques, and procedures (TTPs) associated with previously known Mirai botnet attacks.

However, Flashpoint states that the Mirai botnets used in the October 21, 2016 attack against Dyn were separate and distinct botnets from those used to execute the DDoS attacks against “Krebs on Security” and OVH.

Flashpoint also notes that the Mirai source code was released earlier this month by the hacker operating the Mirai botnet responsible for the Krebs DDoS attack.