I recently published part one in this series, which examined the Mirai botnet attacks of late 2016.
For part two, I’d like to take a closer look at the Amnesia botnet, or what I like to call “a Mirai that wasn’t.” Amnesia is notable because it’s an IoT botnet built using compromised DVRs. These DVRs are compromised using a vulnerability that’s been known and not patched for over a year. And our best estimate is that over a quarter million devices around the world are vulnerable.
The circumstances around Amnesia seem to be ideal for a large-scale IoT attack, especially post-Mirai: a quarter-million systems around the world unpatchable for a vulnerability that gives total control and the malware out there to herd them into a botnet.
And yet there’s been no large scale Amnesia outbreak. Why?
One thing that we can point to with Amnesia is the fact that it’s actually easy to block: the botnet hardcoded its command-and-control (C2) servers information, making it easy to block and render inert. And information about the vulnerability and the lack of a patch has been out there for well over a year.
By widely sharing information about the vulnerability and, later, Amnesia and its C2 servers before there was a crisis, we may have been able to help prevent a crisis.
Ironically, that may also be a reason for the lack of additional Mirai attacks after the source code went public. In other words, with that attack information available, defenders have useful information they can use to protect themselves and their organizations.
This brings us to a key point around how the world of the IoT internet is different from the world of the PC internet: There’s a mature security ecosystem today that makes information sharing a priority and prevention a realistic goal.
In the early days of Code Red or Nimda especially, security was an afterthought and there were no information-sharing channels. But today the channels to share information are many; there are Information Sharing and Analysis Centers for most major industries now. And the Cyber Threat Alliance (of which Palo Alto Networks is one of six founding members along with Check Point, Cisco, Fortinet, McAfee and Symantec) is automating information sharing through its platform which enables data to be shared across all members and protections pushed out to their customers in minutes. And these very channels and their effectiveness make prevention a realistic goal: It is now possible to get information out quickly enough to prevent large-scale attacks from taking hold like in the past.
This isn’t to say that the threat of IoT attacks isn’t real; IoT attacks will happen and some of them will be major, like the Mirai attack. But it doesn’t mean that we can’t look at the past as a clear guide to our future either. It also means that the future around IoT attacks isn’t as bleak as some of us may have feared: We can be cautiously optimistic.
Overall, we can’t stop being vigilant and working to share information and keep prevention in mind as a goal. Part of why today is different than yesterday is because of all the hard work of the past 17 years. While we can recognize the good work we’ve done, we can’t afford to celebrate by stopping. The next 17 years look to be even more complex and important.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.