Mirai Botnet Heatmap Illustrates Vulnerabilities of Stadium Infrastructure

The recent use by the Mirai botnet of compromised video cameras to launch a DNS-based attack on Dyn, and the subsequent effects on Internet backbone performance, have led defenders of critical infrastructure resources to reevaluate their protective strategies. This is just as true for sports-related events that rely on high-availability, multi-channel communications as it is for banking and financial resources.

These events have been reported on extensively over the past week by Brian Krebs, Level3, AlienVault, and SecurityAffairs, among others.  The Level3 Threat Research Labs noted:

At any one time, only a handful of network C2 IP addresses were active.  Approximately every two days, a new network C2 IP became active.  This switching behavior is roughly 3-times more rapid than we observed in the gafgyt botnet.  It is likely done in an effort to evade detection.
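The rotation pattern Level3 describes (a handful of active C2 addresses, a new one roughly every two days) is something a defender can look for in their own flow or firewall logs. The following is an added example, not part of the original post or of Level3's analysis; it runs a simple cadence heuristic over constructed sample flow records and flags devices that keep acquiring new external destinations on a regular schedule.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records (not real data): (source device, timestamp, destination IP).
# Device 10.0.0.5 mimics the cadence Level3 described: a new destination roughly
# every two days. Device 10.0.0.9 talks to one stable destination (benign pattern).
FLOWS = [
    ("10.0.0.5", "2016-10-01T00:10", "203.0.113.10"),
    ("10.0.0.5", "2016-10-01T12:00", "203.0.113.10"),
    ("10.0.0.5", "2016-10-03T01:00", "203.0.113.11"),
    ("10.0.0.5", "2016-10-03T13:00", "203.0.113.11"),
    ("10.0.0.5", "2016-10-05T00:30", "203.0.113.12"),
    ("10.0.0.5", "2016-10-07T02:00", "203.0.113.13"),
    ("10.0.0.5", "2016-10-09T00:00", "203.0.113.14"),
    ("10.0.0.9", "2016-10-01T08:00", "198.51.100.20"),
    ("10.0.0.9", "2016-10-05T08:00", "198.51.100.20"),
    ("10.0.0.9", "2016-10-09T08:00", "198.51.100.20"),
]


def first_seen_by_device(flows):
    """Return {device: [(first_seen_time, dst_ip), ...]} sorted by first-seen time."""
    seen = defaultdict(dict)
    for src, ts, dst in flows:
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M")
        if dst not in seen[src] or t < seen[src][dst]:
            seen[src][dst] = t
    return {src: sorted((t, d) for d, t in m.items()) for src, m in seen.items()}


def rotating_destinations(flows, min_new=3,
                          min_gap=timedelta(hours=36), max_gap=timedelta(hours=60)):
    """Flag devices whose new external destinations appear at a regular cadence
    (default window: roughly every two days, with tolerance for jitter).
    Returns {device: [destinations in order of first appearance]}."""
    flagged = {}
    for src, firsts in first_seen_by_device(flows).items():
        if len(firsts) < min_new:
            continue  # too few new destinations to call it a rotation
        gaps = [later[0] - earlier[0] for earlier, later in zip(firsts, firsts[1:])]
        if all(min_gap <= g <= max_gap for g in gaps):
            flagged[src] = [d for _, d in firsts]
    return flagged


if __name__ == "__main__":
    for device, dsts in rotating_destinations(FLOWS).items():
        print(f"{device}: new destination every ~2 days -> {dsts}")
```

This is a triage signal rather than a verdict: CDN and update services also rotate endpoints, so flagged devices should be cross-checked against a C2 indicator feed and their other traffic (for example Telnet activity on the device itself) before any remediation.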

At the date of publication of the Level3 analysis there were almost half a million Internet of Things (IoT) devices that had been compromised by the Mirai malware and brought under the control of the botnet master, presumably through the only Tor node identified in the C2 infrastructure. Many of these IoT devices were compromised surveillance video cameras and webcams attached to computers.

Experts believe that the full power of Mirai has yet to be witnessed, and that the attacks against Dyn only used about “a fifth of the devices infected with malware that drives the botnet.” Simply put, “there is no single silver bullet to fix this… any adversary can harness [these] devices, destroy them, or compromise them. You can send spam, you can send DDoS attacks. You can rent out the botnet, sell the botnet, or do hacktivism.” There are approximately 6.4 billion connected devices currently, and that number is expected to reach 11.4 billion in 2018, presenting an even greater challenge for IT divisions across all sectors.

(Outage map, US, October 29, 2016)

As an example, if we overlay the locations of the NBA teams on the Internet disruptions as they were documented on Saturday, October 29th, we see a clear correlation.

The timing of these attacks could not be worse for major league basketball. As Javvad Malik of AlienVault noted:

The Mirai botnet has given us the first real glimpse into the power of an IoT botnet and the damage that can be done.

Invincea conducted a lab test of a countermeasure against OSI Application Layer 7 (HTTP) attacks launched by the Mirai botnet. However, as they note, the legality of such an approach is questionable under current U.S. law, and the approach would not have worked against the mid-October attacks.

The NBA finals drew the highest rating since 1998 this past year, averaging 19.94 million viewers. We are currently in the NBA season and fans want to be able to access their favorite teams through their mobile devices, iPads, computers, as well as through their televisions. Team management should work together with the League and the Sports-ISAO to form a League-wide approach to addressing this botnet, as well as other threats that could potentially affect the availability of the games to the fans.

One Response to "Mirai Botnet Heatmap Illustrates Vulnerabilities of Stadium Infrastructure"

  1. Sports-Reporter   November 30, 2016 at 11:41 pm

    Since I originally wrote this article I ran across an online detection service for IP addresses that are showing up as part of the Mirai Botnet – Visit: https://amihacked.turris.cz and upload the IP addresses for all of your devices that you suspect might be vulnerable.

    To read more about their analysis of the Telnet service vulnerabilities and the protocols that are being used by the Mirai malware go to: https://en.blog.nic.cz/2016/09/01/telnet-is-not-dead-at-least-not-on-smart-devices/
