Security

The Future is Here – Assaulting the Internet with Mirai

Artsiom Holub
Updated — July 24, 2020 • 4 minute read

As we begin our journey into 2017, many of us will take the opportunity to look back on how 2016 went. This time of year is conducive to self-reflection and introspection, learning from the past to prepare for the future. Though there were many incidents over the course of the past twelve months, none captured my attention as much as the Mirai botnet. Adaptable, difficult to detect, and enormously disruptive, I believe Mirai to be the first in a series of new threats which will impact the world on a scale that was previously unimaginable.

Cried Out In Unison – Biggest DDoS of 2016

Mirai first came to the media’s attention around September, when researcher Brian Krebs was targeted by a historically large DDoS attack. In his debrief with Akamai, it was noted that rather than relying on DNS amplification to achieve such traffic volume, the attack appeared to come from many different sources. This suggested that an enormous number of devices had been compromised, and soon enough the world started to hear and read the word “Mirai”. This enterprising botnet took advantage of the insecurity of internet-connected smart devices such as cameras, printers, and DVRs. By brute-forcing commonly used administrative passwords, Mirai took over millions of devices all around the world, giving attackers vastly more bandwidth with which to overwhelm servers.
Analyzing data coming from a honeypot built similarly to those designed by arm5077 and robertdavidgraham, we were able to gather 111,783 connections in a period of just 30 days. After removing the duplicates, we were left with 8,578 unique IPs to work with.

Mirai geolocated IP addresses

Based on served HTTP banners and Shodan data we identified:

  • 2,861 surveillance cameras
  • 759 DVR players
  • 1,088 routers
  • 76 firewall devices

The results help to clarify Mirai’s significant difference from classic botnets — its choice of targets. Rather than attacking home computers, its victims were internet-connected devices which have long been under the scrutiny of security researchers, and that choice made it incredibly successful. By striking at things that were both insecure and extremely popular, the botnet was able to gain ground quickly. With unprecedented DDoS power, attackers were able to go after huge targets: after Krebs, French host OVH was attacked, then Dyn, then the country of Liberia, and most recently Deutsche Telekom. In the span of just a few months, vital pieces of the internet’s infrastructure have been assaulted by Mirai, and there’s no reason to believe this will subside in the coming years as more IoT devices make their way into homes everywhere.
Vulnerable devices can be found almost anywhere. Geolocation of the captured IP addresses indicates that the majority of the infected devices are based in Taiwan (1,152), Vietnam (1,136), China (789), Brazil (650), Turkey (483), Russia (426) and India (408).
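The analysis above (raw honeypot connections deduplicated to unique source IPs, sources classified by HTTP banner, and the credential pairs attempted) can be reproduced in miniature. The script below is an added example, not code from the original post or from the honeypots it mentions; the log format, the banner-to-device keyword rules and every sample line are constructed for this illustration.

```python
"""Summarise honeypot captures of Mirai-style credential brute forcing.
Added example, not code from the original post: the log format, the banner
rules and every sample line are constructed; a real honeypot needs its own parser."""
from collections import Counter

# Constructed honeypot log: "<timestamp> <src_ip> <user> <password>" per login attempt.
SAMPLE_ATTEMPTS = """\
2016-12-01T10:00:01Z 203.0.113.5 admin admin
2016-12-01T10:00:02Z 203.0.113.5 admin password
2016-12-01T10:00:09Z 198.51.100.7 admin admin
2016-12-01T10:01:00Z 203.0.113.5 root 12345
2016-12-01T10:01:30Z 192.0.2.44 admin admin
2016-12-01T10:02:00Z 198.51.100.7 admin password
"""
# Constructed HTTP banners per source IP (what a banner grab or Shodan lookup would return).
SAMPLE_BANNERS = {"203.0.113.5": "Server: Camera Web Server",
                  "198.51.100.7": "Server: DVR-HTTPD/1.0",
                  "192.0.2.44": "Server: RouterOS web"}
# Constructed keyword rules mapping a banner to the device classes the post reports.
DEVICE_RULES = (("camera", ("camera", "ipcam")), ("dvr", ("dvr", "nvr")),
                ("router", ("router",)), ("firewall", ("firewall",)))


def parse_attempts(text):
    """Return one (timestamp, ip, user, password) tuple per well-formed log line."""
    return [tuple(p) for p in (ln.split() for ln in text.splitlines()) if len(p) == 4]


def classify_banner(banner):
    """Map an HTTP banner to a coarse device class, or 'unknown' if no rule matches."""
    lowered = banner.lower()
    for device, keywords in DEVICE_RULES:
        if any(k in lowered for k in keywords):
            return device
    return "unknown"


def summarize(attempts, banners):
    """Deduplicate sources (connections -> unique IPs), classify them, rank credentials."""
    sources = {ip for _, ip, _, _ in attempts}
    devices = Counter(classify_banner(banners.get(ip, "")) for ip in sources)
    creds = Counter(f"{user}/{pw}" for _, _, user, pw in attempts)
    return {"connections": len(attempts), "unique_ips": len(sources),
            "devices": dict(devices), "top_credentials": creds.most_common(3)}


if __name__ == "__main__":
    print(summarize(parse_attempts(SAMPLE_ATTEMPTS), SAMPLE_BANNERS))
```

On real honeypot output the same counters give the connection-to-unique-IP reduction and device breakdown reported above, with the top credential pairs showing which factory defaults the bots are still finding.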

Visualization of IP addresses used by Mirai

Mirai’s Future – Predicted Paths

Based on observed combinations of default credentials used by bots, we predict that the next devices which will be targeted by Mirai include:

  • ACTi IP Cameras
  • ANKO Products DVRs
  • Axis IP Cameras
  • Dahua Cameras and DVRs
  • Dreambox TVs
  • HiSilicon Cameras
  • Mobotix Network Cameras
  • Realtek Routers
  • SMC Routers
  • Ubiquiti AirOS Routers
  • VideoIq Systems

When the source code of Mirai was released to hackers, it became only more attractive to ambitious malicious actors looking to adapt it to their needs. Recently, it has been modified to generate domains through a DGA to better evade detection and keep constant contact with C&C servers, and it seems likely that changes will be made to start implementing Tor and other traffic obfuscation methods. David Rodriguez recently profiled this new DGA-enabled variant in a blog post, and the data he gathered, combined with the analysis done by other researchers, has revealed Mirai to be a thoroughly interconnected piece of malware, sharing space with ransomware distributors and other assorted awful things on the internet.

Visualization of domains generated by Mirai and their co-occurrences.

Into the Breach – Next Steps

So where do we go from here? What can be done about Mirai and the other IoT botnets that are sure to follow? The largest share of the burden lies with manufacturers, who continue to fail to address the weak security practices built into their products. Devices should leave the factory with unique credentials instead of collectively sharing an easily guessed login and password combination such as “admin/admin” or “admin/password”. It would also be very helpful to limit access through commonly used ports and protocols like Telnet. IoT devices need to be designed with built-in protections against intrusion and compromise, using unique device passwords and preventing insecure remote logins. Individual users and administrators can help themselves by logging into the devices in their possession and changing weak passwords, as well as implementing port defenses to keep unwanted remote communications at bay. Though this might make a dent in the number of vulnerable devices, the most effective place to make this change is at the manufacturer’s level. Further, ISPs and DNS providers need to be aware of the problem and work closely together. The possibility of attacks at this scale must spur changes, both to the underlying architecture of the internet and the companies that deliver it, and to the methods the entire internet community uses to respond to massive DDoS attacks. Given that IoT botnets will grow larger as more devices connect to the web, we must change both the internet’s ability to handle them and our responses to them.
2017 will prove to be a very interesting year, and rather than simply watching as it unfolds, we must be willing to meet its challenges head on. The future is here, and we must prepare ourselves now.
Thanks to Austin McBride for contributing visualizations.
