Hackers turn IoT devices into massive botnet with Lizard Squad code

LizardStresser code fuels DDoS attacks on banks and gaming firms

Hackers are turning Internet of Things (IoT) devices into DDoS botnets that take down banks, gaming firms and government agencies.

Cyber criminals are adapting the open source code LizardStresser, written by Lizard Squad, to enlist connected devices that can carry out their attacks, security researchers believe.

Lizard Squad was effectively disbanded in 2015 following the conviction of several members after attacks on popular networks and sites like PlayStation Network, Xbox Live and the servers for MMO game Destiny during 2014.

Advertisement - Article continues below

The number of botnets based on LizardStresser has been steadily growing recently, hitting the 100 unique command-and-control (C2) server milestone in June 2016, with a number of them specifically targeting IoT devices, according to research by Arbor Networks, the security division of Netscout.

In a blog post, Matthew Bing, a research analyst at Arbor Networks, said: "LizardStresser is becoming the botnet-du-jour for IoT devices given how easy it is for threat actors to make minor tweaks to telnet scanning. With minimal reseach into IoT device default passwords, they are able to enlist an exclusive group of victims into their botnets."

He added: "Utilising the cumulative bandwidth available to these IoT devices, one group of threat actors has been able to launch attacks as large as 400Gbps targeting gaming sites world-wide, Brazilian financial institutions, ISPs, and government institutions."

Advertisement
Advertisement - Article continues below

The problem of the "smart dumb devices" used in the IoT is well known - these endpoints come with little security protection, run on a familiar operating system (Linux), often have no bandwidth restrictions or filtering when connected to the internet, and have default passwords that are often not changed by the owners and are shared across multiple different devices.

Advertisement - Article continues below

As Bing pointed out, this makes them "ideal DDoS bots".

The re-use of default passwords across device classes is particularly attractive to threat actors. "Simply recompiling LizardStresser code to use these well-known, but under-utilised (by attackers at least) default passwords opens up an entire new group of potential victims," he said.

Arbor Networks has been tracking two LizardStresser C2s that have been used to attack several targets in Brazil, including two large banks and two government agencies, as well as three large gaming firms based in the USA.

The organisation was able to track one attack, discovering that the overwhelming majority of the attack sources - i.e. the bots in the botnet - came from Vietnam, followed by Brazil, and then endpoints randomly scattered across the world.

What united 90 per cent of the bots, though, was that they were linked to NETSurveillance WEB, which, according to Bing, "appears to be generic code used by a variety of Internet-accessible webcams".

"A default password for the root user is available online, and telnet is enabled by default. We believe the threat actors customised the LizardStresser brute-force code to use this published, but under-utilised default password for IoT devices based on the NETSurveillance code," Bing said.

Featured Resources

Navigating the new normal: A fast guide to remote working

A smooth transition will support operations for years to come

Download now

Putting a spotlight on cyber security

An examination of the current cyber security landscape

Download now

The economics of infrastructure scalability

Find the most cost-effective and least risky way to scale

Download now

IT operations overload hinders digital transformation

Clearing the path towards a modernised system of agreement

Download now
Advertisement

Recommended

Visit/security/ethical-hacking/356252/poorly-secured-banking-apps-lead-to-cyber-threats
ethical hacking

Mobile banking apps are exposing user data to attackers

26 Jun 2020
Visit/security/malware/356231/most-malware-came-through-https-connections-in-q1-2020
malware

Most malware came through HTTPS connections in Q1 2020

25 Jun 2020
Visit/security/phishing/356211/phishing-attacks-target-unsuspecting-wells-fargo-customers
phishing

Phishing attacks target unsuspecting Wells Fargo customers

24 Jun 2020
Visit/security/hacking/356210/trump-administration-wants-to-enhance-the-security-of-gov-sites
hacking

Trump administration wants to enhance the security of .gov sites

24 Jun 2020

Most Popular

Visit/laptops/29190/how-to-find-ram-speed-size-and-type
Laptops

How to find RAM speed, size and type

24 Jun 2020
Visit/security/vulnerability/356295/microsoft-patches-high-risk-flaws-that-can-be-exploited-with-a
vulnerability

Microsoft releases urgent patch for high-risk Windows 10 flaws

1 Jul 2020
Visit/policy-legislation/data-protection/356344/eu-institutions-warned-against-purchasing-any-further
data protection

EU institutions told to avoid Microsoft software after licence spat

3 Jul 2020