Hackers turn IoT devices into massive botnet with Lizard Squad code

LizardStresser code fuels DDoS attacks on banks and gaming firms

Hackers are turning Internet of Things (IoT) devices into DDoS botnets that take down banks, gaming firms and government agencies.

Cyber criminals are adapting LizardStresser, a DDoS bot written by Lizard Squad whose source code was released publicly in early 2015, to enlist connected devices that then carry out their attacks, security researchers believe.

Lizard Squad was effectively disbanded in 2015 following the conviction of several members for their 2014 attacks on popular networks and sites, including PlayStation Network, Xbox Live and the servers for the MMO game Destiny.

The number of botnets based on LizardStresser has been steadily growing recently, hitting the 100 unique command-and-control (C2) server milestone in June 2016, with a number of them specifically targeting IoT devices, according to research by Arbor Networks, the security division of Netscout.

In a blog post, Matthew Bing, a research analyst at Arbor Networks, said: "LizardStresser is becoming the botnet-du-jour for IoT devices given how easy it is for threat actors to make minor tweaks to telnet scanning. With minimal research into IoT device default passwords, they are able to enlist an exclusive group of victims into their botnets."

He added: "Utilising the cumulative bandwidth available to these IoT devices, one group of threat actors has been able to launch attacks as large as 400Gbps targeting gaming sites world-wide, Brazilian financial institutions, ISPs, and government institutions."

The problem of the "smart dumb devices" used in the IoT is well known: these endpoints ship with little security protection, run a familiar operating system (Linux) so existing bot code needs little porting, often sit behind no bandwidth restrictions or filtering when connected to the internet, and come with default passwords that owners rarely change and that are shared across many different devices.

As Bing pointed out, this makes them "ideal DDoS bots".

The re-use of default passwords across device classes is particularly attractive to threat actors. "Simply recompiling LizardStresser code to use these well-known, but under-utilised (by attackers at least) default passwords opens up an entire new group of potential victims," he said.

Arbor Networks has been tracking two LizardStresser C2s that have been used to attack several targets in Brazil, including two large banks and two government agencies, as well as three large gaming firms based in the USA.

The organisation was able to track one attack, discovering that the overwhelming majority of the attack sources - i.e. the bots in the botnet - came from Vietnam, followed by Brazil, and then endpoints randomly scattered across the world.

What united about 90 per cent of the bots, though, was that they exposed a web interface identifying itself as NETSurveillance WEB, which, according to Bing, "appears to be generic code used by a variety of Internet-accessible webcams".

"A default password for the root user is available online, and telnet is enabled by default. We believe the threat actors customised the LizardStresser brute-force code to use this published, but under-utilised default password for IoT devices based on the NETSurveillance code," Bing said.
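The scanning pattern Bing describes above, a bot trying a short list of published vendor defaults over telnet against a large number of hosts, is also what makes the activity easy to separate from an administrator logging into one device. The following is an added example for this article, not Arbor Networks' or Lizard Squad's code: it parses constructed telnet login-attempt records as a network sensor might record them and flags sources that spray a small fixed credential set horizontally, then lists the targets where a default credential actually worked. The log format, IP addresses, thresholds and the `DEFAULT_CREDS` list are all constructed for illustration and do not describe any real device's credentials.

```python
"""Spot LizardStresser-style telnet default-credential spraying in sensor logs.

Added example; not Arbor Networks' or Lizard Squad's code. The log format,
addresses, credential list and thresholds are constructed for illustration.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: one line per telnet/ssh login attempt seen by a sensor.
# <time> <src_ip> -> <dst_ip>:<port> user=<u> pass=<p> result=<ok|fail>
SAMPLE_LOG = """\
2016-06-20T10:00:01Z 203.0.113.7 -> 198.51.100.10:23 user=root pass=defaultA result=fail
2016-06-20T10:00:01Z 203.0.113.7 -> 198.51.100.10:23 user=root pass=defaultB result=fail
2016-06-20T10:00:02Z 203.0.113.7 -> 198.51.100.11:23 user=root pass=defaultA result=fail
2016-06-20T10:00:02Z 203.0.113.7 -> 198.51.100.12:23 user=root pass=defaultA result=ok
2016-06-20T10:00:03Z 203.0.113.7 -> 198.51.100.13:23 user=root pass=defaultA result=fail
2016-06-20T10:00:03Z 203.0.113.7 -> 198.51.100.14:23 user=root pass=defaultB result=ok
2016-06-20T10:00:04Z 203.0.113.7 -> 198.51.100.15:23 user=root pass=defaultA result=fail
2016-06-20T10:05:00Z 192.0.2.5 -> 198.51.100.20:23 user=admin pass=Tr0ub4dor&3 result=ok
2016-06-20T10:06:00Z 192.0.2.5 -> 198.51.100.20:23 user=admin pass=Tr0ub4dor&3 result=ok
2016-06-20T10:07:00Z 192.0.2.9 -> 198.51.100.30:22 user=root pass=defaultA result=fail
"""

# Constructed stand-in for the short list of vendor defaults that are shared
# across device classes; these are NOT any real device's credentials.
DEFAULT_CREDS = {("root", "defaultA"), ("root", "defaultB"), ("admin", "admin")}

TELNET_PORT = 23

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+):(?P<port>\d+) "
    r"user=(?P<user>\S+) pass=(?P<pw>\S+) result=(?P<result>ok|fail)$"
)


@dataclass(frozen=True)
class Attempt:
    ts: str
    src: str
    dst: str
    port: int
    user: str
    password: str
    ok: bool


def parse_log(text: str) -> list[Attempt]:
    """Parse sensor lines into Attempt records, skipping anything else."""
    attempts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        attempts.append(Attempt(m["ts"], m["src"], m["dst"], int(m["port"]),
                                m["user"], m["pw"], m["result"] == "ok"))
    return attempts


def flag_sprayers(attempts: list[Attempt], min_targets: int = 5,
                  max_creds: int = 4) -> list[str]:
    """Sources that try a small, fixed set of default credentials against many
    distinct telnet targets: the horizontal pattern of a scanning bot, as
    opposed to an administrator logging into a single device."""
    targets: dict[str, set[str]] = defaultdict(set)
    creds: dict[str, set[tuple[str, str]]] = defaultdict(set)
    for a in attempts:
        if a.port != TELNET_PORT:
            continue
        targets[a.src].add(a.dst)
        creds[a.src].add((a.user, a.password))
    return sorted(
        src for src in targets
        if len(targets[src]) >= min_targets
        and len(creds[src]) <= max_creds
        and creds[src] <= DEFAULT_CREDS
    )


def default_login_successes(attempts: list[Attempt]) -> list[tuple[str, str]]:
    """(src, dst) pairs where a known default credential worked over telnet;
    each dst is a device that has very likely just been enlisted."""
    return sorted({(a.src, a.dst) for a in attempts
                   if a.port == TELNET_PORT and a.ok
                   and (a.user, a.password) in DEFAULT_CREDS})


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    print("spraying sources:", flag_sprayers(found))
    print("successful default logins:", default_login_successes(found))
```

The thresholds are deliberately simple: a real scanner will usually touch far more than five hosts, and the credential set it carries is short, so tightening `min_targets` trades a little sensitivity for fewer false positives on legitimate fleet management. The ssh attempt on port 22 in the sample is ignored on purpose, since the article's point is telnet enabled by default; widening the port filter is a one-line change if the sensor also sees ssh brute force.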
