Hackers turn IoT devices into massive botnet with Lizard Squad code

LizardStresser code fuels DDoS attacks on banks and gaming firms

Hackers are turning Internet of Things (IoT) devices into DDoS botnets that take down banks, gaming firms and government agencies.

Cyber criminals are adapting the open source code LizardStresser, written by Lizard Squad, to enlist connected devices that can carry out their attacks, security researchers believe.

Lizard Squad was effectively disbanded in 2015 following the conviction of several members after attacks on popular networks and sites like PlayStation Network, Xbox Live and the servers for MMO game Destiny during 2014.

The number of botnets based on LizardStresser has been steadily growing recently, hitting the 100 unique command-and-control (C2) server milestone in June 2016, with a number of them specifically targeting IoT devices, according to research by Arbor Networks, the security division of Netscout.

In a blog post, Matthew Bing, a research analyst at Arbor Networks, said: "LizardStresser is becoming the botnet-du-jour for IoT devices given how easy it is for threat actors to make minor tweaks to telnet scanning. With minimal research into IoT device default passwords, they are able to enlist an exclusive group of victims into their botnets."

He added: "Utilising the cumulative bandwidth available to these IoT devices, one group of threat actors has been able to launch attacks as large as 400Gbps targeting gaming sites world-wide, Brazilian financial institutions, ISPs, and government institutions."

The problem of the "smart dumb devices" used in the IoT is well known - these endpoints come with little security protection, run on a familiar operating system (Linux), often have no bandwidth restrictions or filtering when connected to the internet, and have default passwords that are often not changed by the owners and are shared across multiple different devices.

As Bing pointed out, this makes them "ideal DDoS bots".

The re-use of default passwords across device classes is particularly attractive to threat actors. "Simply recompiling LizardStresser code to use these well-known, but under-utilised (by attackers at least) default passwords opens up an entire new group of potential victims," he said.

Arbor Networks has been tracking two LizardStresser C2s that have been used to attack several targets in Brazil, including two large banks and two government agencies, as well as three large gaming firms based in the USA.

The organisation was able to track one attack, discovering that the overwhelming majority of the attack sources - i.e. the bots in the botnet - came from Vietnam, followed by Brazil, and then endpoints randomly scattered across the world.

What united 90 per cent of the bots, though, was that they were linked to NETSurveillance WEB, which, according to Bing, "appears to be generic code used by a variety of Internet-accessible webcams".

"A default password for the root user is available online, and telnet is enabled by default. We believe the threat actors customised the LizardStresser brute-force code to use this published, but under-utilised default password for IoT devices based on the NETSurveillance code," Bing said.
