
Hackers turn IoT devices into massive botnet with Lizard Squad code

LizardStresser code fuels DDoS attacks on banks and gaming firms

Hackers are turning Internet of Things (IoT) devices into DDoS botnets that take down banks, gaming firms and government agencies.

Cyber criminals are adapting the open source code LizardStresser, written by Lizard Squad, to enlist connected devices that can carry out their attacks, security researchers believe.

Lizard Squad was effectively disbanded in 2015 following the conviction of several members after attacks on popular networks and sites like PlayStation Network, Xbox Live and the servers for MMO game Destiny during 2014.

The number of botnets based on LizardStresser has been steadily growing recently, hitting the 100 unique command-and-control (C2) server milestone in June 2016, with a number of them specifically targeting IoT devices, according to research by Arbor Networks, the security division of Netscout.

In a blog post, Matthew Bing, a research analyst at Arbor Networks, said: "LizardStresser is becoming the botnet-du-jour for IoT devices given how easy it is for threat actors to make minor tweaks to telnet scanning. With minimal research into IoT device default passwords, they are able to enlist an exclusive group of victims into their botnets."

He added: "Utilising the cumulative bandwidth available to these IoT devices, one group of threat actors has been able to launch attacks as large as 400Gbps targeting gaming sites world-wide, Brazilian financial institutions, ISPs, and government institutions."

The problem of the "smart dumb devices" used in the IoT is well known - these endpoints come with little security protection, run on a familiar operating system (Linux), often have no bandwidth restrictions or filtering when connected to the internet, and have default passwords that are often not changed by the owners and are shared across multiple different devices.

As Bing pointed out, this makes them "ideal DDoS bots".

The re-use of default passwords across device classes is particularly attractive to threat actors. "Simply recompiling LizardStresser code to use these well-known, but under-utilised (by attackers at least) default passwords opens up an entire new group of potential victims," he said.

Arbor Networks has been tracking two LizardStresser C2s that have been used to attack several targets in Brazil, including two large banks and two government agencies, as well as three large gaming firms based in the USA.

The organisation was able to track one attack, discovering that the overwhelming majority of the attack sources - i.e. the bots in the botnet - came from Vietnam, followed by Brazil, and then endpoints randomly scattered across the world.

What united 90 per cent of the bots, though, was that they were linked to NETSurveillance WEB, which, according to Bing, "appears to be generic code used by a variety of Internet-accessible webcams".

"A default password for the root user is available online, and telnet is enabled by default. We believe the threat actors customised the LizardStresser brute-force code to use this published, but under-utilised default password for IoT devices based on the NETSurveillance code," Bing said.
