Hackers turn IoT devices into massive botnet with Lizard Squad code

LizardStresser code fuels DDoS attacks on banks and gaming firms

Hackers are turning Internet of Things (IoT) devices into DDoS botnets that take down banks, gaming firms and government agencies.

Cyber criminals are adapting the open source code LizardStresser, written by Lizard Squad, to enlist connected devices that can carry out their attacks, security researchers believe.

Lizard Squad was effectively disbanded in 2015 following the conviction of several members after attacks on popular networks and sites like PlayStation Network, Xbox Live and the servers for MMO game Destiny during 2014.

The number of botnets based on LizardStresser has been steadily growing recently, hitting the 100 unique command-and-control (C2) server milestone in June 2016, with a number of them specifically targeting IoT devices, according to research by Arbor Networks, the security division of Netscout.


In a blog post, Matthew Bing, a research analyst at Arbor Networks, said: "LizardStresser is becoming the botnet-du-jour for IoT devices given how easy it is for threat actors to make minor tweaks to telnet scanning. With minimal research into IoT device default passwords, they are able to enlist an exclusive group of victims into their botnets."

He added: "Utilising the cumulative bandwidth available to these IoT devices, one group of threat actors has been able to launch attacks as large as 400Gbps targeting gaming sites world-wide, Brazilian financial institutions, ISPs, and government institutions."

The problem of the "smart dumb devices" used in the IoT is well known - these endpoints come with little security protection, run on a familiar operating system (Linux), often have no bandwidth restrictions or filtering when connected to the internet, and have default passwords that are often not changed by the owners and are shared across multiple different devices.

As Bing pointed out, this makes them "ideal DDoS bots".

The re-use of default passwords across device classes is particularly attractive to threat actors. "Simply recompiling LizardStresser code to use these well-known, but under-utilised (by attackers at least) default passwords opens up an entire new group of potential victims," he said.

Arbor Networks has been tracking two LizardStresser C2s that have been used to attack several targets in Brazil, including two large banks and two government agencies, as well as three large gaming firms based in the USA.


The organisation was able to track one attack, discovering that the overwhelming majority of the attack sources - i.e. the bots in the botnet - came from Vietnam, followed by Brazil, and then endpoints randomly scattered across the world.

What united 90 per cent of the bots, though, was that they were linked to NETSurveillance WEB, which, according to Bing, "appears to be generic code used by a variety of Internet-accessible webcams".

"A default password for the root user is available online, and telnet is enabled by default. We believe the threat actors customised the LizardStresser brute-force code to use this published, but under-utilised default password for IoT devices based on the NETSurveillance code," Bing said.
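The recruitment pattern the article describes (telnet enabled by default, a well-known root password, one source trying it against device after device) leaves a distinctive trace on the devices themselves. The following is an added example, not code from the article or from Arbor Networks, showing how a defender might spot it in a central log: it flags any source that racks up a burst of failed telnet logins across several devices, and escalates when that same source then succeeds as root. The log format, hostnames and addresses are constructed for the example; real telnetd and syslog output will need the regular expression adapted.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (syslog-like, invented for this example).
# 203.0.113.5 sweeps several cameras and then gets in as root; 198.51.100.7
# makes two isolated failures half an hour apart; 192.0.2.44 is a normal login.
SAMPLE_LOG = """\
2016-06-29T10:00:01 cam-01 telnetd: login failed user=root from=203.0.113.5
2016-06-29T10:00:02 cam-01 telnetd: login failed user=admin from=203.0.113.5
2016-06-29T10:00:03 cam-02 telnetd: login failed user=root from=203.0.113.5
2016-06-29T10:00:04 cam-03 telnetd: login failed user=root from=203.0.113.5
2016-06-29T10:00:05 cam-03 telnetd: login failed user=root from=203.0.113.5
2016-06-29T10:00:06 cam-04 telnetd: login ok user=root from=203.0.113.5
2016-06-29T10:00:10 cam-02 telnetd: login failed user=root from=198.51.100.7
2016-06-29T10:30:00 cam-02 telnetd: login failed user=root from=198.51.100.7
2016-06-29T10:00:20 cam-05 telnetd: login ok user=operator from=192.0.2.44
"""

# Assumed line layout: "<iso timestamp> <host> telnetd: login <ok|failed> user=<u> from=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) telnetd: login (?P<result>ok|failed) "
    r"user=(?P<user>\S+) from=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse log text into a list of event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def find_bruteforce_sources(events, window=timedelta(minutes=5), threshold=4):
    """Return {src: set_of_hosts} for sources with >= threshold failed logins inside `window`.

    A sliding window over each source's failures, sorted by time, catches the
    fast sweep a scanner produces while ignoring occasional isolated typos.
    """
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "failed":
            by_src[e["src"]].append(e)

    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = {e["host"] for e in evs}
                break
    return flagged


def find_successful_root_logins(events):
    """Every successful telnet login as root, as (host, src) pairs in log order."""
    return [(e["host"], e["src"]) for e in events
            if e["result"] == "ok" and e["user"] == "root"]


def assess(text):
    """Produce alert strings: brute-force sources first, then root logins, escalated
    to CRITICAL when the root login comes from a source already seen sweeping."""
    events = parse_log(text)
    brute = find_bruteforce_sources(events)
    alerts = [f"brute-force from {src} against {len(hosts)} devices"
              for src, hosts in brute.items()]
    for host, src in find_successful_root_logins(events):
        severity = "CRITICAL" if src in brute else "HIGH"
        alerts.append(f"{severity}: root telnet login on {host} from {src}")
    return alerts


if __name__ == "__main__":
    for alert in assess(SAMPLE_LOG):
        print(alert)
```

The threshold and window are deliberately low because a device class that ships with one shared root password needs only a handful of attempts per host; tune them against your own baseline. Any root login over telnet is worth an alert on its own, since the article's point is that the service should not be reachable from the internet in the first place.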
