An increasing number of threat actors are taking advantage of Lizard Squad’s LizardStresser botnet code to compromise IoT devices, with the aim of later using them in massive distributed denial-of-service (DDoS) attacks.
The “DDoS for hire” tool created by the group has allowed cybercriminals to assemble botnet armies; the most recent have launched successful DDoS attacks against banking, gaming, and government websites.
A botnet consists of controllers and the compromised systems they command, which now include Internet of Things (IoT) devices. The so-called zombie army is ordered to flood online domains with traffic in DDoS attacks that disrupt the targets’ sites and services.
Lizard Squad’s botnet source code was publicly released in 2015, with the explicit purpose of enabling other attackers to build their own LizardStresser-based botnets and, ultimately, launch DDoS attacks.
In the same year, six teenagers were accused of DDoS attacks targeting newspapers, online retailers, and gaming companies using the LizardStresser botnet tool. Back in December 2014, Lizard Squad used the tool in DDoS attacks on Microsoft’s Xbox Live and Sony’s PS Network, disrupting online gaming services at the peak of the Christmas period.
The botnet is written in C and primarily designed for Linux systems, so compiling, running, and modifying it is straightforward. It builds easily for the common x86, ARM, and MIPS architectures.
Researchers from Arbor Networks’ ASERT group have been monitoring botnet activity and found that the number of unique LizardStresser command-and-control (C2) servers has risen steadily in 2016, passing the 100-server mark in June. The underlying concern is that some cybercriminals are now targeting IoT devices.
Compromised IoT Devices
IoT devices include webcams, surveillance cameras, and lighting systems. Devices whose hard-coded credentials cannot be changed, or whose default credentials the user has not yet changed, are at risk of being enslaved by botnets.
Matthew Bing, a research analyst at Arbor Networks, wrote in a company blog post that LizardStresser has become today’s botnet-du-jour for IoT devices. This device class makes for ideal DDoS bots: the devices often ship with little security protection from their vendors, run a familiar Linux OS, are rarely subject to bandwidth restrictions, and come with default passwords that owners often overlook or never feel the need to change.
Kirk Soluk, threat intelligence and response manager at Arbor Networks, states that webcams are the weapon of choice among cybercriminals leveraging IoT gadgets. The research team found that almost 90 percent of hosts in the slave network served a web page with the HTML title “NETSurveillance WEB”, a generic interface for internet-enabled webcams.
A webcam is more exposed than a smartphone because people do not interact with it directly, so its incorporation into a botnet would go almost unnoticed. Smartphones have their own security problems, but they do not usually run remote management protocols with default login credentials.
Soluk further describes LizardStresser’s straightforward approach to building botnets: telnet brute-forcing. The bot attempts telnet logins against random IP addresses, trying entries from a hardcoded list of usernames and passwords until one succeeds. Once logged in, the IoT device is connected to a C&C server. By casting this wide net, threat actors can amass as much bandwidth as possible for the upcoming DDoS attack.
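The telnet brute-forcing described above leaves a recognisable trace on the device side: a burst of failed logins from one source address, often followed by a success. The following is an added example, not code from Arbor Networks or from the article, showing how a defender can flag that pattern in login logs. The log format is a hypothetical syslog-style `login[...]` format and the sample lines are constructed for the example; the window and threshold values are assumptions to be tuned per environment.

```python
"""Flag telnet brute-force bursts and likely compromises in login logs.

Added example (not from the article or Arbor Networks). The log format
below is hypothetical and the sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source hammers root/admin and gets in,
# another makes a single failed attempt and logs in much later.
SAMPLE_LOG = """\
Jun 20 10:00:01 cam01 login[412]: FAILED LOGIN 1 FROM 198.51.100.7 FOR root, Authentication failure
Jun 20 10:00:02 cam01 login[412]: FAILED LOGIN 2 FROM 198.51.100.7 FOR admin, Authentication failure
Jun 20 10:00:03 cam01 login[412]: FAILED LOGIN 3 FROM 198.51.100.7 FOR root, Authentication failure
Jun 20 10:00:04 cam01 login[412]: FAILED LOGIN 4 FROM 198.51.100.7 FOR root, Authentication failure
Jun 20 10:00:05 cam01 login[412]: FAILED LOGIN 5 FROM 198.51.100.7 FOR root, Authentication failure
Jun 20 10:00:06 cam01 login[412]: LOGIN ON pts/0 BY root FROM 198.51.100.7
Jun 20 10:05:00 cam01 login[413]: FAILED LOGIN 1 FROM 192.0.2.9 FOR root, Authentication failure
Jun 20 10:30:00 cam01 login[414]: LOGIN ON pts/0 BY admin FROM 192.0.2.9
"""

# Hypothetical log line shapes (assumed for this example).
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ login\[\d+\]: "
    r"FAILED LOGIN \d+ FROM (?P<ip>[\d.]+) FOR (?P<user>\S+),"
)
OK_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ login\[\d+\]: "
    r"LOGIN ON \S+ BY (?P<user>\S+) FROM (?P<ip>[\d.]+)"
)


def parse_line(line, year=2016):
    """Return a dict for a failed or successful login line, else None."""
    for kind, rx in (("fail", FAIL_RE), ("ok", OK_RE)):
        m = rx.match(line)
        if m:
            # Syslog timestamps carry no year; the year is an assumption.
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            return {"ts": ts, "ip": m["ip"], "user": m["user"], "kind": kind}
    return None


def detect(lines, window=timedelta(seconds=60), threshold=5):
    """Return alerts as (kind, source_ip, username, timestamp) tuples.

    'brute_force' fires once per source when it reaches `threshold`
    failures inside `window`; 'likely_compromise' fires when a success
    follows such a burst from the same source.
    """
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    recent_fails = defaultdict(list)  # source ip -> failure timestamps
    alerted = set()
    alerts = []
    for e in events:
        ip, fails = e["ip"], recent_fails[e["ip"]]
        # Slide the window: forget failures older than `window`.
        while fails and e["ts"] - fails[0] > window:
            fails.pop(0)
        if e["kind"] == "fail":
            fails.append(e["ts"])
            if len(fails) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append(("brute_force", ip, e["user"], e["ts"]))
        else:
            # A success right after a burst is the signature of a
            # guessed default credential.
            if len(fails) >= threshold:
                alerts.append(("likely_compromise", ip, e["user"], e["ts"]))
            fails.clear()
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(*alert)
```

On the constructed sample the detector raises a `brute_force` alert for 198.51.100.7 at the fifth failure and a `likely_compromise` alert when the `root` login from the same address succeeds a second later; the single failure from 192.0.2.9 falls outside the window by the time its login succeeds, so it produces nothing. On a real deployment the same two signals, fed from the device's own logs or from a telnet-capable honeypot, are what distinguish the scanning phase from an actual enlistment into the botnet.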
Massive DDoS Attack
Bing describes one group of threat actors who harnessed the cumulative bandwidth of compromised IoT devices to launch DDoS attacks of up to 400 Gbps against ISPs and various Brazilian targets. They could do so with minimal research into default IoT device passwords, and without resorting to reflection or amplification, while still assembling a pool of victims exclusive to their own botnet.
ASERT’s analysis of LizardStresser activity by this English-speaking group revealed that it used several thousand IoT devices located in Vietnam and Brazil. The DDoS attacks successfully hit a Brazilian financial institution, two telecommunications providers, and two government institutions. The same group has also targeted gaming sites around the globe, including three in the US.