Russian banks hit by IoT-enabled DDoS attacks

DDoS attacks on Russian banks have been linked to IoT botnets, further confirming this worrying trend and highlighting the need for IoT suppliers to improve security capabilities

At least five Russian banks have been hit by distributed denial of service (DDoS) attacks partly enabled by hijacked internet of things (IoT) devices.

The attacks, some lasting as long as two days, were similar to the DDoS attacks on domain name system (DNS) services supplier Dyn on 21 October 2016.

The Dyn attack was enabled by an IoT botnet using the Mirai malware code, prompting fears of more widespread attacks using insecure IoT devices.

The affected Russian banks claim that online services were not disrupted, but some described the initial DDoS attacks as massive, followed up by even more powerful attacks.

Security firm Kaspersky Lab said more than half of the botnet devices were situated in the US, India, Taiwan and Israel, while the attack came from 30 countries.

Each wave of attack lasted for at least one hour, with the longest lasting 12 hours. However, the attacks peaked at only 660,000 requests per second.

“Such attacks are complex, and almost cannot be repelled by standard means used by internet providers,” Kaspersky Lab said in a statement.

David Kennerley, director of threat research at Webroot, said the attacks on the Russian banks really drive home the security issues of IoT devices.

“While attacks like these are complicated, there’s still an element of basic security that could have reduced success: password management,” he said. 

According to Kennerley, consumers and business users need to understand the importance of changing device passwords from the manufacturer’s default.

“If the default password had been changed, many of the devices that make up these botnets could not have been hijacked in the first place.

“Default passwords are inherently easy for malware to guess and as the number of connected devices continues to rise, consumers need to change them to more complex ones, otherwise we’ll be seeing a lot more of these attacks in the future,” he said.

The attacks confirmed the trend of hijacking IoT devices to bombard targeted organisations with internet connection requests with the aim of overwhelming them and making them inaccessible to users.

According to a source in Russia’s Central Bank, the botnet behind the attack included IoT devices, reports Global Research.

Security experts have used the Dyn attack to highlight the fact that a wide range of internet-connected devices are vulnerable to hijacking by attackers due to weak security mechanisms.

Vulnerable devices include surveillance cameras such as those used in the Dyn attack, as well as routers, digital video recorders (DVRs), smart TVs and even microwave ovens.

DDoS used to distract security teams

After the release of the Mirai malware code on an underground forum in early October, security experts warned of terabit-class IoT botnet-based DDoS attacks that could knock almost any business offline or disable chunks of the internet.

Surprisingly, the attacks on the Russian banks were relatively weak. Other IoT botnet attacks have been among the strongest DDoS attacks seen.

But in 2015, communications and analysis firm Neustar warned that smaller DDoS attacks can be more dangerous than a powerful attack that knocks a company offline. Smaller attacks, it said, are increasingly being used to distract IT and security teams to enable attackers to steal data or install malware on systems for use in future cyber attacks. 

Security blogger Brian Krebs believes Mirai was used to hit his news site with a DDoS attack of 620 gigabits per second (Gbps) in size on 20 September 2016. A week later, French hosting firm OVH was hit by an attack that peaked at more than one terabit or 1,000 gigabits per second.

The OVH attack set a new record and is believed to have been enabled by using the combined bandwidth of a botnet of 150,000 IoT devices, according to The Hacker News. The power of the Mirai botnet far exceeds that of earlier IoT botnets, discovered in June 2016, that launched DDoS attacks of around 400 Gbps in Brazil and the US.

IoT security ‘far from where it should be’

Industry players need to address the security of IoT devices urgently before it is too late, according to Lorie Wigle, general manager, IoT security at Intel.

“The recent [IoT botnet] attack on Dyn should be a wake-up call,” she said at Intel Security’s Focus 2016 customer and partner event in Las Vegas. It is good that the attack has happened now, said Wigle, because it shows that the current state of IoT security is far from where it should be.

The technology industry has a window of opportunity to ensure IoT is adopted with maximum security and minimum risk, but that window is small and closing rapidly, she warned.

The issue is that IoT device manufacturers are failing to implement robust security controls from the outset, said McEvatt, senior cyber threat intelligence manager in UK and Ireland at Fujitsu.

“Anyone can use online services such as Shodan to look for vulnerable IoT devices, making organisations an easy target for low-level cyber criminals. The worrying reality is that security is often an afterthought and security fundamentals are still not being followed, such as changing default passwords,” he said.  

According to McEvatt, to help shift this mindset and make securing internet-connected devices easier for businesses, the Online Trust Alliance (OTA) has produced a framework for IoT security, offering guidance on how to secure embedded devices.

“This introduction of a kitemark standard for IoT devices is a progressive step towards ensuring safe practice is followed and that security of such devices against these types of hacks is at a premium. This is especially important for the financial sector, which handles lots of sensitive data,” he said.
