Attack of Things!
by Level 3 Threat Research Labs
August 25, 2016
https://web.archive.org/web/20161003194500/http://blog.level3.com/security/attack-of-things/
| Notes |
|---|
| Internet |
| IoT |
| Level 3 |
| threat research |
| malware |
| Linux malware |
| DDoS |
| botnet |
| BASHLITE, Lizkebab, Torlus, gafgyt |
| command and control |
| C |
| cross compile |
| embedded system |
| architecture |
| IRC |
| IRC C2 |
| vulnerability scanning |
| port scan |
| telnet |
| brute force |
| username, password |
| SSH |
| SSH brute forcing |
| leaked source code in early 2015 https://github.com/hammerzeit/BASHLITE |
| Lizard Squad |
| Poodle Corp |
| DDoS as a Service |
| DVR |
| IP camera |
| web interface |
| default credentials |
| low-hanging fruit |
| wget |
| busybox |
| payload |
| Taiwan |
| Brazil |
| Colombia |
| H.264 DVR |
| white-labeled |
| Dahua Technology |
| router |
| Flashpoint |
| tracked C2 due to hard-coded C2 addresses within samples |
| botnet takedown |
| botnet operators seemingly unfazed by takedowns because it's easy to start over |
| median active time of C2 is around 13 days |
| booter |
| UDP flood, TCP flood |
| bandwidth |
| HTTP DDoS |
| webserver |
| some IoT devices have hard-coded credentials that cannot be changed |
| review devices before purchase |