Cybercrime Archive

Attacks leveraging compromised IoT devices are growing in size, scale and frequency, report security experts at F-Secure and Trend Micro, with Mirai-related botnets a major source of trouble.

Almost three years after the Mirai internet of things (IoT) botnet was deployed in a distributed denial of service (DDoS) attack against domain name system (DNS) provider Dyn, driving multiple websites offline, its descendants dominate the IoT threat landscape, according to multiple cyber security experts.

Mirai’s source code was released on an underground forum at the start of October 2016, prompting immediate fears of huge and sustained DDoS events, and according to F-Secure, it is now the most common type of malware seen by its honeypots – decoy servers set up to lure attackers and gather their information.

“Three years after Mirai first appeared, and two years after WannaCry, it shows that we still haven’t solved the problems leveraged in those outbreaks,” said F-Secure principal researcher Jarno Niemela, who has just released a report exploring the overall threat landscape in the first six months of 2019.

“The insecurity of the IoT, for one, is only getting more profound, with more and more devices cropping up all the time and then being co-opted into botnets,” said Niemela.

Meanwhile, writing on the supplier’s Simply Security blog, Trend Micro’s threat communications lead, Jon Clay, said monetisation of IoT threats was mainly through botnets, adding that there was “a lot of chatter within multiple undergrounds” to raise awareness of this particular attack surface.

“For consumers and organisations, be aware that devices you own are a likely target for attacks, and most likely today to be added into an existing botnet,” he said. “Mirai is the dominant IoT threat today and is likely to continue as malicious actors create variants of this malware.”

According to a newly released Trend Micro report, the impact of Mirai on the hacking community has been “profound”, virtually eliminating any incentive for malware writers to develop new IoT botnet code.

“Mirai has become the only code a would-be IoT attacker needs, which, in turn, stifled the creativity, so to speak, of cyber criminals in developing original malware,” wrote the report’s authors. “Most ‘new’ IoT botnets today are mere modifications of the Mirai code base.

“Mirai has limited the demand – and therefore the criminal market – for the same kinds of products. Few criminals are willing to pay for something they can already get for free. Therefore, non-Mirai botnets for sale are uncommon. However, this situation may change if a criminal offers an IoT botnet that has a monetisation plan built in. We have not seen this yet, but it’s not an entirely unlikely scenario.”

F-Secure said its honeypot network recorded 12 times more attack events during the first six months of this year than in the first half of 2018, with the increase driven by traffic targeting the IoT Telnet (760 million attack events) and UPnP(611 million) protocols, with most coming from devices infected with Mirai.

Meanwhile, the SMB protocol, which is more commonly used by the Eternal exploit family – first used during the 2017 WannaCry outbreak – to spread ransomware and trojans, was behind 556 million events.

According to F-Secure, a recent development has been new variants of Mirai that are engineered to infect enterprise IoT devices, such as digital signage screens or wireless presentation systems. This is a source of concern because it allows attackers access to higher-bandwidth internet connections, which means the scale of any resulting DDoS attacks is potentially much higher.

The report found that China, Germany, Russia and the US are playing host to the highest numbers of attack sources, with most attacks being directed towards Austria, Italy, the Netherlands, the UK, Ukraine and the US.

Tallying with Trend Micro’s findings, which showed Mirai is particularly dominant in the English-speaking underground, most Telnet traffic came from the US and the UK, alongside Germany and the Netherlands. Most SMB traffic, on the other hand, was found emanating from China, although this sort of data should always be taken with a pinch of salt because it is very easy, indeed normal, for attackers to route through proxies in other countries to avoid detection.


Last Friday, 7 September, Wikipedia suffered what appears to be the most disruptive Distributed Denial of Service (DDoS) attack in recent memory.

It’s not that Wikipedia isn’t attacked regularly – it is. It’s just that the DDoS that hit it around 17:40 p.m. (UTC) on that day was far larger than normal and carried on its attack for almost three days.

The site quickly became unavailable in Europe, Africa, and the Middle East, before later slowing or stopping for users in other parts of the world such as the US and Asia.

The size of the attack has not been made public, although from details offered by mitigation company ThousandEyes it’s clear that it was an old-style volumetric flood designed to overwhelm the company’s web servers with bogus HTTP traffic.

Given the protection sites employ these days, this suggests that it was well into the terabits-per-second range used to measure the largest DDoS events on the internet.

In fact, most of that flood would never have reached Wikipedia’s servers, instead of being thrown away by upstream ISPs as a protective measure when it became obvious that a DDoS was underway.

DDoS takedowns

An attack this big is sometimes called a ‘takedown’ (not be confused with legitimate takedowns connected to content), a relatively rare event intended to bring a well-known site’s operation to a halt for as long as possible.

Why Wikipedia? Most likely, because someone out there doesn’t like Wikipedia. As the site’s owners, Wikimedia, put it in a brief statement:

We condemn these sorts of attacks. They’re not just about taking Wikipedia offline. Takedown attacks threaten everyone’s fundamental rights to freely access and share information.

Less likely, a DDoS-for-hire outfit decided to use a famous site like Wikipedia as a look-what-we-can-do advert for their services at the considerable expense of revealing much of the botnet designed to host such attacks.

Given that the attack persisted into the weekend, it’s not surprising that Wikimedia called for help from Cloudflare, the zero-cost mitigation provider for sites that can claim to have a public purpose.

By Sunday, ThousandEyes noticed, Wikipedia’s servers were being ‘fronted’ entirely by Cloudflare, which deploys anti-DDoS technology to identify bad traffic and throw it away.

Interestingly, big DDoS takedowns have become somewhat less frequent these days, presumably because all sites that consider themselves targets employ mitigation companies to defend themselves.

But, at the very least, the Wikipedia attack is a warning that the people who carry out these attacks have not given up on trying.



Wikipedia, the seventh most popular website in the world, went offline in several countries on Friday because of a cyber attack.

Wikipedia Hit By DDOS Attack

The online encyclopedia confirmed that a malicious attack was behind outages of the site in Europe and some parts of the Middle East.

The attack appears to have started before 7 p.m. BST on Friday and left the site inaccessible to users in the UK, France, Germany, The Netherlands, Italy, and parts of the Middle East.

In a tweet, Wikipedia said the Wikimedia server of Wikimedia Foundation that hosts Wikipedia was paralyzed due to a massive Distributed Denial of Service (DDOS) attack. Wikimedia Foundation, the nonprofit organization behind Wikipedia, corroborated this in an official statement.

“Today, Wikipedia was hit with a malicious attack that has taken it offline in several countries for intermittent periods,” Wikimedia Foundation said. “We condemn these sorts of attacks. They’re not just about taking Wikipedia offline. Takedown attacks threaten everyone’s fundamental rights to freely access and share information.”

The attack was still ongoing when the statement was released on Friday, Sept. 7. Wikimedia Foundation said the Site Reliability Engineering team is still working to stop the attack and to restore access to the site.

DDOS Attack

A DDOS attack occurs when a server receives more access requests than it can handle, which disrupts its normal functioning and causes server performance to slow down, or eventually not able to work at all.

The botnets that try to access the website all at the same time can be composed of tens of thousands of computers that may have been compromised by hackers without the knowledge of their owners.


Wikipedia is one of the most popular websites based on Alexa’s ranking as of June 2019. It was initially an English language encyclopedia when it was launched in January 2001. Today, Wikipedia has more than 40 million articles in 301 different languages.


A 21-year-old Washington man has pleaded guilty to charges related to his role in developing and deploying the infamous Satori IoT botnet.

Kenneth Currin Schuchman, of Portland suburb Vancouver, pleaded guilty to one count of aiding and abetting computer intrusions.

Between July 2017 and October 2018, he’s said to have participated with at least two others in a conspiracy to develop the botnet and use it to launch DDoS attacks against a range of targets. The group is said to have monetized these efforts by selling access to the botnet to others.

Court documents claim Schuchman’s speciality was in finding new vulnerabilities in IoT devices which could be exploited to conscript them into the botnet.

Satori was originally developed using the source code for Mirai, which was released online in 2016. However, Schuchman — who went by the moniker “Nexus” and “Nexus-Zeta” — and co-conspirators “Vamp” and “Drake,” built upon that code with new features, eventually compromising 100,000 devices.

Continually improving the botnet, they gave new names to the new iterations, such as “Okiru” and “Masuta” — with the latter eventually infecting as many as 700,000 endpoints.

By around March 2018, the botnet had evolved into Tsunami/Fbot, supported by tens of thousands of compromised Goahead cameras and High Silicon DVR systems.

Schuchman doesn’t seem to have employed particularly effective OpSec during his work: the control server he used was registered in his name.

Even after being indicted in August 2018, he developed another IoT botnet, Qbot, while on supervised release, the court docs claim. He’s also said to have called in a swatting attack on “Vamp’s” home.

Several sources have told journalist Brian Krebs that UK-resident Vamp was involved in the 2015 attack on TalkTalk and the 2016 Mirai DDoS that overwhelmed DNS service provider Dyn, leading to some of the internet’s biggest websites crashing.


LIHKG, one of the most important websites used to organise pro-democracy protests in Hong Kong, has been hit with a DDoS attack that temporarily took the forum offline this past weekend. And while no one knows for sure who’s behind the attack, we can take an educated guess. The Chinese government is very unhappy, to say the least, about the protests in Hong Kong that have been raging since June.

The DDoS attack, first reported by Bloomberg News, flooded the website’s servers for hours over the weekend, making it impossible for people to log on. The website reports that “some of the attacks were from websites in China.”

LIHKG has been a crucial online forum for the protesters, who are demanding democratic rights under the region’s “one country, two systems” arrangement with China. Protesters even conduct polls on the site to settle disputes about tactics in the leaderless protest movement.

“LIHKG has been under unprecedented DDoS attacks in the past 24 hours,” a statement posted to LIHKG reads. “We have reasons to believe that there is a power, or even a national level power behind to organise such attacks as botnet from all over the world were manipulated in launching this attack.”

The website says that they were hit with 1.5 billion requests on 31 August over a 16 hour period and has urged users to switch to the mobile website version of the forum if the smartphone app isn’t working properly.

The Chinese government is believed to have been behind a similar attack on the messaging service Telegram that happened back in mid-June. The people of Hong Kong have been waiting with dread for China’s People’s Liberation Army (PLA) to invade the semi-autonomous region, as the military has amassed troops just over the border in Shenzhen. It’s not clear whether the PLA will actually invade, but there have been hints by top government leaders over the past few weeks.

LIHKG has been vital for the protesters who use the motto, “Be Water,” a reference to staging civil disobedience in one part of Hong Kong to attract attention before dispersing and quickly moving to another part of the city. The tactic forces police to respond in faraway places and the protesters are often gone by the time the authorities arrive. These fast-adapting methods of protest are only made possible through online organising on services like LIHKG.

YouTube recently dismantled what it called an “influence operation” that may have been operated by the Chinese government to sway western opinion about the protests. Chinese state media have also complained that they’re being discriminated against on US-run social media like Twitter and Facebook, a rather ironic complaint given the fact that mainland Chinese citizens aren’t allowed to access those websites. China’s largest state-run media outlet, Xinhua News, was buying ads on Facebook to smear protesters as violent hooligans before the social media company declared it would no longer take money from the organisation.

Hong Kong’s top politician, Carrie Lam, was caught on audio over the weekend saying that she wished she could quit the job, but was unable. Most Hong Kongers interpreted that to mean Beijing is in control and won’t let her quit. China’s leader, Xi Jinping, took power in 2012 and has done nothing to liberalise the country as some had hoped, instead his regime has delivered strong economic results under tight government control which has kept the wealthy happy.

The young people of Hong Kong realise that this may be their last opportunity to stand up for their rights before Beijing exerts total dominance on the region. And they’ve sworn that they won’t give up.

All we can say as outsiders is that we hear you, we see you, and we’re with you in spirit. Stay strong, Hong Kong.