Executive Summary

In 2023, ransomware was the focus for many organizations. While ransomware is still a major concern, other threats such as botnets are beginning to draw attention. For some time, the leading force behind the most significant distributed denial of service (DDoS) botnet attacks has been Internet of Things (IoT) devices. This is a threat that won’t go away, as many IoT device manufacturers still release products that cannot be properly secured.

In 2022, we saw the Kraken botnet steal data from Windows hosts. We also saw the Emotet botnet return, using TrickBot to install malware on infected Windows systems and attacking several organizations within the finance and education sectors. This year, researchers say that the era of botnets has arrived, as new threats and attack techniques emerge. [1] Microsoft reported a growing trend in which DDoS attacks are used to divert attention and mask more sophisticated attacks happening at the same time, such as data theft and extortion.

Given the growing concern, organizations need to take action to protect their networks and data from botnets; before doing so, however, they need to understand the threats they face. Recently, the Mirai and HinataBot botnets have been the focus of discussion among security professionals. Let's explore the inner workings of both botnets to understand why.

[1] 2022 in review: DDoS attack trends and insights - Microsoft Security Blog


mirai botnet

In September 2016, the creators of the Mirai malware launched a DDoS attack on the website of renowned security expert Brian Krebs. Seven days later, they made the source code available to the public in an effort to obscure the source of the attack. The source code was immediately replicated by other cybercriminals and is thought to be behind the massive attack that took down the DNS provider Dyn in October 2016. These high-profile attacks quickly earned Mirai notoriety.

A botnet is a collection of hijacked computing devices connected to form a network. This network is used to conduct various cybercrimes, such as data theft, server crashing, and malware distribution. The term “botnet” comes from the words “robot” and “network”; assembling a botnet is typically the first step in a multi-stage attack. The bots are used to automate the malicious activities that follow.

Mirai works by scanning the internet for IoT devices running a simplified version of Linux on ARC processors. Mirai uses a dictionary attack of default usernames and passwords to gain access to devices that have not had their credentials updated. What’s interesting about Mirai’s 2016 attacks is that they were executed through IoT devices such as home routers, personal surveillance cameras, and air-quality control monitors. At the botnet’s peak, Mirai infected over 600,000 IoT devices.

Image 1: Mirai Attack Timeline

Source: Cloudflare


Once a device has been infected, Mirai acts as a self-propagating worm and continues to spread by scanning for and infecting other vulnerable IoT devices. The two main components of Mirai are a replication module and an attack module. Mirai initially compromised devices by brute-forcing a fixed set of 64 default login/password combinations commonly used by IoT devices. This low-tech attack was highly successful.

After Mirai’s source code was leaked, researchers at Imperva created a strong signature to identify Mirai’s activity on their network. After examining their logs, they found that the botnet was the source of several GRE floods that their service was able to contain. The attack was conducted with a hit-and-run approach, and the peak of the attack was 280 Gbps and 130 Mpps, which is a sign of a very powerful botnet.

The researchers also found that 49,657 distinct IP addresses hosted Mirai infected devices. The devices were primarily CCTV cameras – a popular choice of DDoS botnet herders. Other affected devices included DVRs and routers. The IP addresses were located in 164 countries and were highly dispersed, appearing in remote locations such as Somalia and Tajikistan.

According to Imperva, Mirai’s command and control (C2) code is written in Golang, while its bots are written in C. Mirai's attack function allows it to launch HTTP floods and various network-layer (OSI layer 3-4) DDoS assaults. When executing HTTP floods, Mirai bots hide behind a fixed set of default user-agent strings.

Mirai can execute attacks on the network layer, such as GRE IP and GRE ETH floods, SYN and ACK floods, STOMP (Simple Text Oriented Message Protocol) floods, DNS floods, and UDP floods. The botnet also has bypass capabilities, which allow it to evade security solutions. It’s also worth mentioning that Mirai’s code contains traces of Russian-language strings even though its C2 interface is in English.

In March 2019, the Federal Bureau of Investigation (FBI) identified the creators behind the Mirai botnet and arrested them. This led to a decrease in the botnet's activity, yet the open-source code was still available, allowing other groups to create their own versions of the malicious software.


hinatabot

In March 2023, Akamai's SIRT security researchers reported that they had discovered a Golang-based malware called HinataBot in their HTTP and SSH honeypots. According to Akamai, the sample stood out because of its large size and the fact that it was difficult to identify. The malware was named after a character from the anime series Naruto, with file names following the pattern "Hinata-<OS>-<Architecture>".

Believed to have been created by former Mirai hackers, HinataBot has been seen exploiting known vulnerabilities to breach routers and servers and then, as with Mirai, using them to launch DDoS attacks. HinataBot spreads using several techniques, such as taking advantage of exposed Hadoop YARN servers and weaknesses in Realtek SDK devices (CVE-2014-8361) and Huawei HG532 routers (CVE-2017-17215).

The operators behind HinataBot have been active since December 2022. Initially, they tried to use a generic Golang-based variant of the Mirai botnet, but then switched to their own custom malware on January 11, 2023. Akamai stated that HinataBot is still in development and is advancing in complexity. Recently discovered artifacts contain more modular features and improved security measures to make them more difficult to analyze.

Despite only being in development since January 2023, HinataBot is considered to be more powerful than Mirai. At its peak, Mirai was able to bombard its targets with an obscene amount of traffic, reaching up to 623 Gbit/s against the KrebsOnSecurity website and almost 1 Tbit/s against the French web host OVH. This colossal surge of data was made possible by a collection of approximately 145,000 bots, which could target a victim with an impressive degree of coordination.

After Akamai researchers conducted brief 10-second test attacks to assess the comparative strength of HinataBot, their findings revealed that “if the botnet comprised only 1,000 nodes,” the resulting UDP flood would register about 336 Gbps. With less than 1% of the resources, HinataBot can already generate traffic nearly as intense as Mirai's most brutal attacks.

Most malware is written in C or C++. HinataBot, however, is written in Golang, an example of how threat actors are taking new approaches to writing malware. Golang is a relatively new language and is more difficult for security professionals to reverse engineer, one of the factors making it attractive to malware authors. According to Akamai, attackers take advantage of Golang’s high performance, its capacity for multi-threading, its cross-compilation support for different architectures and operating systems, and the complexity its compilation adds, which makes the resulting binaries harder to reverse engineer.

Similar to other DDoS botnets, HinataBot connects to a C2 server to listen for instructions and launches attacks directed at a target IP address for a specified period of time. In its initial stages, HinataBot used various protocols, including HTTP, UDP, TCP, and ICMP, to carry out DDoS attacks, but the most recent version only uses HTTP and UDP. It is not clear why the other protocols are no longer used.

Image 2: Discovering the C2 Server

Source: Akamai


HinataBot is a prime example of the dynamic threat landscape, particularly relating to botnets. Malware creators are constantly innovating their use of implementation methods, programming languages, and distribution strategies.


defense against botnets and securing iot devices

Like Mirai, HinataBot exploits old vulnerabilities and uses brute force to gain access to systems protected by weak passwords. This demonstrates the importance of robust password policies and timely patching. Since attackers often seek easy targets with maximum gains, making their success harder improves the security of both your infrastructure and the internet as a whole.

Because DDoS attacks are inexpensive to launch, they are becoming more frequent and more sophisticated. In 2022, we witnessed an unprecedented surge in botnet and DDoS attacks, primarily due to inadequately secured IoT devices. [1] A recent study conducted by Imperva revealed a significant uptick in the frequency of layer 7 DDoS attacks, with a staggering 81% increase in attacks that reached at least 500,000 requests per second (RPS) over the past year. The study also revealed a threefold increase in application-layer DDoS attacks from Q1 to Q2 of 2022, again highlighting the alarming rate at which DDoS botnet attacks are escalating.

Many don’t realize that IoT devices are mini computers linked to other vulnerable devices. Mirai was successful with attacks due to vulnerable IoT devices. Threat actors know that most organizations do not regularly monitor IoT devices such as printers, office phone systems, security cameras, or scanners. This security loophole enables the threat actors to infiltrate the environment unnoticed and evade detection. While researchers do not believe that HinataBot will be another Mirai, some might say that it’s too soon to draw that conclusion.


“I don't think we're going to see a case of another Mirai, unless they get creative in how they're distributing and their infection techniques. We're not going to see another 70,000 or 100,000-node, Mirai-like threat from the Hinata authors under their current tactics, techniques, and procedures.” – Chad Seaman, Principal Security Researcher at Akamai

However, Seaman also stated: “It may just be an introductory phase, right? They're grabbing at low hanging fruit so far, without needing to go out and do anything really novel yet.”


There are several things that you can do to successfully monitor IoT devices:

  • Track changes in real time – A static network map won’t give you much visibility. You need to see everything your network monitoring tool observes, such as data flows and the regular pings exchanged as devices interconnect.
    • Alerts are helpful, but a real-time view lets you monitor changes to the network and its devices, as well as changes in network traffic. This saves time and can surface problems that were previously difficult to find.
  • Prevent the use of default credentials – This denies attackers the ability to build one credential list that compromises many devices at once, as seen in the Mirai attacks.
  • Inventory assets and run network discoveries frequently – Keeping track of physical assets is important, especially for IoT devices. A network discovery scan that automatically generates an inventory beats manually counting every connected device on an organization’s network. Manual asset inventories are less likely to reflect the current state of the network, and an organization relying on them is less likely to recognize or react to changes, which for IoT devices translates to material loss.
  • Configure device roles for accurate device profiles – The easiest way to reduce the labor and administrative burden of discovery scans is to configure device roles for the devices you want to add to a network BEFORE you add them. This lets you add devices in bulk while the monitoring tool automatically recognizes them and applies monitoring configurations.
  • Make auto-patching mandatory – Since IoT devices are often “set and forget”, manual patching is impractical. Auto-patching is the only viable way to ensure that vulnerabilities are fixed promptly and cannot be used to take down a significant portion of the internet.
  • Implement rate limiting – Login rate limiting mitigates brute-force attacks against weak passwords. CAPTCHA or proof-of-work mechanisms are another option.

The aforementioned techniques, in conjunction with a robust IoT security plan, should give your organization better control over IoT devices.
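Two of the controls above, refusing factory-default credentials and rate limiting failed logins, can be implemented together on a device's admin interface. The following is an added example written for this report, not code from Mirai, HinataBot, Akamai, Imperva or Avertium; the thresholds, the sample credential list and the `LoginGuard` class name are constructed assumptions.

```python
"""Login throttling and default-credential rejection for an IoT device's
admin interface. Added illustration for the list above; this is not code from
Mirai, HinataBot, Akamai, Imperva or Avertium. Thresholds and the sample
credential list are constructed for the example."""
import time
from collections import defaultdict, deque

# Constructed sample of factory defaults that a device must refuse to keep.
# A real deployment loads the vendor's full list (Mirai's dictionary had 64).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "root"), ("root", "12345"),
                       ("admin", "password"), ("support", "support")}

WINDOW_SECONDS = 60     # sliding window over which failures are counted
MAX_FAILURES = 5        # failures per source IP per window before lockout
LOCKOUT_SECONDS = 300   # how long a locked-out source stays locked


class LoginGuard:
    """Per-source sliding-window limiter for authentication failures."""

    def __init__(self, now=time.monotonic):
        self.now = now                        # injectable clock for testing
        self.failures = defaultdict(deque)    # ip -> timestamps of failures
        self.locked_until = {}                # ip -> time the lock expires
        self.usernames = defaultdict(set)     # ip -> distinct usernames tried

    def _prune(self, ip, t):
        """Drop failures that fell out of the sliding window."""
        q = self.failures[ip]
        while q and t - q[0] > WINDOW_SECONDS:
            q.popleft()

    def is_locked(self, ip):
        return self.locked_until.get(ip, 0) > self.now()

    def record_failure(self, ip, username):
        """Register a failed login; return True if the source is now locked."""
        t = self.now()
        self._prune(ip, t)
        self.failures[ip].append(t)
        self.usernames[ip].add(username)
        if len(self.failures[ip]) >= MAX_FAILURES:
            self.locked_until[ip] = t + LOCKOUT_SECONDS
            return True
        return False

    def looks_like_dictionary_attack(self, ip, distinct_users=3):
        """One source cycling through several usernames matches the
        default-credential sweep pattern described for Mirai."""
        return len(self.usernames[ip]) >= distinct_users


def credential_change_allowed(username, new_password):
    """Refuse to (re)set a known factory-default pair on the device."""
    return (username, new_password) not in DEFAULT_CREDENTIALS
```

The dictionary-attack flag is a useful alert signal on its own: a single source trying several different usernames in one window looks nothing like a legitimate administrator mistyping a password.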

[1] 81% Increase in Large-Volume DDoS Attacks | Imperva


how avertium is protecting our customers

  • MDR provides an in-depth investigation into potential threats on an organization’s network. Avertium’s risk-based approach to managed security delivers the right combination of technology, field-validated threat intelligence, and resource empowerment to reduce complexity, streamline operations, and enhance cybersecurity resilience. If you need a more advanced security solution, MDR is the next step.

  • Penetration testing will help your employees understand malware and will help prevent attacks. It’s easier for an organization to avoid malware if employees understand the “what” and “why” behind it.

  • Avertium offers VMaaS to provide a deeper understanding and control over organizational information security risks. If your enterprise is facing challenges with the scope, resources, or skills required to implement a vulnerability management program with your team, outsourced solutions can help you bridge the gap.

  • Avertium offers Zero Trust Network as a Service (ZTNaaS) for any organization that wants to control their attack surface. The zero-trust security model delivers exactly what the name promises: it's an IT security concept that specifies no access is allowed until the successful completion of authentication and authorization processes.


INDICATORS OF COMPROMISE (IoCs)

IP Addresses

  • 77[.]73[.]131[.]247
  • 156[.]236[.]16[.]237
  • 185[.]112[.]83[.]254

Ports

  • 61420
  • 1420

File Names


Recent Hashes



SUPPORTING DOCUMENTATION

Uncovering HinataBot: A Deep Dive into a Go-Based Threat | Akamai

Breaking Down Mirai: An IoT DDoS Botnet Analysis (imperva.com)

What is a Botnet? (kaspersky.com)

An In-Depth Look at the Emotet Botnet (avertium.com)

Flash Notice: Emotet Botnet is Back with New Spam Campaigns (avertium.com)

IoT-Based DDoS Attacks Are Growing and Making Use of Common Vulnerabilities - CPO Magazine

Inside the infamous Mirai IoT Botnet: A Retrospective Analysis (cloudflare.com)

FBI: How we stopped the Mirai botnet attacks | TechTarget

What was the Mirai botnet | Malwarebytes

New GoLang-Based HinataBot Exploiting Router and Server Flaws for DDoS Attacks (thehackernews.com)

Mirai Botnet Attack IoT Devices via CVE-2020-5902 (trendmicro.com)

Heightened DDoS Threat Posed by Mirai and Other Botnets | CISA

Mirai Hackers Use Golang to Create a Bigger, Badder DDoS Botnet (darkreading.com)

What is the Mirai Botnet? | Cloudflare

Defending Against IoT DDoS and Botnet Attacks: Tips for SLGs | StateTech (statetechmagazine.com)

2022 in review: DDoS attack trends and insights - Microsoft Security Blog

Defending against a growing botnet and DDoS epidemic in 2023 | VentureBeat

Mirai Botnet Shows Just How Vulnerable the IoT Really Is – IoT Security Foundation


APPENDIX II: Disclaimer

This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.

Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.

 

COPYRIGHT: Copyright © Avertium, LLC and/or Avertium Tennessee, Inc. | All rights reserved.
