Over the past several weeks there has been a lot of talk in the media about DDoS attacks, especially “Mirai malware,” botnets for rent, Chinese-built webcam recalls and the “destructive power” of the Internet of Things (“IoT”). For the uninitiated (or uninterested), this sounds like a lot of “tech talk” reserved for real and wannabe tech geeks (like me) to ruminate about.
The reality, however, is that these recent, high-profile IoT (connected device)-driven DDoS (distributed denial of service) cyberattacks are very much a “business” matter for business leaders to address, as these attacks have the potential to disrupt operations for significant periods of time, and to cause physical harm to corporate assets and even personnel.
By way of background, here is a short, quick list of recent events that have highlighted this threat:
- September 2016 – online cybersecurity blogger Brian Krebs’ website KrebsOnSecurity.com was “the target of an extremely large and unusual distributed denial-of-service (DDoS) attack designed to knock the site offline…” (Source: KrebsOnSecurity.com, September 21, 2016).
- October 2016 – Twitter, Netflix, Airbnb and a number of other major sites went dark after two massive DDoS cyberattacks on Dyn, an Internet performance management company that routes internet traffic for companies around the world. “The massive outage drew the attention of the FBI which said [ ] it was ‘investigating all potential causes’ of the attack.” (Source: CNN, “Widespread cyberattack takes down sites worldwide,” by Sara Ashley O’Brien, October 21, 2016).
- October 2016 – days after the Dyn DDoS attack, Chinese electronics firm Xiongmai initiated a product recall of some of its products, including webcams, which were blamed as being the devices used to implement the attack. “The root of the attack, which took the form of a distributed denial of service attack (DDoS), was a network of hacked “Internet of Things” devices, such as webcams and digital recorders, many of which were made by Xiongmai.” (Source: theguardian.com, “Chinese webcam maker recalls devices after cyberattack link,” October 24, 2016).
- November 2016 – hackers began to advertise a DDoS-for-hire service, allowing cybercriminals to rent an upgraded version of the malware used in the Dyn and other recent DDoS attacks (known as Mirai) to carry out their own attacks. (Source: bleepingcomputer.com, “You Can Now Rent a Mirai Botnet of 400,000 Bots,” by Catalin Cimpanu, November 24, 2016).
- December 2016 – a new “monster botnet [was] spotted in the wild launching massive DDoS attacks…Security experts at CloudFlare said the emerging botnet is not related to Mirai, but it is capable of enormous distributed denial-of-service attacks. The company has so far spent 10 days fending off DDoS attacks aimed at targets on the US West Coast.” (Source: Computerworld, “New botnet launching daily massive DDoS attacks,” by Darlene Storm, December 5, 2016).
What these events of the past 90 days show us is that cyberthieves have (most would say, predictably) managed to combine a known, common (and mostly defensible) cyberattack method (DDoS) with the Internet of Things (a world of connected devices) to launch massive cyberattacks of historic proportions against organizations around the world. More specifically, attackers can now use unsecured, commonplace devices such as webcams, refrigerators, and fax machines as conduits to launch massive traffic attacks that can disrupt and shut down businesses whose systems are connected to or dependent on the Internet.
Because the overwhelming majority of organizations and businesses alike are, in fact, “connected to or dependent on the Internet,” this means that IoT-driven DDoS cyberattacks now represent a major cyberthreat to the business community. Savvy, informed leaders will be quick to recognize and understand this threat, and to work with their IT teams and the organization’s IT partners and providers to understand just how vulnerable they are in this environment. Steps should be taken to identify vulnerabilities and to put in place incident response plans so that everyone within the organization knows who should be doing what, when, and with whom in the event of such an attack.
IoT-driven, mass-traffic DDoS cyberattacks are technical in nature, but their impacts are not. Organizations that understand and recognize this reality will be better prepared and ready if and when they do face this twisted, criminal effort.