Remember that Internet of Things botnet? The one known for temporarily shutting down a number of the world’s largest websites last autumn?
Well, a newer version has been detected, but as well as being able to issue DDoS attacks and the like, it’s equipped to mine bitcoin.
In the digital age, it’s possible for hackers to infect and take control of insecure Internet of Things (IoT) devices, say, toasters, cameras or other web-connected devices. They can then bundle them together into a botnet, using their combined capacity to shoot spam at websites or internet structures, slowing them down or sending them offline.
That’s what happened in a series of attacks in the fall, using the malware dubbed Mirai.
The software was open-sourced soon after – much to the dismay of security engineers – and, since then, different strains iterating on the first version of the botnet have cropped up with added abilities.
One strain, known as ELF Linux/Mirai, has now been detected mining bitcoin for a few days, according to research from IBM X-Force, the Big Blue’s cybersecurity research wing. It seems some unknown hacker (or hackers) is experimenting with using the power accumulated from IoT devices to mine the digital currency and possibly make some cash.
This could be an omen for future IoT botnet use cases, argued Dave McMillen, IBM Managed Security Services senior threat researcher and author of the report.
McMillen told :
“This ELF/Mirai variant could be appealing to others in the future due to the potentially large volume of devices that could be involved.”
The researcher noted, however, that, the botnet didn’t appear to successfully mine any bitcoin. The security team see it more like a peek at a down-the-road possibility.
So, what happened, and how did IBM spot the mining component of the botnet?
McMillen explained, saying:
“We detected a spike in command injection activity in our IBM X-Force monitored client environment data that prompted deeper investigation.”
The security team saw traffic related to an ELF 64-bit binary file., which the report describes as beginning as a “blip”, which grew in volume by 50%, but had fizzled out by day eight.
The team “dissected” the binary to discover that the Linux version of the malware is similar to the more typical Windows version.
“It was detected as a slave miner by multiple tools, however we are still investigating other properties of the variant,” McMillen added.
While there are now many variants of the botnet, ELF Linux/Mirai has extra abilities in that it can execute ‘SQL injection’ (a notorious way to take control of databases) and execute so called ‘brute force’ attacks.
But, the Linux version has an extra add-on – the bitcoin miner component (which you can see online here).
IBM speculates in the report that the botnet creators may be looking for a way to make bitcoin mining with compromised IoT devices a lucrative venture.
“Realizing the power of Mirai to infect thousands of machines at a time, there is a possibility that the bitcoin miners could work together in tandem as one large miner consortium. We haven’t yet determined that capability, but found it to be an interesting yet concerning possibility,” a blog post explains, adding:
“One scenario could be that while the Mirai bots are idle and awaiting further instructions, they could be leveraged to go into mining mode.”
Although this idea is admittedly speculative, the report points to the fact that bitcoin has been used for other cybercrimes – such with ransomware, which encrypts all of a user’s computer data with a demand for payment – because it’s decentralized and is perceived as a more privacy-enhancing currency.
The tech can have more beneficial uses cases, though. For example, one company recently revealed aims to build a bitcoin botnet to help secure IoT devices, combining the cryptocurrency with technology also has the potential for less beneficial online activities.
So, how can users protect their internet-connected toasters from being enlisted as a bitcoin mining slave?
The Mirai malware exploits a surprisingly simple attack vector.
The problem is that many IoT devices come with pre-installed passwords. And, since many users never change them, all an attacker needs to do is find the default password to ‘hack’ into the devices.
McMillen’s advice is for users to change those passwords. Though, he said that he hopes that IoT companies are beginning to tackle the problem, too.
“Manufacturers could be looking for ways to manage these credentials more securely, perhaps by prompting a forced change or randomizing the default logins.”