Weekly Threat Report - 8th June 2018
Reports are drawn from recent open source reporting.
Owari botnet own-goal takeover
Security researchers recently took over the large Owari botnet after its owner failed to change the command-and-control (C&C) server’s weak default credentials.
Owari is a Mirai botnet variant, designed to exploit Internet of Things (IoT) devices with weak or default passwords. Following the publication of Mirai’s source code numerous variants have been observed, often competing against each other.
Owari scans for known vulnerabilities found not just in IoT devices but in a wide range of networked devices. It infects vulnerable devices to integrate them within the botnet. Owari makes money by offering web stressing/DDoS as a service to customers via the dark web. It was also designed to search for and remove other malware already on a device. The researchers were able to analyse how Owari operates and found information on historical DDoS attacks carried out against various targets some of which were associated with rival IoT botnets.
Despite researchers gaining access to Owari’s C&C server, it will almost certainly make little difference as according to researchers most C&C botnet servers are throwaway by design, with a shelf life of about one week. Owari will probably simply appear elsewhere on the internet.
It is ironic that a malware system designed to compromise systems with weak security credentials is protected with weak credentials itself.
It is highly likely that malware developers will continue to use Mirai variants similar to Owari as a mechanism to quickly develop botnets capable of delivering DDoS attacks or data theft, or of being turned into swarms of malware proxies and cryptominers.
The NCSC is working with DCMS to establish a code of practice for IoT security. You can read more about that in a recent blog.
Consumers can reduce the chances of their IoT devices being affected by Mirai-like threats by ensuring their IoT devices run the latest software and use strong passwords.
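The Owari story above turns on one control: a credential that is not a published factory default and is not trivially weak. The following is an added example, not code from the NCSC report or from any vendor, of a defender-side audit that a device setup wizard or a fleet configuration check could run over an account table. The default-credential list and the device accounts are constructed for illustration; the thresholds (12 characters, 40 estimated bits) are assumptions, not NCSC guidance.

```python
"""Audit an IoT device's configured accounts for default and weak credentials.

Added example, not part of the NCSC weekly threat report. The default list
below is a small constructed illustration of widely published factory
defaults; it is not any botnet's real dictionary.
"""
import math
import re
from collections import Counter

# Constructed: (username, password) pairs that ship as factory defaults.
KNOWN_DEFAULTS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", "1234"),
    ("root", "root"),
    ("root", ""),
    ("user", "user"),
}

MIN_LENGTH = 12   # assumed policy minimum
MIN_BITS = 40.0   # assumed minimum for the rough entropy estimate below


def shannon_bits(password: str) -> float:
    """Rough entropy estimate from character frequencies (a coarse filter, not a strength oracle)."""
    if not password:
        return 0.0
    n = len(password)
    per_char = -sum(c / n * math.log2(c / n) for c in Counter(password).values())
    return per_char * n


def audit_credential(username: str, password: str) -> list[str]:
    """Return the list of findings for one account; an empty list means it passed every check."""
    findings = []
    if (username.lower(), password) in KNOWN_DEFAULTS:
        findings.append("matches a published factory default")
    if password == "":
        findings.append("empty password")
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() == username.lower():
        findings.append("password equals username")
    if re.fullmatch(r"\d+", password):
        findings.append("digits only")
    if shannon_bits(password) < MIN_BITS:
        findings.append(f"estimated entropy below {MIN_BITS:.0f} bits")
    return findings


def audit_config(accounts: dict[str, str]) -> dict[str, list[str]]:
    """Audit a device's whole account table; only accounts with findings are returned."""
    report = {}
    for user, password in accounts.items():
        findings = audit_credential(user, password)
        if findings:
            report[user] = findings
    return report


# Constructed account table standing in for a device's exported configuration.
SAMPLE_ACCOUNTS = {
    "admin": "admin",               # untouched factory default
    "root": "",                     # empty password
    "ops": "xK9#vL2mQp7!wR4z",      # set by the operator
}

if __name__ == "__main__":
    for user, findings in audit_config(SAMPLE_ACCOUNTS).items():
        print(f"{user}: {'; '.join(findings)}")
```

Run as a script it prints one line per failing account; imported, `audit_config` gives a structured result that a provisioning pipeline can refuse to ship on. The entropy estimate is deliberately crude and only exists to catch repetitive strings; the default-list match is the check that matters for Mirai-style threats.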
Fraudsters exploiting newsworthy events
Opportunistic fraudsters have been using current events and exploiting public concern for their own financial gain.
The recent IT system problems reported by UK bank TSB led to a rise in phishing and text message scams claiming to be from the bank. These fake text messages and phishing emails often contain malicious links which direct customers straight to the scammers.
The 2018 FIFA World Cup taking place in Russia in June/July has led to a rise in phishing scams. Scammers are exploiting the willingness of football fans to pay inflated ticket prices with fake websites being set up to lure victims. Fans buying tickets from these sources run the risk of receiving fake tickets or none at all. Even more concerning, the fraudsters will acquire payment details, leaving fans exposed to further potential online fraud.
Fake World Cup-associated websites have also been set up offering accommodation, flights and 'official' hospitality at stadiums. Phishing emails have been sent advising users that they have won a World Cup Lottery and to send details and a small cash sum to claim their 'prize'. The NCSC recently published a blog outlining how fans can best secure devices and key accounts when travelling this summer.
People may lower their guard in the context of high-profile or emotionally engaging events, making these an ideal hook for fraudsters to exploit. You need to be sure that the person reaching out is genuine, and be wary of anyone requesting personal or financial information - banks will never ask for passwords or PINs. If it seems too good to be true, it probably is!
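The text-message and email scams described above work because a link that mentions the bank's name is trusted without checking which domain it actually resolves to. The following is an added example, not code from the NCSC report, of a link checker that an email gateway or a consumer-facing SMS filter could apply: it pulls URLs out of a message body, computes each link's registrable domain, and raises a reason whenever the brand name appears somewhere other than the bank's genuine domain. The brand, the genuine domain, the small public-suffix table and the sample message are all constructed for illustration.

```python
"""Flag links in an SMS or email body that impersonate a known brand.

Added example, not part of the NCSC weekly threat report. Domains below are
constructed illustrations; only 'example-bank.co.uk' is treated as genuine.
"""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"""(?:https?://|www\.)[^\s<>"')]+""", re.IGNORECASE)

BRAND = "example-bank"                      # constructed brand name
GENUINE_DOMAINS = {"example-bank.co.uk"}    # constructed: the only domain the bank uses

# Constructed subset of multi-label public suffixes so that the registrable
# domain of "login.example-bank.co.uk" comes out as "example-bank.co.uk".
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "com.au"}

# Digit-for-letter swaps commonly used to render a lookalike brand name.
LOOKALIKE_SUBS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})


def registrable_domain(host: str) -> str:
    """Return the registrable (owner-controlled) part of a hostname."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def assess_url(url: str) -> list[str]:
    """Return reasons this URL looks like brand impersonation; an empty list raises no concern."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    parsed = urlparse(url)
    host = parsed.hostname or ""
    reg = registrable_domain(host)
    if reg in GENUINE_DOMAINS:
        return []  # the bank's own domain, whatever the path
    reasons = []
    if parsed.scheme != "https":
        reasons.append("not HTTPS")
    if BRAND in host:
        reasons.append(f"brand name used in a domain the bank does not use ({reg})")
    if BRAND not in reg and BRAND in reg.translate(LOOKALIKE_SUBS):
        reasons.append("lookalike characters in domain")
    if BRAND in parsed.path.lower() and BRAND not in host:
        reasons.append("brand name only in path")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("raw IP address instead of hostname")
    return reasons


def find_suspicious_links(message: str) -> dict[str, list[str]]:
    """Scan a message body and return every URL that raised at least one reason."""
    flagged = {}
    for match in URL_RE.finditer(message):
        url = match.group(0).rstrip(".,;:")
        reasons = assess_url(url)
        if reasons:
            flagged[url] = reasons
    return flagged


# Constructed SMS body in the style of the bank-outage scams described above.
SAMPLE_MESSAGE = (
    "Example Bank: due to system problems your account is locked. "
    "See www.example-bank.co.uk/help or restore access at "
    "http://example-bank.co.uk.verify-account.example/login."
)

if __name__ == "__main__":
    for url, reasons in find_suspicious_links(SAMPLE_MESSAGE).items():
        print(url)
        for reason in reasons:
            print("  -", reason)
```

The key design point is that the comparison is made on the registrable domain, not on whether the brand string appears anywhere in the link: `example-bank.co.uk.verify-account.example` contains the genuine domain as a prefix yet is owned by whoever registered `verify-account.example`. A production filter would replace the constructed suffix table with the full public suffix list and the single brand with a table of protected brands.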
The NCSC has issued guidance on phishing and how to protect yourself.