Web security service provider Sucuri has exposed a botnet made up of thousands of hacked CCTV cameras worldwide that was being used to conduct DDoS attacks on small-business websites.
Sucuri was contacted by a small business owner, a jewelry shop, whose website had been DDoSed and forced offline for days. Researchers found that the jewelry shop's website was not the only target: thousands of websites were under DDoS attack from more than 25,000 hacked CCTV cameras.
It all started when Sucuri Network was asked to investigate a layer 7 attack (an HTTP flood) generating close to 35,000 HTTP requests per second (RPS) against the jewelry shop. Once the shop moved its DNS to Sucuri's servers, the attack was mitigated swiftly.
After analysing the attack, researchers found 25,000 unique IP addresses, with the largest shares from Taiwan (24%), the United States (12%), Indonesia (9%), Mexico (8%), Malaysia (6%), Israel (5%), Italy (5%), Vietnam (2%), France (2%) and Spain (2%). These top 10 countries accounted for only 75% of the sources; the remaining 25% were spread across another 95 countries (105 in total).
Another interesting aspect exposed in the analysis is that the cybercriminals were also using IPv6 in their DDoS operation. Daniel B. Cid, Sucuri's founder and CTO, explained: "We don't see many DDoS attacks leveraging IPv6 yet, and another thing that surprised us was that we saw quite a few of these devices coming from IPv6. It wasn't a big number, but almost 5% of all DDoS attack IP addresses came via IPv6. That's a change we expect to keep happening as IPv6 becomes more popular."
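The kind of triage Sucuri describes (peak request rate, number of distinct sources, and the IPv4/IPv6 split) can be reproduced from an ordinary web-server access log. The script below is an added example written for this article, not Sucuri's tooling; the log lines are constructed samples in Common Log Format using documentation address ranges, and the 35,000 RPS figure from the article is used only as an illustrative alert threshold (`rps_threshold` is a hypothetical parameter).

```python
import ipaddress
import re
from collections import Counter

# Constructed sample access-log lines (Common Log Format); not real attack data.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Jun/2016:10:00:00 +0000] "GET / HTTP/1.1" 200 1024
203.0.113.7 - - [27/Jun/2016:10:00:00 +0000] "GET / HTTP/1.1" 200 1024
198.51.100.23 - - [27/Jun/2016:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 2048
2001:db8::1 - - [27/Jun/2016:10:00:00 +0000] "GET / HTTP/1.1" 200 1024
203.0.113.7 - - [27/Jun/2016:10:00:01 +0000] "GET / HTTP/1.1" 200 1024
2001:db8::2 - - [27/Jun/2016:10:00:01 +0000] "GET / HTTP/1.1" 200 1024
192.0.2.55 - - [27/Jun/2016:10:00:02 +0000] "GET /shop HTTP/1.1" 200 4096
"""

# One Common Log Format record: client IP, ident, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_log(text):
    """Parse CLF lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append({"ip": m.group("ip"), "ts": m.group("ts"), "req": m.group("req")})
    return records


def summarize(records):
    """Aggregate the signals an analyst would look at first during an HTTP flood."""
    per_second = Counter(r["ts"] for r in records)   # CLF timestamps have 1 s resolution
    per_ip = Counter(r["ip"] for r in records)
    ipv6_sources = 0
    for ip in per_ip:
        try:
            if ipaddress.ip_address(ip).version == 6:
                ipv6_sources += 1
        except ValueError:
            pass  # malformed client field; ignore for the address-family split
    unique = len(per_ip)
    return {
        "total_requests": len(records),
        "peak_rps": max(per_second.values()) if per_second else 0,
        "unique_ips": unique,
        "ipv6_share": ipv6_sources / unique if unique else 0.0,
        "mean_requests_per_ip": len(records) / unique if unique else 0.0,
        "top_sources": per_ip.most_common(3),
    }


def flag_flood(summary, rps_threshold):
    """True when the peak per-second request rate reaches the chosen alert threshold."""
    return summary["peak_rps"] >= rps_threshold


if __name__ == "__main__":
    stats = summarize(parse_log(SAMPLE_LOG))
    for key, value in stats.items():
        print(f"{key}: {value}")
    print("flood suspected:", flag_flood(stats, rps_threshold=4))
```

The `mean_requests_per_ip` figure is the one worth watching with a botnet of this size: at the 35,000 RPS and 25,000 sources reported in the article, each camera averages roughly 1.4 requests per second, well under any per-IP rate limit a site would normally set, so the aggregate rate and the sudden jump in distinct sources are the useful signals, not any single client.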
Sucuri did not say exactly how those CCTV cameras were hacked. Hackers using IoT devices for DDoS attacks is not new, though it is not common either: in 2015, researchers from Incapsula discovered that cybercriminals had compromised 900 CCTV cameras through their weak credentials and were using them as a Distributed Denial of Service (DDoS) botnet operating around the world.
If you are a website owner under DDoS attack, contact firms like Sucuri or Incapsula. If you own a CCTV camera, replace the default username and password with strong login credentials so the device cannot be misused.