When a tremor wobbles the ground underneath your feet, it’s easy to keep your head down, keep typing, do whatever it is you were already doing. Perhaps someone just dropped something very heavy a ways away, that’s all.
But if you do keep your head down and the tremor turns out to be more than that — if it turns out to be a sign of some greater calamity headed your way — it’s hard to blame anyone but yourself, right?
This is not a story about tremors, but it is perhaps a story about warning signs of a more dangerous internet, the latest of which involves a hacker or group of hackers offering to cripple the digital life of any website or organization or person for anyone who can afford their services.
This person or group, who go by the names BestBuy and Popopret, recently spammed an ad to folks on Jabber, an instant messaging service. They offered to perform a distributed denial of service (DDoS) attack on whomever their client(s) wanted, and they backed up their offer by claiming to wield the ability to perform some of the strongest DDoS attacks ever seen. Recent events in the history of the internet show us that these kinds of attacks — if these hackers indeed have the power they claim — can wreak internet havoc by blocking user access to a range of some of the web’s most popular destinations. Slowly but steadily, we’ve begun to understand just how disruptive they can be, and, now that the tools to launch such attacks are available to the public, we’re starting to see just how often they can be deployed.
“Are we going to see more of this?” asked Justin Fier, the director of cyber intelligence and analysis at Darktrace, a cybersecurity firm. “Absolutely.”
One of the biggest internet tremors felt or read about happened back in September. Then, one of the largest DDoS attacks ever recorded blasted krebsonsecurity.com, the home of independent cybersecurity journalist Brian Krebs.
In some sense, after the initial chaos and probable anxiety the attack caused, the attack’s target may have been a little bit of a blessing. Krebs (for obvious reasons) took an interest in the attack that tried to knock him offline, and through him and other outlets this growing phenomenon began to be illuminated.
DDoS attacks have been around for a long time, but this one was different in notable ways. First, this DDoS attack wielded the power of “internet of things” devices, not compromised servers, as is more traditional. Internet of things devices comprise many of the things around us all the time — temperature control devices, smart refrigerators, CCTV cameras, to name just three. Those devices are almost always poorly secured, meaning hackers can break into thousands of them and use them to send junk data at one website, blocking normal users just trying to log onto that same site as they go about their daily business.
And if the attack on Krebs’s site was an initial tremor felt or heard about by many, a much larger tremor was felt by many not long after.
On Oct. 21, a Friday, if you were on a computer in an office somewhere in the United States, chances are you were having some internet trouble. That trouble stemmed from a gigantic multi-wave DDoS attack on Dyn, a hugely important company that not many people had heard about until that day. Dyn provides the ability for an average internet user to access some of the most popular sites on the internet. When you type “twitter.com” into your web browser, for example, Dyn reads those keystrokes and takes you where you want to go. A hacker or group of hackers obviously understood this, and blasted Dyn with a deluge of “junk data,” preventing internet users from accessing Twitter, Spotify and other immensely popular sites.
A couple of things about this attack are worth noting, beyond the obvious chaos. First, the attack caused a media frenzy, and if you think the public noticed, you can bet a bunch of hackers looking to test out some new tools also took notice. Second, the malware known as Mirai, which is used to find hackable bots and weaponize them to take down websites, is publicly available for use and modification, meaning the technical barriers to entry for those looking to perform such attacks or sell their services are lower than one might think.
“Any time we see any of these DDoS attacks get a lot of publicity … we often see these DDoS contract services pick it up,” John Miller, a manager of financial crime analysis at FireEye, a cybersecurity firm, told Mashable.
Which brings us back to the hacker or hackers known as Popopret and BestBuy, offering a massive attack service to whoever is willing to pay for it.
According to their ad, their botnet — a network of infected computers — has 400,000 devices and their services come with additional tricks to prevent victim sites from using traditional defenses. If true, that means their botnet is a bit like the publicly available source code on steroids. The original maxed out at 200,000 devices.
The hacker(s) require customers to buy their services for a minimum of two weeks, which could be considered a long time when you think about the tumult caused by one day of an attack on Dyn. The prices vary and will depend on the duration of attacks and how much time is spent between those attacks, though the hacker(s) did provide an example of cost to Bleeping Computer.
“…price for 50,000 bots with attack duration of 3600 secs (1 hour) and 5-10 minute cooldown time is approx 3-4k per 2 weeks.” As you can see, this is no cheap service. Once the botnet owners reach an agreement with the buyer, the customer gets the Onion URL of the botnet’s backend, where he can connect via Telnet and launch his attacks.”
It is, of course, possible that these guys are jokers and have nothing close to the abilities they claim. But Bleeping Computer certainly thinks otherwise. The names used suggest they have ties to an infamous hacking forum, and there are also indications they knew about the Mirai source code used in these attacks before it became publicly available. The folks at Bleeping Computer conclude that these people (or this person) run the largest known Mirai botnet, and are offering this digital weapon to anyone with some cash and an axe to grind.
That in and of itself is not necessarily something that can change the fundamental day-to-day operation of the internet, and government agencies have gotten much more adept at tracking cyber crime than they were, say, a decade ago. But these people have now provided a for-hire cybercrime model wherein hackers with a limited amount of skill can sell a cyber weapon to make money at the expense of the businesses or industries or even simply the time of others.
“It’s a business,” Kenneth Geers, a senior research scientist at Comodo, a cybersecurity firm, told Mashable. “They will experiment and find the right sort of victim, so it’s definitely a problem.”
Maybe this kind of business model won’t proliferate, but we’ve already begun to experience some tremors.