Information Security News
Last week, Ars introduced readers to Hajime, the vigilante botnet that infects IoT devices before blackhats can hijack them. A technical analysis published Wednesday reveals for the first time just how much technical acumen went into designing and building the renegade network, which just may be the Internet's most advanced IoT botnet.
As previously reported, Hajime uses the same list of user name and password combinations used by Mirai, the IoT botnet that spawned several, record-setting denial-of-service attacks last year. Once Hajime infects an Internet-connected camera, DVR, and other Internet-of-things device, the malware blocks access to four ports known to be the most widely used vectors for infecting IoT devices. It also displays a cryptographically signed message on infected device terminals that describes its creator as "just a white hat, securing some systems."
But unlike the bare-bones functionality found in Mirai, Hajime is a full-featured package that gives the botnet reliability, stealth, and reliance that's largely unparalleled in the IoT landscape. Wednesday's technical analysis, which was written by Pascal Geenens, a researcher at security firm Radware, makes clear that the unknown person or people behind Hajime invested plenty of time and talent.
When Congress held hearings following the breach of the systems of the Office of Personnel Management (OPM) in 2015, one of the issues that caused great consternation among lawmakers was that the OPM had failed to implement two-factor authentication for employees, particularly when using virtual private networks. Federal information security standards in place at the time called for strong user authentication for any federal information system, but the OPM hadn't figured out how to implement two-factor authentication principles—something users know (a password), plus something they have (which, in government, is typically a "smartcard" ID with digital authentication keys programmed onto a chip).
The OPM wasn't alone. While the Department of Defense began issuing Common Access Cards in 2008 to be used for two-factor authentication on DOD systems and to control physical access to DOD facilities, most of the civilian agencies of the US federal government still hadn't implemented their own smartcard (Personal Identity Verification, or PIV) systems at the time of the OPM breach.
The Government Accountability Office repeatedly warned of gaps in federal information security, including the lack of two-factor authentication on critical federal systems like those at OPM. And during President Barack Obama's "cyber-sprint," many more agencies did roll out smartcards for authentication.
Setting up a Microsoft SQL server with a stupid simple password like sa for the sa user is hard. First of all, Microsoft implemented a default password policy that you need to disable. And then, when you finally Googled your way through how to disable it width:300px" />
A little bit odd is the distribution in TTLs. I am still trying to see if this is just an artifact in how I collected the data. Since MSSQL typically runs on Windows, I would expect the scans to originate from Windows systems that got compromised by this bot/worm. But instead, the majority of TTLs are just short of 255. So not even the Unix standard width:300px" />