Mirai Botnet Proliferation
Mirai was responsible for the fourth quarter’s highly publicized DDoS attack on Dyn, a major DNS service provider. Mirai is notable because it detects and infects poorly secured IoT devices, transforming them into bots to attack its targets.
The October public release of the Mirai source code led to a proliferation of derivative bots, although most appear to be driven by script kiddies and are relatively limited in their impact. But the source code release has also led to offerings of “DDoS-as-a-service” based on Mirai, making it simple for unsophisticated yet willing attackers to execute DDoS attacks that leverage other poorly secured IoT devices. Mirai botnet-based DDoS attacks are available as a service in the cybercriminal marketplace for $50 to $7,500 per day.
McAfee Labs estimates that 2.5 million Internet of Things (IoT) devices were infected by Mirai by the end of Q4 2016, with about five IoT device IP addresses added to Mirai botnets each minute at that time.
Q4 2016 Threat Activity
In the fourth quarter of 2016, McAfee Labs’ Global Threat Intelligence network registered notable trends in cyber-threat growth and cyber-attack incidents across industries:
- Malware growth. The number of new malware samples slowed 17% in Q4, while the overall count grew 24% in 2016 to 638 million samples.
- Mobile malware. The number of new mobile malware samples declined 17% in Q4, while total mobile malware grew 99% in 2016.
- Ransomware growth. The number of new ransomware samples dropped 71% in Q4, mostly due to a drop in generic ransomware detections, as well as a decrease in the activity of the Locky and CryptoWall strains. The number of total ransomware samples grew 88% in 2016.
- Mac OS malware. Although still small compared to Windows threats, the number of new Mac OS malware samples grew 245% in Q4 due to adware bundling. Total Mac OS malware grew 744% in 2016.
- Spam botnets. Spam email messages from the top 10 botnets dropped 24% in Q4 to 181 million emails. They generated 934 million spam messages in 2016 overall.
- Reported security incidents. McAfee counted 197 publicly-disclosed security incidents in Q4 and 974 publicly-disclosed security incidents in 2016. Security incidents are events that compromise the integrity, confidentiality, or availability of information assets. Some, but not all, of these incidents are breaches. Breaches are incidents that result in the confirmed disclosure (not just potential exposure) of data.
- Public sector cyber-attacks. The public sector experienced the greatest number of incidents by far, but McAfee believes this may be the result of stricter requirements for reporting incidents, as well as an increase in attacks related to the U.S. election process, mostly voter database incidents and defacing of election websites.
- Banking and gaming attacks. A Q3 jump in incidents in the software development sector was due to the rise in attacks on gaming platforms. In the finance sector, the SWIFT attacks on the banking sector led to a Q2 jump in incidents.
- Botnet activity. The KelihosC botnet, a recent purveyor of phony pharmaceuticals and Russian automotive supplies (such as “winter and summer tires at competitive prices”), increased its overall volume during Q4.
For more information on these trends, or more threat landscape statistics for Q4 2016, visit www.mcafee.com.