Lizard Squad turn CCTV Cameras into massive botnets to launch massive DDoS attacks
Hackers are turning the huge network of CCTV cameras installed worldwide into botnets that conduct DDoS attacks on banks, gaming firms and government agencies. The CCTV camera botnet uses the open-source LizardStresser code, written by Lizard Squad, the hackers of PlayStation DDoS fame.
The network of compromised cameras was uncovered by researchers at security firm Arbor Networks, who reported that large-scale distributed denial of service (DDoS) attacks took down websites by flooding them with traffic.
Arbor Networks’ ASERT group has found that the number of command-and-control servers unique to LizardStresser has increased during 2016, with cyber-criminals managing to break into IoT devices primarily by using the unit’s default password. This has enabled these gangs to assemble huge botnet armies capable of launching massive attacks.
According to Arbor Networks, the botnet has been assembled by the notorious hacker collective called Lizard Squad. Lizard Squad gained infamy and brickbats from gamers for taking down the Xbox Live and PlayStation gaming networks during the Christmas weekend of 2014 using its LizardStresser DDoS tool.
The number of botnets based on LizardStresser has been steadily growing recently, hitting the 100 unique command-and-control (C2) server milestone in June 2016, with a number of them specifically targeting IoT devices, according to research by Arbor Networks. In a blog post, Matthew Bing, a research analyst at Arbor Networks, said: “LizardStresser is becoming the botnet-du-jour for IoT devices given how easy it is for threat actors to make minor tweaks to telnet scanning. With minimal research into IoT device default passwords, they are able to enlist an exclusive group of victims into their botnets.”
He added: “Utilising the cumulative bandwidth available to these IoT devices, one group of threat actors has been able to launch attacks as large as 400Gbps targeting gaming sites world-wide, Brazilian financial institutions, ISPs, and government institutions.”
Lizard Squad released LizardStresser as a rent-a-tool for wannabe hackers in 2015. It also open-sourced the DDoS tool’s code in 2015 with the express purpose of enabling such DDoS attacks.
LizardStresser is now being used to build a massive swarm of botnets by exploiting the poor security of CCTV cameras, and these DDoS attacks are mostly directed against banks, says Arbor.
Poor security in the Internet of Things has been blamed for many cyber ills. Many security experts say that the fault often lies with the devices’ manufacturers, who too often treat the security of a product as an afterthought.