[nsp-sec] Large mirai-variant - null routing and cleanup requested

Benjamin, Mike Mike.Benjamin at centurylink.com
Wed Dec 6 15:46:42 EST 2017


If it was lost in Damian's note, LeaseWeb has taken action and you can remove your null routes.



Damian,


To be clear - the owner was contacted before anyone null routed and of course patching and remote filters are preferred. Those should both be inherent to this kind of work.



________________________________
From: Damian Menscher <damian at google.com>
Sent: Wednesday, December 6, 2017 9:29 AM
To: Benjamin, Mike
Cc: nsp-security at puck.nether.net
Subject: Re: [nsp-sec] Large mirai-variant - null routing and cleanup requested

I think it's a bit of an overreaction to null-route a C2 IP before even asking the hosting provider nicely.  In this case, Leaseweb has been contacted and has disabled that IP.  So everyone can remove their blocks now.  (Note this may become more of an issue if the C2 moves to bulletproof hosting.)

I also think blocking two ports long-term is best avoided, as it can cause collateral damage to legitimate use.  It seems better to monitor sources and notify the worst-affected ISPs so they can fix their CPE (or implement local blocks if they deem that necessary).

Damian

On Tue, Dec 5, 2017 at 4:52 PM, Benjamin, Mike <Mike.Benjamin at centurylink.com> wrote:
----------- nsp-security Confidential --------


I'm sure you are all aware of the large attacks that the mirai malware was used to launch in the latter part of 2016.  Since then a few occurrences of large instances have been built, but most have been kept under relative control and then ultimately removed.


Over the last 48 hours the Internet has seen a massive uptick in the growth of an instance that is causing concern.


An overview has been made public by the netlab 360 team here:


http://blog.netlab.360.com/warning-satori-a-new-mirai-variant-is-spreading-in-worm-style-on-port-37215-and-52869-en/


Scanning for the two vulnerabilities in question can be seen through our port usage graphs from 3356 netflow:


[two inline images, not reproduced: AS3356 netflow port-usage graphs for TCP 37215 and TCP 52869]


Through multiple groups working together we've confirmed that a botnet size over 500k nodes may be a reasonable estimate of infected size.  This is obviously not good.


Due to the swift manner in which this botnet was built and its large size, we've decided to pre-emptively null route the C2 hosted at 95.211.123[.]69.  This null route is active in AS3356, 209 and 3549.  We'd encourage any other operators to assist as well.  Multiple groups have requested a takedown of the VM through LeaseWeb, and we're awaiting their assistance to complete the takedown.


This is unfortunately a temporary measure, and we expect the actor will simply stand up new infrastructure and start over.  To ensure they are less effective the next time, we are working with our downstream customers (and some of the larger offenders who are not customers) that exhibit the scanning behavior for these ports.  Our goal is to:


1) Work with them to filter the traffic entirely by blocking packets with the SYN flag set towards these ports in both directions at their network edge.  Blocking other TCP flags risks breaking things, as these are ephemeral ports, and should be avoided where possible.

2) Encourage them to work with their equipment vendors to patch the vulnerabilities in question or at least close these management ports.


For those with the ability to do so, I suggest you take a look at your data to look for customers that may have the same risk open to the Internet.  This can be done by looking for the very loud scanning for TCP port 37215 or 52869 across wide ranges of IP space.  Beware that this variant continues to utilize the other well-known mirai infection methods, so not every scanning device is necessarily vulnerable to the new Huawei exploit or the older Realtek exploit.


If there are any questions, please let us know.  We appreciate the support with helping to minimize this threat's impact.

This communication is the property of CenturyLink and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.



_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security

Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security counter-measures.
_______________________________________________

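The Dec 5 message asks operators to mine their own flow data for the loud SYN scanning of TCP 37215 and 52869 described above. The script below is an added example of that check, not code from the thread, CenturyLink or netlab 360. It assumes nfdump-style CSV flow rows (field order and the "UAPRSF" flag string are assumptions; adapt them to your collector), and the thresholds MIN_TARGETS and MIN_PREFIXES are assumed starting points, not values from the thread. It only counts initial SYNs towards the two ports, so SYN-ACK replies, complete admin sessions, and the older telnet-style Mirai scanning are left out, which matches the caveat that a scanning device is not necessarily vulnerable to the Huawei or Realtek exploit. The sample rows are constructed.

```python
"""Flag sources loudly SYN-scanning TCP 37215 / 52869 in nfdump-style CSV flow records.

Added example for the nsp-sec thread; not code from the original message.
Assumed field layout (nfdump csv-like): ts,sa,sp,da,dp,pr,flg,ipkt,ibyt
Assumed flag encoding: nfdump 'UAPRSF' string, '.' for an unset bit ('....S.' = bare SYN).
"""
import csv
import io
import ipaddress
from collections import defaultdict

SATORI_PORTS = {37215, 52869}  # ports named in the thread and the netlab 360 write-up
MIN_TARGETS = 64               # assumed: distinct destination hosts per port to call it a scan
MIN_PREFIXES = 16              # assumed: distinct destination /24s per port ("wide ranges of IP space")
FIELDS = ["ts", "sa", "sp", "da", "dp", "pr", "flg", "ipkt", "ibyt"]


def parse_flows(text):
    """Parse CSV flow rows into dicts; ports and packet counts become ints."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        rec["sp"], rec["dp"], rec["ipkt"] = int(rec["sp"]), int(rec["dp"]), int(rec["ipkt"])
        rows.append(rec)
    return rows


def is_initial_syn(flg):
    """True for a flow whose OR'd TCP flags are SYN without ACK (a probe, not a reply or session)."""
    return len(flg) == 6 and flg[4] == "S" and flg[1] != "A"


def find_scanners(flows, ports=SATORI_PORTS, min_targets=MIN_TARGETS, min_prefixes=MIN_PREFIXES):
    """Return {src: {port: (distinct_dst_hosts, distinct_dst_/24s)}} for sources over both thresholds."""
    hosts = defaultdict(lambda: defaultdict(set))
    prefixes = defaultdict(lambda: defaultdict(set))
    for f in flows:
        if f["pr"] != "TCP" or f["dp"] not in ports or not is_initial_syn(f["flg"]):
            continue
        hosts[f["sa"]][f["dp"]].add(ipaddress.ip_address(f["da"]))
        prefixes[f["sa"]][f["dp"]].add(ipaddress.ip_network((f["da"], 24), strict=False))
    hits = {}
    for src, per_port in hosts.items():
        for port, dsts in per_port.items():
            n_pfx = len(prefixes[src][port])
            if len(dsts) >= min_targets and n_pfx >= min_prefixes:
                hits.setdefault(src, {})[port] = (len(dsts), n_pfx)
    return hits


def sample_flows():
    """Constructed flow export: one Satori-style scanner, one admin session, one reply, one telnet scanner."""
    rows = []
    # 198.51.100.7 probes 37215 on 200 hosts spread over 200 different /24s, then 52869 on 100 more.
    for i in range(200):
        rows.append(f"2017-12-05 14:00:{i % 60:02d},198.51.100.7,{40000 + i},10.0.{i % 256}.{i % 250 + 1},37215,TCP,....S.,1,60")
    for i in range(100):
        rows.append(f"2017-12-05 14:01:{i % 60:02d},198.51.100.7,{41000 + i},10.1.{i % 256}.{i % 250 + 1},52869,TCP,....S.,1,60")
    # A SYN-ACK from a probed host back to the scanner: dp is ephemeral, so it is ignored.
    rows.append("2017-12-05 14:00:03,10.0.3.4,37215,198.51.100.7,40003,TCP,.A..S.,1,60")
    # A complete admin session to one device: the flow's OR'd flags carry ACK, so it is not a probe.
    rows.append("2017-12-05 14:05:00,192.0.2.10,51000,203.0.113.5,37215,TCP,.AP.SF,12,1800")
    # Classic Mirai telnet scanning on 23: loud, but not evidence of the 37215/52869 vulnerabilities.
    for i in range(300):
        rows.append(f"2017-12-05 14:02:{i % 60:02d},198.51.100.9,{42000 + i},10.2.{i % 256}.{i % 250 + 1},23,TCP,....S.,1,60")
    return "\n".join(rows) + "\n"


if __name__ == "__main__":
    for src, per_port in find_scanners(parse_flows(sample_flows())).items():
        for port, (n_hosts, n_pfx) in sorted(per_port.items()):
            print(f"{src} SYN-scanned tcp/{port}: {n_hosts} hosts across {n_pfx} /24s")
```

Because a flow record ORs the flags of every packet it aggregated, a real admin login to a single device shows ACK and drops out, while a scanner's one-packet probes stay as bare SYNs; counting distinct /24s rather than just hosts is what separates a sweep of address space from a chatty client hammering one subnet. Run over a day of exports and hand the resulting source list to the owning ISP, as the thread suggests, rather than treating every hit as a confirmed infection.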



