DDoS, Lizard Squad and Preparing for Cyber-War

While some people hate Lizard Squad, others believe that it is simply a function of the times in which we live. While its public distributed denial of service (DDoS) attacks have been derided as lame script kiddie attacks, a look at Lizard Squad’s infrastructure reveals an alarming trend that’s particularly worrying when considering the expansion of the internet of things (IoT).

During the Squad’s activities in late 2014 and early 2015 it used DDoS attacks against the Sony PlayStation Network and Microsoft’s Xbox Live. These attacks prevented millions of users from accessing online services. While Lizard Squad’s attacks were focused on internet-based gaming services, the tools used to build its capability were nefarious, with much wider potential applications.

The DDoS attacks were part of a marketing campaign for the Squad’s new commercial offering – the ‘Lizard Stresser’ DDoS-as-a-service tool, quoted as having 60Tbps of bandwidth. Putting that into context, that’s the equivalent of streaming 7500 hours of Netflix video in a single second. That’s not an idle boast, if you consider that the DDoS’d Xbox Live network was quoted by Microsoft in 2013 as having 30,000 systems online to support gamers.

However, the real longer-term threat to the likes of the IoT and SMEs is that a significant chunk of Lizard Squad’s bandwidth was obtained from compromised home/SOHO routers. These home devices, owned by an increasingly tech-dependent but tech-ignorant population, were still using default and easy-to-guess passwords (admin/admin, admin/blank, admin/password); by compromising these devices the Squad was able to install a modified piece of backdoor/bot malware, which provided the asymmetric amplification of the attack.

By targeting an online service on Christmas day, during which time millions of gamers would be seeking to activate, update and install new games and consoles, the Squad again amplified the outcome.

Worryingly, despite the fact that Stresser is offline, there are still thousands of home routers that have the bot/malware installed. The owners of these routers no longer have a trusted network; their internet traffic is open to interception, blocking and even redirection (by DNS manipulation). Everything they do, from home shopping, gaming and banking to working from home, is subject to analysis and interception. Until the router malware is removed, Lizard Squad could easily redirect users to malicious sites where malware can be injected into legitimate traffic or user credentials harvested using techniques like SSL stripping.

So, what have we learnt from this? That a small group of vocal hackers, with cloned and buggy code were able to compromise thousands of home routers and install backdoors and malware to form a large botnet capable of delivering devastating volumes of data against a target of its choice. But what if they weren’t vocal, or writing buggy code?

The term cyber-warfare is often used when referring to computer attacks leveraged by many countries. However, to most citizens it is an almost totally hidden war. Citizens’ everyday activities are rarely affected; email gets delivered, web pages load and customers can still shop or bank online. But what if that changed? What if a skilled or well-funded, state-sponsored hacking group, like the often quoted advanced persistent threat (APT) groups, turned its attention from stealth malware infections to overt cyber-war via DDoS?

Imagine if it was more than just internet services that were subject to these types of DDoS attacks; think of the potential catastrophic effect it could have if it was directed at power or water companies, or even the company that moves vehicle fuel around the country to customers.

Individuals and companies need to plan for the day when the hidden cyber-war spills over into full public view. Part of the solution is to not be part of the problem. Check that all routers have the latest firmware and are using the correct configuration set; if there is any doubt about the device’s integrity, force a firmware update, having downloaded the firmware files from the vendor via a different network. Ensure the DNS settings are correct and that the device has been hardened if it is internet facing; the National Institute of Standards and Technology (NIST) has some excellent guides for most OSs, routers and applications.
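The three checks the article recommends (factory-default admin credentials, a firmware image verified against the vendor’s published checksum fetched over a separate network, and DNS answers that have not been manipulated) can be scripted. The block below is an added illustration, not code from the article or from any router vendor; the credential list, the firmware bytes and the DNS answer sets are constructed, and the caller is assumed to have already collected the router resolver’s and a reference resolver’s answers into dictionaries.

```python
"""Home/SOHO router hygiene checks (added example, not from the article)."""
import hashlib
import ipaddress

# The default pairs the article names; extend from the vendor's documentation.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", ""), ("admin", "password")}

# Addresses a public hostname should never resolve to: RFC 1918, loopback and
# link-local. A router that answers with its own LAN address is a classic sign
# of local DNS manipulation (hypothetical list, chosen for this example).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_default_credential(username: str, password: str) -> bool:
    """True if the admin login is one of the well-known factory defaults."""
    return (username.lower(), password) in DEFAULT_CREDENTIALS


def verify_firmware(image: bytes, vendor_sha256: str) -> bool:
    """Compare a downloaded image with the checksum the vendor publishes.

    Obtain the checksum over a different network than the suspect router, so a
    tampered router cannot serve both a bad image and a matching hash.
    """
    return hashlib.sha256(image).hexdigest() == vendor_sha256.strip().lower()


def dns_divergence(router_answers: dict, reference_answers: dict) -> dict:
    """Flag names whose answers from the router's resolver look manipulated.

    A name is flagged when the router gives no answer, returns a LAN/loopback
    address for a public name, or returns an answer set that shares no address
    with the reference resolver (CDNs rotate addresses, so overlap is enough).
    Returns {name: reason} for the suspicious names only.
    """
    findings = {}
    for name, ref_ips in reference_answers.items():
        router_ips = set(router_answers.get(name, ()))
        if not router_ips:
            findings[name] = "no answer from router resolver"
            continue
        local = sorted(ip for ip in router_ips
                       if any(ipaddress.ip_address(ip) in net for net in LOCAL_NETS))
        if local:
            findings[name] = f"local address answer {local}"
        elif router_ips.isdisjoint(ref_ips):
            findings[name] = f"{sorted(router_ips)} disagree with reference {sorted(ref_ips)}"
    return findings
```

Run the DNS comparison against a dozen high-value names (bank, mail, update servers) from behind the suspect router; any flagged name is grounds for the firmware reflash the article describes.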

About the Author

Steve began working in the security arena in 1994 whilst serving in the UK Royal Air Force. He specialized in the technical aspects of IT security from 1997 onward, and before retiring from active duty, he led the RAF's penetration and TEMPEST testing teams. He founded Logically Secure in 2006 to provide specialist security advice to government departments, defense contractors, the online video gaming industry, and both music and film labels worldwide. When not teaching for SANS, Steve provides penetration testing and incident response services for some of the biggest household names in gaming and music media. To relax, Steve enjoys playing Battlefield to loud music and developing collaborative DFIR tools.