Variant of Mirai botnet used to target financial sector in January
Researchers at Recorded Future believe that a Mirai botnet variant, possibly linked to the IoTroop or Reaper botnet, was utilized in attacks on at least one company, and probably more, in the financial sector in late January of this year.
The botnet targeted one company using at least 13,000 devices, each with a unique IP address, and generated traffic volumes up to 30Gb/s.
Recorded Future's Insikt Group of researchers found the attack was 80 percent comprised of compromised MikroTik routers, with the remaining 20 percent composed of various IoT devices including other routers, webcams, TVs, and DVRs.
The report's authors note that, "The spread of devices from different manufacturers suggests a widespread and rapidly evolving botnet that appears to be leveraging publicly disclosed vulnerabilities in many IoT devices."
They point out that these attacks highlight the ongoing threat of DDoS to the financial sector from continuously evolving botnets. The similarity in device composition with the IoTroop/Reaper botnet suggest that IoTroop has evolved to exploit vulnerabilities in additional IoT devices and is likely to continue to do so in the future in order to build up the botnet to facilitate larger DDoS attacks against the financial sector.
Recorded Future recommends that IoT device owners take some simple measures to mitigate the risk of their devices being commandeered by an IoT botnet. These include always replacing default manufacturer passwords immediately on use, keeping the firmware for devices current and up to date, using a VPN for devices like IP cameras that require remote access, and disabling unnecessary services (such as Telnet) and closing ports that are not required for the IoT device.
You can read more details of the attack on the Recorded Future blog.