Once again, important New Zealand organisations have been caught out being vulnerable to attacks at a particularly inopportune time, during the long Covid-19 Delta lockdown.
Distributed denial of service attacks (DDoS) have caused angst and anger with users checking for deliveries, working from home and trying to pay bills.
We might never learn who is behind them, but a Russian security vendor that specialises in DDoS defences and one of its customers, large internet provider Yandex, reckon they have some clues as to where the attacks against New Zealand networks come from.
Yandex and Qrator said they had successfully prevented several large DDoS attacks, the largest of which reached almost 22 million requests per second. That might not mean much to non-techies, but a web server farm trying to fulfill that many requests, especially over encrypted HTTPS connections, might have buckled.
The two Russian companies estimate that around 200,000 devices worldwide are part of the Meris botnet. Meris means "plague" in Latvian, a very cool cyber name for the threat.
It is somewhat ironic to get a heads-up on NZ attacks from Russia which as a nation has a rather sullied cyber security image. In this case it could actually be for real.
Smaller and wireless internet providers around the world and New Zealand included will be familiar with a popular Latvian device vendor called Mikrotik.
Mikrotik's support staff have confirmed that some of their devices are being used in attacks by the Meris botnet, not because of a new vulnerability but because of an older one that leaked a default username and password and which, in many, many cases, was left unpatched.
Once inside an unpatched Mikrotik device, attackers will enjoy a capable network computer often attached to a high-speed network with a wired connection.
"Moreover, all those being highly capable devices, not your typical IoT blinker connected to WiFi", as Qrator wrote. (IoT stands for Internet of Things, and could be your Wifi enabled fridge for example.)
A complicating factor in sorting out the DDoS mess is that Mikrotiks are sold in large volumes all over the world. The company doesn't always know who bought what and can't contact internet providers to tell them to patch the devices.
An attack won't succeed simply by unleashing a huge volume of data against some target; more thought is required as to where to direct the floods and how to construct them for best effect, if the criminals want to show that they are serious about their extortion attempts.
Otherwise, the only thing that'll happen is that tech journalists will get yet another release from a security vendor bragging about how they staved off a giant DDoS for their customers.
Whether or not the Meris botnet is behind a spate of attacks I heard about last week is unclear, but they were conducted in a tricky fashion that shows how difficult it can be to defend networks.
A certain large organisation that most of us are familiar with had the internet protocol addresses of its external network forged, or spoofed, into data packets. The data packets were then used to flood New Zealand internet providers' networks.
Some providers simply black-holed the excessive data traffic which meant that their subscribers could not get to the large organisation in question, in effect creating a crude denial of service attack.
This was effective because the spoofed IP address range was the one in which the large organisation had placed a domain name server. That meant users who typed an address into their browsers were presented with "not found" pages, because the server that normally answers with the location of the content being sought had been black-holed by providers.
Apparently the attacks even caused problems at the end-user level: subscriber routers consumed excessive resources as people tried to reach the large organisation, which is very popular at the moment thanks to the pandemic, and the routers crashed and rebooted. If that's true, then that's quite spectacular collateral damage from the attack.
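The failure described above hinges on one detail: every path to the organisation's content ran through a name server sitting inside the one address range that providers black-holed. A simple self-check a network team can run is whether a zone's authoritative name servers all fall inside a single routable prefix, so that black-holing that prefix removes name resolution entirely. The following is an added example, not code from the column or from any of the organisations it mentions; the server names and addresses are constructed (RFC 5737 documentation ranges), and the /24 and /48 grouping sizes are assumptions standing in for whatever prefix length a provider would actually black-hole.

```python
"""
Check whether a zone's authoritative name servers all sit inside one
routable prefix, i.e. whether a single black-holed range would take
every name server down at once.  Added example; sample data is constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: all three name servers live in the same /24.
SAMPLE_NS = {
    "ns1.example.org": "203.0.113.10",
    "ns2.example.org": "203.0.113.11",
    "ns3.example.org": "203.0.113.200",
}

# Constructed sample: name servers spread over two unrelated prefixes.
DIVERSE_NS = {
    "ns1.example.org": "203.0.113.10",
    "ns2.example.org": "198.51.100.53",
    "ns3.example.org": "2001:db8:1::53",
}


def containing_prefix(addr, v4_len=24, v6_len=48):
    """Return the /24 (IPv4) or /48 (IPv6) network containing addr.
    The prefix lengths are assumptions about typical black-hole granularity."""
    ip = ipaddress.ip_address(addr)
    length = v4_len if ip.version == 4 else v6_len
    return ipaddress.ip_network(f"{ip}/{length}", strict=False)


def group_by_prefix(ns_addrs):
    """Map each containing prefix to the name servers inside it."""
    groups = defaultdict(list)
    for name, addr in ns_addrs.items():
        groups[containing_prefix(addr)].append(name)
    return dict(groups)


def servers_lost_if_blackholed(ns_addrs, blackholed_prefix):
    """Name servers that become unreachable if blackholed_prefix is dropped."""
    net = ipaddress.ip_network(blackholed_prefix)
    return sorted(
        name for name, addr in ns_addrs.items()
        if ipaddress.ip_address(addr).version == net.version
        and ipaddress.ip_address(addr) in net
    )


def single_point_of_failure(ns_addrs):
    """True when every name server shares one containing prefix, so a
    single black-hole route removes all of them."""
    return len(group_by_prefix(ns_addrs)) == 1


if __name__ == "__main__":
    for label, ns in (("SAMPLE_NS", SAMPLE_NS), ("DIVERSE_NS", DIVERSE_NS)):
        print(f"{label}: single point of failure = {single_point_of_failure(ns)}")
        for prefix, names in group_by_prefix(ns).items():
            print(f"  {prefix}: {', '.join(names)}")
    print("lost if 203.0.113.0/24 is black-holed:",
          servers_lost_if_blackholed(SAMPLE_NS, "203.0.113.0/24"))
```

Run against the real NS records of a zone (the addresses would come from a resolver lookup rather than the constructed dictionaries here), a result of `True` means that a provider dropping that one prefix, whether because of a spoofed flood or for any other reason, leaves users with "not found" pages exactly as the column describes.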
Where there's a way to do bad things, the internet will make it possible in some unexpected way.
It is important to note that the large organisation in question could have done a number of things to prevent the attacks. While it's understandable that nobody wants to touch production networks that are working during a level 4 lockdown, it's crucial that they don't remain vulnerable to attacks like the above.
We are literally dependent on having robust, working internet connections for our economy, education, healthcare and receiving news and important information. Criminals are fully aware of this, and organisations can rest assured that they are out there on the internet mapping out the local network topology, looking for weaknesses and misconfigurations to exploit as part of their business.
When they find the soft spots, which are usually there because of neglect that nobody bothered to remedy, they clearly have enormous resources in terms of devices and network capacity to bring to bear on victims.
A lockdown, when people need your organisation's internet-delivered services the most, is completely the wrong time to find yourself defending against preventable attacks.