Full Report
The rent-a-DDoS service that knocked out Xbox Live and Playstation Network is powered by thousands of hacked residential internet routers.
Analysis Summary
# Incident Report: Lizard Squad DDoS Service Powered by Hacked Routers
## Executive Summary
A cybercrime group, Lizard Squad, leveraged a large botnet composed of thousands of compromised residential and commercial internet routers to offer "rent-a-DDoS" commercial services. The incident gained notoriety after the group used this infrastructure to target and successfully take down major gaming networks like Xbox Live and PlayStation Network as a form of promotion for their paid attack service.
## Incident Details
- **Discovery Date:** January 13, 2015 (Public reporting based on investigation by Brian Krebs)
- **Incident Date:** Attacks occurred around Christmas 2014 and were still ongoing when the reporting appeared in early January 2015.
- **Affected Organization:** Multiple organizations globally, including Xbox Live, PlayStation Network, commercial companies, and universities.
- **Sector:** Gaming, Technology, Internet Service Providers (via compromised routers).
- **Geography:** Global (involving home routers around the globe).
## Timeline of Events
### Initial Access
- **Date/Time:** Prior to December 2014, ongoing.
- **Vector:** Exploitation of default/factory credentials on residential and commercial internet routers.
- **Details:** Attackers scanned the internet for routers reachable over Telnet that were protected only by factory-default usernames and passwords (e.g., 'admin/admin', 'root/12345').
### Lateral Movement
- **Details:** Infected routers were repurposed as "stresser bots." The malware on an infected system actively scanned the internet for *other* susceptible routers to recruit into the botnet, ensuring the botnet continued to grow.
### Data Exfiltration/Impact
- **Impact:** The controlled botnet was used to launch powerful Distributed Denial of Service (DDoS) attacks against targeted high-profile services (Xbox Live, PSN) and customers who paid for the "rent-a-DDoS" service.
- **Data/System Impact:** Operational disruption due to overwhelming traffic saturation.
### Detection & Response
- **How it was discovered:** Security journalist Brian Krebs publicly reported on the infrastructure sourcing of the Lizard Squad's DDoS attacks, revealing the reliance on insecure home routers.
- **Response actions taken:** The article provided guidance to the public on how to secure their own routers against inclusion in such botnets (e.g., changing default passwords).
## Attack Methodology
- **Initial Access:** Brute-forcing or exploiting routers using factory-default credentials accessible via Telnet.
- **Persistence:** Infected routers became persistent attack nodes (bots) within the Lizard Squad's botnet infrastructure.
- **Privilege Escalation:** Not explicitly detailed, but initial access leveraged weak configuration (default credentials) rather than true elevation from a standard user account.
- **Defense Evasion:** Attack traffic originated from thousands of unrelated residential and commercial IP addresses rather than from infrastructure the attackers owned, which made source-based blocking ineffective and attribution to the operators difficult.
- **Credential Access:** Gained router administration credentials via well-known default settings.
- **Discovery:** Automated scanning of the internet for devices accepting incoming connections via Telnet with default passwords.
- **Lateral Movement:** Infected systems were used to scan for and infect new, vulnerable routers.
- **Collection:** Primarily focused on collecting network bandwidth/processing power from compromised devices, not proprietary user data.
- **Exfiltration:** N/A (The goal was denial of service, not data theft).
- **Impact:** High-volume traffic overwhelming target servers, leading to outages.
## Impact Assessment
- **Financial:** Not explicitly quantified, but significant downtime for attacked services (Xbox Live, PSN). Revenue loss for victims due to unavailability.
- **Data Breach:** No evidence of sensitive user data exfiltration from targeted organizations was reported in this summary.
- **Operational:** Major outages reported for major gaming platforms during the holiday season.
- **Reputational:** Reputational damage fell on the targeted platforms, which were unavailable during peak holiday demand; Lizard Squad, by contrast, used the outages as advertising for its paid service. Public awareness of IoT/router security increased as a result of the reporting.
## Indicators of Compromise
*Note: Specific indicators are not provided, as the article focuses on the method of compromise (default credentials) rather than on specific malware signatures.*
- **Network indicators:** Unusually high volumes of traffic (e.g., UDP floods, including DNS or NTP traffic) originating from many geographically distributed residential IP addresses and converging on a single victim (the DDoS signature).
- **File indicators:** N/A (Focus on firmware/configuration compromise).
- **Behavioral indicators:** Routers attempting to scan other internet devices via Telnet ports using common default credentials.
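The two behaviours listed above (a bot scanning TCP/23 to recruit new routers, and many distributed sources flooding one victim with UDP) can be detected from flow records. The following is an added example written for this page, not tooling from the original article or from Lizard Squad; the record format, the thresholds and the flow lines are constructed, and the `min_targets`/`min_sources`/`window` parameters are assumptions to tune against real traffic.

```python
"""Flag the two behaviours described in the report over constructed flow records.
Added example (not from the original article). Assumed record format,
space-separated: ts src_ip dst_ip proto dst_port bytes
"""
from collections import defaultdict


def build_sample_flows():
    """Constructed sample data: one scanner, one benign host, one flood, one benign UDP set."""
    lines = []
    # 1) Router 192.0.2.10 walks eight hosts on TCP/23 within eight seconds (scanner).
    for i in range(8):
        lines.append(f"{1420156800 + i} 192.0.2.10 198.51.100.{i + 1} TCP 23 120")
    # 2) Router 192.0.2.20 makes two Telnet connections 100 s apart plus HTTPS (benign).
    lines.append("1420156800 192.0.2.20 198.51.100.1 TCP 23 300")
    lines.append("1420156900 192.0.2.20 198.51.100.2 TCP 23 300")
    lines.append("1420156901 192.0.2.20 198.51.100.9 TCP 443 5000")
    # 3) 25 distributed sources hit one victim with UDP inside two seconds (flood).
    for i in range(25):
        lines.append(f"{1420160000 + i % 2} 203.0.113.{i + 1} 198.51.100.200 UDP 80 1400")
    # 4) Three NTP clients to another host: ordinary traffic, below threshold.
    for i in range(3):
        lines.append(f"{1420160000 + i} 203.0.113.{50 + i} 198.51.100.201 UDP 123 76")
    return "\n".join(lines)


def parse_flows(text):
    """Parse the assumed record format into dicts; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, port, nbytes = line.split()
        flows.append({"ts": int(ts), "src": src, "dst": dst,
                      "proto": proto, "port": int(port), "bytes": int(nbytes)})
    return flows


def _peak_distinct(events, window):
    """Largest number of distinct peers seen from any event within `window` seconds after it."""
    events.sort()
    peak = 0
    for i, (t0, _) in enumerate(events):
        peers = {p for t, p in events[i:] if t - t0 <= window}
        peak = max(peak, len(peers))
    return peak


def find_telnet_scanners(flows, min_targets=5, window=60):
    """Sources contacting >= min_targets distinct hosts on TCP/23 inside `window` seconds.
    Returns {src_ip: peak_distinct_targets}."""
    by_src = defaultdict(list)
    for f in flows:
        if f["proto"] == "TCP" and f["port"] == 23:
            by_src[f["src"]].append((f["ts"], f["dst"]))
    hits = {}
    for src, events in by_src.items():
        peak = _peak_distinct(events, window)
        if peak >= min_targets:
            hits[src] = peak
    return hits


def find_udp_floods(flows, min_sources=20, window=10):
    """Destinations receiving UDP from >= min_sources distinct sources inside `window` seconds.
    Returns {dst_ip: peak_distinct_sources}."""
    by_dst = defaultdict(list)
    for f in flows:
        if f["proto"] == "UDP":
            by_dst[f["dst"]].append((f["ts"], f["src"]))
    hits = {}
    for dst, events in by_dst.items():
        peak = _peak_distinct(events, window)
        if peak >= min_sources:
            hits[dst] = peak
    return hits


if __name__ == "__main__":
    flows = parse_flows(build_sample_flows())
    print("Telnet scanners:", find_telnet_scanners(flows))
    print("UDP flood targets:", find_udp_floods(flows))
```

On a home or campus network the scanner rule is the more useful of the two: an ISP or university seeing one of its own customer routers open hundreds of TCP/23 connections to distinct external hosts has found a recruited bot before it is ever used in a flood. The flood rule is what the victim sees, and the count of distinct sources is what distinguishes a botnet flood from a handful of noisy clients.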
## Response Actions
- **Containment measures:** Victims implemented mitigation techniques to filter malicious DDoS traffic.
- **Eradication steps:** The primary defense described was for *owners* of routers to change the default passwords, removing their devices from the pool the botnet could recruit from. Changing the password prevents re-infection; code already running on a device typically persists until the router is rebooted or reflashed.
- **Recovery actions:** Restoring service availability after mitigating the flood of attack traffic.
## Lessons Learned
- **Key takeaways:** Default credentials on internet-exposed IoT and network devices (routers in particular) represent a massive, easily exploitable attack surface.
- **What could have been done better:** Equipment manufacturers and ISPs should enforce stronger initial setup (for example, unique per-device passwords and a forced password change on first login) so that devices cannot be recruited into botnets via default passwords.
## Recommendations
- **Prevention measures for similar incidents:**
1. Immediately change all default usernames and passwords on every router, modem, and IoT device.
2. Disable Telnet access on devices if possible, favoring secure protocols like SSH.
3. Ensure router firmware is updated to patch known vulnerabilities.
4. Disable remote management features unless absolutely necessary.
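The four recommendations above can be applied as a single audit over an inventory of devices. The block below is an added example for this page, not a tool from the original article: the device records and their field names (`username`, `password`, `telnet_enabled`, `wan_management_enabled`, `firmware`) are a constructed inventory format, the default-credential list contains the pairs named in the report plus a few other widely shipped defaults, and the "latest firmware" version must be supplied from the vendor rather than guessed.

```python
"""Audit router inventory records against the four recommendations in the report.
Added example (not from the original article); record format is assumed.
"""

# Factory-default pairs: the two named in the report plus other commonly shipped ones.
KNOWN_DEFAULT_CREDS = {
    ("admin", "admin"), ("root", "12345"), ("admin", "password"),
    ("admin", ""), ("root", "root"), ("user", "user"),
}
MIN_PASSWORD_LEN = 12  # assumed policy value


def version_tuple(v):
    """'1.2.10' -> (1, 2, 10) so that versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def audit_router(cfg, latest_firmware):
    """Return a list of (severity, finding) tuples for one device record.
    An empty list means the device satisfies all four recommendations."""
    findings = []
    cred = (cfg["username"], cfg["password"])
    # 1. Default credentials are the initial-access vector the report describes.
    if cred in KNOWN_DEFAULT_CREDS:
        findings.append(("critical", f"factory-default credentials {cred[0]}/{cred[1]!r} still in use"))
    elif len(cfg["password"]) < MIN_PASSWORD_LEN:
        findings.append(("high", f"admin password shorter than {MIN_PASSWORD_LEN} characters"))
    # 2. Telnet is the service the botnet scanned for.
    if cfg.get("telnet_enabled"):
        findings.append(("high", "Telnet enabled; disable it and use SSH if shell access is needed"))
    # 4. Remote (WAN-side) management exposes the admin interface to the internet.
    if cfg.get("wan_management_enabled"):
        findings.append(("high", "remote management reachable from the WAN side"))
    # 3. Out-of-date firmware leaves known vulnerabilities unpatched.
    if version_tuple(cfg["firmware"]) < version_tuple(latest_firmware):
        findings.append(("medium", f"firmware {cfg['firmware']} older than vendor release {latest_firmware}"))
    return findings


def audit_inventory(devices, latest_firmware):
    """Map device name -> findings, for every device in a constructed inventory."""
    return {d["name"]: audit_router(d, latest_firmware) for d in devices}


# Constructed inventory: one device as shipped, one hardened per the recommendations.
SAMPLE_DEVICES = [
    {"name": "cpe-shipped", "username": "admin", "password": "admin",
     "telnet_enabled": True, "wan_management_enabled": True, "firmware": "1.0.3"},
    {"name": "cpe-hardened", "username": "netadmin", "password": "x7Q!vR2m#Lp9wTz",
     "telnet_enabled": False, "wan_management_enabled": False, "firmware": "1.2.0"},
]
VENDOR_LATEST = "1.2.0"  # assumed; take this from the vendor's release notes

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_DEVICES, VENDOR_LATEST).items():
        print(name, "OK" if not findings else "")
        for severity, text in findings:
            print(f"  [{severity}] {text}")
```

The severity ordering reflects the report: a default credential on a Telnet-reachable device is exactly what recruited the botnet, so it outranks an old firmware version. The version comparison is done on integer tuples because a string comparison would rank "1.10.0" below "1.9.0".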