Author of record-setting IoT botnets pleads guilty
A 21-year-old has pleaded guilty to operating the Satori botnet – made up of Internet of Things (IoT) devices – and at least two other botnets; to running a DDoS-for-hire service; to cooking up one of the evolving line of botnets while he was indicted and under supervised release; and to swatting one of his former chums, also while on supervised release.
Satori did massive damage: it and its iterations would be unleashed in record-setting distributed denial-of-service (DDoS) attacks that enslaved more than 800,000 devices – things like home routers, security cameras and webcams – and flattened ISPs, online gaming platforms and web hosting companies.
The guilty plea was filed on behalf of Kenneth Currin Schuchman, from Vancouver, Wash., on Tuesday in federal court in Anchorage, Alaska. He was indicted a year ago on two counts of fraud and related activity in connection with a computer, but in the plea agreement he struck with prosecution, he pleaded guilty to just one of them.
Schuchman admitted that he and two co-conspirators – “Vamp” and “Drake,” both of whom are known by the law – operated the botnets Satori, Masuta and Okiru. Over time, they nurtured those botnets, fattening them on more and more devices to make them ever-more powerful and complex.
The co-conspirators used their botnets to launch attacks, but their primary goal was to make money from renting them out.
These DDoS-for-hire services can be purchased from so-called “booter” websites.
Such websites sell high-bandwidth internet attack services under the guise of “stress testing.” One example is Lizard Squad, which, until its operators were busted in 2016, rented out its LizardStresser attack service …an attack service that was, suitably enough, given a dose of its own medicine when it was hacked in 2015.
Of the trio, Schuchman specialized in finding vulnerabilities in IoT devices that could be exploited at scale. “Specialize” might be a bit too fancy a term: “run an online search” might be more like it. According to the plea agreement, the vulnerabilities often included default usernames and passwords, for example.
They’re all too easy to find, since researchers have found that the manufacturers of off-the-shelf IoT gadgets often post default passwords online in order to aid in quick device setup.
Using such default credential pairs, Schuchman and his buddies managed to compromise not only individual devices but entire categories of devices that shared the same vulnerability, as the plea agreement described.
From at least July 2017 until at least July 2018, Schuchman and his co-conspirators, who aren’t named in the indictment, rented out access to an evolving series of DDoS botnets. They were initially based on source code from Mirai – the botnet that was the subject of Schuchman’s previous prosecution in Alaska and which, in 2016, targeted security journalist Brian Krebs in what experts said at the time was the biggest DDoS attack in public internet history.
Over the course of that year, Vamp was the primary developer and coder, while Drake managed sales and customer support. Schuchman, besides researching new vulnerabilities, also helped out with botnet development.
In August 2018, the trio named one of their botnets Satori. That one built on Mirai by targeting devices with Telnet vulnerabilities. It also used an improved scanning system that was borrowed from another DDoS botnet, Remaiten. Mirai would go on to compromise 100,000 devices. The conspirators unleashed this version of Satori on a range of victims in the US, including a large ISP, popular online gaming services, prominent internet hosting companies, and hosting companies specializing in DDoS mitigation.
At the same time, Schuchman bragged about compromising another 32,000 devices belonging to a large Canadian ISP. He used the added might of those devices to attack targets with bandwidth of about 1TB per second. He also bragged about causing a dramatic increase to internet latency on a national level with a test attack.
In September or October 2017, the trio, along with other co-conspirators, made yet more improvements to Satori, which they rechristened “Okiru.” They used Okiru to compromise vulnerable devices, including exploiting flaws in customized versions of GoAhead web servers embedded in wireless surveillance cameras.
The next botnet version, which arrived in November 2017, was dubbed Masuta. It targeted vulnerable Huawei and Gigabit Passive Optical Network (GPON) fiber-optic networking devices. That one infected up to 700,000 compromised nodes.