Tuesday 11 April 2017

BrickerBot malware threatens to brick insecure IoT devices

[Image: Command sequence of BrickerBot.1]

A NEW THREAT called 'BrickerBot' is targeting insecure Internet of Things (IoT) devices, but rather than harnessing them to a distributed denial of service (DDoS) network, it threatens to permanently brick them instead.

The malware was detected on honeypot servers maintained by the DDoS protection company Radware, which describes the type of attack as a "permanent denial-of-service" (PDoS).

"Over a four-day period, Radware's honeypot recorded 1,895 PDoS attempts performed from several locations around the world. Its sole purpose was to compromise IoT devices and corrupt their storage," warned the company in a Threat Advisory.

The company claims to have picked up two distinct waves of what it has called BrickerBot, coming from different botnets. The second, it claims, was concealed behind Tor exit nodes.

"The BrickerBot PDoS attack used Telnet brute force - the same exploit vector used by Mirai - to breach a victim's devices. Bricker does not try to download a binary, so Radware does not have a complete list of credentials that were used for the brute force attempt, but was able to record that the first attempted username/password pair was consistently 'root'/'vizxv'," warned the company.

IoT devices with hard-coded credentials, of which there are some, could therefore quickly be rendered useless by such a targeted attack.

"Upon successful access to the device, the PDoS bot performed a series of Linux commands that would ultimately lead to corrupted storage, followed by commands to disrupt Internet connectivity, device performance, and the wiping of all files on the device…

"Among the special devices targeted are /dev/mtd (Memory Technology Device - a special device type to match flash characteristics) and /dev/mmc (MultiMediaCard - a special device type that matches memory card standard, a solid-state storage medium).

"The sysctl commands attempt to reconfigure kernel parameters: net.ipv4.tcp_timestamps=0 disables TCP timestamps, which does not affect local LAN IPv4 connectivity, but seriously impacts the internet communication, and kernel.threads-max=1 limits the max number of kernel threads to one."

The researchers suggest that the version of BrickerBot they have picked up is targeted at Linux/BusyBox IoT devices that have their Telnet ports open and publicly exposed to the internet - the same as the devices targeted by Mirai.
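The indicators Radware lists above (a Telnet login with the Mirai-style 'root'/'vizxv' pair, sysctl writes that set net.ipv4.tcp_timestamps=0 and kernel.threads-max=1, and commands that reference the /dev/mtd or /dev/mmc flash devices) are enough to recognise a BrickerBot-style session in a Telnet honeypot log. The following is an added detection example, not code from the article or from Radware. It assumes a hypothetical honeypot log format of its own, and the sample log lines are constructed for illustration; the storage-corrupting command body is elided because only the targeted device file matters to the rule.

```python
import re
from dataclasses import dataclass, field

# Indicators quoted from the Radware advisory in the article above.
SYSCTL_INDICATORS = ("net.ipv4.tcp_timestamps=0", "kernel.threads-max=1")
STORAGE_DEVICE_RE = re.compile(r"/dev/(?:mtd|mmc)\S*")
DEFAULT_CREDENTIAL = ("root", "vizxv")

# Hypothetical honeypot log format (an assumption made for this example):
#   <timestamp> <source-ip> LOGIN user=<u> pass=<p> result=<ok|fail>
#   <timestamp> <source-ip> CMD <command line as typed by the client>
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<kind>LOGIN|CMD)\s+(?P<rest>.*)$")
LOGIN_RE = re.compile(r"user=(?P<user>\S+)\s+pass=(?P<pw>\S+)\s+result=(?P<res>\S+)")

# Constructed sample log: one PDoS-style session, one brute-force attempt
# that failed, and one unremarkable administrative session.
SAMPLE_LOG = """\
2017-04-05T10:12:01Z 198.51.100.7 LOGIN user=root pass=vizxv result=ok
2017-04-05T10:12:02Z 198.51.100.7 CMD busybox ... >/dev/mtd0
2017-04-05T10:12:03Z 198.51.100.7 CMD sysctl -w net.ipv4.tcp_timestamps=0
2017-04-05T10:12:03Z 198.51.100.7 CMD sysctl -w kernel.threads-max=1
2017-04-05T10:14:10Z 192.0.2.44 LOGIN user=root pass=vizxv result=fail
2017-04-05T10:15:40Z 203.0.113.9 LOGIN user=admin pass=s3cret result=ok
2017-04-05T10:15:41Z 203.0.113.9 CMD uptime
"""


@dataclass
class Session:
    """Per-source-IP tally of the BrickerBot indicators seen in the log."""
    src: str
    default_cred_attempt: bool = False      # Mirai-style credential tried (ok or fail)
    sysctl_hits: list = field(default_factory=list)   # kernel parameters tampered with
    storage_hits: list = field(default_factory=list)  # flash device files referenced

    def verdict(self) -> str:
        # Any reference to the flash devices after a Telnet login is the
        # distinguishing PDoS step; credentials or sysctl alone are only suspicious.
        if self.storage_hits:
            return "pdos"
        if self.default_cred_attempt or self.sysctl_hits:
            return "suspicious"
        return "benign"


def analyse(lines):
    """Group log lines by source IP and record which indicators each one hit."""
    sessions = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate lines that do not follow the assumed format
        s = sessions.setdefault(m["src"], Session(m["src"]))
        if m["kind"] == "LOGIN":
            lm = LOGIN_RE.match(m["rest"])
            # A failed attempt with this pair is still a brute-force indicator.
            if lm and (lm["user"], lm["pw"]) == DEFAULT_CREDENTIAL:
                s.default_cred_attempt = True
        else:
            cmd = m["rest"]
            for indicator in SYSCTL_INDICATORS:
                if indicator in cmd:
                    s.sysctl_hits.append(indicator)
            s.storage_hits.extend(STORAGE_DEVICE_RE.findall(cmd))
    return sessions


def classify(log_text: str) -> dict:
    """Map each source IP in the log to its verdict."""
    return {src: s.verdict() for src, s in analyse(log_text.splitlines()).items()}


if __name__ == "__main__":
    for src, verdict in classify(SAMPLE_LOG).items():
        print(f"{src:15} {verdict}")
```

The rule deliberately keys on the device files rather than on a particular command, since the advisory describes a series of commands rather than one fixed string; a defender tuning this for a real honeypot would extend STORAGE_DEVICE_RE and SYSCTL_INDICATORS as further samples are captured.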

The authors of BrickerBot, and the people behind the wave of attacks picked up by Radware, are currently unknown. It may be malicious in intent, but equally, it could be intended to take known vulnerable devices offline so that they pose no threat in future.
