DHS's ICS-CERT warns of BrickerBot: IoT malware that will brick vulnerable devices
Since the emergence of Mirai, you may have wondered whether your IoT device has ever been infected with malware; you may even have rebooted the device, which clears a Mirai infection because the bot lives only in memory. But if your IoT device becomes infected with BrickerBot, you will know, because the malware will “brick” it. Just the same, some people will believe the hardware failed.
Radware security researchers previously said BrickerBot malware was responsible for permanent denial of service attacks (PDoS) that would “destroy” the infected devices. PDoS, also known as “phlashing,” is “an attack that damages a system so badly that it requires replacement or reinstallation of hardware. By exploiting security flaws or misconfigurations, this type of cyberattack can destroy the firmware and/or basic functions of a system.”
The two versions of BrickerBot, BrickerBot.1 and BrickerBot.2, use “Telnet brute force - the same exploit vector used by Mirai - to breach a victim’s devices.” BrickerBot.1 quickly dropped off the radar, but the second version, which routes its attacks through TOR exit nodes to conceal their source, did not.
Once it has logged in to the device, the Permanent Denial of Service bot runs a sequence of Linux commands that corrupts the device’s storage, followed by commands that break its internet connectivity, degrade its performance and wipe every file on it.
The discovery of BrickerBot prompted Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) to issue an advisory that “‘BrickerBot’ attacks, which exploit hard-coded passwords in IoT devices” as well as “exposed SSH, and brute force Telnet” will “cause a permanent denial of service.”
Yesterday, ICS-CERT updated the advisory with more information, including: “BrickerBot.2 targets Linux-based devices which may or may not run BusyBox and which expose a Telnet service protected by default or hard-coded passwords. The source of the attacks is concealed by TOR exit nodes. No information is available at this time about the type and number of devices used in performing these attacks.”
In a press release issued on Tuesday, Radware explained, “The attacks are performed remotely using commands that could ultimately corrupt storage, break connectivity and render the device nonfunctional. The attacks specifically target Linux/BusyBox-based IoT devices connected to the internet. The discovered attacks were using the same exploit vector as Mirai, brute forcing their way in through Telnet.”
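The brute-force stage described above leaves a trail in the device’s own logs, which is the earliest point at which an owner or a syslog collector can catch it. The following POSIX sh script is an added example, not code from the article, Radware or ICS-CERT: it counts failed Telnet logins per source address and separately flags any source that logs in successfully after failing, the signature of a guessed default password. The syslog line format and the sample lines are constructed assumptions modelled on BusyBox `login` messages, so adjust the match patterns to whatever your device actually writes; only awk is used, so it runs under BusyBox as well as on a collector.

```shell
#!/bin/sh
# Added example (not from the article, Radware or ICS-CERT): spot Telnet
# brute-force sources in a syslog extract. Only POSIX sh and awk are used,
# so it also runs under BusyBox. The line format below is an assumption
# modelled on BusyBox login failures; adapt the patterns to your device.

# Print "<ip> <failures>" for every source with at least $2 (default 5)
# failed logins recorded in the log file $1.
telnet_bruteforce_sources() {
    awk -v t="${2:-5}" '
        /invalid password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i+1)]++
        }
        END { for (ip in fails) if (fails[ip] >= t) print ip, fails[ip] }
    ' "$1"
}

# Print "<ip> <failures>" for every source that logged in successfully after
# one or more failures: the pattern left by a guessed default password.
telnet_success_after_failures() {
    awk '
        /invalid password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i+1)]++
        }
        /logged in on/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from" && fails[$(i+1)] > 0) print $(i+1), fails[$(i+1)]
        }
    ' "$1"
}

# Constructed sample log (not a real capture): one source hammers root, admin
# and support accounts; another guesses root on its second try.
LOG="${TMPDIR:-/tmp}/telnet_sample.log"
cat > "$LOG" <<'EOF'
Apr 13 10:01:02 cam login[411]: invalid password for root on pts/0 from 203.0.113.7
Apr 13 10:01:03 cam login[412]: invalid password for root on pts/0 from 203.0.113.7
Apr 13 10:01:03 cam login[413]: invalid password for admin on pts/0 from 203.0.113.7
Apr 13 10:01:04 cam login[414]: invalid password for root on pts/0 from 203.0.113.7
Apr 13 10:01:05 cam login[415]: invalid password for support on pts/0 from 203.0.113.7
Apr 13 10:02:00 cam login[420]: invalid password for root on pts/1 from 198.51.100.9
Apr 13 10:02:30 cam login[421]: root logged in on pts/1 from 198.51.100.9
EOF

echo "sources over threshold:"
telnet_bruteforce_sources "$LOG" 5
echo "successful login after failures:"
telnet_success_after_failures "$LOG"
```

The second check matters more than the first: a source that trips the threshold is noise you will see from the whole internet, but a source that fails and then gets in has found working credentials, and on a device that can be bricked that is the moment to pull the plug rather than wait for the log to stop.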
“We coined it ‘BrickerBot’ because instead of enslaving IoT devices, like Mirai does, it attempts to destroy or ‘brick’ them,” said Pascal Geenens, the Radware researcher who discovered BrickerBot. “Most consumers of such devices might never know they were the victim of malware. Their device would just stop working and the natural inclination is to think they purchased faulty hardware.”
Radware ran real-world tests by infecting IP cameras with BrickerBot so they would stop working. The researchers determined, “Unfortunately, even after performing the factory reset, the camera was not recovered and hence it was effectively bricked.”
Bleeping Computer believes BrickerBot may be the work of an internet vigilante as it uses the same list of known default credentials targeted by Mirai. But unlike the IoT malware Hajime, which also uses the same list of credentials as Mirai, BrickerBot isn’t trying to secure poorly secured IoT devices. Instead, BrickerBot attacks kill vulnerable devices; that’s one particularly punitive way to stop them from being infected by other IoT malware.
As for mitigation, change the flipping default credentials, update to the latest firmware, disable Telnet access to your IoT devices, and don’t leave SSH exposed to the internet either, since ICS-CERT lists it alongside Telnet as a vector.
Hajime: White hat's IoT malware improves security
Not that you want your insecure IoT device to be infected by any malware, but if it were, then you should hope it was hit with Hajime. Symantec reported, “Once the worm is installed, it does improve the security of the device. It blocks access to ports 23, 7547, 5555, and 5358, which are all ports hosting services known to be exploitable on many IoT devices.”
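The mitigation advice earlier in the article (disable Telnet) and the port blocking Symantec attributes to Hajime are both things a device owner can do deliberately rather than wait for a worm to do them. The script below is an added hardening example, not code from the article, Symantec or any vendor: it emits (or, with `apply`, runs) iptables rules dropping inbound TCP to the four ports Hajime closes, and it comments out the telnetd entry in a BusyBox-style inittab so init stops respawning the daemon. The inittab layout and the sample file are assumptions; the demo edits a temporary copy, never the real `/etc/inittab`.

```shell
#!/bin/sh
# Added hardening example for a BusyBox-based device; not from the article,
# Symantec or any vendor. Assumptions: telnetd is started from a BusyBox-style
# /etc/inittab, and iptables with the filter table is available on the device.

# Ports Hajime closes, per the Symantec quote above: Telnet, TR-069/CWMP,
# Android Debug Bridge and WS-Discovery (WSDAPI). Only the first is usually
# safe to block blindly; see the note after the script.
HARDEN_PORTS="23 7547 5555 5358"

# Emit (default) or apply ($1 = "apply", needs root) an iptables rule that
# drops inbound TCP to each port. Rules are inserted at the top of INPUT so
# they take effect regardless of what the firmware's own chain does.
harden_port_rules() {
    mode="${1:-print}"
    for p in $HARDEN_PORTS; do
        rule="iptables -I INPUT -p tcp --dport $p -j DROP"
        if [ "$mode" = "apply" ]; then
            $rule
        else
            printf '%s\n' "$rule"
        fi
    done
}

# Comment out every active telnetd line in the inittab given as $1 so init does
# not respawn the daemon after a reboot. Returns 1 if no active entry exists.
# The daemon already running still has to be stopped by hand (killall telnetd).
disable_telnetd_in_inittab() {
    f="$1"
    grep -q '^[^#].*telnetd' "$f" || return 1
    sed 's/^\([^#].*telnetd.*\)$/#\1/' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Constructed sample inittab (assumption: BusyBox layout), written to a temp
# file so the demo does not touch the real /etc/inittab.
INITTAB="${TMPDIR:-/tmp}/inittab.sample"
cat > "$INITTAB" <<'EOF'
::sysinit:/etc/init.d/rcS
::respawn:/sbin/getty -L ttyS0 115200 vt100
::respawn:/usr/sbin/telnetd -l /bin/login
::ctrlaltdel:/sbin/reboot
EOF

echo "firewall rules (dry run):"
harden_port_rules
disable_telnetd_in_inittab "$INITTAB"
echo "inittab after edit:"
cat "$INITTAB"
```

Two caveats before running this with `apply` on a real device. First, 7547 is the TR-069 port your ISP may use to manage a router, so dropping it can silently break remote provisioning; block it only on devices that are not managed that way. Second, iptables rules on these devices live in kernel memory and vanish at reboot unless the firmware has a hook to restore them, whereas the inittab edit survives a reboot; disabling Telnet is therefore the change that actually closes the door BrickerBot and Mirai walk through, and the firewall rules are a stopgap for ports whose service you cannot turn off.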
Marshal Webb, CTO at BackConnect, likened Hajime to “Mirai on steroids.” It communicates over a peer-to-peer network instead of taking commands from a command-and-control server as Mirai does, and it conceals its files and running processes. Webb added, “Hajime is much, much more advanced than Mirai. It has a more effective way to do command and control.”
Hajime has no DDoS capability; instead, it pushes out a cryptographically signed message every 10 minutes. The message, according to Symantec, states:
Just a white hat, securing some systems.
Important messages will be signed like this!