BrickerBot malware zeroes in on Linux-based IoT devices

In its 2017 malware forecast, SophosLabs warned that attackers would increasingly target devices connected to the Internet of Things (IoT) – everything from webcams to internet-connected household appliances. Late last week, we saw another example of how the trend is playing out.

Security vendor Radware warned that malware called BrickerBot is in the wild, designed to brick IoT devices by corrupting their storage and scrambling kernel parameters. The company detected two versions of the malware in its honeypot servers – BrickerBot.1 and BrickerBot.2. The first attacks were detected March 20, targeting Linux-based IoT devices running the BusyBox toolkit. Over four days, the honeypot recorded 1,895 PDoS (Permanent Denial of Service) attempts by BrickerBot from several locations around the world.

To block the attack, Radware recommended that users:

  • Change the device’s factory default credentials.
  • Disable Telnet access to the device.
  • Use network behavioral analysis to detect anomalies in traffic, combined with automatic signature generation for protection.
  • Use user/entity behavioral analysis (UEBA) to spot granular anomalies in traffic early.
  • Configure an IPS to block Telnet logins with default credentials or to reset Telnet connections, and use a signature to detect the command sequences Radware provided.
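The following Python script is an added illustration of the last two recommendations; it is not Radware's published signatures or code from the original article. It reads constructed telnet honeypot session records and flags a session as a PDoS attempt when a login used a factory default credential pair and was followed by a command that writes to a raw storage device or changes kernel parameters, the two effects attributed to BrickerBot above. The record format, the credential list, the command patterns and the sample records are all assumptions.

```python
"""Flag telnet honeypot sessions that look like a BrickerBot-style PDoS attempt.

Added example, not Radware's published signatures or the article's code.
The record format, the default-credential list and the command heuristics
below are assumptions made for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed list of factory-default username/password pairs (assumption).
DEFAULT_CREDENTIALS = {
    ("root", "root"), ("admin", "admin"), ("admin", "1234"),
    ("root", "12345"), ("root", ""),
}

# Assumed heuristics for the two effects the article attributes to BrickerBot:
# corrupting storage and scrambling kernel parameters.
DESTRUCTIVE_PATTERNS = [
    (re.compile(r"\bdd\b.*\bof=/dev/(mtd|mmcblk|sd[a-z]|hd[a-z])"),
     "raw write to a storage device"),
    (re.compile(r"\bsysctl\s+-w\b"), "kernel parameter change"),
    (re.compile(r">\s*/proc/sys/"), "kernel parameter change via /proc/sys"),
    (re.compile(r"\brm\s+-rf\s+/(\s|$)"), "recursive delete of the root filesystem"),
    (re.compile(r"\bmkfs(\.\w+)?\b"), "filesystem reformat"),
]

# Assumed honeypot record format:
#   "<timestamp> <source-ip> LOGIN user=<name> pass=<password>"
#   "<timestamp> <source-ip> CMD <command line as typed>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<kind>LOGIN|CMD)\s+(?P<rest>.*)$"
)
LOGIN_RE = re.compile(r"user=(?P<user>\S*)\s+pass=(?P<pw>\S*)")


@dataclass
class SessionVerdict:
    src: str
    default_credential_login: bool = False
    destructive_commands: list[tuple[str, str]] = field(default_factory=list)

    @property
    def is_pdos_attempt(self) -> bool:
        # Both halves are required: a weak login alone is a hygiene finding,
        # and a destructive command alone could be an administrator.
        return self.default_credential_login and bool(self.destructive_commands)


def analyze_sessions(lines):
    """Group honeypot records by source IP and return {src: SessionVerdict}."""
    verdicts: dict[str, SessionVerdict] = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrecognised record; skip rather than guess
        src, kind, rest = m["src"], m["kind"], m["rest"]
        v = verdicts.setdefault(src, SessionVerdict(src))
        if kind == "LOGIN":
            lm = LOGIN_RE.search(rest)
            if lm and (lm["user"], lm["pw"]) in DEFAULT_CREDENTIALS:
                v.default_credential_login = True
        else:
            for pattern, reason in DESTRUCTIVE_PATTERNS:
                if pattern.search(rest):
                    v.destructive_commands.append((rest, reason))
                    break
    return verdicts


def flagged_sources(lines):
    """Source IPs whose session meets the PDoS heuristic, sorted."""
    return sorted(src for src, v in analyze_sessions(lines).items() if v.is_pdos_attempt)


# Constructed sample honeypot records (documentation IP ranges, invented commands).
SAMPLE_HONEYPOT_LOG = """\
2017-03-20T10:15:02Z 203.0.113.7 LOGIN user=root pass=root
2017-03-20T10:15:03Z 203.0.113.7 CMD busybox cat /proc/mounts
2017-03-20T10:15:04Z 203.0.113.7 CMD dd if=/dev/urandom of=/dev/mtdblock0 bs=1M
2017-03-20T10:15:05Z 203.0.113.7 CMD sysctl -w kernel.panic=1
2017-03-20T10:16:10Z 198.51.100.4 LOGIN user=admin pass=Tr0ub4dor-7
2017-03-20T10:16:11Z 198.51.100.4 CMD ls /etc
2017-03-20T10:17:30Z 192.0.2.9 LOGIN user=admin pass=admin
2017-03-20T10:17:31Z 192.0.2.9 CMD cat /proc/cpuinfo
""".splitlines()

if __name__ == "__main__":
    for src, v in analyze_sessions(SAMPLE_HONEYPOT_LOG).items():
        status = "PDoS attempt" if v.is_pdos_attempt else (
            "default credential login" if v.default_credential_login else "benign")
        print(f"{src:15} {status}")
        for cmd, reason in v.destructive_commands:
            print(f"    {reason}: {cmd}")
```

Only the first source is reported as a PDoS attempt: the third source logs in with a default credential but runs nothing destructive, which is still worth reporting separately as evidence that the first recommendation above (change the factory default credentials) has not been followed.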

The rising tide of IoT threats

Such IoT threats are something SophosLabs has warned about for the last several months. IoT threats had been discussed for years in largely theoretical terms, but the theoretical turned into reality last October when Mirai malware was used to hijack internet-facing webcams and other devices into massive botnets that were then used to launch a coordinated assault against Dyn, one of several companies providing Domain Name System (DNS) hosting. That attack crippled such major sites as Twitter, PayPal, Netflix and Reddit.

The rise of IoT attacks led SophosLabs’ 2017 malware forecast, and BrickerBot’s taste for Linux-based devices is consistent with the report’s findings.

The frequency and complexity of Linux malware rose throughout 2016. One malware sample described in the report was built to evade signature-based AV detection with frequent changes to its static content, encrypted/obfuscated strings and even some rudimentary modification of the UPX packer.

SophosLabs noticed one family that was far more active than any of the others – Linux/DDoS-BI, also known as Gayfgt – which spread by simply scanning large IP blocks and attempting to brute-force SSH logins. It targeted low-hanging fruit such as any device still using its factory default password. (Note how in the defensive measures for BrickerBot above, the first recommendation is to change the factory-set password.)
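An added example of what that scanning looks like from the victim's side, written for this page and not taken from the SophosLabs report: the Python below reads standard sshd "Failed password" lines and flags any source IP that accumulates a threshold of failed logins inside a sliding time window. The threshold, the window, the assumed log year (syslog timestamps carry none) and the sample log lines are constructed assumptions; the sshd line format is the real one.

```python
"""Detect SSH password brute-forcing in sshd log lines.

Added example, not code from the SophosLabs report. Counts failed password
attempts per source IP inside a sliding window, which is how an IP-block
scanner trying default passwords shows up in an auth log. The threshold,
window, assumed year and sample lines are constructed for illustration.
"""
from __future__ import annotations

import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Standard sshd failure line. The optional "invalid user" prefix appears when
# the username does not exist on the host, which is typical of default-password
# scanners that try a fixed list of account names.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


@dataclass
class BruteForceAlert:
    src: str
    attempts: int               # total failed logins seen from this source
    users: set[str] = field(default_factory=set)  # account names tried


def detect_ssh_bruteforce(lines, threshold=5, window_seconds=60, year=2017):
    """Return {src_ip: BruteForceAlert} for every source that produced at least
    `threshold` failed password attempts within any `window_seconds` span.
    `year` is an assumption because syslog timestamps omit it."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    total = defaultdict(int)      # src -> all failures seen
    users = defaultdict(set)      # src -> usernames tried
    flagged = set()
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        src, user = m["src"], m["user"]
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop failures that fell out of the window
        total[src] += 1
        users[src].add(user)
        if len(q) >= threshold:
            flagged.add(src)
    return {src: BruteForceAlert(src, total[src], users[src]) for src in sorted(flagged)}


# Constructed sample auth log (documentation IP ranges). 203.0.113.7 hammers the
# host within seconds; 192.0.2.9 tries the same account slowly, five minutes apart.
SAMPLE_AUTH_LOG = """\
Mar 20 10:15:01 cam01 sshd[4021]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar 20 10:15:02 cam01 sshd[4023]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Mar 20 10:15:04 cam01 sshd[4025]: Failed password for invalid user pi from 203.0.113.7 port 51240 ssh2
Mar 20 10:15:05 cam01 sshd[4027]: Failed password for root from 203.0.113.7 port 51244 ssh2
Mar 20 10:15:07 cam01 sshd[4029]: Failed password for invalid user user from 203.0.113.7 port 51248 ssh2
Mar 20 10:15:09 cam01 sshd[4031]: Failed password for root from 203.0.113.7 port 51252 ssh2
Mar 20 10:20:00 cam01 sshd[4100]: Failed password for alice from 198.51.100.4 port 40022 ssh2
Mar 20 10:20:06 cam01 sshd[4102]: Accepted password for alice from 198.51.100.4 port 40022 ssh2
Mar 20 11:00:00 cam01 sshd[4200]: Failed password for root from 192.0.2.9 port 33001 ssh2
Mar 20 11:05:00 cam01 sshd[4210]: Failed password for root from 192.0.2.9 port 33005 ssh2
Mar 20 11:10:00 cam01 sshd[4220]: Failed password for root from 192.0.2.9 port 33009 ssh2
Mar 20 11:15:00 cam01 sshd[4230]: Failed password for root from 192.0.2.9 port 33013 ssh2
Mar 20 11:20:00 cam01 sshd[4240]: Failed password for root from 192.0.2.9 port 33017 ssh2
""".splitlines()

if __name__ == "__main__":
    for label, window in (("60s window", 60), ("30min window", 1800)):
        print(label)
        for a in detect_ssh_bruteforce(SAMPLE_AUTH_LOG, window_seconds=window).values():
            print(f"  {a.src:15} {a.attempts} failures, users tried: {sorted(a.users)}")
```

With the default 60-second window only the fast scanner is reported; the slow one, five attempts at five-minute intervals, only appears when the window is widened to 30 minutes. A single user's one typo followed by a successful login is never flagged, which is the false-positive case a threshold-based rule has to tolerate.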

Governments are worried

The IoT threat has steadily moved up the list of concerns among government bodies. Last month, Britain’s newly opened National Cyber Security Centre (NCSC) joined with the UK’s National Crime Agency to warn people about Internet of Things devices.

In the US, the worries prompted the Federal Trade Commission (FTC) to launch a competition challenging the public to create a technical solution that would, at a minimum, help protect consumers from security vulnerabilities caused by out-of-date software in IoT devices. Contestants have the option of adding features, such as ones that address hard-coded, factory default or easy-to-guess passwords. The prize for the competition is up to $25,000, with $3,000 for each honorable mention.

The submission deadline is May 22 at noon Eastern time. Winners will be announced on or about July 27.