BrickerBot: IoT Malware

Original Issue Date:- April 25, 2017
Virus Type:- Worm/Backdoor
Severity:- High

It has been reported that malware named "BrickerBot" (also written "BrickBot") is spreading widely. The malware mainly targets Internet of Things (IoT) devices and is believed to build on existing variants of the Mirai malware. It is capable of forming a botnet and exploits hard-coded passwords in IoT devices in order to launch permanent denial-of-service (PDoS) attacks, which leave the device unusable rather than merely unavailable for a time. The malware scans for devices with an open Telnet port and, once one is found, performs a Telnet brute-force attack against the device's hard-coded credentials.


The malware is capable of performing the following functions:

  • Exploits hard-coded passwords in IoT devices and corrupts their storage.
  • Can permanently damage the device by overwriting its flash storage, leaving it unusable ("bricked").
  • Disrupts internet connectivity, degrades device performance and wipes files on the compromised device.
  • Performs Telnet brute-force attacks against exposed Telnet services.
  • Targets the device's flash storage through device nodes such as "/dev/mtd" (Memory Technology Device) and "/dev/mmc" (MultiMediaCard).
  • Targets devices with port 22 open and running old versions of the Dropbear SSH server.

The malware operates in two versions, BrickerBot 1 and BrickerBot 2. Details are given below:

BrickerBot 1:

It targets devices which are:


  • Running BusyBox with an exposed Telnet service.
  • Running older versions of the Dropbear SSH server exposed on port 22.
  • Running outdated firmware, in particular Ubiquiti network devices. Note: According to Radware, BrickerBot 1 attacks have ceased.

BrickerBot 2:

It targets devices which are:


  • Linux-based devices, whether or not they run BusyBox.
  • Devices using default or hard-coded passwords together with an exposed Telnet service.
  • The BrickerBot 2 attacks are launched through Tor exit nodes, which conceals the attacker's origin.

Attack Methodology:

  • Performs a Telnet brute-force attack on discovered devices with open Telnet ports.
  • Upon gaining access, the malware executes a series of Linux commands to corrupt storage, disrupt internet connectivity, degrade device performance and wipe files on the compromised device. This command sequence is the PDoS attack itself: no payload is installed, the device is simply destroyed.

Note: Unlike Mirai, this malware does not download any binary onto the victim, so there is no sample from which the complete list of default credentials used by the attacker could be recovered. Some of the credentials observed in the brute-force attempts are "root"/"vizxv" and "root"/"root".
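The brute-force phase described above is the one point where the attack is visible before any damage is done: every guess produces a failed-login record on the device or on a syslog collector. The following detector is an added illustration for this advisory, not code from the advisory or from any BrickerBot sample. It assumes syslog-style lines: the Dropbear "Bad password attempt" wording is Dropbear's own, while the BusyBox `login` line format, the host names, the addresses and the timestamps are constructed for the example. It keeps a per-source sliding window of failures and raises an alert when a source exceeds a threshold inside the window, regardless of whether the guesses came over SSH or Telnet.

```python
"""Flag Telnet/SSH brute-force bursts in device or syslog-collector logs."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample syslog lines (not captured traffic). The Dropbear
# "Bad password attempt" wording is real; the BusyBox login line format is
# an assumption, adjust the regex to what your firmware actually emits.
SAMPLE_LOG = """\
Apr 25 10:00:01 cam01 dropbear[412]: Child connection from 198.51.100.7:40122
Apr 25 10:00:02 cam01 dropbear[412]: Bad password attempt for 'root' from 198.51.100.7:40122
Apr 25 10:00:04 cam01 dropbear[413]: Bad password attempt for 'root' from 198.51.100.7:40130
Apr 25 10:00:06 cam01 dropbear[414]: Bad password attempt for 'root' from 198.51.100.7:40138
Apr 25 10:00:08 cam01 dropbear[415]: Bad password attempt for 'root' from 198.51.100.7:40146
Apr 25 10:00:11 cam01 login[420]: invalid password for 'root' on 'pts/0' from '198.51.100.7'
Apr 25 10:00:13 cam01 login[421]: invalid password for 'root' on 'pts/0' from '198.51.100.7'
Apr 25 10:01:00 cam01 login[430]: invalid password for 'admin' on 'pts/1' from '203.0.113.9'
Apr 25 10:03:00 cam01 login[431]: invalid password for 'admin' on 'pts/1' from '203.0.113.9'
Apr 25 10:05:00 cam01 login[432]: invalid password for 'admin' on 'pts/1' from '203.0.113.9'
Apr 25 10:07:30 cam01 dropbear[440]: Password auth succeeded for 'ops' from 192.0.2.10:51000
"""

TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) ")
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
FAIL_PATTERNS = (
    ("ssh", re.compile(r"dropbear\[\d+\]: Bad password attempt for '(?P<user>[^']+)' "
                       r"from (?P<ip>" + IP + r"):\d+")),
    ("telnet", re.compile(r"login\[\d+\]: invalid password for '(?P<user>[^']+)' "
                          r"on '[^']+' from '(?P<ip>" + IP + r")'")),
)
LOG_YEAR = 2017  # syslog lines carry no year; assumed for the sample


def parse_failure(line):
    """Return {ts, service, user, ip} for a failed-login line, else None."""
    m = TS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    for service, pat in FAIL_PATTERNS:
        hit = pat.search(line)
        if hit:
            return {"ts": ts, "service": service, "user": hit.group("user"), "ip": hit.group("ip")}
    return None


def detect_bruteforce(lines, threshold=5, window_s=60):
    """Sliding-window count of failures per source IP; alert at >= threshold."""
    recent = defaultdict(deque)   # ip -> failures still inside the window
    alerts = {}                   # ip -> summary, ordered by first alert
    for line in lines:
        ev = parse_failure(line)
        if ev is None:
            continue
        q = recent[ev["ip"]]
        q.append(ev)
        while (ev["ts"] - q[0]["ts"]).total_seconds() > window_s:
            q.popleft()           # drop failures older than the window
        if len(q) >= threshold:
            a = alerts.setdefault(ev["ip"], {"ip": ev["ip"], "peak": 0, "services": set(),
                                             "users": set(), "first": q[0]["ts"], "last": ev["ts"]})
            a["peak"] = max(a["peak"], len(q))
            a["last"] = ev["ts"]
            a["services"].update(e["service"] for e in q)
            a["users"].update(e["user"] for e in q)
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{a['ip']}: {a['peak']} failures between {a['first']:%H:%M:%S} and "
              f"{a['last']:%H:%M:%S} via {sorted(a['services'])} for {sorted(a['users'])}")
```

In the sample, 198.51.100.7 makes four SSH guesses and two Telnet guesses within eleven seconds and is flagged with a peak of six failures in the window; 203.0.113.9 makes one guess every two minutes and never reaches the threshold. The alert records can be fed straight into a lockout or firewall rule, which the countermeasures section asks for.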

Countermeasures:

  • Restrict access to the web management interface of IoT devices to authorised users only, and change the default username and password.
  • Change default login credentials before deploying a device in production, and ensure passwords meet minimum complexity requirements.
  • Disable Telnet access to the device.
  • Disable Universal Plug and Play (UPnP) on IoT devices unless it is absolutely required.
  • Users should be aware of the installed devices and their capabilities. If a device comes with a default password or an open Wi-Fi connection, change the password and only allow it to operate on a home network behind a secured Wi-Fi router.
  • Control access to the devices with access control lists.
  • Configure devices to lock or log out and require the user to re-authenticate if left unattended.
  • Identify systems with default passwords and apply the above measures. Systems to examine include routers, switches, web applications and administrative web interfaces, ICS systems, and Telnet and SSH interfaces.
  • Implement account lockout policies to reduce the risk of brute-force attacks.
  • Disable Telnet and SSH on the device if remote management is not required.
  • If remote access is required, reach the device through a VPN or SSH rather than exposing the management service directly.
  • Use key-based (public key) authentication rather than passwords for SSH remote management; Telnet provides no equivalent, which is a further reason to disable it.
  • Implement egress and ingress filtering at the router.
  • Report suspicious entries in router logs to your Internet Service Provider.
  • Keep antivirus software on computer systems up to date.
  • Keep IoT devices, operating systems and applications up to date with patches and fixes.
  • Stop unnecessary services and close unnecessary ports.
  • Enable logging on the device so that all activity is recorded.
  • Enable and monitor perimeter device logs to detect scan attempts against critical devices and systems.
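Most of the measures above are things an inventory can be checked against, and the advisory asks for exactly that ("identify systems with default passwords"). The audit script below is an added example, not tooling from the advisory or any vendor. The inventory record layout, the host names and the policy floor for the Dropbear version (`MIN_DROPBEAR`) are assumptions chosen for illustration; the default credentials `root/vizxv` and `root/root` are the ones this advisory names, and the list should be extended from your own observations. The Dropbear banner format `SSH-2.0-dropbear_YYYY.NN` is the server's real version string.

```python
"""Audit an IoT device inventory against the hardening measures above."""
import re

# Default credentials named in this advisory; extend from your own observations.
KNOWN_DEFAULT_CREDS = {("root", "vizxv"), ("root", "root")}
# Assumed policy floor for the Dropbear version (operator's choice for this
# example, not a statement about which release fixed any particular bug).
MIN_DROPBEAR = (2016, 74)
DROPBEAR_BANNER = re.compile(r"^SSH-2\.0-dropbear_(\d{4})\.(\d+)")

# Constructed inventory records; the field names are an assumption of this example.
SAMPLE_INVENTORY = [
    {"host": "cam01", "telnet": True, "ssh": True, "ssh_banner": "SSH-2.0-dropbear_2012.55",
     "mgmt_acl": False, "user": "root", "password": "vizxv", "upnp": True, "lockout": False},
    {"host": "gw02", "telnet": False, "ssh": True, "ssh_banner": "SSH-2.0-dropbear_2019.78",
     "mgmt_acl": True, "user": "ops", "password": "Tr0ub4dor&3-xyz", "upnp": False, "lockout": True},
]


def dropbear_version(banner):
    """Parse 'SSH-2.0-dropbear_YYYY.NN' into (YYYY, NN); None if not a Dropbear banner."""
    m = DROPBEAR_BANNER.match(banner or "")
    return (int(m.group(1)), int(m.group(2))) if m else None


def password_is_weak(user, password):
    """Return a reason string if the credential fails policy, else None."""
    if (user, password) in KNOWN_DEFAULT_CREDS:
        return "known default credential"
    if len(password) < 12:
        return "shorter than 12 characters"
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    if classes < 3:
        return "fewer than 3 character classes"
    return None


def audit_device(dev):
    """Return the list of findings for one inventory record (empty means compliant)."""
    findings = []
    if dev.get("telnet"):
        findings.append("telnet exposed: disable the service or restrict it to the management network")
    if dev.get("ssh"):
        ver = dropbear_version(dev.get("ssh_banner"))
        if ver is None:
            findings.append("ssh: unrecognised server banner, verify the SSH server version manually")
        elif ver < MIN_DROPBEAR:   # tuple comparison: (year, release)
            findings.append(f"ssh: dropbear {ver[0]}.{ver[1]} is below the policy minimum "
                            f"{MIN_DROPBEAR[0]}.{MIN_DROPBEAR[1]}")
        if not dev.get("mgmt_acl"):
            findings.append("ssh: no access list restricting port 22 to management hosts")
    reason = password_is_weak(dev["user"], dev["password"])
    if reason:
        findings.append(f"credential: {reason}")
    if dev.get("upnp"):
        findings.append("UPnP enabled: disable unless it is required")
    if not dev.get("lockout"):
        findings.append("no account lockout policy configured")
    return findings


def audit_inventory(inventory):
    """Map host name -> findings for every record."""
    return {dev["host"]: audit_device(dev) for dev in inventory}


if __name__ == "__main__":
    for host, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(host, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Against the constructed inventory, cam01 (Telnet open, old Dropbear, no ACL, root/vizxv, UPnP on, no lockout) produces six findings and gw02 produces none. The credential check is deliberately a policy check on provisioning records, not a login attempt against the device; brute-forcing your own fleet to find defaults recreates the attacker's traffic and trips the detection you want to keep clean.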

Countermeasure for preventing DDoS attacks:

  • Identify critical services and their priority. Develop Business Continuity Plan.
  • Deploy appropriate Intrusion/DDoS Prevention System capable of detecting and mitigating DDoS attacks.
  • Ensure that Intrusion/DDoS Prevention System contain signatures to detect the attacks launched from common DDoS tools.
  • Maintain list of contacts of ISPs, vendors of network and security devices and contact them as appropriate.
  • Understand your current environment, and have a baseline of the daily volume, type, and performance of network traffic.
  • Review the traffic patterns and logs of perimeter devices to detect anomalies in traffic, network-level floods (TCP, UDP, SYN, etc.) and application-level floods (e.g. HTTP GET).
  • Maintain and regularly examine logs of webservers to detect malformed requests/traffic.
  • If your SLA with your ISP includes DDoS mitigation services, brief your staff on the information the ISP requires in order to activate them.
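The two items about baselining daily traffic and reviewing perimeter logs for floods amount to a simple statistical check, shown here as an added example that is not part of the advisory. The per-minute counters, the traffic categories and the thresholds (`k` standard deviations and a `min_ratio` multiple of the mean) are constructed for illustration; in practice the baseline comes from days of history and the thresholds are tuned to your links. The ratio test exists so that a very flat baseline (tiny standard deviation) does not alert on small absolute bumps.

```python
"""Baseline perimeter traffic counters and flag flood-like deviations."""
from statistics import mean, pstdev

# Constructed per-minute counters from a perimeter device during a normal
# period (not real traffic); in practice build this from days of history.
BASELINE_HISTORY = {
    "tcp_syn":  [1200, 1350, 1100, 1280, 1420, 1190, 1310, 1260, 1180, 1330],
    "udp":      [800, 760, 840, 790, 820, 780, 810, 830, 770, 805],
    "http_get": [300, 320, 290, 310, 305, 315, 295, 300, 310, 298],
}
# Constructed live window: a SYN flood in intervals 2-3 and an HTTP GET flood in 3-4.
LIVE_WINDOW = {
    "tcp_syn":  [1290, 1310, 9800, 12400, 1240],
    "udp":      [800, 815, 790, 805, 810],
    "http_get": [310, 300, 305, 4200, 3900],
}
# Which layer each counter belongs to, so alerts can be routed appropriately.
LAYER = {"tcp_syn": "network", "udp": "network", "http_get": "application"}


def build_baseline(history):
    """Per traffic type: (mean, population standard deviation) of the interval counts."""
    return {kind: (mean(counts), pstdev(counts)) for kind, counts in history.items()}


def detect_floods(baseline, live, k=4.0, min_ratio=3.0):
    """Flag intervals whose count exceeds both mean + k*sigma and min_ratio*mean."""
    alerts = []
    for kind, counts in live.items():
        mu, sigma = baseline[kind]
        for i, count in enumerate(counts):
            if count > mu + k * sigma and count > min_ratio * mu:
                alerts.append({"interval": i, "kind": kind, "layer": LAYER.get(kind, "unknown"),
                               "count": count, "x_baseline": round(count / mu, 1)})
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_HISTORY)
    for a in detect_floods(baseline, LIVE_WINDOW):
        print(f"interval {a['interval']}: {a['layer']}-level {a['kind']} flood, "
              f"{a['count']} events ({a['x_baseline']}x baseline)")
```

On the constructed data the detector reports the two SYN-flood minutes as network-level and the two HTTP GET minutes as application-level events, while the UDP series stays silent; replaying the baseline history through the detector yields no alerts, which is the sanity check to run whenever the thresholds are changed.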
