Silex IoT Malware

Original Issue Date:- July 03, 2019
Virus Type:- Trojan
Severity:- High

It has been reported that a new malware named "Silex", which targets IoT devices, is spreading. The malware trashes an IoT device's storage, removes its firewall rules and network configuration, and then halts the device. The attacker gains access to a targeted device by logging in with the device's default credentials. Once on the device, the malware performs the following actions:

  • Writes random data from /dev/random to any mounted storage it finds.
  • Lists partitions with the command "fdisk -l" and writes random data from /dev/random to every partition it discovers.
  • Deletes the network configuration and flushes the iptables rules, then adds a rule that DROPs all connections.
  • Halts or reboots the compromised device.
  • An affected device can be recovered only by manually reinstalling (re-flashing) its firmware.

The malware has routines to target Unix-like operating systems that expose telnet or run services with weak or default login credentials. It has also been reported that the IP address used to attack devices is located in Iran and has already been listed on URLhaus.
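Since the advisory names default credentials over telnet as the access path, the first thing a defender wants is a way to check whether a device still accepts them. The script below is an added example; it is not part of the advisory and not Silex's code. It performs a minimal telnet login (answering option negotiation with WONT/DONT) and reports which vendor defaults a device accepts. The credential list, the prompt strings and the embedded fake device that answers to admin/admin are constructed for offline demonstration; run audit_default_credentials against real hosts only with authorisation.

```python
"""Default-credential audit over telnet (added example, not from the advisory).

Silex gains access by logging in with vendor default credentials, so the
first check a defender wants is: does this device still accept them?
The credential list and the fake device below are constructed for offline
demonstration; only run the audit against hosts you are authorised to test.
"""
import re
import socket
import socketserver
import threading

# Telnet option-negotiation command bytes (RFC 854).
IAC, DONT, DO, WONT, WILL = 255, 254, 253, 252, 251
NEGOTIATION_RE = re.compile(rb"\xff[\xfb-\xfe].", re.DOTALL)

# Constructed sample list: the defaults an attacker tries first.
DEFAULT_CREDENTIALS = [("admin", "admin"), ("root", "root"), ("root", "")]


def _recv_until(sock, markers, timeout=3.0):
    """Read until one of `markers` appears. Option negotiation sent by the
    device is refused (WONT/DONT) and stripped from the returned data.
    A negotiation triple split across two recv() calls is not handled."""
    sock.settimeout(timeout)
    buf = b""
    while not any(m in buf for m in markers):
        try:
            chunk = sock.recv(1024)
        except socket.timeout:
            break
        if not chunk:
            break
        i = 0
        while i < len(chunk):
            if chunk[i] == IAC and i + 2 < len(chunk):
                cmd, opt = chunk[i + 1], chunk[i + 2]
                if cmd in (DO, WILL):  # refuse every option; a plain login is enough
                    sock.sendall(bytes([IAC, WONT if cmd == DO else DONT, opt]))
                i += 3
            else:
                buf += chunk[i:i + 1]
                i += 1
    return buf


def telnet_login_accepted(host, port, username, password, timeout=3.0):
    """Return True if the device grants a shell prompt for username/password."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        banner = _recv_until(sock, [b"login:", b"Login:"], timeout)
        if b"ogin:" not in banner:
            return False
        sock.sendall(username.encode() + b"\r\n")
        if b"assword:" not in _recv_until(sock, [b"assword:"], timeout):
            return False
        sock.sendall(password.encode() + b"\r\n")
        reply = _recv_until(sock, [b"$ ", b"# ", b"incorrect", b"ogin:"], timeout)
        return reply.rstrip().endswith((b"$", b"#"))  # shell prompt = login worked


def audit_default_credentials(host, port, credentials=DEFAULT_CREDENTIALS):
    """Return the (user, password) pairs the device at host:port still accepts."""
    accepted = []
    for user, pwd in credentials:
        try:
            if telnet_login_accepted(host, port, user, pwd):
                accepted.append((user, pwd))
        except OSError:
            break  # unreachable or connection refused: nothing more to learn
    return accepted


class _FakeTelnetDevice(socketserver.BaseRequestHandler):
    """Constructed stand-in for a device shipped with admin/admin."""
    VALID = ("admin", "admin")

    def _readline(self):
        data = b""
        while not data.endswith(b"\n"):
            chunk = self.request.recv(64)
            if not chunk:
                break
            data += chunk
        data = NEGOTIATION_RE.sub(b"", data)  # drop the client's WONT/DONT replies
        return data.strip(b"\r\n").decode(errors="replace")

    def handle(self):
        # Ask the client to negotiate an option, as real devices do, then prompt.
        self.request.sendall(bytes([IAC, DO, 1]) + b"\r\nlogin: ")
        user = self._readline()
        self.request.sendall(b"Password: ")
        pwd = self._readline()
        if (user, pwd) == self.VALID:
            self.request.sendall(b"\r\nBusyBox v1.30 built-in shell (ash)\r\n# ")
        else:
            self.request.sendall(b"\r\nLogin incorrect\r\n")


def start_fake_device():
    """Start the constructed fake device on a free loopback port; returns (server, port)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _FakeTelnetDevice)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    server, port = start_fake_device()
    print("accepted defaults:", audit_default_credentials("127.0.0.1", port))
    server.shutdown()
    server.server_close()
```

A device that shows up in the returned list is exactly what Silex (and the Mirai family before it) logs into; the fix is the credential change in the countermeasures below, verified by running the audit again and getting an empty list. Real devices vary in prompt text and negotiation, so the prompt markers are a starting point, not a complete telnet implementation.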


Countermeasures for securing IoT devices:

  • Restrict access to the web management interface of IoT devices to authorised users only.
  • Always change default login credentials before deploying a device in production (at the latest at first start-up), and ensure the new passwords meet the minimum complexity requirements.
  • Disable Universal Plug and Play (UPnP) on IoT devices unless it is absolutely required.
  • Users should be aware of the installed devices and their capabilities. If a device comes with a default password or an open Wi-Fi connection, users should change the password and only allow it to operate on a home network behind a secured Wi-Fi router.
  • Control access to the devices with access lists.
  • Configure devices to lock or log out and require the user to re-authenticate if left unattended.
  • Identify systems with default passwords and apply the measures above. Systems that need to be examined include routers, switches, web applications and administrative web interfaces, ICS systems, and telnet and SSH interfaces.
  • Implement account lockout policies to reduce the risk of brute-force attacks.
  • Disable telnet and SSH on the device if remote management is not required.
  • If remote access is required, provide it through a VPN or SSH rather than telnet.
  • Configure key- or certificate-based authentication for SSH clients used for remote management of devices; telnet has no such mechanism, which is one more reason to retire it.
  • Implement egress and ingress filtering at the router.
  • Report suspicious entries in router logs to your Internet Service Provider.
  • Keep antivirus software on computer systems up to date.
  • Keep up to date with patches and fixes for the IoT devices, operating system and applications.
  • Stop unnecessary services and close unused ports.
  • Enable logging on the device so that all activity is recorded.
  • Enable and monitor perimeter device logs to detect scan attempts against critical devices/systems.
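The last countermeasures (ingress filtering, logging, and watching perimeter logs for scans) can be made concrete. The script below is an added example, not part of the advisory: it parses iptables LOG lines, flags any source that probes several hosts on telnet ports within a short window, and produces the ingress DROP rules for the flagged sources. The log lines, the addresses, the log prefix "IPT-IN", the telnet port set and the window/threshold values are constructed assumptions for the demonstration.

```python
"""Telnet scan detection from perimeter firewall logs (added example, not
from the advisory). Parses iptables LOG lines, flags sources that probe
several hosts on telnet ports within a short window, and produces the
ingress DROP rules to block them. Log lines, thresholds and addresses are
constructed for the demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

TELNET_PORTS = {23, 2323}  # assumption: ports the Mirai/Silex family probes
TS_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)")
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

# Constructed sample: one scanner sweeping the IoT segment, one admin SSH
# session, an ICMP line with no port, a UDP probe, and one slow source whose
# three hits never fall inside a single 5-minute window.
SAMPLE_LOG = """\
Jun 26 10:12:01 gw kernel: IPT-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.20 LEN=60 TTL=52 ID=1 DF PROTO=TCP SPT=43210 DPT=23 SYN
Jun 26 10:12:02 gw kernel: IPT-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.21 LEN=60 TTL=52 ID=2 DF PROTO=TCP SPT=43211 DPT=23 SYN
Jun 26 10:12:02 gw kernel: IPT-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.22 LEN=60 TTL=52 ID=3 DF PROTO=TCP SPT=43212 DPT=2323 SYN
Jun 26 10:12:03 gw kernel: IPT-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.23 LEN=60 TTL=52 ID=4 DF PROTO=TCP SPT=43213 DPT=23 SYN
Jun 26 10:13:00 gw kernel: IPT-IN: IN=eth1 OUT= SRC=192.168.1.2 DST=192.168.1.20 LEN=60 TTL=64 ID=5 DF PROTO=TCP SPT=50000 DPT=22 SYN
Jun 26 10:13:30 gw kernel: IPT-IN: IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.1.20 LEN=84 TTL=50 ID=6 PROTO=ICMP TYPE=8 CODE=0
Jun 26 10:13:40 gw kernel: IPT-IN: IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.1.20 LEN=40 TTL=50 ID=7 PROTO=UDP SPT=5353 DPT=23 LEN=20
Jun 26 10:14:00 gw kernel: IPT-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.20 LEN=60 TTL=48 ID=8 DF PROTO=TCP SPT=40001 DPT=23 SYN
Jun 26 10:40:00 gw kernel: IPT-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.21 LEN=60 TTL=48 ID=9 DF PROTO=TCP SPT=40002 DPT=23 SYN
Jun 26 10:41:00 gw kernel: IPT-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.22 LEN=60 TTL=48 ID=10 DF PROTO=TCP SPT=40003 DPT=23 SYN
"""


def parse_line(line):
    """Return ts/src/dst/proto/dpt for an iptables LOG line, or None if the
    line lacks any of them (for example an ICMP entry, which has no DPT)."""
    ts = TS_RE.match(line)
    fields = dict(FIELD_RE.findall(line))
    if not ts or not all(k in fields for k in ("SRC", "DST", "PROTO", "DPT")):
        return None
    return {
        "ts": datetime.strptime(ts.group(1), "%b %d %H:%M:%S"),
        "src": fields["SRC"],
        "dst": fields["DST"],
        "proto": fields["PROTO"],
        "dpt": int(fields["DPT"]),
    }


def detect_telnet_scans(lines, window_minutes=5, min_targets=3):
    """Return {src: sorted targets} for every source that hit at least
    min_targets distinct destinations on telnet ports within window_minutes."""
    window = timedelta(minutes=window_minutes)
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in lines:
        ev = parse_line(line)
        if ev and ev["proto"] == "TCP" and ev["dpt"] in TELNET_PORTS:
            events[ev["src"]].append((ev["ts"], ev["dst"]))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        # Slide a window starting at each event; later events are time-ordered,
        # so everything within `window` of t0 is a prefix of evs[i:].
        for i, (t0, _) in enumerate(evs):
            targets = {dst for t, dst in evs[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                hits[src] = sorted(targets)
                break
    return hits


def block_commands(hits):
    """Ingress filter: one DROP rule per flagged source, for review before applying."""
    return [f"iptables -I INPUT -s {src} -j DROP" for src in sorted(hits)]


if __name__ == "__main__":
    scans = detect_telnet_scans(SAMPLE_LOG.splitlines())
    for src, targets in scans.items():
        print(f"{src} probed telnet on {len(targets)} hosts: {', '.join(targets)}")
    for cmd in block_commands(scans):
        print(cmd)
```

The window matters: the same three hits from 198.51.100.7 are ignored at the 5-minute default but are flagged when the window is widened to an hour, so tune window_minutes and min_targets to the size of the segment being watched rather than copying the constructed values. Logging of the dropped SYNs has to be enabled on the perimeter device first (the LOG target in iptables, with a recognisable prefix), or there is nothing for the detection to read.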
