U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Brickerbot botnet, the thingbot that permanently destroys IoT devices

Security researchers have spotted a new threat dubbed Brickerbot botnet that causes permanent damage to Internet of Things (IoT) devices. Months ago we anticipated the possible spike in the number of IoT botnets, at the beginning it was Mirai, but later other dangerous thingbot appeared in the wild such as the Leet Botnet and the Amnesia botnet. Now a […]

Brickerbot botnet, the thingbot that permanently destroys IoT devices

Security researchers have spotted a new threat dubbed Brickerbot botnet that causes permanent damage to Internet of Things (IoT) devices.

Months ago we anticipated the possible spike in the number of IoT botnets, at the beginning it was Mirai, but later other dangerous thingbot appeared in the wild such as the Leet Botnet and the Amnesia botnet.

Now a new botnet, dubbed Brickerbot, appeared in the threat landscape, it was spotted by researchers at Radware that have found many similarities with the dreaded Mirai botnet.

The main difference with Mirai botnet is that this threat permanently destroys poorly configured IoT devices.
The Brickerbot botnet was discovered on March 20 when researchers at Radware observed attacks against one of its honeypots.

“Over a four-day period, Radware’s honeypot recorded 1,895 PDoS attempts performed from several locations around the world. Its sole purpose was to compromise IoT devices and corrupt their storage.”reads the analysis shared by Radware. “Besides this intense, short-lived bot (BrickerBot.1), Radware’s honeypot recorded attempts from a second, very similar bot (BrickerBot.2) which started PDoS attempts on the same date – both bots were discovered less than one hour apart –with lower intensity but more thorough and its location(s) concealed by TOR egress nodes.”

The honeypot logged 1,895 infection attempts by Brickerbot botnet in just four days, most of the attacks were originated from Argentina, while 333 attempts came from a Tor node.

The Brickerbot botnet leverages on Telnet brute force to compromise an IoT device, a technique like the Mirai’s one.

The Bricker does not try to download a binary, this means that experts from Radware were not able to retrieve the complete list of credentials used by the bot brute force attempts, the researchers were only able to record that the first attempted username/password pair was ‘root’/’vizxv.’

“Bricker does not try to download a binary, so Radware does not have a complete list of credentials that were used for the brute force attempt, but were able to record that the first attempted username/password pair was consistently ‘root’/’vizxv.'” continues the advisory.

The malicious code targets Linux-based IoT devices running the BusyBox toolkit which have their Telnet port open and exposed on the Internet.

The PDoS attempt attacks s originated from a limited number of IP addresses, the IoT devices are exposing the port 22 (SSH) and running an older version of the Dropbear SSH server. The vast majority of the devices was identified by Shodan as Ubiquiti network devices.

Brickerbot botnet

Once the malware has infected the device it starts scrambling the onboard memory using rm -rf /* and disabling TCP timestamps. It also limits the max number of kernel threads to one.

brickerbot botnet

Brickerbot malware also flushes all iptables firewall and NAT rules and adds a rule to drop all outgoing packets. It tries to wipe all code on the vulnerable IoT making them unusable.

Experts at Radware provided the following suggestions to protect IoT Devices:

  • Change the device’s factory default credentials.
  • Disable Telnet access to the device.
  • Network Behavioral Analysis can detect anomalies in traffic and combine with automatic signature generation for protection.
  • User/Entity behavioral analysis (UEBA) to spot granular anomalies in traffic early.
  • An IPS should block Telnet default credentials or reset telnet connections. Use a signature to detect the provided command sequences.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Brickerbot botnet, IoT)