Silex malware targeting IoT devices spotted by security researchers

Silex attacks any Unix-like system with default login credentials

New malware, dubbed Silex, is targeting Internet of Things (IoT) devices in attacks that are expected to intensify over the next week.

Silex was spotted only yesterday by Akamai researcher Larry Cashdollar, who noticed it attacking IoT devices. The malware had already wiped the firmware of more than 2,000 devices in the first few hours since its discovery.

"Silex is targeting pretty much any Unix-like operating system with default login credentials. Doesn't matter if it's an ARM-based DVR or an x64 bit system running Redhat Enterprise, if your login is root:password it could wreck your system," warned Cashdollar in one of a series of tweets.

Cashdollar added that Silex bricks devices by first trashing their storage. It then removes the firewall rules and the network configuration, and finally halts the device entirely.


"It's using known default credentials for IoT devices to log in and kill the system," Cashdollar told ZDNet. "It's doing this by writing random data from /dev/random to any mounted storage it finds.

"It's targeting any Unix-like system with default login credentials. The binary I captured targets ARM devices. I noticed it also had a Bash shell version available to download which would target any architecture running a Unix-like operating system," Cashdollar added.
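As an added defensive illustration (not code from the article, Akamai or the malware), the following Python checker flags the destructive sequence Cashdollar describes above when run over a captured shell session: random data written over mounted storage, firewall rules flushed, network configuration deleted, device halted. The command regexes and the sample sessions are constructed assumptions about how those steps would look on a typical BusyBox or GNU userland.

```python
import re

# Constructed patterns for the four stages the article attributes to Silex.
# They are assumptions about typical command shapes, not signatures from the sample.
BLOCKDEV = r"/dev/(sd|mmcblk|mtdblock|hd|vd)"
STAGES = {
    "storage_wipe": re.compile(
        r"\bdd\b.*\bif=/dev/u?random\b.*\bof=" + BLOCKDEV
        + r"|\bcat\b\s+/dev/u?random\s*>\s*" + BLOCKDEV
    ),
    "firewall_flush": re.compile(r"\biptables\b.*\s(-F|--flush)\b"),
    "netconfig_removal": re.compile(
        r"\brm\b.*(/etc/network/interfaces|/etc/sysconfig/network|/etc/resolv\.conf)"
    ),
    "halt": re.compile(r"\b(halt|poweroff|shutdown|reboot)\b"),
}


def classify(cmd):
    """Return the set of Silex-like stage names a single command line matches."""
    return {name for name, rx in STAGES.items() if rx.search(cmd)}


def detect_wiper(cmds):
    """Return (stages seen in order, suspicious flag) for a sequence of commands.

    A storage wipe alone is enough to alert; so is the full teardown of
    firewall, network config and power even without a visible wipe.
    """
    seen = []
    for cmd in cmds:
        for stage in classify(cmd):
            if stage not in seen:
                seen.append(stage)
    teardown = {"firewall_flush", "netconfig_removal", "halt"}
    suspicious = "storage_wipe" in seen or teardown.issubset(seen)
    return seen, suspicious


# Constructed sample sessions, e.g. lines recovered from a Telnet honeypot or auditd.
WIPER_SESSION = [
    "cat /proc/mounts",
    "dd if=/dev/random of=/dev/mmcblk0 bs=1M",
    "iptables -F",
    "rm -rf /etc/network/interfaces /etc/resolv.conf",
    "halt",
]
BENIGN_SESSION = ["ls /tmp", "iptables -L", "reboot"]

if __name__ == "__main__":
    print(detect_wiper(WIPER_SESSION))   # (['storage_wipe', 'firewall_flush', 'netconfig_removal', 'halt'], True)
    print(detect_wiper(BENIGN_SESSION))  # (['halt'], False)
```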

The malware does not physically damage the devices' circuitry; it wipes the firmware so the device stops functioning. Affected devices can be recovered by manually reinstalling the firmware, but for most device owners that will be too complicated a task.

Although the originating IP address was traced to Iran, Silex was developed by a 14-year-old hacker based in Europe, who calls himself "Light Leafon". NewSky Security researcher Ankit Anubhav made contact with Light Leafon to get an idea of his motive behind it.

Anubhav had first contacted Leafon about a month earlier, when Leafon released HITO, a precursor to Silex that also targeted IoT devices.

Leafon said that this malware project started as a joke, but it has now turned into a full-time project for him.

Leafon plans to make Silex even more destructive by adding the ability to log into devices via SSH. Silex is currently equipped with Telnet hijacking capability.

Leafon also plans to augment the malware with exploits for known vulnerabilities so that it can infiltrate and take over targeted devices, just like most IoT botnets operating today.

"It will be reworked to have the original BrickerBot functionality," Light said.

BrickerBot malware swept the internet in 2017, and was said to have temporarily or permanently destroyed more than ten million devices in the process.

BrickerBot remained active between April and December 2017. According to its author Janitor, it was spread as a form of protest against smart devices that, in 2017, were getting infected with the Mirai DDoS malware.
