BrickerBot ‘creator’ claims two million IoT devices have been destroyed

BrickerBot, a piece of malware designed to damage insecure IoT devices so badly that they become useless, has now ‘bricked’ as many as two million devices, according to a shady figure claiming to be the malicious code’s author.

A person going by the nickname of ‘Janitor’ made the claim on a hacker discussion board. According to reports by Bleeping Computer, Janitor is a ‘grey hat’ hacker who says they wanted to do something about the insecure nature of IoT-enabled devices on the market. BrickerBot attacks these devices, overwriting their firmware. For their owners, that means reinstalling original firmware from scratch or complete replacement of the device.

In an email to the website, Janitor defended developing the IoT malware, presenting their work as that of taking compromised devices out of circulation.

“If somebody launched a car or power tool with a safety feature that failed nine times out of ten, it would be pulled off the market immediately,” they write.

“I don’t see why dangerously designed IoT devices should be treated any differently and, after the Internet-breaking attacks of 2016, nobody can seriously argue that the security of these devices isn’t important.”

They added that they hoped “regulatory bodies will do more to penalize careless manufacturers, since market forces can’t fix this problem”.

The malware has led to a security advisory by ICS-CERT on the matter. “BrickerBot.1 and BrickerBot.2 exploit hard-coded passwords, exposed SSH, and brute force Telnet,” said the advisory. The malware was originally discovered by researchers at security company Radware.


ICS-CERT has advised companies to audit IoT devices, disable SSH and Telnet access to any devices, and ensure that default passwords are changed. It also said that it would be collating a database of devices that could be affected by the malware “in order to collect product-specific mitigations and compensating controls”.

Edgard Capdevielle, CEO of Nozomi Networks, a company specialising in cyber-security for industrial control systems, told Internet of Business that BrickerBot poses a substantial threat. Were industrial control systems (ICS) components in critical infrastructure to suddenly fail without warning, he said, the wider effects could be significant.

“Industrial automation systems could experience abnormal behavior or even outages. In addition, identifying issues, fixing them, and getting systems back up and running could be lengthy and expensive,” he said.

“Operators should implement the mitigations recommended by ICS-CERT, which include verifying that their control systems are deployed securely and that no devices have an Internet-accessible configuration. In addition, as the US Department of Homeland Security recommends, they should use network behavioral analysis to detect anomalies in traffic and take appropriate action on those anomalies,” he added.


The post BrickerBot ‘creator’ claims two million IoT devices have been destroyed appeared first on Internet of Business.


BrickerBot malware will brick unsecure Internet of Things devices


A new malicious software program targeting Linux-based Internet of Things (IoT) devices, called BrickerBot, has been spotted by cybersecurity vendor Radware.

BrickerBot is similar to Mirai, the malware program that enlists compromised IoT devices into botnets for distributed denial-of-service (DDoS) attacks. Like Mirai, BrickerBot attacks unsecured devices whose default username and password have never been changed.


Once inside the unsecured device, BrickerBot sets about permanently corrupting its storage and cutting off its Internet access, effectively killing the unit. This is the major difference between Mirai and BrickerBot: while Mirai puts the compromised IoT devices to use, BrickerBot renders them unusable.

It is not known how many devices, if any, have fallen victim to a BrickerBot attack.

The attack does appear to be easy to pull off in theory, as all an attacker would need is remote access to the IoT device. Many of the devices are connected to the Internet through routers that suffer from the same poor authentication and encryption techniques.

Here are a few tips

The firm said it recommends five measures to avoid a BrickerBot attack:

  • Change the device’s factory default credentials.
  • Disable Telnet access to the device.
  • Use network behavioral analysis to detect anomalies in traffic, combined with automatic signature generation for protection.
  • Use user/entity behavioral analysis (UEBA) to spot granular anomalies in traffic early.
  • Configure an IPS to block Telnet logins that use default credentials, or to reset Telnet connections.

It is another sign that IoT devices need at least basic security to avoid catastrophic damage to commercial and industrial devices. Most manufacturers still lack basic encryption and do not teach users how to change the username and password.

The post BrickerBot malware will brick unsecure Internet of Things devices appeared first on ReadWrite.


Radware discovers Brickerbot, which makes DOS attacks permanent


A new threat is targeting insecure IoT devices, but rather than hijack them for use in distributed denial of service (DDoS) attacks, Brickerbot instead threatens to disable – or ‘brick’ – these devices, so that they are left completely inoperable.

So-called ‘permanent denial of service’ (or PDoS) attack bots scour the Internet for vulnerable targets – typically Linux-based routers, bridges or similar Internet-connected devices that require only factory default passwords to grant remote admin access.

Once a suitable target is identified, the bots unleash wave after wave of destructive commands that wipe files stored on the device, corrupt its storage and cut off its Internet connection. In most cases, repairing the device would not be worth the cost and effort involved.

“Also known loosely as ‘phlashing’ in some circles, PDoS is an attack that damages a system so badly that it requires replacement or reinstallation of hardware. By exploiting security flaws or misconfigurations, PDoS can destroy the firmware and/or basic functions of a system,” write security researchers from IT security company Radware, in a threat advisory report published last week.


Setting a honeypot to catch a bug

In order to observe Brickerbot ‘in the wild’, Radware’s security research team set up a number of ‘honeypots’ designed to lure interesting PDoS specimens.

These were successful: over a four-day period in March, the Radware team observed around 2,230 PDoS attempts on devices made available via these honeypots. One honeypot logged 1,895 infection attempts by Brickerbot, with the majority coming from Argentina, and a second logged 333 attempts of untraceable origin, as they came from a Tor node that anonymises web traffic.

The Brickerbot attack used a technique (Telnet brute force) very similar to that used by Mirai to breach devices, according to Radware’s researchers.

“Bricker does not try to download a binary, so Radware does not have a complete list of credentials that were used for the brute force attempt, but was able to record that the first attempted username/password pair was consistently ‘root’/’vizxv’,” they write.
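The honeypot observation above, together with Radware’s earlier advice to detect anomalous Telnet traffic and block default-credential logins, can be turned into simple detection rules. The following is an added example (not Radware’s or ICS-CERT’s code) that runs such rules over constructed Telnet authentication log lines; the log format, the 60-second/5-failure thresholds and the addresses are assumptions, while ‘root’/‘vizxv’ is the pair the article reports.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical Telnet honeypot auth-log format
# (not Radware's); source addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = [
    "2017-03-20T10:00:01Z telnet src=198.51.100.7 user=root pass=vizxv result=FAIL",
    "2017-03-20T10:00:02Z telnet src=198.51.100.7 user=admin pass=admin result=FAIL",
    "2017-03-20T10:00:03Z telnet src=198.51.100.7 user=root pass=root result=FAIL",
    "2017-03-20T10:00:04Z telnet src=198.51.100.7 user=root pass=guest1 result=FAIL",
    "2017-03-20T10:00:05Z telnet src=198.51.100.7 user=root pass=guest2 result=FAIL",
    "2017-03-20T10:00:06Z telnet src=198.51.100.7 user=root pass=guest3 result=SUCCESS",
    "2017-03-20T10:30:00Z telnet src=203.0.113.9 user=operator pass=******** result=SUCCESS",
]
# 'root'/'vizxv' is the pair Radware saw tried first; the other two are generic
# factory defaults added here for illustration.
DEFAULT_CREDS = {("root", "vizxv"), ("admin", "admin"), ("root", "root")}
LINE_RE = re.compile(r"^(?P<ts>\S+) telnet src=(?P<src>\S+) user=(?P<user>\S+) "
                     r"pass=(?P<pw>\S+) result=(?P<result>FAIL|SUCCESS)$")
WINDOW = timedelta(seconds=60)  # sliding window for the brute-force rule (assumed)
THRESHOLD = 5                   # failures inside WINDOW that count as brute force

def analyse(lines):
    """Return (source, alert) tuples for: a known default credential being
    tried, THRESHOLD failures from one source inside WINDOW, and a login that
    succeeds right after such a burst (the point where a brick would begin)."""
    alerts = []
    fails = defaultdict(deque)  # src -> timestamps of recent failures
    bruting = set()             # sources already flagged for brute force
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue            # tolerate unparseable lines instead of crashing
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        src = m["src"]
        if (m["user"], m["pw"]) in DEFAULT_CREDS:
            alerts.append((src, "default-credential attempt"))
        if m["result"] == "FAIL":
            q = fails[src]
            q.append(ts)
            while ts - q[0] > WINDOW:   # drop failures older than the window
                q.popleft()
            if len(q) >= THRESHOLD and src not in bruting:
                bruting.add(src)
                alerts.append((src, "telnet brute force"))
        elif src in bruting:
            alerts.append((src, "success after brute force: isolate device"))
    return alerts
```

Run against SAMPLE_LOG, the single noisy source produces three default-credential alerts, one brute-force alert and one post-burst success alert, while the operator login from the second address produces none.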


Looking at the evidence

From the available evidence – the use of a ‘busybox’ command and the types of componentry targeted – it’s clear that the attack is targeted specifically at Linux/Busybox-based IoT devices which have their Telnet port open and exposed publicly on the Internet.

“These are matching the devices targeted by Mirai or related IoT botnets,” the Radware team points out.

That said, there’s no clear answer to the question of why these devices are being attacked in this way. Since Bricker effectively kills a device before it can be used as part of a botnet army to extort money from a targeted company, it’s clear that the motivation is different from that driving DDoS attacks.

As Radware researcher Pascal Geenens puts it, in conversation with Ars Technica: “What motivates people to randomly destroy things? Anger, maybe? A troll, maybe?”

But while this may be malicious, it’s also a possibility, as Ars Technica suggests, that the rash of PDoS attacks is being carried out “by one or more vigilantes who want to take out these devices before they can be conscripted into a powerful DoS army that poses a serious threat to the Internet as we know it.”


The post Radware discovers Brickerbot, which makes DOS attacks permanent appeared first on Internet of Business.
