Satori malware code made public by hackers


Researchers warn that now that it has been made public, the Satori malware code could be used in new botnets.

Code used in the Satori malware (a variant of the IoT malware Mirai) has been made public. Ankit Anubhav, principal researcher at IT security firm NewSky Security, found the code being offered free of charge over Christmas.

In a blog post, he said the exploit in the released code has already been weaponized in two distinct IoT botnet attacks, namely Satori and BrickerBot. The malware has been used to attack thousands of IoT devices, including Huawei routers.

According to security researchers, there is now a risk that the code will be used by criminals to recruit IoT devices into a botnet to carry out DDoS attacks.


Malware fix

He added that CVE-2017-17215, a vulnerability in Huawei HG532 devices, was discovered by Check Point during a zero-day Satori attack and was discreetly reported to Huawei for a fix.

“The proof of concept code was not made public to prevent attackers from abusing it. However, with the release of the full code now by the threat actor, we expect its usage in more cases by script kiddies and copy-paste botnet masters,” he said.

“An authenticated attacker could send malicious packets to port 37215 to launch attacks,” Huawei said in its security advisory. “Successful exploit could lead to the remote execution of arbitrary code.”

Check Point said that the vulnerability is connected to Huawei’s implementation of the Universal Plug and Play (UPnP) protocol via the TR-064 technical report standard. This flaw enabled remote attackers to inject arbitrary commands, which hackers used to create the Satori botnet.

“IoT attacks are becoming modular day by day. When an IoT exploit becomes freely available, it hardly takes much time for threat actors to up their arsenal and implement the exploit as one of the attack vectors in their botnet code,” said Anubhav.


The post Satori malware code made public by hackers appeared first on Internet of Business.


Bluetooth Vulnerability Leaves 5 Billion IoT Devices Open To ‘BlueBorne’ Malware Attack

A newly-discovered vulnerability is leaving over 5 billion IoT devices open to a Bluetooth cyber-attack dubbed “BlueBorne,” according to IoT enterprise security company Armis – meaning that hackers could take over the devices, spread malware, or gain access to critical data and networks.

Steve Brumer, partner at 151 Advisors, comments:

“The vast majority of security compromises are due to devices that have identified vulnerabilities with patches available, but they have not been updated. Currently, there is no checklist or approval process to indicate that a device meets such standards. Every restaurant has a rating of 0 – 100 at the front door, but home cameras don’t have a rating system that indicates if a device is future proof for security threats. Can it receive OTA updates? Can the device check for patches every week? Who is ultimately responsible for updating the device?”

“The most secure device would look for new patches every day and the burden to update the device would be on the manufacturer. A less secure device would require the end user to check for patches and manually update the device, which in reality would never happen.”

“If you ask most consumers who is responsible for updating the software on their home cameras, those in the tech industry will not know and those who are not tech savvy may reply ‘What? There is software in the camera?’”

151 Advisors is a global advisory and execution firm specializing in Mobility, Internet of Things (IoT), Smart Cities, security, and cloud-based technologies. It provides technology companies with a combination of advisory and execution services to ensure companies are focused on the right markets, establishing new market positions and accelerating the growth of its products and services.

The post Bluetooth Vulnerability Leaves 5 Billion IoT Devices Open To ‘BlueBorne’ Malware Attack appeared first on IoT Business News.


Security researchers warn of ‘airborne’ IoT malware, Blueborne


Billions of Bluetooth devices could be affected by BlueBorne malware, say researchers.

Security researchers at Armis Labs have discovered a number of Bluetooth vulnerabilities that could affect millions of IoT devices around the world.

More specifically, any device that uses Bluetooth connectivity – from smartphones to medical devices – could become the target of an attack vector that the researchers have named ‘BlueBorne’. In a blog post, they said the malware can “spread through the air and attack devices via Bluetooth.”

“BlueBorne allows attackers to take control of devices, access corporate data and networks, penetrate secure ‘air-gapped’ networks, and spread malware laterally to adjacent devices,” said researchers.


Eight vulnerabilities so far

Researchers said the attack does not require the targeted device to be paired to the attacker’s device, or even to be set to discoverable mode. Armis has so far identified eight zero-day vulnerabilities, which, it said, indicate the existence and potential of the attack vector. It also said that many more vulnerabilities await discovery in the various platforms using Bluetooth.

“These vulnerabilities are fully operational and can be successfully exploited, as demonstrated in our research. The BlueBorne attack vector can be used to conduct a large range of offences, including remote code execution as well as man-in-the-middle attacks,” they said.

The Armis researchers added that BlueBorne can potentially affect all devices with Bluetooth capabilities, estimated at over 8.2 billion devices today.


Spread through the air

Researchers said they were concerned about the attack because of the medium it operates in.

“Unlike the majority of attacks today, which rely on the internet, a BlueBorne attack spreads through the air. This works similarly to the two less extensive vulnerabilities discovered recently in a Broadcom Wi-Fi chip by Project Zero and Exodus.

“The vulnerabilities found in Wi-Fi chips affect only the peripherals of the device, and require another step to take control of the device. With BlueBorne, attackers can gain full control right from the start. Moreover, Bluetooth offers a wider attack surface than Wi-Fi, almost entirely unexplored by the research community and hence contains far more vulnerabilities.”

The company said that flaws that can spread over the air and between devices pose a tremendous threat to any organization or individual.

“Current security measures, including endpoint protection, mobile data management, firewalls, and network security solutions are not designed to identify these types of attacks, and related vulnerabilities and exploits, as their main focus is to block attacks that can spread via IP connections,” said researchers.

“New solutions are needed to address the new airborne attack vector, especially those that make air gapping irrelevant. Additionally, there will need to be more attention and research as new protocols are used for consumers and businesses alike.”


The post Security researchers warn of ‘airborne’ IoT malware, Blueborne appeared first on Internet of Business.


Malware makes the Internet a “torture chamber” for DVR devices

SANS Technology Institute researcher shows that a DVR with default settings can be compromised within minutes of going online.

Despite the Mirai botnet bringing into focus the need for better security in IoT devices, many can still be hacked in under two minutes, according to security researchers.

In an experiment carried out by Johannes Ullrich, Dean of Research at SANS Technology Institute, an Anran DVR system he bought and left connected to the internet was hacked in a matter of minutes.

Ullrich left the device in its default state, with its network ports open, and able to accept ‘root’ logins with the well-known password ‘xc3511’. He said that many worms infecting these devices will disable telnet after a successful infection, to prevent others from exploiting the weak credentials. To allow for continuous infections, he connected his DVR to a remote-controlled power outlet, and power cycled it once every five minutes. He also logged all traffic to and from the DVR.

In examining the logs over two days, he found that the system was compromised by someone or something logging in using the correct credentials every two minutes.
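The analysis Ullrich describes (count the source IPs hitting the honeypot, pick out the logins that succeeded with the well-known default credentials, and measure how often a fresh compromise occurs) is the kind of thing a defender can script against their own telnet honeypot or device logs. The following is an added example, not code from SANS or from Ullrich’s experiment; the log line format and the sample lines are constructed for illustration, so adapt `LINE_RE` to whatever your device or honeypot actually emits.

```python
"""Telnet honeypot log triage: unique attacking IPs, default-credential logins,
and the interval between successive compromises.

Added example, not code from SANS / Johannes Ullrich. The log format below
(ISO timestamp, src=, user=, pass=, result=) is a constructed assumption.
"""
import re
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed sample lines (documentation-range IPs); the malformed last line
# stands in for the junk a real log always contains.
SAMPLE_LOG = """\
2017-07-01T10:00:12 src=203.0.113.5 user=root pass=xc3511 result=success
2017-07-01T10:00:40 src=198.51.100.7 user=admin pass=admin result=fail
2017-07-01T10:02:05 src=198.51.100.9 user=root pass=xc3511 result=success
2017-07-01T10:02:33 src=203.0.113.5 user=root pass=vizxv result=fail
2017-07-01T10:04:10 src=192.0.2.44 user=root pass=xc3511 result=success
2017-07-01T10:05:00 src=198.51.100.7 user=root pass=123456 result=fail
2017-07-01T10:06:20 src=203.0.113.77 user=root pass=xc3511 result=success
garbage line that does not parse
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) user=(?P<user>\S+) "
    r"pass=(?P<pw>\S+) result=(?P<result>\w+)$"
)

# The factory credential named in the article; extend with others you know of.
DEFAULT_CREDS = {("root", "xc3511")}


def parse_log(text):
    """Parse log text into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.fromisoformat(d["ts"]),
            "src": d["src"],
            "user": d["user"],
            "pw": d["pw"],
            "ok": d["result"] == "success",
        })
    return events


def attacking_ips(events):
    """Counter of source IP -> number of login attempts (success or fail)."""
    return Counter(e["src"] for e in events)


def default_cred_logins(events):
    """Successful logins that used a known default credential pair."""
    return [e for e in events if e["ok"] and (e["user"], e["pw"]) in DEFAULT_CREDS]


def median_interval_seconds(events):
    """Median gap between successive default-credential compromises, or None."""
    times = sorted(e["ts"] for e in default_cred_logins(events))
    if len(times) < 2:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return median(gaps)


def summarize(text):
    """One-shot summary a defender would want from a day's worth of log."""
    events = parse_log(text)
    ips = attacking_ips(events)
    return {
        "events": len(events),
        "unique_ips": len(ips),
        "default_cred_logins": len(default_cred_logins(events)),
        "median_gap_s": median_interval_seconds(events),
        "top_sources": ips.most_common(3),
        "top_passwords": Counter(e["pw"] for e in events).most_common(3),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample the script reports five distinct attacking IPs, four successful `root`/`xc3511` logins, and a median of about two minutes between them, which is the same shape of result Ullrich reports from his 45-hour capture. The `top_sources` and `top_passwords` tallies are the starting point for the per-IP enrichment he did with Shodan, and the password tally tells you which factory credentials you most urgently need to rotate or disable.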

Experiment set-up (Credit: SANS Technology Institute)


DVR dangers come from “usual suspects”

Of the 1,254 attacking IP addresses logged over 45 hours and 42 minutes, IoT search engine Shodan had information for 592 of them. Ullrich said that the logs revealed the “usual suspects” among the attackers: most of the IPs behind the logins could be traced back to IoT devices from TP-Link, AvTech, Synology, and D-Link.

“While I am calling the activity ‘Mirai’, dozens of variants hit the DVR. The geographic distribution of these systems matches what we saw early on with Mirai, only counting the hosts that had Shodan information,” he said.

The demonstration showed that the issue hasn’t been dealt with properly by IoT vendors and Ullrich added that the problem “isn’t going away anytime soon.”

“If people haven’t heard yet about vulnerable DVRs and default passwords, then they will not read this article either. Variants like ‘Brickerbot’, which supposedly attempted to break vulnerable devices, are ineffective because most of these devices cannot be ‘bricked’ by overwriting a disk with ‘dd’,” he said.

“They may become temporarily unresponsive, but will be fine after a reboot. Many of these devices are buggy enough, where the owner is used to regular reboots, and that is probably the only maintenance the owner will perform on these devices.”


The post Malware makes the Internet a “torture chamber” for DVR devices appeared first on Internet of Business.

Kaspersky: IoT malware attacks have more than doubled over the past year

Security experts at Kaspersky report that the number of IoT malware attacks has more than doubled over the past year.

Kaspersky monitors attacks with a ‘honeypot’ of insecure devices that imitate IoT devices. In 2016, the company detected 3,219 samples of different malware. As of May this year, Kaspersky’s honeypot had caught 7,242 samples.

The rapidly increasing number of IoT devices around the globe has long been expected to become a prime target for cybercriminals. As we saw in the record-breaking DDoS (Distributed Denial of Service) attack on Dyn last year, the sheer amount of traffic from locations all over the world can overwhelm even the best defenses.

But although botnets are the most common scenario and can be devastating to businesses who fall victim to attacks, they’re not the biggest concern for individuals. Malware can make consumer devices perform illegal activities or be used to spy on users for blackmail purposes. When infected, perhaps the best a user can hope for is that it simply bricks the device…

Earlier this year, an IoT malware variant called ‘BrickerBot’ began circulating. As the name suggests, its sole purpose is to render devices unusable. The malware has been praised by some in the cybersecurity field – with many observing it could have been created by a vigilante hacker – as it’s prevented insecure devices otherwise being hijacked for nefarious purposes. While it bricks devices which consumers have spent their hard-earned cash on, it could prevent them landing in prison or becoming the victim of blackmail. Furthermore, the consumer is within their right to demand a replacement or refund from the device manufacturer for not ensuring their product is adequately secured and safe to use.

One of the most common vulnerabilities is the use of default admin passwords which users aren’t prompted to change. Over 63% of infected devices which attacked Kaspersky’s honeypot could be identified as DVR services or IP cameras, while about 20% were different types of network devices and routers from all the major manufacturers. 1% were WiFi repeaters and other network hardware, TV tuners, Voice over IP devices, Tor exit nodes, printers and ‘smart-home’ devices. About 20% of devices could not be identified unequivocally.

Within ‘just a few seconds’ of setting up their honeypot, Kaspersky began seeing attempted connections to an open telnet port. Over a 24-hour period, there were ‘tens of thousands of attempted connections from unique IP addresses.’

Kaspersky’s research makes it clear the plight of insecure IoT devices remains a growing threat and manufacturers need to ensure their products are secure before they’re made public and/or issue software patches urgently to existing customers. Until then, Kaspersky recommends blocking your device from being accessed outside your local network where possible, and to change any default passwords before the product is used online.
