New malware has been spotted in the wild targeting insecure Internet of Things (IoT) devices. But rather than conscripting them into a distributed denial of service (DDoS) botnet or using them for other malicious deeds, BrickerBot - as the name suggests - threatens to brick them.
The malware has been detected on honeypot servers maintained by DDoS protection company Radware, which describes the type of attack as a "permanent denial-of-service" (PDoS).
"Over a four-day period, Radware's honeypot recorded 1,895 PDoS attempts performed from several locations around the world. Its sole purpose was to compromise IoT devices and corrupt their storage," warned the company in a Threat Advisory.
The company claims to have picked up two distinct waves of what it has called BrickerBot, from different botnets. The second, it claims, was concealed by Tor egress nodes.
"The BrickerBot PDoS attack used Telnet brute force - the same exploit vector used by Mirai - to breach a victim's devices. Bricker does not try to download a binary, so Radware does not have a complete list of credentials that were used for the brute force attempt, but were able to record that the first attempted username/password pair was consistently 'root'/'vizxv'," warned the company.
IoT devices with hard-wired credentials - there are some - could therefore quickly be rendered useless by such a targeted attack.
"Upon successful access to the device, the PDoS bot performed a series of Linux commands that would ultimately lead to corrupted storage, followed by commands to disrupt Internet connectivity, device performance, and the wiping of all files on the device…
"Among the special devices targeted are /dev/mtd (Memory Technology Device - a special device type to match flash characteristics) and /dev/mmc (MultiMediaCard - a special device type that matches memory card standard, a solid-state storage medium).
"The sysctl commands attempt to reconfigure kernel parameters: net.ipv4.tcp_timestamps=0 disables TCP timestamps, which does not affect local LAN IPv4 connectivity, but seriously impacts the internet communication, and kernel.threads-max=1 limits the max number of kernel threads to one."
The researchers suggest that the version of BrickerBot they have picked up is targeted at Linux/BusyBox IoT devices that have their Telnet ports open and publicly exposed to the internet - the same as the devices targeted by Mirai.
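For defenders running their own Telnet honeypot, the traits Radware describes can be turned into a simple session triage. The following is an added example, not Radware's code: the `<session> LOGIN|CMD ...` log layout, the sample lines and the `triage` function are constructed assumptions, while the indicators come from the advisory text quoted above.

```python
import re
from collections import defaultdict

# Constructed honeypot log; the "<session> LOGIN|CMD ..." layout is an assumption.
SAMPLE_LOG = """\
s1 LOGIN user=root pass=vizxv
s1 CMD sysctl -w net.ipv4.tcp_timestamps=0
s1 CMD sysctl -w kernel.threads-max=1
s1 CMD cat /tmp/x > /dev/mtd0
s2 LOGIN user=admin pass=admin
s2 CMD dd if=/dev/mtd0 of=/tmp/backup.bin
s2 CMD sysctl -w kernel.threads-max=10
s3 LOGIN user=root pass=vizxv
"""

# Indicators named in the advisory: the first credential pair tried, writes
# aimed at /dev/mtd* or /dev/mmc*, and the two sysctl changes.
INDICATORS = {
    "first_credential_pair": re.compile(r"^LOGIN\s+user=root\s+pass=vizxv\s*$"),
    # Only shell redirects or dd "of=" targets count, so reads are not flagged.
    "flash_or_mmc_write": re.compile(r"^CMD\s.*(?:>>?\s*|\bof=)/dev/(?:mtd|mmc)\w*"),
    "tcp_timestamps_off": re.compile(r"^CMD\s.*\bnet\.ipv4\.tcp_timestamps\s*=\s*0\b"),
    "threads_max_one": re.compile(r"^CMD\s.*\bkernel\.threads-max\s*=\s*1\b"),
}


def triage(log_text):
    """Return {session: (verdict, [indicator names])} for sessions with hits."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        session, _, event = line.partition(" ")
        for name, pattern in INDICATORS.items():
            if pattern.search(event):
                hits[session].add(name)
    verdicts = {}
    for session, names in hits.items():
        # The credential pair alone also matches Mirai-style brute forcing,
        # so a session is only labelled "pdos" when a destructive trait is seen.
        destructive = names - {"first_credential_pair"}
        verdict = "pdos" if destructive else "credential-only"
        verdicts[session] = (verdict, sorted(names))
    return verdicts


if __name__ == "__main__":
    for session, (verdict, names) in sorted(triage(SAMPLE_LOG).items()):
        print(session, verdict, ", ".join(names))
```

Session `s2` is deliberately benign (a flash read-out and a non-matching `threads-max` value) to show that the patterns do not fire on look-alike commands.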
The authors of BrickerBot, and the people behind the wave of attacks picked up by Radware, are currently unknown. The campaign may be malicious in intent, but equally it could be intended to take known vulnerable devices offline so that they pose no threat in future.