Friday, March 29, 2024

Permanent Denial-of-Service attack with IOT devices-BrickerBot

PDoS is an attack that harms a system so severely that it requires substitution or re-installation of hardware.By abusing security defects or misconfigurations, PDoS can decimate the firmware or potentially functions of system.

As per the analysis from Radware’s honeypot around 1,895 PDoS attempts where recorded with malware strain BrickerBot from several location around the Globe.

It is compromising only Linux/BusyBox-based IoT devices which have their Telnet port open and exposed publically on the Internet.

Attack classified into two stages.

  • BrickerBot.1  –  short-lived bot.
  • BrickerBot.2  –  Bot that initiates PDoS attempts.

BrickerBot Attacking Vector

BrickerBot uses traditional Brute force method to initiate the attack, upon successful mitigation it runs a series of LINUX commands.

Which leads to corrupted storage, trailed by commands to disturb Internet network, device execution, and then wiping of all records on the device.

Permanent Denial-of-Service with IOT devices-BrickerBot
Command sequence of BrickerBot.1
Source : Radware

In parallel, Radware’s honeypot recorded more than 333 PDoS endeavors with an alternate command signature. The source IP addresses from these endeavors are TOR Nodes and subsequently there is no recognizing the real wellspring of the attacks.

It is significant that these attacks are as yet progressing and the attacker/creator is utilizing TOR egress hubs to cover its bot(s).The first credentials attempted to brute the Telnet login are root/root and root/vizxv.

Permanent Denial-of-Service with IOT devices-BrickerBot
Command sequence of BrickerBot.2
Source : Radware
Among the special devices targeted are /dev/mtd (Memory Technology Device – a special device type to match flash characteristics) and /dev/mmc (MultiMediaCard – a special device type that matches memory card standard, a solid-state storage medium)

BrickerBot Targets

The utilization of the “busybox” command combined with the MTD and MMC extraordinary devices implies this attack is focused on particularly at Linux/BusyBox-based IoT devices.

PDoS endeavors started from a predetermined number of IP locations spread the world over. All devices are exposing port 22 (SSH) and running very older version of the Dropbear SSH server.

Mitigations

  • Change the device’s factory default credentials.
  • Disable Telnet access to the device.
  • Network Behavioral Analysis can detect anomalies in traffic and combine with automatic signature generation for protection.
  • User/Entity behavioral analysis (UEBA) to spot granular anomalies in traffic early.
  • An IPS should block Telnet default credentials or reset telnet connections. Use a signature to detect the provided command sequences.

Also Read

Website

Latest articles

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles