IoT FEATURE NEWS

Security Blogger Identifies Next IoT Vulnerability, This Time on Linux OS

It never rains, but it pours, right folks? Well, our socks are wet now, and the water just keeps getting deeper. In an October 28 post on the security blog Malware Must Die, @unixfreaxjp describes another DDoS botnet aimed specifically at the IoT, and this time it is ready for IPv6.

The investigator calls it Linux/IRCTelnet and says it looks like a new IRC-based ELF botnet malware that can be, and likely is being, used to perform DDoS attacks from IoT devices controlled over IRC. He said it is partially coded along the lines of the Tsunami/Kaiten protocol, but with additional malicious attack features and a telnet-based component aimed at IoT devices.

Apparently, it combines Kaiten for the IRC protocol, the GayFgt/Torlus/Lizkebab/Bashdoor/Bashlite telnet scanner, and the Mirai botnet credential list. It also encodes its CNC (command and control) address so it can evade plain-text checks, and parts of it are written in Italian, just to make things more interesting. Finally, the botnet's DoS mechanisms include UDP flood and TCP flood over both IPv4 and IPv6, with an extra IP spoofing option for either protocol.

As for origin, the researcher started from the knowledge that this botnet is a new version of the Aidra bot, which guided the search for similar executables and code. The conclusion is that it is possibly the work of the known Italian hacker “d3m0n3” on IRCNet.

Meanwhile, the researchers saved partial IP address information for the infected IoT devices they found and shared it with the relevant authorities. The writer noted that this is a significantly large botnet, especially considering it had only been active for a few days, from October 25 to 28, at the time of publication.

Recommendations for mitigation include turning off globally reachable telnet services and not using known vulnerable usernames or passwords. If a device is infected (or you’re not sure whether it is), the malware can be removed by rebooting the device, the post said. Of course the device then has to be secured against the intrusion, or it will be re-infected.
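To make the first recommendation concrete, here is an added example (not code from the article or from the Malware Must Die post) that audits a Linux device's listening sockets for telnet bound to anything other than loopback, over both IPv4 and IPv6. It assumes the column layout of `ss -ltn` output; the two sample outputs are constructed for a hypothetical device, before and after telnet is turned off.

```python
# Constructed `ss -ltn` output from a hypothetical IoT device (not from the article).
EXPOSED_DEVICE = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       5       0.0.0.0:23          0.0.0.0:*
LISTEN  0       5       [::]:23             [::]:*
LISTEN  0       128     127.0.0.1:8080      0.0.0.0:*
"""

# Same device after telnet was turned off; only SSH and a loopback service remain.
HARDENED_DEVICE = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     127.0.0.1:8080      0.0.0.0:*
"""

TELNET_PORTS = frozenset({23})


def parse_listeners(ss_output):
    """Return (address, port) for every LISTEN row of `ss -ltn` output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or a socket that is not listening
        addr, port = fields[3].rsplit(":", 1)  # "[::]:23" -> "[::]", "23"
        listeners.append((addr.strip("[]"), int(port)))
    return listeners


def is_global(addr):
    """True when a bind address is reachable from beyond the loopback interface."""
    return not (addr.startswith("127.") or addr == "::1")


def exposed_telnet(ss_output, ports=TELNET_PORTS):
    """List telnet listeners bound beyond loopback, tagged by address family."""
    findings = []
    for addr, port in parse_listeners(ss_output):
        if port in ports and is_global(addr):
            family = "IPv6" if ":" in addr else "IPv4"
            findings.append((family, addr, port))
    return findings


if __name__ == "__main__":
    for name, output in (("exposed", EXPOSED_DEVICE), ("hardened", HARDENED_DEVICE)):
        print(name, exposed_telnet(output) or "no globally reachable telnet")
```

On a real device, feed it the output of `ss -ltn` and treat any finding as a device to take off the public Internet or to stop telnetd on.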

So, yeah. That’s a lot to absorb, and it looks pretty bad. You IT and security folks should click over to the original post for the code samples and more technical details, but I spoke to some security and code experts to get a sense of what all this means.

Sergei Golos, IT security professional and author of http://codeofserge.com, said that IoT devices are frequently coded based on Linux micro-boards, which introduces built-in vulnerabilities that allow these edge devices to not only perform the task they are designed to do, but also anything else a computer can do, including using the Internet to do just about anything, DDoS attacks included. In the end, he said, the bug is that the software on the IoT device doesn’t force users to configure unique passwords, which isn’t so much a coding issue as a design issue.

Edward Faulkner, hacker, entrepreneur, Ember Core Team member and author of https://eaf4.com, called this Linux/IRCTelnet a “not-especially-clever botnet that scans for defenseless devices running open telnet servers with default passwords.” Of course this is a huge number of devices, because so many of the IoT devices at the edge are being sold (not just to consumers) with no prior thought to the security implications and no plan to patch future vulnerabilities.

Faulkner further recommended that folks avoid the risks by making sure IoT devices stay on private LANs that are unreachable from the wider Internet.

Of course, that’s not always possible, especially for enterprise users, so Mike Ahmadi, Global Director, Critical Systems Security, Synopsys, said that “Unless builders of IoT devices incorporate more rigorous vulnerability detection and management practices into their development process, we can expect more of this malware botnet free for all to occur.”

The shortest version of this story is that the IoT’s chickens are coming home to roost. You’ve been building fast and cheap, rushing to market, and escaping the notice of the bad actors out there because the industry was so small.

We’ve hit the big time now, my friends. How about we start acting like it?




Edited by Alicia Young