It never rains, but it pours, right folks? Well, our socks are wet now, and the water just keeps getting deeper. In an October 28 post on the security blog Malware Must Die by @unixfreaxjp, we find another DDoS botnet threat aimed specifically at IoT devices, and this time it is ready for IPv6.
The investigator calls it Linux/IRCTelnet and says it looks like a new IRC botnet ELF malware that can be, and likely is being, used to perform DDoS attacks from IoT devices via an IRC botnet. He said it is partially coded per the Tsunami/Kaiten protocols, with additional features for malicious attack vectors and for targeting IoT devices over the telnet protocol.
Apparently, it is a combination of Kaiten for the IRC protocol, GayFgt/Torlus/Lizkebab/Bashdoor/Bashlite for the telnet scanner, and the Mirai botnet credential list. It also has an encoded CNC (command-and-control) address so it can evade plain-text inspection, and it is partially written in Italian, just to make things more interesting. Finally, this botnet uses DoS attack mechanisms such as UDP flood and TCP flood, over both IPv4 and IPv6, with an extra IP spoofing option for IPv4 or IPv6.
As for origin, the researcher started from the knowledge that this botnet is a new version of the Aidra bot, which helped in the search for similar execution patterns and code. The result is that this is possibly the work of the known Italian hacker “d3m0n3” on IRCNet.
Meanwhile, they saved partial IP address information for the infected IoT devices they found, which has been shared with the relevant authorities, and the writer noted that this is a significantly large botnet, especially considering it had only been active for a few days, from October 25 to 28, at the time of publication.
Recommendations for mitigation include turning off globally reachable telnet services and not using known vulnerable usernames or passwords. If a device is infected (or you’re not sure whether it is), the malware can be removed by rebooting the infected device, the post said. Of course, the device will then have to be secured against the intrusion, or it will simply be re-infected.
So, yeah. That’s a lot to absorb, and it looks pretty bad. You IT and security folks should click over to the original post for the code samples and more technical details, but I spoke to some security and code experts to get a sense for what all this means.
Sergei Golos, IT security professional and author of http://codeofserge.com, said that IoT devices are frequently built on Linux micro-boards, which introduces built-in weaknesses: these edge devices can not only perform the task they are designed for, but also anything else a computer can do, including using the Internet for just about anything, DDoS attacks included. All this means that the bug is that the software on the IoT device doesn't force users to configure unique passwords, which is less a coding issue than a design issue, he said.
Edward Faulkner, hacker, entrepreneur, Ember Core Team member and author of https://eaf4.com, called this Linux/IRCTelnet a “not-especially-clever botnet that scans for defenseless devices running open telnet servers with default passwords.” Of course this is a huge number of devices, because so many of the IoT devices at the edge are being sold (not just to consumers) with no prior thought to the security implications and no plan to patch future vulnerabilities.
Faulkner further recommended that folks avoid the risk by making sure IoT devices stay on private LANs that are unreachable from the wider Internet.
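The two mitigations above, closing telnet and keeping devices off the public Internet, both come down to one question a defender can check for: is a telnet service on my devices reachable at all? The following is an added example, not code from the Malware Must Die post, the article, or any of the people quoted. It audits an inventory of your own devices for a reachable telnet port so the ones that answer can be disabled or firewalled. The inventory addresses are constructed placeholders from the TEST-NET-1 range, and the injectable `connect` parameter is an assumption added so the logic can be exercised without a live network.

```python
"""Telnet exposure audit for an inventory of IoT devices you own.

Added example (hypothetical helper names). A device whose TCP port 23 accepts
a connection is exactly the kind of target the telnet scanners described in
the article look for; the remediation is to stop telnetd on the device or
block port 23 at the network edge, then change any default credentials.
"""
import socket
from typing import Callable, Dict, Iterable, List

TELNET_PORT = 23

# Constructed sample inventory (RFC 5737 TEST-NET-1 addresses, not real devices).
SAMPLE_INVENTORY = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"]

# A connector takes (host, port, timeout) and raises OSError if unreachable.
Connector = Callable[[str, int, float], None]


def socket_connect(host: str, port: int, timeout: float) -> None:
    """Real connector: open and immediately close a TCP connection."""
    with socket.create_connection((host, port), timeout=timeout):
        pass


def telnet_exposed(host: str, connect: Connector = socket_connect,
                   port: int = TELNET_PORT, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to the telnet port succeeds.

    Any OSError (refused, timed out, unroutable) is treated as 'not exposed'
    from this vantage point. Run it from the network segment you care about,
    e.g. the WAN side, to answer 'is this device reachable from the outside'.
    """
    try:
        connect(host, port, timeout)
        return True
    except OSError:
        return False


def audit_inventory(hosts: Iterable[str],
                    connect: Connector = socket_connect) -> Dict[str, bool]:
    """Map each host in the inventory to whether its telnet port answered."""
    return {host: telnet_exposed(host, connect) for host in hosts}


def exposed_hosts(report: Dict[str, bool]) -> List[str]:
    """Sorted list of hosts that need telnet disabled or firewalled."""
    return sorted(host for host, is_open in report.items() if is_open)


if __name__ == "__main__":
    # Against the constructed inventory this prints nothing exposed, since
    # TEST-NET-1 addresses are not routable; substitute your own device list.
    report = audit_inventory(SAMPLE_INVENTORY)
    for host in exposed_hosts(report):
        print(f"{host}: telnet reachable; disable telnetd or block TCP/23")
```

Run it from outside the LAN (or from the WAN interface of the router) to learn whether a device is reachable in the way the article warns about; a device that only answers from inside the private LAN matches Faulkner's recommendation, while one that answers from the Internet should have telnet turned off before its credentials are rotated.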
Of course, that’s not always possible, especially for enterprise users. Mike Ahmadi, Global Director, Critical Systems Security, Synopsys, said that “Unless builders of IoT devices incorporate more rigorous vulnerability detection and management practices into their development process, we can expect more of this malware botnet free for all to occur.”
The shortest version of this story is that the IoT’s chickens are coming home to roost. You’ve been building fast and cheap, rushing to market, and escaping the notice of the bad actors out there because the industry was so small.
We’ve hit the big time now, my friends. How about we start acting like it?
Edited by Alicia Young