5 Things Solution Providers Need To Know About Brickerbot, The Newest IoT Malware

Brickerbot Shuts Down Vulnerable IoT Devices

The lack of security in various Internet of Things devices has been a major concern for the IT industry over the past year – and a new threat targeting vulnerable IoT devices is accelerating those fears.

IT security firm Radware recently revealed a new Internet of Things malware, called Brickerbot, which disables vulnerable IoT devices so they are left completely inoperable. This type of attack, which Radware described as a "permanent distributed denial of service," can destroy the firmware or basic functions of IoT device systems.

Here's everything solution providers need to know about Brickerbot.

Method Of Compromising Devices

Over a four-day period, Radware recorded 1,895 permanent denial-of-service attempts performed from several locations around the world. The company recorded attempts from one short-lived bot and from a second bot that appeared on the same date, less than one hour apart; the second bot's attempts were lower in intensity but more thorough. The Brickerbot attack used the same exploit vector used by Mirai attacks – Telnet brute force – to breach IoT devices.

Once it has successfully accessed the IoT device, Brickerbot runs a series of Linux commands that corrupt storage, followed by commands that disrupt the device's internet connectivity and performance and wipe all the files on the device.

"They are definitely targeting Internet of Things devices, such as IP cameras and DVRs," Pascal Geenens, cyber security evangelist at Radware, told CRN.

Targeted IoT Devices

According to Geenens, the Brickerbot attack specifically targeted Linux-based IoT devices that have their Telnet port open and are publicly exposed on the internet. The targeted devices match those targeted by Mirai or other IoT botnets.

Meanwhile, the permanent denial-of-service attempts originated from a limited number of IP addresses globally.

Gray Hat Hackers

Geenens said that the attacker could be a gray hat hacker who wants to expose vulnerable IoT devices or brick them to prevent future distributed denial-of-service attacks.

"Either we're looking at a gray hat hacker, who is trying to fix the DDoS problem, or someone who is angry at manufacturers, and who would bring awareness to the issue of IoT vulnerabilities," said Geenens. "They may want to take away the resources for future DDoS attacks by bricking vulnerable devices."

DDoS Versus PDoS

The Brickerbot hacks differ from the distributed denial-of-service attacks that are launched through vulnerable IoT devices and flood servers with data – such as the October DDoS attack, which was launched through IoT devices including webcams, routers and video recorders, overwhelming servers at Dynamic Network Services and taking down up to 1,200 websites.

"For DDoS, the devices are used in an attack, but not impacted," said Geenens. "They are using the devices as resources, not breaking them. With Brickerbot, the devices break."

Prevention

There is an array of methods that solution providers can use to help customers avoid the Brickerbot attack, according to Radware. For instance, customers need to change the device's factory default credentials, said Geenens.

"First and foremost, change the default password, and check that there's no other way to access the device," said Geenens. "I think manufacturers also need to take ownership and responsibility because consumers are used to plugging devices in and not taking the extra measures to secure them. Manufacturers need to make sure they have measures in place to secure the devices."

Solution providers can also help customers disable Telnet access to the devices and perform a network behavioral analysis to detect anomalies in traffic.
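As a sketch of the network behavioral analysis mentioned above, the following added example (not code from Radware or from this article) flags sources that open bursts of Telnet connections and lists the devices still receiving Telnet traffic. The flow-record format, thresholds, function names and sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TELNET_PORT = 23

# Constructed flow records (not real traffic): timestamp, source, destination, dest port.
SAMPLE_FLOWS = """\
2017-04-01T10:00:00 198.51.100.7 10.0.0.21 23
2017-04-01T10:00:20 198.51.100.7 10.0.0.21 23
2017-04-01T10:00:40 198.51.100.7 10.0.0.22 23
2017-04-01T10:01:00 198.51.100.7 10.0.0.22 23
2017-04-01T10:01:20 198.51.100.7 10.0.0.21 23
2017-04-01T10:01:40 198.51.100.7 10.0.0.22 23
2017-04-01T09:00:00 10.0.0.5 10.0.0.21 23
2017-04-01T13:00:00 10.0.0.5 10.0.0.21 23
2017-04-01T10:00:05 203.0.113.9 10.0.0.30 443
"""

def parse_flows(text):
    """Parse whitespace-separated flow lines into (time, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port = line.split()
            flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows

def telnet_burst_sources(flows, window=timedelta(minutes=5), min_attempts=5):
    """Map bursty Telnet sources to (peak attempts in one window, devices contacted)."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == TELNET_PORT:
            by_src[src].append((ts, dst))
    suspects = {}
    for src, events in by_src.items():
        events.sort()
        start = 0  # left edge of the sliding time window
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= min_attempts and count > suspects.get(src, (0,))[0]:
                targets = sorted({dst for _, dst in events[start:end + 1]})
                suspects[src] = (count, targets)
    return suspects

def telnet_reachable_devices(flows):
    """Devices that were the destination of any Telnet flow: candidates for disabling Telnet."""
    return sorted({dst for _, _, dst, port in flows if port == TELNET_PORT})
```

In the constructed sample, the occasional Telnet sessions from 10.0.0.5 stay below the threshold, while the repeated connections from 198.51.100.7 to two devices within two minutes are reported.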