The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued an alert on BrickerBot, a piece of malware designed to permanently disable Internet of Things (IoT) devices.
Discovered earlier this month, the malware is capable of what Radware researchers call Permanent Denial-of-Service (PDoS). Two versions of the malware were observed to date, both featuring the same capabilities: they can damage the compromised devices’ firmware and disable basic functions.
Citing the Radware report, ICS-CERT warns that one version of BrickerBot is targeting devices running BusyBox that have an exposed Telnet command window, and which also have SSH exposed through an older version of Dropbear SSH server. Identified as Ubiquiti network devices, most of these run outdated firmware, while some are access points or bridges with beam directivity.
The second malware variant is targeting Linux-based devices both with and without BusyBox, but which expose a Telnet service secured with default or hard-coded passwords. This variant also uses TOR exit nodes to hide the source of the attack, ICS-CERT’s alert also points out.
While BrickerBot.1 has been active for only about a week, between March 20 and March 25, BrickerBot.2 continues to operate. What is not known for the time being, however, is what type of devices are used to launch these attacks, or how many of them are.
In a new announcement, Radware reveals that the IP camera they tested the discovered malware on stopped working completely, and that a factory reset didn’t restore functionality. The security firm also notes that users might not even be aware of the malware attack, and could simply believe they bought faulty hardware.
Some experts warn that Brickerbot could be a threat to devices residing on industrial networks.
“BrickerBot is obviously a threat to OT systems," Edgard Capdvielle, CEO of Nozomi Networks, told SecurityWeek. "Should Industrial Control Systems (ICS) components to suddenly fail without warning, the effects could be significant. Industrial automation systems could experience abnormal behavior or event outages."
ICS-CERT says it is working on identifying vendors of affected devices and on collecting detailed mitigation information. Until that happens, however, users can take some steps to protect their devices, such as changing the default credentials, disabling Telnet access to the device, and setting intrusion protection systems to block Telnet default credentials or reset Telnet connections.
These steps should keep devices protected from other threats as well, including Mirai, the distributed denial of service botnet that has been wreaking havoc among insecure IoT devices for more than half a year.
“ICS-CERT strongly encourages asset owners not to assume that their control systems are deployed securely or that they are not operating with an Internet accessible configuration. Instead, asset owners should thoroughly audit their networks for Internet facing devices, weak authentication methods, and component vulnerabilities. Control systems often have Internet accessible devices installed without the owner’s knowledge, putting those systems at increased risk of attack,” ICS-CERT’s alert reads.
“IoT designers and manufacturers must start presuming that their devices will be subject to attack the minute they are connected to the Internet. The industry needs to make security as high a priority as performance and free overnight shipping,” Diotte said.
Updated with commentary from Edgard Capdvielle