Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Hackers Hacking Hackers: IoT Attack Script Embedded With Backdoor

Hackers hack hackers. There’s no surprise there. Big fish eat little fish. In the past, money mule recruiters have been known to use their recruitment adverts as a lure to get targets to visit a malicious site; while more recently it is suggested that cyberspies hack cyberspies.

Hackers hack hackers. There’s no surprise there. Big fish eat little fish. In the past, money mule recruiters have been known to use their recruitment adverts as a lure to get targets to visit a malicious site; while more recently it is suggested that cyberspies hack cyberspies.

Now NewSky Security has found a doubly dubious script kiddie hacking script that contains an obfuscated backdoor inserted by the developer. “On 22nd October 2017,” blogged NewSky’s principal researcher Ankit Anubhav on Wednesday, “we observed a shady yet popular site that often hosts IoT botnet scripts had a new piece of code to offer. Labeled as “NEW IPCAM EXPLOIT”, this script promised to make the work of script kiddies easy by helping them locate IoT devices that use the potentially vulnerable embedded GoAhead server.”

Many different IP cameras are vulnerable, and they figure heavily in IoT botnets such as Mirai and Reaper.

This script intrigued NewSky — unusually, it was cyphered multiple times and archived with gzip. They deciphered it and found a script that would determine whether an IoT device uses the embedded and vulnerable GoAhead server. But they also found a backdoor that uses a shellscript to connect to a malicious server to download and execute another file — which NewSky determined to be the Kaiten botnet.

The motivation for this backdoor is simple. If a script kiddie uses it to gain a 10,000 strong IoT botnet, then multiple kiddies could rapidly gain an army of bots that could all be controlled by the original script developer. It’s a lazy way to build a large IoT botnet.

“Script kiddies often don’t bother trying to understand the tools they use,” comments F-Secure’s Andy Patel, “or read the code associated with those tools, so this is a pretty easy troll to pull off. Considering that there are ongoing turf-wars around the IoT botnets that are so popular with this crowd, I wouldn’t be surprised to hear about similar incidents in the future — or to find out that these things already happened, and we just didn’t hear about them.”

Written By

Click to comment

Expert Insights

Related Content

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Cybercrime

A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.