Virtual Event Today: Supply Chain Security Summit - Register Now

Security Experts:

Connect with us

Hi, what are you looking for?



New BrickerBot Variants Emerge

New variants of a recently discovered BrickerBot Internet of Things (IoT) malware capable of permanently disabling devices were observed last week, Radware security researchers warn.

New variants of a recently discovered BrickerBot Internet of Things (IoT) malware capable of permanently disabling devices were observed last week, Radware security researchers warn.

BrickerBot first emerged about a month ago, with two variants observed in early April. The first threat had a short life span of less than a week and targeted BusyBox-based Linux devices. The other is still activ and targeting devices both with and without BusyBox. Devices with an exposed Telnet service that is secured with default credentials are potential victims.

The malware was designed to disable certain functionality on the targeted devices, corrupt storage, and wipe files. Because the compromised devices are rendered useless, the researchers called this type of attack Permanent Denial-of-Service (PDoS).

Given the potential damaging power of BrickerBot, the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an alert to warn users and organizations alike of the risks they are exposed to when using IoT devices that aren’t properly secured.

Now, Radware says that two new BrickerBot variants are making the rounds, also focused on disabling IoT devices. They appear to have new command sequences, although similar to the previous variants, and have already launched thousands of attacks.

Targeting six device types that BrickerBot.1 was hitting but also capable of compromising several other device types, BrickerBot.3 attempts to disrupt connectivity by removing the default route and disabling TCP timestamps, while also wiping the root and limiting the number of kernel threats to 1. It focuses on the devices prone to Mirai attacks.

Radware detected 1118 PDoS attempts within the first 12 hours of activity on April 12, with all attacks launched from a limited number of clearnet IP addresses (the devices appear to be running an outdated version of the Dropbear SSH server). The number of bots performing these attacks grew to 15 within the first 12 hours.

“The devices used to perform the PDoS attacks on Radware’s honeypot do not correspond to the devices from BrickerBot.1. Although BrickerBot.1 was also abusing a limited number of clearnet connected devices to perform its attack, there is no immediate correlation between both,” Radware says. However, they were using a different honeypot when detecting the new variant.

Dubbed BrickerBot.4, the other new variant was hitting from a single device located on the Clearnet and running an outdated version of the Dropbear SSH server. This isolated bot performed 90 attacks and was active only for several hours.

“It is not possible to assess how widely spread the attacks are, but the potential damage BrickerBot.3 poses a clear and present danger for any IoT device with factory default credentials,” the security researchers warn.

According to a recent article on BleepingComputer, however, BrickerBot might have damaged over 2 million devices. His author, who goes by the online handle of Janit0r, claims to have created the malware to raise awareness of the risks insecure IoT devices pose. He sees the bot as a cure for the threat posed by IoT botnets, after they have been associated with a large number of distributed denial of service attacks in the second half of last year.

Related: ICS-CERT Warns of BrickerBot’s IoT Device Damaging Capabilities

Related: New Mirai Variant Unleashes 54-Hour DDoS Attack

Related: New “Ghost Host” Technique Boosts Botnet Resiliency

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...