New Persirai IoT Botnet Emerges

Around 120,000 Internet Protocol (IP) Camera models based on various Original Equipment Manufacturer (OEM) products are vulnerable to a newly discovered Internet of Things (IoT) botnet, Trend Micro warns.

Dubbed Persirai, the new botnet comes on the heels of Mirai, the IoT malware that became highly popular in late 2016 after it was involved in multiple high-profile distributed denial of service (DDoS) attacks. Like the recent Hajime botnet, Mirai mainly targets Digital Video Recorders (DVRs) and CCTV cameras.

According to Trend Micro, the newly discovered Persirai is targeting over 1,000 IP Camera models, with most users unaware that their devices are exposed to Internet-based attacks. As a result, the researchers argue, attackers can easily gain access to the devices’ web-based interfaces via TCP Port 81.

Because IP Cameras typically use the Universal Plug and Play (UPnP) protocol, which allows devices to open a port on the router and act like a server, they are highly visible targets for IoT malware. By accessing the vulnerable interface of these devices, an attacker can perform command injections to force the device to connect to a site, and download and execute malicious shell scripts.

After Persirai has been executed on the vulnerable device, the malware deletes itself from disk and continues to run only in memory. It also blocks the zero-day exploit it used, to prevent other attackers from hitting the same IP Camera. Because the malicious code runs only in memory, however, a reboot removes the infection and renders the device vulnerable to the exploit once again.

Affected IP Cameras were observed reporting to several command and control (C&C) servers (load.gtpnet.ir, ntp.gtpnet.ir, 185.62.189[.]232, and 95.85.38[.]103). Upon receiving commands from the server, infected devices automatically start attacking other IP Cameras by exploiting a public zero-day vulnerability, which allows attackers to get the password file from the user and perform command injections.
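One way a network defender could look for the two behaviours just described (cameras calling home to the listed C&C hosts, and infected cameras fanning out to other cameras on TCP port 81), written as an added example that is not from the article or from Trend Micro. The flow-log format and the sample records are constructed, and the fan-out threshold is an assumption, not a figure from the article.

```python
from collections import defaultdict

# C&C hosts named in the article; the infected cameras reported to these.
PERSIRAI_C2 = {"load.gtpnet.ir", "ntp.gtpnet.ir",
               "185.62.189.232", "95.85.38.103"}

# Constructed flow log (not real traffic), one record per line: src dst proto dport
SAMPLE_FLOWS = """\
10.0.0.21 load.gtpnet.ir tcp 80
10.0.0.21 203.0.113.10 tcp 81
10.0.0.21 203.0.113.11 tcp 81
10.0.0.21 203.0.113.12 tcp 81
10.0.0.21 203.0.113.13 tcp 81
10.0.0.22 198.51.100.7 tcp 443
10.0.0.22 ntp.gtpnet.ir udp 123
10.0.0.23 198.51.100.9 tcp 81
10.0.0.23 198.51.100.9 tcp 81
"""

def parse_flows(text):
    """Return (src, dst, proto, dport) tuples, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        src, dst, proto, dport = parts
        flows.append((src, dst, proto.lower(), int(dport)))
    return flows

def port81_scanners(flows, threshold=4):
    """Sources reaching >= threshold distinct hosts on TCP/81: a camera has no
    reason to fan out like that, but a bot hunting for peers does (threshold assumed)."""
    targets = defaultdict(set)
    for src, dst, proto, dport in flows:
        if proto == "tcp" and dport == 81:
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= threshold}

def triage(text):
    """Per-source findings: C&C contact and/or TCP/81 fan-out count."""
    flows = parse_flows(text)
    report = defaultdict(list)
    for src, dst, _, _ in flows:
        if dst in PERSIRAI_C2 and "c2-contact" not in report[src]:
            report[src].append("c2-contact")
    for src, n in port81_scanners(flows).items():
        report[src].append(f"tcp81-fanout:{n}")
    return dict(report)
```

Because the implant lives only in memory, a host that shows up here and then goes quiet after a reboot is consistent with the behaviour the article describes, so the flow history is worth keeping rather than just the current state.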

The botnet can launch DDoS attacks via User Datagram Protocol (UDP) floods, and can carry out these attacks with SSDP packets without spoofing the source IP address.

The security researchers managed to link the botnet to C&C servers using the .IR country-code domain, which is managed by an Iranian research institute and whose registration is restricted to Iranians. Furthermore, the malware’s code contains some special Persian characters.

Persirai appears to be built on Mirai’s source code, which was made publicly available in October last year. The malware targets devices even when they run the latest firmware versions, and cannot be slowed by the use of strong passwords because it abuses a password-stealing vulnerability. IP Camera owners should therefore implement other security steps to ensure their devices are protected.

“The burden of IoT security does not rest on the user alone—it’s also dependent on the vendors themselves, as they should be the ones responsible for making sure that their devices are secure and always updated. In line with this, users should make sure that their devices are always updated with the latest firmware to minimize the chance of vulnerability exploits,” Trend Micro notes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
