Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

New Persirai IoT Botnet Emerges

Around 120,000 Internet Protocol (IP) Camera models based on various Original Equipment Manufacturer (OEM) products are vulnerable to a newly discovered Internet of Things (IoT) botnet, Trend Micro warns.

Around 120,000 Internet Protocol (IP) Camera models based on various Original Equipment Manufacturer (OEM) products are vulnerable to a newly discovered Internet of Things (IoT) botnet, Trend Micro warns.

Dubbed Persirai, the new botnet’s development comes on the heels of Mirai, the IoT malware that became highly popular in late 2016, after being involved in multiple high-profile distributed denial of service (DDoS) attacks. Similar to the recent Hajime botnet, Mirai mainly targets Digital Video Recorders (DVRs) and CCTV cameras.

According to Trend Micro, the newly discovered Persirai is targeting over 1,000 IP Camera models, with most users unaware that their devices are exposed to Internet-based attacks. As a result, the researchers argue, attackers can easily gain access to the devices’ web-based interfaces via TCP Port 81.

Because IP Cameras typically use the Universal Plug and Play (UPnP) protocol, which allows devices to open a port on the router and act like a server, they are highly visible targets for IoT malware. By accessing the vulnerable interface of these devices, an attacker can perform command injections to force the device to connect to a site, and download and execute malicious shell scripts.

After Persirai has been executed on the vulnerable device, the malware deletes itself and continues to run only in memory. Further, it blocks the zero-day exploit it uses to prevent other attackers from hitting the same IP Camera. Because the malicious code runs in the memory, however, a reboot renders the device vulnerable to the exploit once again.

Affected IP Cameras were observed reporting to several command and control (C&C) servers (load.gtpnet.ir, ntp.gtpnet.ir, 185.62.189[.]232, and 95.85.38[.]103). Upon receiving commands from the server, infected devices automatically start attacking other IP Cameras by exploiting a public zero-day vulnerability, which allows attackers to get the password file from the user and perform command injections.

The botnet can launch DDoS attacks via User Datagram Protocol (UDP) floods and can perform these attacks with SSDP packets without spoofing IP address.

The security researchers managed to link the botnet to C&C servers that were using the .IR country code, which is managed by an Iranian research institute and is restricted to Iranians only. Furthermore, the malware’s code contains some special Persian characters.  

Advertisement. Scroll to continue reading.

Persirai appears built on Mirai’s source code, which was made publicly available in October last year. The malware targets even devices with the latest firmware versions installed, and can’t be slowed by the use of strong passwords because it abuses a password-stealing vulnerability. Thus, IP Camera owners should implement other security steps to ensure their devices are protected.

“The burden of IoT security does not rest on the user alone—it’s also dependent on the vendors themselves, as they should be the ones responsible for making sure that their devices are secure and always updated. In line with this, users should make sure that their devices are always updated with the latest firmware to minimize the chance of vulnerability exploits,” Trend Micro notes.

Related: Mirai Variant Has Bitcoin Mining Capabilities

Related: New Mirai Variant Unleashes 54-Hour DDoS Attack

Related: New BrickerBot Variants Emerge

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

ICS/OT

The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

ICS/OT

Municipal Water Authority of Aliquippa in Pennsylvania confirms that hackers took control of a booster station, but says no risk to drinking water or...

Cybercrime

Energy giants Schneider Electric and Siemens Energy confirm being targeted by the Cl0p ransomware group in the campaign exploiting a MOVEit zero-day.

ICS/OT

Mandiant's Chief analyst urges critical infrastructure defenders to work on finding and removing traces of Volt Typhoon, a Chinese government-backed hacking team caught in...

ICS/OT

Wago has patched critical vulnerabilities that can allow hackers to take complete control of its programmable logic controllers (PLCs).

ICS/OT

Otorio has released a free tool that organizations can use to detect and address issues related to DCOM authentication.