Vulnerabilities / Threats

1/22/2018
06:50 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Satori Botnet Malware Now Can Infect Even More IoT Devices

Latest version targets systems running ARC processors.

The authors of the Satori IoT malware family have dramatically increased their pool of bot recruits for attack botnets with a new version of the tool targeting systems running ARC processors.

The latest Satori variant, the fourth since the malware first surfaced in Dec. 2017, appears to be the first aimed specifically at ARC chipsets, DDoS attack mitigation vendor Arbor Networks said in an advisory this week.   

ARC processors are 32-bit power-efficient CPUs that are used in a wide range of applications including automotive, industrial, and IoT. More than 1.5 billion embedded systems containing ARC cores ship every year, including electronic steering controls and infotainment systems in cars, as well as personal fitness bands and digital TV set tops, and smart thermostats.

Like other Satori variants, the newest one also leverages the Mirai code base. Like Mirai, it is designed to propagate through credential scanning, meaning the malware can potentially infect any ARC device with default and easily guessable telnet usernames and passwords. The previous Satori variant specifically targeted Huawei routers.

It's hard to say which specific ARC-based devices the Satori authors are hoping to target because of the huge installed base of systems, says Peter Arzamendi, security researcher at NETSCOUT, Arbor's Security Engineering & Response Team. 

However, "botnets that target new and novel types of IoT devices is the new normal," he says. "With the proliferation of IoT and BYOD, enterprises will need to understand how to both defend these devices and be able to respond when they are compromised," Arzamendi says.

Support for ARC processors allows Satori variants to target a wide range of systems including those based on Intel, ARM, MIPS, PPC, and SuperH processor architectures. All of the variants differ slightly in targeting and in capabilities.

Building malware for a new processor architecture like ARC is not too difficult an endeavor and only requires a compiler that supports the architecture, and some open source tools to help with porting code, says Arzamendi.

"IoT [botnets] depend on compromising as many devices as possible. Threat actors will have less competition by focusing on new types of devices that others are not targeting," he says of the latest Satori development.

On Defense

With DDoS-capable malware available for a wider range of Internet-connected devices than when Mirai first surfaced in late 2016, network operators need to review their defense strategies, according to Arbor.

In addition to protections against DDoS attacks, businesses need to ensure their own IoT network and device is not being used in DDoS attacks, Arbor said. "The collateral damage due to scanning and outbound DDoS attacks alone can be crippling if network architectural and operational best current practices are not proactively implemented," the security vendor said in its advisory.

Adam Meyers, vice president of intelligence at CrowdStrike, says organizations need to invest in DDoS protection if they haven't done so already, and ensure they know what to do in the event of an attack. Tabletop exercises are a great way to ensure that all stakeholders are in lockstep when an attack does occur, he says.

"Protecting against IoT botnets will become increasingly difficult as IoT devices age in place," Meyers says. "A bulk of these devices is going to remain deployed as long as they continue to function, and patching will not be widespread. In addition, new vulnerabilities in some of these platforms will continue to be identified."

In addition to DDoS attacks, enterprises should also be aware of the fact that IoT botnets can be used for other purposes such as: creating a non-attribution proxy network for criminal enterprises, distributing spam, and hosting Web content for phishing.

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Want Your Daughter to Succeed in Cyber? Call Her John
John De Santis, CEO, HyTrust,  5/16/2018
Don't Roll the Dice When Prioritizing Vulnerability Fixes
Ericka Chickowski, Contributing Writer, Dark Reading,  5/15/2018
New Mexico Man Sentenced on DDoS, Gun Charges
Dark Reading Staff 5/18/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2016-8656
PUBLISHED: 2018-05-22
Jboss jbossas before versions 5.2.0-23, 6.4.13, 7.0.5 is vulnerable to an unsafe file handling in the jboss init script which could result in local privilege escalation.
CVE-2017-2609
PUBLISHED: 2018-05-22
jenkins before versions 2.44, 2.32.2 is vulnerable to an information disclosure vulnerability in search suggestions (SECURITY-385). The autocomplete feature on the search box discloses the names of the views in its suggestions, including the ones for which the current user does not have access to.
CVE-2017-2617
PUBLISHED: 2018-05-22
hawtio before version 1.5.5 is vulnerable to remote code execution via file upload. An attacker could use this vulnerability to upload a crafted file which could be executed on a target machine where hawtio is deployed.
CVE-2018-11372
PUBLISHED: 2018-05-22
iScripts eSwap v2.4 has SQL injection via the wishlistdetailed.php User Panel ToId parameter.
CVE-2018-11373
PUBLISHED: 2018-05-22
iScripts eSwap v2.4 has SQL injection via the "salelistdetailed.php" User Panel ToId parameter.