Vulnerabilities / Threats

1/22/2018
06:50 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Satori Botnet Malware Now Can Infect Even More IoT Devices

Latest version targets systems running ARC processors.

The authors of the Satori IoT malware family have dramatically increased their pool of bot recruits for attack botnets with a new version of the tool targeting systems running ARC processors.

The latest Satori variant, the fourth since the malware first surfaced in Dec. 2017, appears to be the first aimed specifically at ARC chipsets, DDoS attack mitigation vendor Arbor Networks said in an advisory this week.   

ARC processors are 32-bit power-efficient CPUs that are used in a wide range of applications including automotive, industrial, and IoT. More than 1.5 billion embedded systems containing ARC cores ship every year, including electronic steering controls and infotainment systems in cars, as well as personal fitness bands and digital TV set tops, and smart thermostats.

Like other Satori variants, the newest one also leverages the Mirai code base. Like Mirai, it is designed to propagate through credential scanning, meaning the malware can potentially infect any ARC device with default and easily guessable telnet usernames and passwords. The previous Satori variant specifically targeted Huawei routers.

It's hard to say which specific ARC-based devices the Satori authors are hoping to target because of the huge installed base of systems, says Peter Arzamendi, security researcher at NETSCOUT, Arbor's Security Engineering & Response Team. 

However, "botnets that target new and novel types of IoT devices is the new normal," he says. "With the proliferation of IoT and BYOD, enterprises will need to understand how to both defend these devices and be able to respond when they are compromised," Arzamendi says.

Support for ARC processors allows Satori variants to target a wide range of systems including those based on Intel, ARM, MIPS, PPC, and SuperH processor architectures. All of the variants differ slightly in targeting and in capabilities.

Building malware for a new processor architecture like ARC is not too difficult an endeavor and only requires a compiler that supports the architecture, and some open source tools to help with porting code, says Arzamendi.

"IoT [botnets] depend on compromising as many devices as possible. Threat actors will have less competition by focusing on new types of devices that others are not targeting," he says of the latest Satori development.

On Defense

With DDoS-capable malware available for a wider range of Internet-connected devices than when Mirai first surfaced in late 2016, network operators need to review their defense strategies, according to Arbor.

In addition to protections against DDoS attacks, businesses need to ensure their own IoT network and device is not being used in DDoS attacks, Arbor said. "The collateral damage due to scanning and outbound DDoS attacks alone can be crippling if network architectural and operational best current practices are not proactively implemented," the security vendor said in its advisory.

Adam Meyers, vice president of intelligence at CrowdStrike, says organizations need to invest in DDoS protection if they haven't done so already, and ensure they know what to do in the event of an attack. Tabletop exercises are a great way to ensure that all stakeholders are in lockstep when an attack does occur, he says.

"Protecting against IoT botnets will become increasingly difficult as IoT devices age in place," Meyers says. "A bulk of these devices is going to remain deployed as long as they continue to function, and patching will not be widespread. In addition, new vulnerabilities in some of these platforms will continue to be identified."

In addition to DDoS attacks, enterprises should also be aware of the fact that IoT botnets can be used for other purposes such as: creating a non-attribution proxy network for criminal enterprises, distributing spam, and hosting Web content for phishing.

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
One in Three SOC Analysts Now Job-Hunting
Kelly Jackson Higgins, Executive Editor at Dark Reading,  2/12/2018
Encrypted Attacks Continue to Dog Perimeter Defenses
Ericka Chickowski, Contributing Writer, Dark Reading,  2/14/2018
Can Android for Work Redefine Enterprise Mobile Security?
Satish Shetty, CEO, Codeproof Technologies,  2/13/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: One agent too many was installed on Bob's desktop.
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.