Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

5/9/2017
04:25 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

New IoT Botnet Discovered, 120K IP Cameras At Risk of Attack

The Persirai IoT botnet, which targets IP cameras, arrives hot on the heels of Mirai and highlights the growing threat of IoT botnets.

Researchers at Trend Micro have discovered a new Internet of Things (IoT) botnet that leaves than 120,000 Internet Protocol (IP) cameras vulnerable to attack.

The botnet, dubbed Persirai, was discovered targeting more than 1,000 different models of IP cameras. Persirai hits IoT devices a few months after the Mirai botnet, which wreaked havoc by compromising DVRs and CCTV cameras to fuel a massive DDoS attack in October 2016.

The researchers uncovered Persirai when they found four command and control (C&C) servers and explored the vulnerabilities associated with them, explains Jon Clay, global director of threat communications at Trend Micro.

In analyzing the malware, they found it was targeting IP cameras. Using the Shodan tool, they spotted more than 120,000 devices exposed on the public Internet. IP cameras are visible targets for IoT malware because they usually use the Universal Plug and Play (UPnP) open network protocols that let devices open a port on the router and act as a server.

The most notable difference between Mirai and Persirai is that Mirai used brute-force login attempts to steal credentials, and Persirai uses a zero-day vulnerability made public months ago. Attackers exploiting this vulnerability can get the password file from the user, which gives them access to the device.

After they get into the victim camera, the attacker can use it to perform a DDoS attack on other computers with User Datagram Protocol (UDP) floods, as described on the Trend Micro blog. The threat actor can provide an IP address in the port where they want to launch the DDoS attempt, and target any IP in the world.

The compromised camera can be used to discover other victims, which can be infected using the same zero-day vulnerability. From there, they can continue stealing password files and securing the ability to perform command injections and continue the spread of malicious code.

Researchers found affected IP cameras report to C&C servers using the .IR country code, which is managed by an Iranian research institute. They also discovered special Persian characters used by the malware author. However, this does not indicate the attacker is Iranian.

Clay says the use of this zero-day vulnerability indicates Persirai will continue to be a threat. Interestingly, the malware erases itself once the target machine has been infected, and will only run in memory. This makes it tougher to detect code once it's gone.

"Attackers behind this are likely to continue and pursue other vulnerabilities, and look for other IoT devices that have similar vulnerabilities associated with them," he explains. The attacker can build a bigger, or separate, botnet focused on those devices.

Mirai taught us that it doesn't take a lot of devices to cause a massive DDoS attack, Clay continues. With more than 100,000 IP cameras left vulnerable, there is a high risk.

"Their devices are going to be used to potentially perform DDoS attacks against other organizations or other people," he says of potential victims. "You're unwittingly being used as a pawn in a criminal's efforts."

IP camera users are advised to stay updated on the latest security patches and strengthen passwords so they are tougher to brute-force attack. Most users don't know their IP cameras are exposed online and don't change the default password, researchers explain. Many won't even know if their IP camera is conducting a DDoS attack.

Manufacturers need to work on improving the login process by looking beyond passwords and using biometrics or two-factor authentication to strengthen device security, says Clay.

Related Content

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
How Security Vendors Can Address the Cybersecurity Talent Shortage
Rob Rashotte, VP of Global Training and Technical Field Enablement at Fortinet,  5/24/2019
TeamViewer Admits Breach from 2016
Dark Reading Staff 5/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-7068
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7069
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have a type confusion vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7070
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7071
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.
CVE-2019-7072
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .