The authors of the Satori IoT malware family have dramatically increased their pool of bot recruits for attack botnets with a new version of the tool targeting systems running ARC processors.
The latest Satori variant, the fourth since the malware first surfaced in Dec. 2017, appears to be the first aimed specifically at ARC chipsets, DDoS attack mitigation vendor Arbor Networks said in an advisory this week.
ARC processors are 32-bit power-efficient CPUs that are used in a wide range of applications including automotive, industrial, and IoT. More than 1.5 billion embedded systems containing ARC cores ship every year, including electronic steering controls and infotainment systems in cars, as well as personal fitness bands and digital TV set tops, and smart thermostats.
Like other Satori variants, the newest one also leverages the Mirai code base. Like Mirai, it is designed to propagate through credential scanning, meaning the malware can potentially infect any ARC device with default and easily guessable telnet usernames and passwords. The previous Satori variant specifically targeted Huawei routers.
It's hard to say which specific ARC-based devices the Satori authors are hoping to target because of the huge installed base of systems, says Peter Arzamendi, security researcher at NETSCOUT, Arbor's Security Engineering & Response Team.
However, "botnets that target new and novel types of IoT devices is the new normal," he says. "With the proliferation of IoT and BYOD, enterprises will need to understand how to both defend these devices and be able to respond when they are compromised," Arzamendi says.
Support for ARC processors allows Satori variants to target a wide range of systems including those based on Intel, ARM, MIPS, PPC, and SuperH processor architectures. All of the variants differ slightly in targeting and in capabilities.
Building malware for a new processor architecture like ARC is not too difficult an endeavor and only requires a compiler that supports the architecture, and some open source tools to help with porting code, says Arzamendi.
"IoT [botnets] depend on compromising as many devices as possible. Threat actors will have less competition by focusing on new types of devices that others are not targeting," he says of the latest Satori development.
With DDoS-capable malware available for a wider range of Internet-connected devices than when Mirai first surfaced in late 2016, network operators need to review their defense strategies, according to Arbor.
In addition to protections against DDoS attacks, businesses need to ensure their own IoT network and device is not being used in DDoS attacks, Arbor said. "The collateral damage due to scanning and outbound DDoS attacks alone can be crippling if network architectural and operational best current practices are not proactively implemented," the security vendor said in its advisory.
Adam Meyers, vice president of intelligence at CrowdStrike, says organizations need to invest in DDoS protection if they haven't done so already, and ensure they know what to do in the event of an attack. Tabletop exercises are a great way to ensure that all stakeholders are in lockstep when an attack does occur, he says.
"Protecting against IoT botnets will become increasingly difficult as IoT devices age in place," Meyers says. "A bulk of these devices is going to remain deployed as long as they continue to function, and patching will not be widespread. In addition, new vulnerabilities in some of these platforms will continue to be identified."
In addition to DDoS attacks, enterprises should also be aware of the fact that IoT botnets can be used for other purposes such as: creating a non-attribution proxy network for criminal enterprises, distributing spam, and hosting Web content for phishing.
- Hacker Targeted Huawei Router 0-Day in Attempt to Create New Mirai Botnet
- IOTroop Botnet Hits Over a Million Organizations in Under 30 Days
- 'Reaper' IoT Botnet Likely a DDoS-for-Hire Tool
- 8 Ways IoT Manufacturers Can Improve Security