BrickerBot Malware Emerges, Permanently Bricks IoT Devices

A newly uncovered malware is currently making headlines targeting Internet of Things (IoT) devices: BrickerBot. While its attack vector is reportedly similar to Mirai (detected by Trend Micro as ELF_MIRAI family), which turns infected devices into bots, BrickerBot “bricks” the device it infects, rendering the device permanently inoperable.

BrickerBot is a real-world instance of phlashing—or permanent denial of service (PDoS)—in which security flaws in the device’s hardware are exploited and its firmware modified.

Like other malware, like Mirai and LuaBot (ELF_LUABOT), that target IoT devices, BrickerBot employs dictionary attacks (via default or hardcoded credentials) to gain unauthorized access in the device. However, BrickerBot is unlike other malware in the IoT threat landscape that typically amass the infected devices into botnets that can be leveraged in distributed denial-of-service (DDos) attacks. BrickerBot instead executes a chain of malicious Linux commands that result in permanent damage in the device. Some of these commands include corrupting or misconfiguring the device’s storage capability and kernel parameters, hindering internet connection, tampering with device performance, and wiping all files on the device.

[From the Security Intelligence Blog: Mitigating attacks that can turn routers into zombies]

BrickerBot has two known versions. BrickerBot.1 targets IoT devices running BusyBox (a software that provides Unix-like utilities for environments like Linux and Android) with exposed Telnet or Secure Shell (SSH), the latter due to having an older SSH server version. Networking devices running outdated firmware are the most at risk. BrickerBot.2 targets Linux-based devices with exposed Telnet service and default (or hardcoded) credentials. This second version employs TOR exit nodes to anonymize or conceal its activities.

Trend Micro’s continuing analysis of BrickerBot indicates that the malware also exploits remote code execution vulnerabilities in routers. Initial telemetry also confirmed reports of BrickerBot’s use of default username/password combinations “root/root” and “root/vizxv” to log into the device, along with the malicious payload that randomly writes to the device’s storage.

[READ: How to secure routers against home network attacks]

With the advent of Mirai last year and the significant impact it posed to enterprises and individual end users, the need to secure IoT devices couldn’t be more important. BrickerBot is also a reflection of the larger role IoT devices increasingly play in today’s cyber-attacks, given their growing adoption especially among enterprises like those in the manufacturing and energy sectors. Even something as relatively benign as an individual user’s home router can be ‘zombified’ to do the attacker’s bidding—targeting organizations and their company assets, or pilfering the infected device’s data .

Defending against BrickerBot

Given the destructive nature of BrickerBot, the U.S.’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) released a security advisory for control system vendors, proprietors, and operators, and recommended to take defensive measures such as:

  • Minimizing network/internet exposure to all industrial control system (ICS) devices
  • Enabling firewalls and separating ICS devices from company networks
  • Employing Virtual Private Networks when remotely accessing ICS devices
  • Applying patches/system updates regularly and whenever possible
  • Add authentication mechanisms while scrutinizing administrator-level accounts

The most effective countermeasure against BrickerBot is to change and strengthen the device’s default credentials to lessen their susceptibility to unauthorized access. Disabling components like remote administration features such as Telnet—which BrickerBot is known to leverage—should also be considered.

Apart from these, enterprises and end users can prevent BrickerBot from bricking their IoT devices by keeping the device and its firmware updated to patch vulnerabilities that can be used as entry points into the device. Deploying intrusion prevention systems in the gateway can also provide an additional layer of security by detecting and blocking intrusions in the gateway. IT administrators and information security professionals should also be proactive in spotting suspicious or malicious activity within their organization’s network.

Unfortunately, many IoT devices also come with fixed or hardcoded credentials, utilities, and services that cannot be disabled, updated, or patched. Indeed, BrickerBot not only serves as a wake-up call to enterprises and home users; it also entails the responsibility of vendors to improve the security of the IoT devices they manufacture.

Trend Micro Solutions:

Trend Micro™ Deep Security™ protects endpoints from threats that exploit vulnerabilities. Trend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to attacks using exploits and other similar threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect these kinds of attacks even without any engine or pattern update.

TippingPoint’s Integrated Advanced Threat Prevention provides actionable security intelligence, shielding against vulnerabilities and exploits, and defending against known and zero-day attacks. TippingPoint’s solutions, such as Advanced Threat Protection and Intrusion Prevention System, powered by XGen™ security, use a combination of technologies such as deep packet inspection, threat reputation, and advanced malware analysis to detect and block attacks and advanced threats.

TippingPoint customers are protected from this threat with the following ThreatDV filter:

  • 27944: HTTP: ELF_MIRAI.A (BrickerBot) Checkin

Deep Discovery Inspector protects customers from this threat via this DDI Rule:

  • DDI Rule 3285: MIRAI – HTTP (Request)

Trend Micro’s Smart Home Network Security protects customers from threats related to BrickerBot via these detection rules:

  • 1133255: WEB Remote Command Execution in XML -1
  • 1133121: TELNET Default Password Login -14
  • 1133598: MALWARE Suspicious IoT Worm TELNET Activity -3
HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.