Malware researchers at Check Point have uncovered a new massive IoT botnet that presented many similarities with the dreaded Mirai.
The new thing bot emerged at the end of September and appears much more sophisticated, according to the experts the malware already infected more than one million organizations worldwide.
The malicious code tries to exploit many known-vulnerabilities in various IP camera models, including GoAhead, D-Link, TP-Link, AVTECH, NETGEAR, MikroTik, Linksys, and Synology.
The experts speculate that the malware once compromised a device use it to spread itself.
“With each passing day the malware was evolving to exploit an increasing number of vulnerabilities in Wireless IP Camera devices such as GoAhead, D-Link, TP-Link, AVTECH, NETGEAR, MikroTik, Linksys, Synology and others. It soon became apparent that the attempted attacks were coming from many different sources and a variety of IoT devices, meaning the attack was being spread by the IoT devices themselves.” reads the report published by Check Point.
“So far we estimate over a million organizations have already been affected worldwide, including the US, Australia and everywhere in between, and the number is only increasing,” continues Check Point.
While investigating the compromise of a GoAhead device the experts noticed that the attackers accessed the System.ini file. This file would contain the credentials of the user, but on the compromised IoT device it contained a ‘Netcat’ command to open a reverse shell to the attacker’s IP.
The attackers triggered the CVE-2017-8225 to hack into the IoT device. The experts verified that the botnet relies on compromise bots to sending out the infection.
“These attacks were coming from many different types of devices and many different countries, totaling approximately 60% of the corporate networks which are part of the ThreatCloud global network,” Check Point notes.
The security researchers provided a list of IoT devices targeted by the malware, even if the attackers’ motivation is unclear experts speculate the botnet could be used to power DDoS attacks.
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.