man at computer

DHS warns of BrickerBot Threat to Internet of Things

In-brief: the Department of Homeland Security is warning about destructive attacks by BrickerBot, a new piece of malicious software that attacks Linux devices and renders them useless, wiping out critical configuration information and data from the devices. 

The Department of Homeland Security is warning about destructive attacks by BrickerBot, a new piece of malicious software that attacks Linux devices and renders them useless, wiping out critical configuration information and data from the devices.

The DHS warning, issued on Wednesday by the Industrial Control System Cyber Emergency Response Team (ICS-CERT), follows a report by the firm Radware last week describing the new threat. ICS-CERT said it is working to identify vendors and affected devices, but advised critical infrastructure vendors to make sure Telnet access was disabled on connected devices and to change any default credentials.

Two versions of BrickerBot were identified in quick succession in recent weeks and have been observed attacking and wrecking devices running BusyBox, a common Linux distribution that is common on embedded devices of all sorts, as well as Dropbear SSH server, a compact secure shell (SSH) server and client that are also popular with resource-limited embedded systems.

Like the Mirai botnet, the BrickerBot variants, dubbed BrickerBot.1 and BrickerBot.2 exploit hard-coded user names and passwords in IoT devices. The malware was run from a network of compromised networking devices manufactured by Ubiquity. It gained access to vulnerable devices using brute force password guessing attempts on Telnet, a remote management service that is enabled by default on many devices.

Like Mirai, BrickerBot attempted common and default username and  password combinations such as root/root and root/vizxv, Radware reported. The targeted IoT devices all had their Telnet port open and exposed publicly on the Internet – similar to the devices targeted by Mirai or related IoT botnets.

On devices that are successfully hacked, BrickerBot performs a series of Linux commands that corrupt data stored on the device and commands that disrupt Internet connectivity and performance and then wipe all files on the device.

In its alert, ICS-CERT echoed security recommendations from Radware including the use of network behavioral analysis to detect anomalies in network traffic and the use of  intrusion protection systems (IPS) to block the use of Telnet default credentials or resetting of Telnet connections. DHS encouraged any companies that find evidence of BrickerBot infections to report them to ICS-CERT.

As of the release of Radware’s report, actual incidents of BrickerBot attacks were few. The company recorded 1,895 attack attempts from locations around the world – hardly a massive outbreak. However, the widespread use of platforms like BusyBox across industries means the potential population of vulnerable devices is large and could include high value assets in critical infrastructure, clinical environments and more.

DHS advised readers to make sure that control system devices were not exposed to the public Internet, use virtual private network (VPN) software to secure access to such devices and to remove or disable default system accounts and use of strong passwords with any other accounts.

Comments are closed.