Security researchers have discovered a new form of the Hide and Seek IoT malware. The latest version can now survive a reboot of the infected device.
According to a blog post, researchers at Bitdefender have been tracking the variant since the end of April. Currently, the botnet has infected nearly 90,000 unique devices.
Bogdan Botezatu, senior e-threat analyst at Bitdefender said that new binaries now include code to leverage two new vulnerabilities to o compromise more IPTV camera models.
“In addition to the vulnerabilities, the bot can also identify two new types of devices and pass their default username and passwords,” he said.
The malware targets several generic devices. Once infected, the device scan for neighbouring peers for the presence of the telnet service. Botezatu said that as soon as the telnet service is found, the infected device attempts to bruteforce access. If the login succeds, the malware restricts access to port 23 to potentially prevent a competing bot from hijacking the device.
“This attack avenue targets a wide range of devices and architecture. Our research shows that the bot has 10 different binaries compiled for various platforms, including x86, x64, ARM (Little Endian and Big Endian), SuperH, PPC and so on,” he said.
When successfully infected, the malware copies itself in the /etc/init.d/ and adds itself to start with the operating system.
But the most worrying aspect of the new strain of malware is the ability to persist despite a reboot. Until today, equipment owners could always remove IoT malware from their smart devices, modems, and routers by resetting the device.
Botezatu said that to achieve persistence, the infection must take place via Telnet, as root privileges are required to copy the binary to the init.d directory.
“It subsequently opens a random UDP port that is propagated to the neighbouring bots. This port will be used by the cyber-criminals to get in touch with the device,” he said.
He added that the botnet may still be in its growth phase, as operators are “trying to seize as many devices as possible before adding weaponised features to the binary”.
Javvad Malik, security advocate at AlienVault, told SC Media UK that organisations that have deployed IoT devices should look to harden the devices by changing default configurations, disabling unneeded services, as well as protecting them within the network so they aren't easily accessible publicly and infected.
“Beyond that, threat detection controls should be deployed on the network that can monitor network traffic of IoT devices and alert when a device is communicating out of normal boundaries either using uncommon ports or communicating with unknown servers,” he said.
Patrick Hunter, director at One Identity, told SC Media UK that the crux of this attack is all around gaining permissions (root access) to copy itself into the init.d directory – something that is impossible without those permissions.
“There are two aspects to these attacks; one is gaining that access and the other is the route to the device. If all of the devices had their root passwords changed and locked away, so that no human knows them, and make them stronger as they don't need to be remembered then things are instantly better off. Brute force attacks become harder,” he said.
“The route exposed in the article was using Telnet. A protocol that is inherently unsecured against attack. Dare I say it that many of these devices are still using their default passwords from when they were taken out of the box. We saw a spate of IoT based attacks on cameras a few years back using this simple technique – just try the default first.”
Hunter said that organisations should “lock away” the privileged account passwords, change them from their defaults, make them very long and complex (to avoid dictionary attacks) and change them regularly.