The author of BrickerBot, the malware designed to infect and take down insecure Internet of Things (IoT) connected devices, claims that the malware has so far taken down as many as two million devices.
A vigilante ‘grey hat’ hacker going by the moniker Janitor on the Hack Forums discussion boards claims to have authored the malware, which was identified earlier this month by security researchers at Radware.
“BrickerBot.1 and BrickerBot.2 exploit hard-coded passwords, exposed SSH, and brute force Telnet,” according to an alert circulated just last week by the US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
In other words, when the malware finds an exposed device, it overwrites the device's flash storage with junk, rendering it useless and requiring a firmware reinstall to bring it back to life. However, in many cases the firmware is difficult to procure, meaning that the device needs to be replaced altogether.
ICS-CERT has advised organisations to audit their devices and to disable SSH and Telnet access to any devices, as well as ensuring that default passwords are updated, if they haven’t been already.
ICS-CERT claims that it is putting together a database of potentially affected devices “in order to collect product-specific mitigations and compensating controls”. Its advisory also describes the difference between the two variants of BrickerBot:
- BrickerBot.1 targets devices running BusyBox with an exposed Telnet command window. These devices also have SSH exposed through an older version of Dropbear SSH server. Most of these devices were also identified as Ubiquiti network devices running outdated firmware. BrickerBot.1 was active for just five days in March, according to Radware, and attacks from this malware have now ceased;
- BrickerBot.2 targets Linux-based devices which may or may not run BusyBox, and which expose a Telnet service protected by default or hard-coded passwords. The source of the attacks is concealed by TOR exit nodes.
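The audit ICS-CERT recommends can be scripted against an organisation's own device inventory. The following is an added example, not code from the advisory or from Radware: it checks each listed device for reachable Telnet and SSH and flags Dropbear banners. The function names, sample addresses and banner strings are constructed for illustration.

```python
import socket

AUDIT_PORTS = (23, 22)  # Telnet and SSH, the services the advisory says to disable

def probe(host, port, timeout=2.0):
    """Return None if the port does not accept connections, else the bytes the service sends first."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            try:
                return conn.recv(128)
            except OSError:          # open, but silent or reset before sending anything
                return b""
    except OSError:                  # refused, filtered or unreachable
        return None

def findings(banners):
    """Map {port: banner or None} for one device to a list of remediation notes."""
    notes = []
    if banners.get(23) is not None:
        notes.append("telnet reachable: disable it and replace any default password")
    ssh = banners.get(22)
    if ssh is not None:
        ident = ssh.decode("ascii", "replace").strip()
        if "dropbear" in ident.lower():
            notes.append(f"ssh reachable, Dropbear ({ident}): check firmware is current")
        else:
            notes.append("ssh reachable: disable it as the advisory recommends")
    return notes

def audit(hosts, prober=probe):
    """Probe each inventoried device and return {host: notes}."""
    return {h: findings({p: prober(h, p) for p in AUDIT_PORTS}) for h in hosts}

# Constructed probe results for made-up devices (192.0.2.0/24 is a documentation range).
SAMPLE = {
    ("192.0.2.10", 23): b"\xff\xfd\x18login: ",
    ("192.0.2.10", 22): b"SSH-2.0-dropbear_0.00\r\n",
    ("192.0.2.11", 22): b"SSH-2.0-OpenSSH_0.0\r\n",
}

def sample_prober(host, port):
    """Stand-in for probe() that answers from SAMPLE, so the demo runs offline."""
    return SAMPLE.get((host, port))

if __name__ == "__main__":
    for host, notes in audit(["192.0.2.10", "192.0.2.11", "192.0.2.12"], sample_prober).items():
        print(host, notes or "no Telnet/SSH exposure found")
```

Calling `audit()` without the second argument uses the live `probe()` against the addresses supplied.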
The link between the Hack Forums contributor Janitor and the malware was suggested by the IT website Bleepingcomputer.com, following a tip-off.
In an email to the website, Janitor justified the creation of the BrickerBot malware by claiming that s/he was taking compromisable devices out of circulation.
“…if somebody launched a car or power tool with a safety feature that failed nine times out of 10 it would be pulled-off the market immediately. I don’t see why dangerously designed IoT devices should be treated any differently and after the Internet-breaking attacks of 2016 nobody can seriously argue that the security of these devices isn’t important.”
They added that BrickerBot would make insecure IoT devices a vendor and manufacturer’s problem, rather than a consumer or security issue.
“I hope that regulatory bodies will do more to penalise careless manufacturers since market forces can’t fix this problem.
“The reality of the market is that technically unskilled consumers will get the cheapest whitelabel DVR they can find at their local store, then they’ll ask their nephew to plug it into the Internet, and a few minutes later it’ll be full of malware. At least with ‘BrickerBot’ there was some brief hope that such dangerous devices could become the merchant’s and manufacturer’s problem rather than our problem.”
Bleepingcomputer.com also suggests that the author of BrickerBot has taken a lot of care to conceal his identity and won’t be easily uncovered.