BrickerBot

BrickerBot is malware that targets Linux-based IoT devices running the BusyBox toolkit that have their Telnet ports open and publicly exposed. It conducts brute force attacks against the devices using a list of known default credentials, the same attack vector used by the Mirai botnet. Once BrickerBot gains access to a vulnerable device, it conducts a Permanent Denial-of-Service (PDoS) attack by running a set of Linux commands designed to corrupt storage, disrupt internet connectivity, and delete all of the device's files. It writes random bits to the storage drives, rendering the device's flash storage unusable, disables TCP timestamps, which hampers internet connectivity, stops all kernel operations, and then reboots the device. Within seconds of becoming infected, the targeted device stops working, leaving the victim with only two options: reinstall the firmware or replace the device.

Cybersecurity firm Radware discovered BrickerBot when 1,895 PDoS attempts were made on the firm's honeypot over a four-day period starting on March 20, 2017. Radware noted two BrickerBot variants, BrickerBot.1 and BrickerBot.2. Attacks from BrickerBot.1 originate from IP addresses all across the globe, and they appear to be assigned to Ubiquiti network devices running an older version of the Dropbear SSH server. BrickerBot.2 is a more advanced version of the malware: it executes additional commands, and the source of its attacks is difficult to trace because the traffic is masked by Tor exit nodes.

Since there are no ransom demands associated with BrickerBot, researchers believe the developer behind the malware created it with the goal of destroying insecure IoT devices. To protect vulnerable IoT devices from botnet attacks and exploitation:

  • Keep device firmware updated.
  • Change the device's default login credentials. Use passwords that are lengthy, complex, and secure.
  • Consider implementing a two-factor authentication (2FA) solution to control and authenticate login sessions.
  • Disable unneeded Telnet access.
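As an added illustration of the brute-force stage described above (example code, not from the original entry or from Radware), here is a small Python detector that flags sources cycling through known default credentials against a Telnet service. The log format, the default-credential list, and the sample log lines are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed set of widely known default pairs; a real deployment would load
# the vendor defaults for its own device fleet.
DEFAULT_CREDS = {("root", "root"), ("admin", "admin"), ("root", "admin"),
                 ("admin", "1234"), ("root", "12345"), ("user", "user")}

# Hypothetical honeypot/telnetd log format (an assumption of this example):
#   <ISO timestamp> <source ip> login user=<u> pass=<p> result=<ok|fail>
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\d+\.\d+\.\d+\.\d+) login "
                     r"user=(?P<u>\S*) pass=(?P<p>\S*) result=(?P<r>ok|fail)$")

def parse(line):
    """Return (time, ip, user, password, result), or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["ip"], m["u"], m["p"], m["r"])

def find_bruteforce(lines, window=timedelta(seconds=60), threshold=3):
    """Map each source IP that tried at least `threshold` distinct default pairs
    within `window` to how many it tried and whether any attempt succeeded."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev:
            by_ip[ev[1]].append(ev)
    hits = {}
    for ip, events in by_ip.items():
        events.sort()  # tuples sort by timestamp first
        for i, start in enumerate(events):
            win = [e for e in events[i:] if e[0] - start[0] <= window]
            tried = {(e[2], e[3]) for e in win if (e[2], e[3]) in DEFAULT_CREDS}
            if len(tried) >= threshold:
                hits[ip] = {"default_pairs": len(tried),
                            "compromised": any(e[4] == "ok" for e in win)}
                break
    return hits

# Constructed sample log: one source cycling through defaults until one works,
# and one legitimate operator who mistypes once.
SAMPLE_LOG = [
    "2017-03-20T10:00:01 203.0.113.7 login user=root pass=root result=fail",
    "2017-03-20T10:00:02 203.0.113.7 login user=admin pass=admin result=fail",
    "2017-03-20T10:00:03 203.0.113.7 login user=root pass=admin result=ok",
    "2017-03-20T10:05:00 198.51.100.9 login user=root pass=root result=fail",
    "2017-03-20T10:05:20 198.51.100.9 login user=alice pass=s3cret result=ok",
]
```

A flagged source with `compromised` set to true is the case to act on first, since on a BusyBox device the destructive commands follow within seconds of the successful login.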

UPDATE 07/31/2017: The developer of the malware that powers this botnet claimed responsibility for over 60,000 modems and routers in India losing internet connectivity. Indian telecommunications company BSNL reported that the attack affected users who had not changed their modems' default login credentials. The developer attributed the attack's success to ISPs leaving port 7547 (TR-069) open and accessible on their modems. Once the affected ISPs began filtering access to port 7547, researchers noted a sharp decrease in exposed and vulnerable devices.

Reporting:

  • April 2017: New Malware Intentionally Bricks IoT Devices (Bleeping Computer)
  • April 2017: BrickerBot Permanent Denial-of-Service Attack (ICS-CERT)
  • July 2017: BrickerBot Dev Claims Cyber-Attack that Affected over 60,000 Indian Modems (BleepingComputer)

Technical Details:

  • April 2017: "BrickerBot" Results in Permanent Denial-of-Service (Radware)
  • April 2017: BrickerBot.3: The Janit0r Is Back, with a Vengeance (Radware)