BrickerBot is malware that targets Linux-based IoT devices running the BusyBox toolkit that have their Telnet ports open and publicly exposed. It conducts brute force attacks against the devices by using a list of known default credentials. This is similar to the attack vector conducted by the Mirai botnet. Once BrickerBot gains access to a vulnerable device, it conducts a Permanent Denial-of-Service (PDoS) attack by deploying a set of Linux commands designed to corrupt storage, disrupt internet connectivity, and delete all of the device's files. It writes random bits to the storage drives, rendering the device's flash storage unusable, disables TCP timestamps which hampers internet connectivity, stops all kernel operations, and then reboots the device. Within seconds of becoming infected, the targeted device will stop working, leaving the victim with only two options: reinstall the firmware or replace the device.
Cybersecurity firm, Radware, discovered Brickerbot when 1,895 PDoS attempts were made on the firm's honeypot over a four-day period starting on March 20, 2017. Radware noted two BrickerBot variants - BrickerBot.1 and BrickerBot2. Attacks from BrickerBot.1 originate from IP addresses all across the globe and they appear to be assigned to Ubiquiti network devices running an older version of the Dropbear SSH server. BrickerBot.2 is a more advanced version of the malware. It executes additional commands and the source of the attacks are difficult to trace as the traffic is masked by Tor exit nodes.
Since there are no ransom demands associated with BrickerBot, researchers believe the developer behind the malware created it with the goal of destroying insecure IoT devices. To protect vulnerable IoT devices from botnet attacks and exploitation:
- Keep device firmware updated.
- Change the device's default login credentials. Use passwords that are lengthy, complex, and secure.
- Consider implementing a two-factor authentication (2FA) solution to control and authenticate login sessions.
- Disable unneeded Telnet access.
- April 2017: New Malware Intentionally Bricks IoT Devices (Bleeping Computer)
- April 2017: BrickerBot Permanent Denial-of-Service Attack (ICS-CERT)