BrickerBot

BrickerBot is malware that targets Linux-based IoT devices running the BusyBox toolkit that have their Telnet ports open and publicly exposed. It conducts brute-force attacks against the devices using a list of known default credentials, the same attack vector used by the Mirai botnet. Once BrickerBot gains access to a vulnerable device, it conducts a Permanent Denial-of-Service (PDoS) attack by running a set of Linux commands designed to corrupt storage, disrupt internet connectivity, and delete all of the device's files. It writes random bits to the storage drives, rendering the device's flash storage unusable, disables TCP timestamps, which hampers internet connectivity, stops all kernel operations, and then reboots the device. Within seconds of becoming infected, the targeted device stops working, leaving the victim with only two options: reinstall the firmware or replace the device.

Cybersecurity firm Radware discovered BrickerBot when 1,895 PDoS attempts were made against the firm's honeypot over a four-day period starting on March 20, 2017. Radware noted two BrickerBot variants, BrickerBot.1 and BrickerBot.2. Attacks from BrickerBot.1 originate from IP addresses all across the globe that appear to be assigned to Ubiquiti network devices running an older version of the Dropbear SSH server. BrickerBot.2 is a more advanced version of the malware: it executes additional commands, and the source of its attacks is difficult to trace because the traffic is masked by Tor exit nodes.
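The detection side of the attack vector described above, as an added example that is not from the page, Radware, or any of the cited reports: a Python script that parses constructed Telnet honeypot log lines and flags a source address that bursts through factory-default credential pairs, then records whether a login from that source succeeded afterwards. The log format, the default-credential list, the IP addresses and the thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed honeypot log lines in an assumed telnetd format (not a real device's
# syslog): one source cycles through default credentials, another logs in normally.
SAMPLE_LOG = """\
2017-03-20T10:00:01Z telnetd: src=198.51.100.7 user=root pass=root result=FAIL
2017-03-20T10:00:02Z telnetd: src=198.51.100.7 user=admin pass=admin result=FAIL
2017-03-20T10:00:03Z telnetd: src=198.51.100.7 user=root pass=12345 result=FAIL
2017-03-20T10:00:05Z telnetd: src=198.51.100.7 user=root pass=admin result=OK
2017-03-20T10:30:00Z telnetd: src=192.0.2.10 user=operator pass=******** result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnetd: src=(?P<src>\S+) user=(?P<user>\S+) "
    r"pass=(?P<pw>\S+) result=(?P<result>OK|FAIL)$"
)

# Placeholder factory-default pairs; a real deployment loads its own vendors' defaults.
DEFAULT_CREDS = {("root", "root"), ("admin", "admin"), ("root", "12345"), ("admin", "1234")}


def parse_log(text):
    """Return (timestamp, src, user, password, result) tuples, skipping unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["src"], m["user"], m["pw"], m["result"]))
    return events


def detect_default_cred_bruteforce(events, window=timedelta(minutes=5), threshold=3):
    """Flag sources that try >= threshold default-credential pairs within `window`."""
    by_src = defaultdict(list)
    for ev in sorted(events):  # chronological order, grouped per source address
        by_src[ev[1]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        recent, burst_at, compromised = [], None, False  # sliding window of attempt times
        for ts, _, user, pw, result in evs:
            if (user, pw) in DEFAULT_CREDS:
                recent = [t for t in recent if ts - t <= window] + [ts]
                if burst_at is None and len(recent) >= threshold:
                    burst_at = ts
            if burst_at is not None and result == "OK":
                compromised = True  # device likely taken over; expect the wipe to follow
        if burst_at is not None:
            alerts[src] = {"burst_at": burst_at, "compromised": compromised}
    return alerts
```

A source that is flagged with `compromised` set is the one to isolate and re-flash first, since the destructive commands follow the successful login within seconds.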

Since there are no ransom demands associated with BrickerBot, researchers believe the developer behind the malware created it with the goal of destroying insecure IoT devices. To protect vulnerable IoT devices from botnet attacks and exploitation:

  • Keep device firmware updated.

  • Change the device's default login credentials. Use passwords that are lengthy, complex, and secure.

  • Consider implementing a two-factor authentication (2FA) solution to control and authenticate login sessions.

  • Disable unneeded Telnet access.

UPDATE 07/31/2017: The developer of the malware that powers this botnet claimed responsibility for over 60,000 modems and routers located in India losing internet connectivity. Indian telecommunications company BSNL reported that this attack impacted users who had not changed their modems' default login credentials. The developer attributed the attack's success to ISPs leaving port 7547 (TR-069) open and accessible on their modems. Once the impacted ISPs began filtering access to port 7547, researchers noted a sharp decrease in exposed and vulnerable devices.

Reporting:

  • April 2017: New Malware Intentionally Bricks IoT Devices (Bleeping Computer)

  • April 2017: BrickerBot Permanent Denial-of-Service Attack (ICS-CERT)

  • July 2017: BrickerBot Dev Claims Cyber-Attack that Affected over 60,000 Indian Modems (Bleeping Computer)

Technical Details:

  • April 2017: "BrickerBot" Results in Permanent Denial-of-Service (Radware)

  • April 2017: BrickerBot.3: The Janit0r Is Back, with a Vengeance (Radware)

UPDATE 06/26/2019: Silex, a new strain of BrickerBot, is spreading through IoT devices. Approximately 4,000 devices were bricked within a six-hour window. According to its developer, this malware was designed to infiltrate poorly protected IoT devices, primarily Linux and other Unix-like systems, that were still using factory default credentials. According to security researcher Larry Cashdollar, Silex begins the attack by destroying an IoT device's storage and network configuration, dropping firewall rules, and ultimately halting the device as it moves on to its next victim. Users can recover systems by reinstalling the device's firmware.

Technical Details:

  • June 2019: New Silex Malware Trashes IoT Devices Using Default Passwords (Bleeping Computer)