THE MAN BEHIND BrickerBot, the malware designed to infect and take down insecure Internet of Things (IoT) connected devices, claims that the malware has so far taken down as many as two million devices.
A vigilante 'grey hat' hacker going by the moniker Janitor on the Hack Forums discussion boards claims to have authored the malware, which was identified earlier this month by security researchers at Radware.
"BrickerBot.1 and BrickerBot.2 exploit hard-coded passwords, exposed SSH, and brute force Telnet," according to an alert circulated just last week by the US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
In other words, when the malware finds an exposed device, it writes the flash storage of the devices with junk, rendering them useless and requiring a firmware reinstall in order to bring them back to life. However, in many cases, the firmware is difficult to procure, meaning that the devices need to be replaced altogether.
ICS-CERT has advised organisations to audit their devices and to disable SSH and Telnet access to any devices, as well as ensuring that default passwords are updated, if they haven't been already.
ICS-CERT claims that it is putting together a database of potentially affected devices "in order to collect product-specific mitigations and compensating controls". Its advisory also describes the difference between the two variants of BrickerBot:
- BrickerBot.1 targets devices running BusyBox with an exposed Telnet command window. These devices also have SSH exposed through an older version of Dropbear SSH server. Most of these devices were also identified as Ubquiti network devices running outdated firmware. BrickerBot.1 was active for just five days in March, according to Radware, and attacks from this malware have now ceased;
- BrickerBot.2 targets Linux-based devices which may or may not run BusyBox, and which expose a Telnet service protected by default or hard-coded passwords. The source of the attacks is concealed by TOR exit nodes.
The link between the Hack Forums contributor Janitor and the malware was suggested by Bleeping Computer. In an email to the website, Janitor justified the creation of the BrickerBot malware by claiming that s/he was taking compromisable devices out of circulation.
"...if somebody launched a car or power tool with a safety feature that failed nine times out of 10 it would be pulled-off the market immediately. I don't see why dangerously designed IoT devices should be treated any differently and after the Internet-breaking attacks of 2016 nobody can seriously argue that the security of these devices isn't important."
They added that BrickerBot would make insecure IoT devices a vendor and manufacturer's problem, rather than a consumer or security issue.
"I hope that regulatory bodies will do more to penalise careless manufacturers since market forces can't fix this problem.
"The reality of the market is that technically unskilled consumers will get the cheapest whitelabel DVR they can find at their local store, then they'll ask their nephew to plug it into the Internet, and a few minutes later it'll be full of malware. At least with 'BrickerBot' there was some brief hope that such dangerous devices could become the merchant's and manufacturer's problem rather than our problem."
Bleeping Computer also suggests that the author of BrickerBot has taken a lot of care to conceal his identity and won't be easily uncovered.
Another week of Google news in brief
It was nice knowing you, sort of
Third time unlucky
Customers are unable to make payments or transfer money