Security vendor Radware has uncovered a new form of denial-of-service attack that renders the internet-connected devices it compromises permanently unusable, to the point where the hardware must be replaced or its firmware reinstalled.
Known as ‘BrickerBot’, the malware falls into a category Radware calls ‘Permanent Denial-of-Service (PDoS) attacks’, which it says are becoming increasingly common this year.
The company describes PDoS as “an attack that damages a system so badly that it requires replacement or reinstallation of hardware.”
By exploiting security flaws and misconfigurations, such an attack can “destroy the firmware and/or basic functions of system,” Radware adds in its threat advisory.
Radware detected the new strain through a honeypot it operates, which recorded 1,895 PDoS attempts from locations around the world over a four-day period.
Two forms of BrickerBot were discovered. BrickerBot.1 is a short-lived bot whose sole purpose is to compromise IoT devices and corrupt their storage.
BrickerBot.2 works like BrickerBot.1 at a “lower intensity”, but is more thorough in its destructive potential. It also routes its attacks through Tor exit nodes, concealing the locations they originate from.
Both variants work like Mirai in that they brute-force Telnet logins to break into Linux- and BusyBox-based IoT devices whose Telnet ports are exposed to the internet. Unlike Mirai, however, neither variant downloads a binary onto the device, so Radware had no way to recover the full list of credentials the malware tries.
Once it has a Telnet session on a device, BrickerBot.1 executes a series of Linux commands that:
- Corrupt the device’s SD card and flash-based storage
- Disrupt internet connectivity by disabling TCP timestamps, removing all existing firewall and NAT rules, and adding a single rule that drops all outgoing packets
- Cripple performance by limiting the maximum number of kernel threads to one (the default is typically in the tens of thousands on ARM-based devices)
- Delete all files stored on the device.
BrickerBot.2 works similarly to BrickerBot.1 but can damage a wider range of the storage devices used in IoT products.
Radware recommends a number of countermeasures to protect IoT devices and secure networks from this emerging threat:
- Change the devices’ factory-default credentials.
- Disable Telnet access to the devices.
- Use network behavioural analysis to detect anomalies in traffic, combined with automatic signature generation for protection.
- Use user and entity behaviour analytics (UEBA) to spot granular anomalies in traffic early.
- Use an intrusion prevention system (IPS) to block Telnet logins that use default credentials, or to reset Telnet connections outright.
Radware also suggests writing IPS signatures that match the command sequences it observed the bots issuing.
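The command sequence listed above and the signature advice that follows lend themselves to a session-level detector. The following Python script is an added example, not Radware’s code or its published signatures: it parses a constructed Telnet honeypot log (the line format and the TEST-NET source addresses are assumptions), tags each command with which of the listed destructive actions it performs, and flags a session only when several of them occur together, since any one of them on its own (an administrator flushing iptables, say) is not evidence. The exact command forms matched are likewise assumptions: they are the usual Linux/BusyBox ways of doing what the list describes.

```python
"""Score Telnet honeypot sessions for a BrickerBot-style command sequence.

Added example: the log format, the sample log and the indicator patterns
are all assumptions made for illustration, not Radware's own material.
"""
import re
from dataclasses import dataclass, field

# One pattern per destructive action in the advisory's list. The concrete
# command forms are assumptions (the usual Linux/BusyBox way of doing each
# thing), not Radware's published signatures.
INDICATORS = {
    # redirecting or dd-ing data onto a raw flash / SD / block device
    "storage_corruption": re.compile(
        r"(?:>\s*|\bof=)/dev/(?:mtd(?:block)?\d*|mmcblk\d*|sd[a-z]\d*)\b"),
    # disabling TCP timestamps via sysctl or /proc
    "tcp_timestamps_off": re.compile(
        r"tcp_timestamps\s*=\s*0\b|echo\s+0\s*>\s*\S*tcp_timestamps"),
    # limiting the kernel to a single thread
    "threads_max_one": re.compile(
        r"threads-max\s*=\s*1\b|echo\s+1\s*>\s*\S*threads-max"),
    # flushing firewall / NAT rules
    "firewall_flushed": re.compile(
        r"\biptables\s+(?:-t\s+\S+\s+)?(?:-F|--flush)\b"),
    # a single rule dropping all outgoing packets
    "outbound_drop": re.compile(
        r"\biptables\s+-A\s+OUTPUT\s+-j\s+DROP\b"),
    # recursive delete of the root filesystem (not of a subdirectory)
    "recursive_delete": re.compile(
        r"\brm\s+-(?:rf|fr)\s+/(?:\*|\s|$)"),
}

# Assumed honeypot line format: "<timestamp> <source-ip> CMD <command line>"
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+CMD\s+(?P<cmd>.+)$")


@dataclass
class SessionVerdict:
    src: str
    commands: list = field(default_factory=list)   # (command, {categories})
    categories: set = field(default_factory=set)
    min_categories: int = 2

    @property
    def is_pdos(self) -> bool:
        # One hit is routine administration; several distinct destructive
        # actions inside one session is the BrickerBot pattern.
        return len(self.categories) >= self.min_categories


def classify_command(cmd: str) -> set:
    """Return the set of indicator names a single command line triggers."""
    return {name for name, rx in INDICATORS.items() if rx.search(cmd)}


def parse_log(text: str):
    """Yield (source, command) pairs from honeypot log text."""
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            yield m.group("src"), m.group("cmd")


def analyse_sessions(text: str, min_categories: int = 2) -> dict:
    """Group commands by source address and score each session."""
    verdicts = {}
    for src, cmd in parse_log(text):
        v = verdicts.setdefault(
            src, SessionVerdict(src, min_categories=min_categories))
        cats = classify_command(cmd)
        v.commands.append((cmd, cats))
        v.categories |= cats
    return verdicts


# Constructed sample log: one session mirroring the listed sequence and one
# benign administrator session that happens to flush iptables.
SAMPLE_LOG = """\
2017-04-04T10:12:01Z 203.0.113.7 CMD busybox dd if=/dev/urandom of=/dev/mtdblock0
2017-04-04T10:12:02Z 203.0.113.7 CMD sysctl -w net.ipv4.tcp_timestamps=0
2017-04-04T10:12:02Z 203.0.113.7 CMD sysctl -w kernel.threads-max=1
2017-04-04T10:12:03Z 203.0.113.7 CMD iptables -F; iptables -t nat -F; iptables -A OUTPUT -j DROP
2017-04-04T10:12:04Z 203.0.113.7 CMD rm -rf /* 2>/dev/null
2017-04-04T10:15:10Z 198.51.100.9 CMD cat /proc/cpuinfo
2017-04-04T10:15:12Z 198.51.100.9 CMD iptables -F
2017-04-04T10:15:13Z 198.51.100.9 CMD df -h
"""

if __name__ == "__main__":
    for src, verdict in analyse_sessions(SAMPLE_LOG).items():
        flag = "PDoS" if verdict.is_pdos else "ok"
        print(f"{src}: {flag} ({len(verdict.categories)} indicators)")
        for cmd, cats in verdict.commands:
            if cats:
                print(f"    {sorted(cats)} <- {cmd}")
```

The threshold of two distinct categories is a tuning choice: raise it if your environment legitimately flushes firewalls and tweaks sysctls over Telnet, and feed the `INDICATORS` patterns to your IPS as content matches if you want them applied inline rather than to stored sessions.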