Radware Security Research Team exposes BrickerBot malware that destroys unsecured IoT devices

Radware, vendor of cyber security and application delivery solutions, released this week new research that revealed the existence of a Permanent Denial of Service (PDoS) malware that destroys unsecured Internet of Things (IoT) devices connected to the internet.

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), a part of the U.S. Department of Homeland Security, subsequently issued their own alert, to provide early notice of Radware’s threat findings and identify baseline mitigations for reducing risks to these and other cybersecurity attacks.

The PDoS attempts were first revealed in a recently issued Radware ERT Alert.  The attacks are performed remotely using commands that could ultimately corrupt storage, break connectivity and render the device nonfunctional.

The attacks target Linux/BusyBox-based IoT devices connected to the internet. The discovered attacks were using the same exploit vector as Mirai, brute forcing their way in through Telnet.

After Radware released its initial findings, the research team ran real-world tests on IP Cameras that met the target specifications of the attack. After running the BrickerBot malware onto the device, it stopped working completely. Unfortunately, even after performing the factory reset, the camera was not recovered and hence it was bricked.

During the first 12 hours of the attack, a total of 1118 PDOS attempts were recorded. The attacks all originated from a limited number of clear net IP addresses. ZoomEye and Shodan searches based on the source IPs of the attacks revealed all of them running an outdated version of the Dropbear SSH server. The attacks started at 12:00 GMT on April 21st and in its first 12 hours the number of bots performing the attacks grew up to 15 bots.

The devices used to perform the PDoS attacks on Radware’s honeypot do not correspond to the devices from BrickerBot.1. Although BrickerBot.1 was also abusing a limited number of clear net connected devices to perform its attack, there is no immediate correlation between both. For complete disclosure and transparency, the attacks were detected by a different honeypot than the one that detected the BrickerBot.1 and BrickerBot.2 attacks.

The devices that perform the attack are spread around the globe and do not concentrate in a specific region and do not correlate to the locations of the BrickerBot.1 sources. In line with BrickerBot.1 and BrickerBot.2, this bot is also using the Mirai exploit vector to compromise the target. Any ‘busybox’ based Linux device that has Telnet exposed publically and has factory default credentials unchanged are a potential victim.

“We coined it ‘BrickerBot’ because instead of enslaving IoT devices, like Mirai does, it attempts to destroy or ‘brick’ them,” said Pascal Geenens, security evangelist for EMEA Region for Radware and the researcher that discovered the malware. “Most consumers of such devices might never know they were the victim of malware.  Their device would just stop working and the natural inclination is to think its they purchased faulty hardware.”

IoT Innovator Newsletter

Get the latest updates and industry news in your inbox! Enter your email address and name below to be the first to know.