Security researchers spot Silex malware targeting thousands of IoT devices
A new strain of malware called Silex bricked over 2,000 IoT devices in just three to four hours of operation on Tuesday, according to a report from ZDNet.
The attacks are only expected to increase in the coming days as they are still ongoing. The malware is said to be copying the behavior of the old BrickerBot malware that compromised more than ten million IoT devices between April and December 2017.
Larry Cashdollar, the Akamai security exploit researcher who first spotted the malware, explained that Silex gains access to an IoT device, destroys its storage, drops firewall rules, eradicates the network configuration, and then stops the device completely.
The malware successfully bricks the device, leading the user to assume that it is completely dead, possibly due to a hardware failure, rather than infected by malware.
“It’s using known default credentials for IoT devices to log in and kill the system. It’s doing this by writing random data from /dev/random to any mounted storage it finds.
“I see in the binary it’s calling fdisk -l which will list all disk partitions. It then writes random data from /dev/random to any partitions it discovers.
“It’s then deleting network configurations, […] also, it’s [running] rm -rf / which will delete anything it has missed.”
“It also flushes all iptables entries adding one that DROPS all connections. Then halting or rebooting the device,” Cashdollar said.
“It’s targeting any Unix-like system with default login credentials. The binary I captured targets ARM devices. I noticed it also had a Bash shell version available to download which would target any architecture running a Unix-like OS.”
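For defenders, the sequence Cashdollar describes can be matched in honeypot or shell-audit transcripts. The following Python example is added here and is not code from Akamai, ZDNet or the malware itself; the command forms in the patterns, the three-stage threshold, the placeholder device name and both sample transcripts are assumptions constructed for illustration.

```python
import re

# Behaviours named in the article, as regexes over one shell command.
# The exact command forms are assumptions; the article only names the actions.
STAGES = {
    "enumerate_partitions": re.compile(r"\bfdisk\s+-l\b"),
    "random_overwrite": re.compile(r"/dev/u?random\b.*(?:>|\bof=)\s*/dev/\S+"),
    "recursive_delete_root": re.compile(r"\brm\s+-(?:rf|fr)\s+/(?:\s|$|\*)"),
    "firewall_flush": re.compile(r"\biptables\s+(?:-F|--flush)\b"),
    "firewall_drop_all": re.compile(r"\biptables\s+-[AI]\s+\w+\s+-j\s+DROP\b"),
    "halt_or_reboot": re.compile(r"\b(?:halt|reboot|poweroff)\b"),
}

# Stages that are destructive on their own; at least one must be present,
# so that an admin who lists partitions and reboots is not flagged.
DESTRUCTIVE = {"random_overwrite", "recursive_delete_root", "firewall_drop_all"}


def classify_session(commands, threshold=3):
    """Return (verdict, stages in first-seen order) for one session's commands."""
    seen = []
    for line in commands:
        # Sessions often chain commands with ';', '&&' or '||'; check each part.
        for part in re.split(r";|&&|\|\|", line):
            for stage, pattern in STAGES.items():
                if stage not in seen and pattern.search(part):
                    seen.append(stage)
    wiper = len(seen) >= threshold and bool(DESTRUCTIVE & set(seen))
    return ("wiper-like" if wiper else "no-match"), seen


# Constructed transcripts, not captured Silex traffic.
# /dev/EXAMPLE0 is a placeholder device name.
SUSPECT = [
    "fdisk -l",
    "cat /dev/random >/dev/EXAMPLE0",
    "iptables -F; iptables -A INPUT -j DROP",
    "rm -rf /",
    "halt",
]
ADMIN = ["fdisk -l", "iptables -L -n", "rm -rf /tmp/build", "reboot"]

if __name__ == "__main__":
    for name, session in (("suspect", SUSPECT), ("admin", ADMIN)):
        print(name, *classify_session(session))
```

Because the malware logs in with known default credentials, a match like this on a honeypot is an early signal that exposed devices on the same network still carrying factory logins need their credentials changed.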
Ankit Anubhav, the Principal Security Researcher at NewSky Security, told ZDNet that he found the malware’s creator, “Light Leafon,” who claimed to be a 14-year-old and the leader of a group of three teenage hackers.
Light told Anubhav that the malware, reportedly created as a joke, developed into a full-time project for them. He plans to develop the malware further and add more destructive functions, such as the ability to log into devices via SSH and the ability to use flaws to break into devices.
“It will be reworked to have the original BrickerBot functionality,” Light told Anubhav and ZDNet. “My friend Skiddy and I are going to rework the whole bot. It is going to target every single publicly known exploit that Mirai or Qbot load.”
Anubhav calls Leafon “one of the most prominent and talented IoT threat actors at the moment,” who also created HITO, a bot based on the IoT malware Mirai.
In a follow-up conversation with Anubhav, Light said that he is leaving the IoT community because of the attention he was getting. “I am leaving the community because I am getting more attention than I’d like, I never wanted this clout. I will keep coding and doing that but not go further in the IoT community,” he said.