Another IoT botnet found waiting to attack vulnerable IP cameras
Researchers discovered yet another IoT botnet.
Researchers at Trend Micro found that 120,000 Internet Protocol (IP) cameras are vulnerable to attack. IP cameras transmit footage over the internet, which makes them especially vulnerable.
The botnet, Persirai, came into being just a few months after the Mirai botnet. Mirai compromised thousands of CCTV cameras and DVRs. Persirai targeted more than a thousand models of IP camera.
Mirai used a brute-force login technique with the intention of stealing credentials. Persirai instead uses a zero-day vulnerability through which the worm gets the password from the user.
Because they are connected to the web, IP cameras are particularly vulnerable to such attacks. “IP cameras typically use Universal Plug and Play (UPnP), making them highly visible targets for IoT malware,” Trend Micro researchers Tim Yeh, Dove Chiu, and Kenney Lu note.
As described in a Trend Micro blog post, once the botnet gets into the victim’s camera, the attacker is able to perform a DDoS attack on other computers. The attacker gets the IP address from the port and from there can launch DDoS attacks on any IP in the world. This is how the botnet spreads from camera to camera, stealing credentials along the way.
Jon Clay of Trend Micro says that the use of this zero-day vulnerability means Persirai will continue to be a threat. The malware erases itself once the target machine has been infected, and will only run in memory. This makes it harder to detect once it’s gone.
“Attackers behind this are likely to continue and pursue other vulnerabilities, and look for other IoT devices that have similar vulnerabilities associated with them,” Clay explains. “The attacker can build a bigger, or separate, botnet focused on those devices.”
“Mirai taught us that it doesn’t take a lot of devices to cause a massive DDoS attack,” Clay continues. “With more than 100,000 IP cameras left vulnerable, there is a high risk of attack.”
What can IP camera users do to protect themselves?
“Their devices are going to be used to potentially perform DDoS attacks against other organizations or other people,” Clay says of potential victims. “You’re unwittingly being used as a pawn in a criminal’s effort.”
IP camera users are advised to stay updated with the latest security patches and to strengthen passwords to better resist a brute-force attack. Most users don’t know that their IP cameras are exposed online, so they don’t change the default password. Many won’t even know if their IP camera is conducting a DDoS attack.
Manufacturers need to work on improving the login process. They can do this by looking beyond passwords and using biometrics or two-factor authentication. This would strengthen device security, says Clay.