Weekly Executive Summary for Week of April 21, 2017
By Kimberly Matsumoto on April 25, 2017
BrickerBot Causing Permanent Denial of Service Attacks on IoT
ICS-CERT has issued an alert on malware, called BrickerBot, that can cause a permanent denial of service (PDoS) to Internet of Things (IoT) devices. This poses a serious threat to Industrial Control Systems (ICS), as many of them use Industrial Internet of Things (IIoT) devices. Any of these devices or components failing within an industrial control system could have catastrophic effects.
The two versions of the malware, BrickerBot.1 and BrickerBot.2, were described in a Radware Attack Report. BrickerBot.1 was only active for about a week, between March 20 and March 25, 2017, and targeted devices running BusyBox with an exposed Telnet command window. Because they ran an older version of the Dropbear SSH server, these devices also had SSH exposed. They were also identified as Ubiquiti network devices with outdated firmware.
The second version, BrickerBot.2, targeted Linux-based devices, both with and without BusyBox, that had exposed Telnet services protected only by default or hard-coded passwords. The sources of the attacks were hidden because this version used TOR exit nodes. Unlike BrickerBot.1, BrickerBot.2 is still in use. Radware found that the device they tested the malware on stopped working completely and could not be restored even with a factory reset.
ICS-CERT is trying to identify all the vendors of the affected devices and create mitigations against the attacks. Until the list is complete, Radware and ICS-CERT have advice for users to try and protect their devices:
- Change the device’s factory default credentials.
- Disable Telnet access to the device.
- Use network behavioral analysis to detect anomalies in traffic and combine with automatic signature generation for protection.
- Configure intrusion prevention systems (IPS) to block Telnet default credentials or reset Telnet connections, and use a signature to detect the provided command sequences.
- If using Ubiquiti Network devices, update to the latest firmware.
ICS-CERT’s alert on BrickerBot also recommends that “asset owners should thoroughly audit their networks for Internet facing devices, weak authentication methods, and component vulnerabilities. Control systems often have Internet accessible devices installed without the owner’s knowledge, putting those systems at increased risk of attack.”
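The mitigation list and the audit advice above can be turned into a repeatable check over an asset inventory. The following is an added example, not code from ICS-CERT, Radware or the CSCC; the inventory fields and the sample devices are constructed assumptions, and no Dropbear version threshold is applied because the alert does not give one.

```python
"""Audit a device inventory against the BrickerBot mitigations above.

The inventory format is a constructed assumption for this example; map
your own asset database fields onto it."""
from dataclasses import dataclass

@dataclass
class Device:
    name: str
    internet_facing: bool      # reachable from the Internet
    telnet_enabled: bool       # Telnet service listening
    default_credentials: bool  # factory/hard-coded password still set
    ssh_server: str = ""       # e.g. "dropbear"; no version check, the alert gives none
    vendor: str = ""
    firmware_outdated: bool = False

def audit(dev: Device) -> list:
    """Return (severity, finding) pairs for one device."""
    findings = []
    if dev.telnet_enabled and dev.default_credentials:
        sev = "critical" if dev.internet_facing else "high"
        findings.append((sev, "Telnet with default/hard-coded credentials: BrickerBot.1/.2 entry vector"))
    elif dev.telnet_enabled:
        findings.append(("high" if dev.internet_facing else "medium", "Telnet enabled; disable it"))
    elif dev.default_credentials:
        findings.append(("medium", "factory default credentials still set; change them"))
    if dev.internet_facing and dev.ssh_server.lower() == "dropbear":
        findings.append(("medium", "Dropbear SSH exposed to the Internet; verify it is current"))
    if dev.vendor.lower() == "ubiquiti" and dev.firmware_outdated:
        findings.append(("high", "Ubiquiti device with outdated firmware; update to latest"))
    return findings

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}

def audit_inventory(devices) -> dict:
    """Audit every device, worst finding first; devices with no findings are omitted."""
    report = {}
    for d in devices:
        f = audit(d)
        if f:
            report[d.name] = sorted(f, key=lambda x: SEVERITY_ORDER[x[0]])
    return report

# Constructed sample inventory (not real assets).
SAMPLE = [
    Device("plc-gateway-01", True, True, True, "dropbear", "Acme", False),
    Device("cam-lobby", False, True, False, "", "Ubiquiti", True),
    Device("hmi-panel", False, False, False, "openssh", "Acme", False),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE).items():
        for sev, text in findings:
            print(f"{name}: [{sev}] {text}")
```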
Technical Details on BrickerBot: UHWO CSCC Forensics Summary – BrickerBot
Sources: ICS-ALERT-17-102-01A (ICS-CERT) ICS-CERT Warns of BrickerBot’s IoT Device Damaging Capabilities (Security Week), “BrickerBot” Results in PDoS Attack (Radware)
Note: The purpose of the weekly executive summary is to provide useful information that a business or agency could use in both its cybersecurity and business strategies. In order for this website to serve the community, we need to know your concerns and questions about, for example, proper safeguards for technology you’re looking into, or what sets of compliance and governance policies you would need to operate a particular business. The CSCC openly invites you to send in your inquiries. We’ll have students research your issues and provide an analysis of the information at hand to guide you with all things cybersecurity. Mail us at: uhwocscc@hawaii.edu