Kaiji malware spawns ‘army’ of Internet of Things devices after gaining root access

News by Andrew McCorkell

New details emerge after security researchers discovered another strain of malware specifically built to infect smart IoT devices and Linux-based servers.

Malware called Kaiji has been abusing systems to launch DDoS attacks and is very different from other IoT malware strains, found researchers at Intezer Labs.

Kaiji is written in the Go programming language, rather than C or C++, which are the two languages in which most IoT malware has been coded most recently.

Boris Cipot, senior security engineer at Synopsys, said that Kaiji spreads by first finding exposed SSH ports on IoT devices and Linux Servers on the internet, before it then tries to gain root access to those devices with Brute Force. 

“Once Kaiji has root access on the device, it will start spreading to other devices,” Cipot said.

“It will also collect all SSH keys of other devices that are managed, or were managed, by this root user and infect them as well. Kaiji is then manipulated to perform DDoS (Distributed Denial of Service) attacks on the issuer’s targets.  

"While Kaiji is already a highly developed malware, it continues to evolve. Therefore, there is no saying what this malware could do next.”

Kaiji and similar types of malware, thrive off the recklessness and lack of security knowledge among some IoT manufacturers, Cipot said.

Many devices that are commonly available on the market have “misconfigured security settings, exposed communication ports” with even hardcoded or preset usernames and passwords, while many backend servers are hackable, he added.

“All this then puts the IoT users at risk. The users trust the manufacturer to ensure that devices are secure and safe to use.

“They trust that their devices are protecting their privacy. However, many users often do not understand what the threat is. Therefore, they unknowingly leave settings on that expose them to a cyber-attack.”

Adam Palmer, chief cybersecurity strategist at Tenable said the malware could potentially spawn an ‘army’ of IoT devices.

Palmer said: "Attackers are looking to harness cheap computational power, whether it’s to launch DDoS attacks or mine for Bitcoin as is often the case. With IoT devices firmly in the crosshairs of criminals, it is imperative that the flaws exploited by criminals are identified by the device manufacturers. 

“Where possible, updates should be pushed to patch flaws and prevent this unwilling army of IoT rising up and doing their attackers bidding."

He said there were instances of IoT devices recruited into botnets and then used to launch DDoS attacks, and pointed to the Mirai botnet in 2016 that saw huge swathes of the internet knocked offline.

"One concern in these cases is that it may be especially difficult to determine if a device has been affected,” he said.

A member of the public might not monitor device activity to identify increased traffic, recognise an impact in the device’s performance, or experience reduced battery life, Palmer added.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews