A new malware dubbed Silex has bricked at least 2,000 IoT devices in an ongoing campaign that is expected to intensify in the coming days.
In the early hours of 25 June, Akamai researcher Larry Cashdollar first spotted the malware targeting Unix-based systems with default credentials and trashing the device’s storage, dropping its firewall rules, removing the network configurations, and halting the device.
Victims can recover their devices by manually reinstalling the device’s firmware, but the task is so complicated for the majority of device owners that many may throw their devices away as they likely won’t understand they have been hit with malware.
Cashdollar told ZDNet the threat actors are using known default credentials for IoT devices to log in and kill the system by writing random data from /dev/random to any mounted storage it finds. The researcher also found the attacks are being carried out from an Iranian server.
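As an added illustration from the defender's side (not code from the article or from any of the researchers quoted), the following Python script scans log lines for the two behaviours described above: a password login to a factory-default account from an untrusted address, and a shell command that streams /dev/random or /dev/urandom into a block device. The account list, trusted networks, log formats and sample log lines are all assumptions constructed for this example.

```python
import ipaddress
import re

# Account names that commonly ship as factory defaults on IoT devices.
# Constructed list for this example; not taken from the article.
DEFAULT_ACCOUNTS = {"root", "admin", "user", "support", "service"}

# Networks from which administrative logins are expected (assumption).
TRUSTED_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# sshd-style record: "Accepted password for <user> from <ip> port <port> ssh2"
LOGIN_RE = re.compile(
    r"Accepted password for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Audit-style record of a shell command that streams /dev/random or
# /dev/urandom into a block device, via a redirect or dd's of= argument.
# This is the destructive step the article attributes to Silex.
WIPE_RE = re.compile(
    r"/dev/u?random\b.*?(?:>|of=)\s*"
    r"(?P<dev>/dev/(?:sd[a-z]|mmcblk\d|mtdblock\d)[\w/]*)"
)


def is_trusted(ip):
    """True if the address falls inside one of the trusted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def scan(lines):
    """Return a list of (alert_type, subject, source_ip) tuples.

    default-account-login: password login to a default account from an
                           address outside TRUSTED_NETS
    block-device-overwrite: command writing random data over a block device
    """
    alerts = []
    for line in lines:
        m = LOGIN_RE.search(line)
        if m:
            user, ip = m.group("user"), m.group("ip")
            if user in DEFAULT_ACCOUNTS and not is_trusted(ip):
                alerts.append(("default-account-login", user, ip))
            continue
        m = WIPE_RE.search(line)
        if m:
            alerts.append(("block-device-overwrite", m.group("dev"), None))
    return alerts


# Constructed sample log lines; hostnames, addresses and commands are made up.
SAMPLE_LOG = [
    'Jun 25 03:14:07 cam01 sshd[412]: Accepted password for root from 198.51.100.23 port 51022 ssh2',
    'Jun 25 03:14:09 cam01 sshd[412]: pam_unix(sshd:session): session opened for user root',
    'Jun 25 03:14:11 cam01 audit: cmd="cat /dev/random > /dev/sda"',
    'Jun 25 08:02:55 cam01 sshd[900]: Accepted password for admin from 192.168.1.10 port 40000 ssh2',
    'Jun 25 08:03:10 cam01 sshd[901]: Accepted publickey for ops from 198.51.100.40 port 40001 ssh2',
    'Jun 25 09:00:00 cam01 audit: cmd="dd if=/dev/urandom of=/dev/mmcblk0 bs=1M"',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The login from 192.168.1.10 is not flagged because it comes from a trusted network, and the public-key login is ignored because the script only targets password authentication, the mechanism the default-credential attack relies on. In practice the wipe signature would be fed from an audit or shell-history source, since sshd itself does not log commands.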
With the help of NewSky Security researcher Ankit Anubhav, the publication reached out to the Silex malware author and found the alleged culprit is a 14-year-old going by the pseudonym of Light Leafon.
Light Leafon reportedly created the malware as a joke that grew into a full-time project, to which the young threat actor plans to add more destructive functions, such as the ability to log into devices via SSH and to exploit vulnerabilities to break into devices.
AT&T Alien Labs researcher Chris Doman told SC Media that the malware is obviously inspired by earlier botnet strains.
"Some of the shell script that Silex runs to destroy the IoT device is identical to that used by BrickerBot – it looks like the malware author copied some of the code," Doman said. "Whilst the world could do with less insecure IoT devices connected to the internet, this isn’t the way to fix the problem. Interestingly, the Japanese government has proposed doing something similar."
A recent Japanese amendment allowed government workers to hack into people’s IoT devices as part of an unprecedented survey of unsecured IoT devices. Offensive Security researcher Jim O’Gorman emphasised the importance of keeping the scale of the attack in perspective, however alarming it may seem.
"The real issue is that manufacturers keep shipping insecure devices," O’Gorman said. "They are time bombs waiting to go off, and in large part we are lucky the worm that goes out is shutting them down rather than using them for worse purposes, like running DDoS attacks or something similar."
O’Gorman added that the bad practice of releasing insecure devices by vendors needs to stop and said companies should invest more into testing and proactive security measures.
Dana Tamir, VP of Market Strategy at Silverfort, added that a second authentication factor should also be required on sensitive IoT devices.
"Until today, enterprises looking to layer multi-factor authentication (MFA) on IoT devices struggled to find solutions, but a new generation of agentless MFA solutions now enables seamless protection for these devices," Tamir said. "Adding a requirement for a secondary authentication factor is an effective measure to block unauthorised logins, and prevents hackers from accessing and destroying the devices."
Anubhav tweeted today (27 June) that the teen hacker has decided to leave the blackhat community. "This 14-year-old codes very well and has an amazing future if he decides to take the correct path," his tweet said.
The original version of the article was published on SC Media US.