Sierra Wireless Mitigations Against Mirai

Thursday, October 13, 2016 @ 03:10 PM gHale

Sierra Wireless sent out a technical bulletin outlining mitigations to secure AirLink cellular gateway devices affected by (or at risk of) the Mirai malware, according to a report from ICS-CERT.

While the Sierra Wireless devices are not a main target of the malware, unchanged default factory credentials, which are publicly available, could allow the devices to be compromised.


In addition, a lower security posture could lead to the device being used in Distributed Denial of Service (DDoS) attacks against Internet web sites. There is evidence that Mirai has infected Internet of Things devices, which attackers used in the recent DDoS attacks against the web site Krebs on Security.

This alert is being produced to amplify mitigations outlined by Sierra Wireless, for users of the following products:
• LS300
• GX400
• GX/ES440
• GX/EZ450
• RV50

There is no software or hardware vulnerability undergoing exploitation in the Sierra Wireless devices by the Mirai malware. What remains at issue here is tightening up the configuration management of the device upon deployment.

Sierra Wireless provided the following analysis as an indicator of compromise:

Based on currently available information, once the malware is running on the gateway, it deletes itself and resides only in memory. The malware will then proceed to scan for vulnerable devices and report its findings back to a command and control server. The command and control server may also instruct the malware to participate in a DDoS attack on specified targets.

Currently, the best known indicator of the malware’s presence is abnormal traffic on Port 23/TCP as it scans for vulnerable devices. Users may also observe command and control traffic on Port 48101/TCP, and a large amount of outbound traffic if the infected gateway is participating in a DDoS attack.
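The three indicators above (a gateway scanning many hosts on 23/TCP, any connection to 48101/TCP, and unusually large outbound flows) can be checked against exported flow records. The following is an added example, not code from the bulletin or from Sierra Wireless; the flow record format, the sample addresses and the numeric thresholds are all assumptions.

```python
from collections import defaultdict

# Constructed sample of outbound flow records (assumed format:
# "src_ip src_port dst_ip dst_port proto bytes"); not real traffic.
SAMPLE_FLOWS = """\
192.168.13.31 41022 203.0.113.7 23 tcp 60
192.168.13.31 41023 203.0.113.9 23 tcp 60
192.168.13.31 41024 198.51.100.4 23 tcp 60
192.168.13.31 41025 198.51.100.77 23 tcp 60
192.168.13.31 41026 203.0.113.200 23 tcp 60
192.168.13.31 41027 203.0.113.201 23 tcp 60
192.168.13.31 41100 198.51.100.10 48101 tcp 4100
192.168.13.31 41200 203.0.113.50 80 tcp 9000000
192.168.13.42 50012 203.0.113.5 443 tcp 52000
192.168.13.42 50013 203.0.113.6 23 tcp 60
"""

TELNET_SCAN_MIN_HOSTS = 5         # assumed: distinct 23/TCP targets before calling it a scan
C2_PORT = 48101                   # command and control port named in the bulletin
OUTBOUND_FLOOD_BYTES = 5_000_000  # assumed per-flow byte count suggesting DDoS participation


def parse_flow(line):
    """Parse one whitespace-separated flow record into a dict."""
    src, _sport, dst, dport, proto, nbytes = line.split()
    return {"src": src, "dst": dst, "dport": int(dport),
            "proto": proto.lower(), "bytes": int(nbytes)}


def find_indicators(flow_text):
    """Return {src_ip: [indicator names]} for hosts matching the bulletin's IoCs."""
    telnet_targets = defaultdict(set)   # src -> distinct hosts contacted on 23/TCP
    findings = defaultdict(set)
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        if f["proto"] != "tcp":
            continue
        if f["dport"] == 23:
            telnet_targets[f["src"]].add(f["dst"])
        if f["dport"] == C2_PORT:
            findings[f["src"]].add("c2_port_48101")
        if f["bytes"] >= OUTBOUND_FLOOD_BYTES:
            findings[f["src"]].add("large_outbound_flow")
    # A single telnet connection is normal; fan-out to many hosts is the scan signature.
    for src, targets in telnet_targets.items():
        if len(targets) >= TELNET_SCAN_MIN_HOSTS:
            findings[src].add("telnet_scan")
    return {src: sorted(inds) for src, inds in findings.items()}
```

Run against the sample, only 192.168.13.31 is flagged, with all three indicators; the host that made a single 23/TCP connection is not.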

Because the malware resides only in memory, rebooting the gateway will remove the infection. However, if the gateway continues to use the default ACEmanager password, it will likely become reinfected.

Devices attached to the gateway’s local area network may also be vulnerable to infection by the Mirai malware. Sierra Wireless gateways have a number of features that make these devices remotely accessible.

Sierra Wireless recommended users with the identified products perform the following steps on each gateway:
• Reboot the gateway to eliminate any existing Mirai malware
• Immediately change the ACEmanager password to a secure, unique value.

A user can change the password by either:
• Logging into ACEmanager and navigating to Admin > Change Password
• Remotely changing the password using the AirLink Management Service (ALMS); Sierra Wireless provides instructions for this.

If users have multiple gateways and do not currently subscribe to ALMS, they can sign up for a 30-day trial.

Click here for the full Sierra Wireless Technical Bulletin outlining this issue.