‘BrickerBot’ Permanent DoS Attack

Wednesday, April 12, 2017 @ 01:04 PM gHale

There are open-source reports of “BrickerBot” attacks, which exploit hard-coded passwords in IoT devices in order to cause a permanent denial of service (PDoS), according to an alert from ICS-CERT.

This family of botnets, consisting of BrickerBot.1 and BrickerBot.2, is described in a Radware Attack Report (‘BrickerBot’ Results In PDoS Attack).


ICS-CERT is working to identify vendors of affected IoT devices in order to collect product-specific mitigations and compensating controls. ICS-CERT is issuing an alert to provide early notice of the report and to identify baseline mitigations for reducing the risk from these and other cyber attacks.

This bot attack is designed to render a connected device useless by causing a PDoS, or “bricked,” state, according to Radware. BrickerBot.1 and BrickerBot.2 exploit hard-coded passwords and brute-force Telnet or an exposed Port 22/SSH service.

According to open source reporting, the following details regarding BrickerBot.1 and BrickerBot.2 are available:
• BrickerBot.1 targets devices running BusyBox with an exposed SSH command shell and an older version of the Dropbear SSH server. Most of these devices were also identified as Ubiquiti network devices, some of which are access points or bridges with beam directivity.
• BrickerBot.2 targets Linux-based devices which may or may not run BusyBox or use the Dropbear SSH server. However, BrickerBot.2 can only access devices which expose a Telnet service protected by default or hard-coded passwords.

ICS-CERT is working to identify vendors of affected devices in order to collect more detailed mitigation information.

Radware recommended taking the following precautions:
• Change the device’s factory default credentials
• Disable Telnet access to the device
• Use network behavioral analysis to detect anomalies in traffic and combine with automatic signature generation for protection
• Set intrusion protection systems to block Telnet default credentials or reset Telnet connections. Use a signature to detect the provided command sequences
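A small detection check that backs the last two precautions, added here as an example and not taken from Radware or ICS-CERT: it scans Dropbear-style syslog lines for a successful login that follows a burst of bad-password attempts from the same source, which is what guessing a default or hard-coded credential looks like from the device side. The log line format and the sample lines are constructed assumptions; adjust the regex to whatever your SSH or Telnet daemon actually writes.

```python
import re
from datetime import datetime

# Constructed sample syslog excerpt in the style Dropbear uses (format is an assumption).
# 198.51.100.7 guesses three passwords within seconds and then gets in.
SAMPLE_LOG = """\
Apr 12 01:02:03 gw dropbear[412]: Bad password attempt for 'root' from 198.51.100.7:50122
Apr 12 01:02:04 gw dropbear[413]: Bad password attempt for 'admin' from 198.51.100.7:50123
Apr 12 01:02:05 gw dropbear[414]: Bad password attempt for 'root' from 198.51.100.7:50124
Apr 12 01:02:06 gw dropbear[415]: Password auth succeeded for 'root' from 198.51.100.7:50125
Apr 12 01:09:10 gw dropbear[440]: Bad password attempt for 'root' from 203.0.113.9:44100
Apr 12 01:20:00 gw dropbear[460]: Password auth succeeded for 'ops' from 192.0.2.10:51000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dropbear\[\d+\]: "
    r"(?P<result>Bad password attempt|Password auth succeeded) for '(?P<user>[^']+)' "
    r"from (?P<ip>[\d.]+):\d+$"
)


def parse(log_text, year=2017):
    """Turn matching lines into (timestamp, source_ip, user, succeeded) tuples.
    Syslog lines carry no year, so the caller supplies one."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated daemon or a line we do not understand
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["result"] == "Password auth succeeded"))
    return events


def find_bruteforce_logins(events, window_s=60, min_failures=3):
    """Return (ip, user, timestamp) for each successful login that was preceded,
    within window_s seconds, by at least min_failures bad passwords from the same ip."""
    events = sorted(events)
    hits = []
    for i, (ts, ip, user, ok) in enumerate(events):
        if not ok:
            continue
        failures = sum(1 for pts, pip, _, pok in events[:i]
                       if pip == ip and not pok and (ts - pts).total_seconds() <= window_s)
        if failures >= min_failures:
            hits.append((ip, user, ts))
    return hits


if __name__ == "__main__":
    for ip, user, ts in find_bruteforce_logins(parse(SAMPLE_LOG)):
        print(f"{ts}: login as '{user}' from {ip} after repeated bad passwords")
```

Only the 198.51.100.7 login is reported; the single failure from 203.0.113.9 and the clean login from 192.0.2.10 stay below the threshold.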
