A new botnet dubbed Persirai has been detected linking more than 120,000 internet protocol (IP) cameras into a vast internet of things (IoT) botnet.
The discovery comes fresh on the heels of Mirai, which in 2016 similarly enlisted IoT devices – particularly DVRs and CCTV cameras – into a vast botnet to launch DDoS attacks.
Trend Micro researchers detected more than 120,000 IP cameras susceptible to ELF_PERSIRAI.A via Shodan.
Owners of the devices are likely unaware that their device has been enlisted, granting easier access to the miscreants behind the malware to the IP camera's web interface via TCP Port 81.
"IP cameras typically use universal plug and play (UPnP), which are network protocols that allow devices to open a port on the router and act like a server, making them highly visible targets for IoT malware," the researchers said.
Once logged into the exposed interface, the attacker can load a command injection to force the IP camera to connect to a download site whereupon shell scripts can be downloaded and executed.
Commands can then be sent from the remote server and cause the affected device to reach out to attack other IP cameras via a recently revealed zero-day vulnerability.
This will enable attackers to siphon out user password files, equipping them with all they need to do command injections regardless of password strength, the Trend Micro team said.
But it doesn't stop there. Commands are then sent from the C&C server to the device commanding it to launch a DDoS attack on other computers using user datagram protocol (UDP) floods.
Analysis by the researchers pinpointed an .IR address for the remote server, indicating it originated at an Iranian research institute. The team also detected Persian characters used by the malware author.
"With Mirai code being public it has allowed other coders to develop their own versions of a Mirai-like malware, as seen here with Persirai," Jon Clay, director of global threat communications at Trend Micro, said.
"We also regularly see cyber criminals modify their malware, whether to add more features or to improve ability to obfuscate its code."
The main difference with the new bot from previous malware is the use of a zero-day vulnerability that allows the threat actor to obtain the device's password, Clay said. Mirai used brute force credential stealing whereas this uses a exploit to get the device credentials.
The code also indicated that the bad actors behind it understand that the use of an exploit against a vulnerability can allow them to easily obtain account credentials, and will continue to look for and use any new vulnerabilities found within IoT devices, Clay said.
"As the internet of things gains traction with ordinary users, cybercriminals may choose to move away from NTP and DNS servers for DDoS attacks, instead concentrating on vulnerable devices – an issue compounded by users that practice lax security measures," the Trend Micro researchers warned.
As default passwords enable remote attackers to gain access, users are advised to change their default password, ensuring it is robust.
But that might not be enough, the Trend Micro team said. Users also should "disable UPnP on their routers to prevent devices within the network from opening ports to the external internet without any warning".
"This new botnet and malware should be a wake-up call for all IoT device owners and manufacturers to ensure they are regularly updating their devices with any new security patches and to support good login credentials," Clay said.
"Moving to a two-factor authentication model would be a good option to use if it is available, and if not, manufacturers should invest in supporting it within their devices."