A new malware family named "Mirai", targeting Internet of Things (IoT) devices such as printers, video cameras, routers and smart TVs, is spreading. The malware scans for network-connected devices and tries to compromise them, especially those protected only by default credentials or hardcoded usernames and passwords.
The malware is capable of performing the following functions:
- Compromise IoT systems with default username and passwords
- Create botnets of the compromised devices.
- Use compromised devices to launch DDoS attacks.
- Make network connections to receive commands and launch further attacks.
Indicators of compromise:
- Abnormal traffic on port 2323/TCP and 23/TCP as it scans for vulnerable devices.
- Command and Control Network traffic on port 48101/TCP.
- Huge outbound traffic if the device is part of a DDoS attack.
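A detection check for the indicators listed above, added here as an illustration and not part of the advisory: it parses constructed firewall flow-log lines, flags any source that touches many distinct hosts on 23/TCP or 2323/TCP (scanning behaviour), and flags any source connecting out to 48101/TCP (the C&C port). The log line format and the scan threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample flow-log lines (not taken from the advisory or a real incident).
SAMPLE_LOGS = """\
2016-10-21T10:00:01 src=192.0.2.10 dst=198.51.100.1 dport=23 proto=TCP
2016-10-21T10:00:01 src=192.0.2.10 dst=198.51.100.2 dport=2323 proto=TCP
2016-10-21T10:00:02 src=192.0.2.10 dst=198.51.100.3 dport=23 proto=TCP
2016-10-21T10:00:02 src=192.0.2.10 dst=198.51.100.4 dport=23 proto=TCP
2016-10-21T10:00:03 src=192.0.2.10 dst=198.51.100.5 dport=2323 proto=TCP
2016-10-21T10:00:03 src=192.0.2.10 dst=198.51.100.6 dport=23 proto=TCP
2016-10-21T10:00:04 src=192.0.2.10 dst=203.0.113.7 dport=48101 proto=TCP
2016-10-21T10:00:05 src=192.0.2.20 dst=198.51.100.9 dport=22 proto=TCP
2016-10-21T10:00:06 src=192.0.2.30 dst=198.51.100.1 dport=23 proto=TCP
"""

# Assumed "key=value" log format; adapt the pattern to your firewall's export.
LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) proto=(\w+)")
SCAN_PORTS = {23, 2323}   # Telnet ports Mirai scans, per the advisory
C2_PORT = 48101           # C&C port named in the advisory
SCAN_THRESHOLD = 5        # distinct targets per source before alerting (assumed tuning value)

def parse_flows(text):
    """Yield (src, dst, dport, proto) tuples for every parseable log line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3)), m.group(4)

def find_mirai_indicators(text, scan_threshold=SCAN_THRESHOLD):
    """Return sources scanning Telnet ports and sources talking to the C&C port."""
    telnet_targets = defaultdict(set)   # src -> distinct hosts contacted on 23/2323
    c2_sources = set()
    for src, dst, dport, proto in parse_flows(text):
        if proto != "TCP":
            continue
        if dport in SCAN_PORTS:
            telnet_targets[src].add(dst)
        elif dport == C2_PORT:
            c2_sources.add(src)
    scanners = {s for s, dsts in telnet_targets.items() if len(dsts) >= scan_threshold}
    return {"scanners": sorted(scanners), "c2_sources": sorted(c2_sources)}

if __name__ == "__main__":
    print(find_mirai_indicators(SAMPLE_LOGS))
```

A host that appears in both lists is the strongest candidate for isolation and disinfection; a single Telnet connection (192.0.2.30 above) stays below the threshold and is not reported.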
When the malware runs, it turns the infected system into a bot that connects to a C&C server. Bot-infected systems connect to the C&C servers on specific ports and listen for commands from the remote attacker. In view of the high damage potential of botnet-infected machines, customers are requested to disinfect their systems and take the countermeasures suggested below to prevent such incidents in future.
Countermeasures for securing IoT devices:
- Restrict Web Management Interface access of IoT devices to authorized users only and change default username/passwords.
- Always change Default login credentials before deployment in production.
- Change default credentials at device startup and ensure that passwords meet the minimum complexity.
- Disable Universal Plug and Play (UPnP) on IoT devices unless absolutely required.
- Users should be aware of the installed devices and their capabilities. If a device comes with a default password or an open Wi-Fi connection, users should change the password and only allow it to operate on a home network with a secured Wi-Fi router.
- Control access to the devices with Access List.
- Configure devices to "lock" or log out and require a user to re-authenticate if left unattended.
- Identify systems with default passwords and implement the above-mentioned measures. Some of the systems that need to be examined are routers, switches, web applications and administrative web interfaces, ICS systems, and Telnet and SSH interfaces.
- Implement account lockout policies to reduce the risk of brute forcing attacks.
- Telnet and SSH should be disabled on the device if there is no requirement for remote management.
- Configure VPN and SSH to access device if remote access is required.
- Configure certificate-based authentication for Telnet clients used for remote management of devices.
- Implement Egress and Ingress filtering at router level.
- Report suspicious entries in Routers to your Internet Service Provider.
- Keep antivirus software on computer systems up to date.
- Keep up-to-date on patches and fixes on the IoT devices, operating system and applications.
- Unnecessary ports and services should be stopped and closed.
- Logging must be enabled on the device to record all activities.
- Enable and monitor perimeter device logs to detect scan attempts towards critical devices/systems.