New Bot Called Persirai Is Recruiting IoT Devices’ Cameras

Posted on May 11, 2017 at 1:10 PM

New Bot Called Persirai Is Recruiting IoT Devices’ Cameras

The researchers of Trend Micro have discovered yet another threat, and this time, it’s another IoT disaster. According to them, a new botnet, called Persirai has managed to recruit over 1,000 IP camera models. This new discovery reminded everyone directly of the similar case that happened last year, when Mirai did the same thing, only with CCTV’s and DVR’s. It then proceeded to use them as a part of its botnet and launch a series of DDoS attacks.

This botnet, Persirai, has already managed to get 1,000 cameras, and the researchers have found over 120,000 more of them that are susceptible to becoming a part of this threat. It’s believed that the owners of the enlisted devices probably aren’t even aware of this fact. This only helps the attacker and grants them easier access to the camera’s web interface. To access it, the hacker uses TCP port 81.

The researchers have said that “IP cameras typically use Universal Plug and Play (UPnP), which are network protocols that allow devices to open a port on the router and act as a server, making them highly visible targets for IoT malware.”

Once the attacker gets access to the exposed interface, they proceed to download and execute shell scripts that’ll make the device a part of a botnet. It can even receive new commands from remote servers and help out with creating a botnet by attacking other cameras through the recently discovered zero-day vulnerability. As the researchers explained, this will allow attackers to siphon out any of the password files, and also equip them with what they need so that they could command injections with little regard to the password strength.

Unfortunately, that’s still not it, and afterward, the commands that are sent to the device could order it to launch a series of DDoS attacks on other devices. Analysis has managed to track down one such server, and discover that it’s located in Iranian research institute. Persian characters are also detected in the malware itself.

Since the Mirai code was open to the public, there have been many attempts like this, where the hackers would modify it and use it in their own cyber attacks. This is not a new thing. However, there is one important difference in this case, and that’s the use of zero-day vulnerabilities, that are used to obtain device’s password. while Mirai used brute force for such tasks.

Still, it’s obvious that the hackers responsible are aware of the easiest way to obtain login credentials, and that they’ll most likely continue to use these vulnerabilities. The scientists warned that it’s entirely possible that the attackers might completely give up on NTP and DNS server-based attacks, and instead simply use the IoT devices with weak security. If the users don’t change their default passwords, it’s easy for hackers to gain access.

However, that might not be enough anymore. Researchers suggest that users should disable uPnP on the routers, and prevent devices from the network to open ports without warning. These attacks should influence the users to update their security, or at least do as much as change login credentials. The best would be to move to two-factor authentication, where possible. Also, manufacturers are advised to make it possible wherever they can, in order to increase the safety of their consumers.

Related Stories: