The attack might be trying to kill devices before they can join a botnet

The security firm Radware has isolated, on their honeypots, two variants of a new bot attack targeting Internet of Things devices.

Named BrickerBot, the bot gains access to insecure Linux-based systems by using brute force on telnet using common default root username/password pairs. Once inside it writes random data to any mounted drives, in order to make device totally useless.

Radware named this attack “Permanent Denial-of-Service”.

Upon successful access to the device, the PDoS bot performed a series of Linux commands that would ultimately lead to corrupted storage, followed by commands to disrupt Internet connectivity, device performance, and the wiping of all files on the device.

Below is the exact sequence of commands that performed by the PDoS bots:

How protect my IoT devices?

Some tips from Radware:

  • Change the device’s factory default credentials.
  • Disable Telnet access to the device.
  • Network Behavioral Analysis can detect anomalies in traffic and combine with automatic signature generation for protection.
  • User/Entity behavioral analysis (UEBA) to spot granular anomalies in traffic early.
  • An IPS should block Telnet default credentials or reset telnet connections. Use a signature to detect the provided command sequences.

For an extended technical analysis and more informations, please refers to Radware’s article: