A new botnet that uses the same exploit vector as Mirai is targeting unsecured internet of things (IoT) devices, and its intent is mayhem. It essentially bricks the targets by causing widespread damage.
The Bricker Bot is a fast-moving bot attack designed to cause a state of permanent denial of service, or PDoS, according to Radware, which uncovered it. Over a four-day period, Radware’s honeypot recorded 1,895 PDoS attempts performed from several locations around the world. Its sole purpose was to compromise IoT devices and corrupt their storage. A second, similar bot launched 333 PDoS attempts on the same date, with lower intensity but using identical methods; and its location was concealed by Tor egress nodes.
“Also known loosely as phlashing in some circles, PDoS is an attack that damages a system so badly that it requires replacement or reinstallation of hardware,” researchers explained, in an analysis. “By exploiting security flaws or misconfigurations, PDoS can destroy the firmware and/or basic functions of system. It is a contrast to its well-known cousin, the DDoS attack, which overloads systems with requests meant to saturate resources through unintended usage.”
In this case, the Bricker Bot PDoS attack used Telnet brute force—the same exploit vector used by Mirai—to breach a victim’s devices. Upon successful access to the device, the PDoS bot performed a series of Linux commands that would ultimately lead to corrupted storage, followed by commands to disrupt internet connectivity, device performance and the wiping of all files on the device.
The PDoS attempts originated from a limited number of IP addresses spread around the world.
“Most of the devices were identified by Shodan as Ubiquiti network devices; among them are access points and bridges with beam directivity,” the researchers noted.
To protect oneself, users should always change the device’s factory default credentials; and should disable Telnet access to the device.