Security researchers have discovered a new Internet of Things (IoT) botnet dubbed Persirai targeting more than 1,000 different Internet Protocol (IP) camera models. According to Trend Micro, around 120,000 IP cameras are vulnerable to the malware, and many owners are unaware that their devices are exposed to the internet.
The researchers said this exposure makes it easier for the attackers behind the new malware to infiltrate the IP camera's web interface via TCP port 81.
"IP cameras typically use Universal Plug and Play (UPnP), which are network protocols that allow devices to open a port on the router and act like a server, making them highly visible targets for IoT malware," the researchers wrote in a blog post on Tuesday (9 May).
Once logged into the vulnerable device's interface, the attacker can perform a command injection that forces the IP camera to connect to a download site, which issues commands that download and execute malicious shell scripts.
After the samples are downloaded and executed, the malware deletes itself and runs only in memory, the researchers said. It also blocks the zero-day exploit to prevent other bad actors from targeting the infected IP camera.
The camera will then report to remote C&C servers, receive commands and automatically start attacking other IP cameras by exploiting a recently disclosed zero-day vulnerability.
"Attackers exploiting this vulnerability will be able to get the password file from the user, providing them the means to do command injections regardless of password strength," the researchers said. "The IP camera will then receive a command from the C&C server, instructing it to perform a DDoS attack on other computers via User Datagram Protocol (UDP) floods."
The researchers said the C&C servers were found to be using the .IR country code.
"This specific country code is managed by an Iranian research institute which restricts it to Iranians only," Trend Micro said. "We also found some special Persian characters which the malware author used."
The researchers pointed out that Mirai's "open-source nature gave it the potential to act as the core template upon which future IoT-centric malware will be built upon".
"As the Internet of Things gains traction with ordinary users, cybercriminals may choose to move away from Network Time Protocol (NTP) and Domain Name System (DNS) servers for DDoS attacks, instead concentrating on vulnerable devices — an issue compounded by users that practise lax security measures," the researchers warned. "A large number of these attacks were caused by the use of the default password in the device interface."
Trend Micro advises users to change their default passwords to stronger ones as soon as possible. To address the password-stealing vulnerability in IP cameras, users should disable UPnP on their routers to "prevent devices within the network from opening ports to the external internet without any warning".
"The burden of IoT security does not rest on the user alone," the researchers said. "It's also dependent on the vendors themselves, as they should be the ones responsible for making sure that their devices are secure and always updated. In line with this, users should make sure that their devices are always updated with the latest firmware to minimise the chance of vulnerability exploits."
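For owners who want to see what UPnP has already opened before disabling it, the following added example (not from Trend Micro or the original article) parses UPnP IGD `GetGenericPortMappingEntry` responses and lists enabled mappings that nobody approved, flagging any that involve TCP port 81. The SOAP responses, IP addresses and the `parse_mapping` and `audit` helper names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: SOAP bodies shaped like a router's UPnP IGD replies to
# GetGenericPortMappingEntry (one response per mapping index).
TEMPLATE = (
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    '<u:GetGenericPortMappingEntryResponse '
    'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
    "<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>"
    "<NewProtocol>{proto}</NewProtocol><NewInternalPort>{int_}</NewInternalPort>"
    "<NewInternalClient>{client}</NewInternalClient><NewEnabled>{on}</NewEnabled>"
    "<NewPortMappingDescription>{desc}</NewPortMappingDescription>"
    "<NewLeaseDuration>0</NewLeaseDuration>"
    "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"
)
SAMPLE_RESPONSES = [
    TEMPLATE.format(ext=81, proto="TCP", int_=81, client="192.168.1.50", on=1, desc="ipcam"),
    TEMPLATE.format(ext=3074, proto="UDP", int_=3074, client="192.168.1.20", on=1, desc="console"),
    TEMPLATE.format(ext=8081, proto="TCP", int_=81, client="192.168.1.51", on=0, desc="ipcam2"),
]
WATCHED_TCP_PORTS = {81}  # the camera web-interface port named in the article

def parse_mapping(soap_xml):
    """Extract the New* fields from one port-mapping response."""
    fields = {}
    for el in ET.fromstring(soap_xml).iter():
        tag = el.tag.split("}")[-1]  # strip any XML namespace
        if tag.startswith("New"):
            fields[tag[3:]] = (el.text or "").strip()
    return fields

def audit(responses, allowed_clients=frozenset()):
    """Return enabled mappings from unapproved hosts; flag the watched port."""
    findings = []
    for raw in responses:
        m = parse_mapping(raw)
        if m["Enabled"] != "1" or m["InternalClient"] in allowed_clients:
            continue  # disabled mapping, or a host the owner approved
        ports = {int(m["ExternalPort"]), int(m["InternalPort"])}
        watched = m["Protocol"] == "TCP" and bool(ports & WATCHED_TCP_PORTS)
        findings.append((m["InternalClient"], m["Protocol"], int(m["ExternalPort"]),
                         "camera-web-port" if watched else "review"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSES, allowed_clients={"192.168.1.20"}):
        print(finding)
```
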