Researchers from Trend Micro have detected a new Internet of Things (IoT) botnet called ‘Persirai’ targeting 1000 internet protocol (IP) cameras.
In a blog post on its website the vendor claimed it had detected 120,000 IP cameras that are vulnerable to ELF_PERSIRAI.A via Shodan. Many of these vulnerable users are unaware that their IP Cameras are exposed to the internet, which makes it significantly easier for the perpetrators behind the malware to gain access to the IP Camera web interface via TCP Port 81, Trend Micro added.
“IP Cameras typically use Universal Plug and Play (UPnP), which are network protocols that allow devices to open a port on the router and act like a server, making them highly visible targets for IoT malware,” the post reads. “After logging into the vulnerable interface, the attacker can perform a command injection to force the IP Camera to connect to a download site via commands.”
Once commands from the sever have been received, the IP Camera will exploit a zero-day vulnerability to automatically attack other IP cameras, allowing attackers to get the password file from the user, giving them the means carry out command injections regardless of password length.
What’s more, Trend Micro explained that the affected IP Camera receives a command from the C&C server, instructing it to perform a DDoS attack on other computers via User Datagram Protocol (UDP) floods. Notably, Persirai can perform User Datagram Protocol (UDP) DDoS attack with SSDP packets without spoofing IP address. Trend Micro found that the C&C servers were using the .IR country code, managed by an Iranian research institute which restricts it to Iranians only and some special Persian characters which the malware author used.
As a large number of these types of attacks are caused by the use of the default password in the device interface, Trend Micro urged users to change their default password as soon as possible and use a strong password for their devices, although a strong password alone does not guarantee device security.
IP Camera owners should also implement other steps to ensure that their devices are protected from external attacks. In addition to using a strong password, users should also disable UPnP on their routers to prevent devices within the network from opening ports to the external Internet without any warning, the firm advised.
“The burden of IoT security does not rest on the user alone – it’s also dependent on the vendors themselves, as they should be the ones responsible for making sure that their devices are secure and always updated. In line with this, users should make sure that their devices are always updated with the latest firmware to minimize the chance of vulnerability exploits,”