
Persirai IoT Malware Exploits CVE-2017-8224, Known Vulnerabilities

A researcher has found multiple vulnerabilities in Wireless IP Camera (P2P) WIFICAM cameras, as well as flaws in their custom HTTP server. More than 100,000 Internet-connected cameras are prone to attacks by a new IoT malware dubbed Persirai, which spreads via the vulnerabilities in these cameras.

Persirai Malware Observed by Researchers

According to security researcher Pierre Kim, the flaws could allow an attacker to perform remote code execution to hijack the cameras. The researcher reported the vulnerabilities to the vendor in March.

Exploited Vulnerabilities in Persirai Attacks

Unfortunately, the researcher says that the Wireless IP Camera (P2P) WIFICAM is full of flaws, as are plenty of other Chinese cameras. Even though the cameras are sold under different names, brands and functions, they share the same vulnerabilities. Basically, the OEM vendor used a custom version of GoAhead and included the vulnerable code inside.

Because of code reuse, the vulnerabilities are present in a huge list of cameras (especially the InfoLeak and the RCE), which allows root commands to be executed against 1250+ camera models with a pre-auth vulnerability.

Here is the list of flaws:

CVE-2017-8224 – Backdoor account
CVE-2017-8222 – RSA key and certificates
CVE-2017-8225 – Pre-Auth Info Leak (credentials) within the custom HTTP server
Authenticated RCE as root
Pre-Auth RCE as root
CVE-2017-8223 – Misc – Streaming without authentication
CVE-2017-8221 – Misc – “Cloud” (Aka Botnet)

It appears that at least 1,250 camera models produced by Chinese manufacturers are prone to attacks based on the vulnerabilities above.

What is worse is that Trend Micro has reported a new malware family that is being spread via the bugs in these products. The company says that approximately 120,000 cameras found via Shodan, the search engine for IoT devices, are open to Persirai attacks.

Similarly to other IoT malware, Persirai is infecting the cameras to form a botnet. DDoS attacks are likely to follow.

In addition, another security company, Qihoo 360, has also observed Persirai attacks and estimates that 43,621 cameras in China are infected with it.

Another IoT worm was also recently discovered by researchers. The Hajime worm has stealthier capabilities than Mirai and is more advanced than its predecessor. After the initial infection, the threat takes several steps to hide its running processes as well as its files on the file system.

Furthermore, the operator of the worm can open a shell script to any infected device in the network at any time. Researchers say that its code is modular, meaning that new capabilities can be added on the go.

At the time of the discovery, Hajime didn’t have DDoS capabilities, but this could quickly change. Researchers discovering new IoT malware at this rate only means one thing – the IoT attack landscape is about to get even worse.

Milena Dimitrova
