A large-scale attack caused by the BrickerBot malware affected over 60 000 Internet devices in several states in India. This is a follow-up campaign that is operated by security criminals to take down IoT devices worldwide.
BrickerBot Malware Strikes Again: Hits Over 60 000 India Devices
Malware experts detected a large-scale attack campaign in India that was able to take down a large number of devices in India. The hacker operators were able to take down many Internet gateways, routers and modems in several states of the country in a short period of time. The statistics shows that the BrickerBot attack has been successful in disabling over 60 000 devices so far. The released information shows that customers of two telecommunications providers Bharat Sanchar Nigam Limited (BSNL) and Mahanagar Telephone Nigam Limited (MTNL) are affected.
The attack campaign was detected to have been in operation between July 25 and July 29 when users of the two companies reported loss in connectivity. It has been found that the BrickerBot malware was responsible for the incident. The attacks were detected both by security specialists and the telecom companies. The BrickerBot campaigns follow a predefined behavior pattern that is tweaked slightly to reflect the target devices. An example execution chain goes through the following actions:
- Infiltration ‒ Occurs at the time of infection. The BrickerBot malware is activated and performs a brute-force attack using either a set of default device credentials or a dictionary-based brute force to gain access to the targets.
- Misconfiguration — The main goal of the malware is to cause a device malfunction by misconfiguring key settings. Depending on the attained version and target BrickerBot may launch different commands. The malware starts to write random data to the connected removable storage which effectively deletes all files by corrupting them. Internet connectivity problems are caused by modifications of an important network settings value. Performance is affected by limiting the kernel threads to a single only.
- Forced Reboot — The final stage of the attack reboots the devices. As the system has been heavily affected by the Brickerbot malware it is rendered in a “bricked” device.
Such attacks have been labeled as PDoS, an abbreviation of Permanent Denial of Service, also called “phlashing”.
BrickerBot Malware: An Effective IoT Device Destroyer
The BrickerBot attack campaign was able to take down about 45% of all broadband connections of one of the providers. The caused serious disruptions to the affected states, consequently causing problems for a limited time to the backbone as well.
Campaigns such as this one showcase how a criminal collective can cause serious problems to predefined targets in a well-concentrated attack. A sizable amount of the affected users were ones that did not changed the default credentials of the telecom-supplied routers and modems. This allowed practically any dictionary-based script to launch automated attacks and break into the target networks.
The intrusion was done over port 7547 which is responsible for the TR069 protocol used for administrative purposes and remote management. For unknown reason the ports were available for anyone to exploit. After the first attacks were reported the service providers filtered the ports which effectively shut down the attacks.
The BrickerBot Attacks Server as a Warning for Upcoming Trouble
The BrickerBot malware attacks are relatively simple to execute as they used a basic vulnerability found on many devices worldwide. The fact that hacker collective behind it were successful shows that Internet service providers do not take basic security seriously. Executed on a larger scale such malware attacks can cause massive damage to Internet connectivity and critical device disruptions worldwide.
To protect from possible intrusions system administrators can employ the following steps:
- Change the default device credentials.
- Remote control access should be disabled. The Telnet protocol is the one responsible for the network protocol intrusion attempts which is one of the most commonly used ways to manage remote devices.
- Network administrators can enforce an intrusion detection system to detect suspicious traffic and protect the hosts using automatic means.
We advice all users to use a free malware protection solution to scan their computers of any threats. BrickerBot or another virus may have infiltrated parts of your network and can drop spyware to the available computers. By using the product computer users can ensure that they are well-protected and all found infections can be easily removed with only a few mouse clicks.
Spy Hunter scanner will only detect the threat. If you want the threat to be automatically removed, you need to purchase the full version of the anti-malware tool.Find Out More About SpyHunter Anti-Malware Tool / How to Uninstall SpyHunter
Martin Beltov
Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
Follow Me: