Following in the footsteps of the now-infamous Mirai, the Persirai internet of things (IoT) botnet has been discovered enslaving 120,000 IP cameras and counting.
According to Trend Micro, the botnet targets more than 1,000 different camera models, and many of the vulnerable users are unaware that their gadgets are exposed to the internet. As a result, far too many of them are still using the default passwords the devices shipped with, making it significantly easier for the perpetrators behind Persirai to gain access to the IP camera web interface via TCP port 81.
However, the botnet also adds new password-protected IP cameras by exploiting a zero-day vulnerability that was made public a few months ago. Enslaved cameras attack other cameras using this flaw, retrieving the password file from the targeted device and thereby gaining the means to perform command injection regardless of password strength.
Once logged into the camera interface, the attacker can perform a command injection to force the IP camera to connect to a download site to receive malicious code, completing its assimilation into the bot. From there, the IP camera is ready to perform a DDoS attack on other computers via UDP floods.
Interestingly, Persirai uses Mirai’s open-source code as its core template, and its authors appear to be situated in Iran. Hence, the name “Persirai.”
“The C&C servers we discovered were found to be using the .IR country code,” Trend Micro researchers explained in an analysis. “This specific country code is managed by an Iranian research institute, which restricts it to Iranians only. We also found some special Persian characters which the malware author used.”
As for mitigation, users should change the default password as soon as possible and use a strong password for their devices. Given the password-stealing vulnerability mentioned above, camera owners should also disable Universal Plug and Play (UPnP) on their routers so that devices inside the network cannot open ports to the external internet without any warning.
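Two of the indicators described above can be checked from the defender's side without touching the cameras at all: an internal camera receiving connections from the internet on TCP port 81 (exposed management interface, often via UPnP-opened ports), and an internal host emitting an unusually large volume of UDP packets toward a single destination (the DDoS behaviour of an enslaved device). The script below is an added example, not Trend Micro's tooling or anything from the article; it runs over constructed flow records with hypothetical RFC 1918 and RFC 5737 addresses, and the packet threshold is an assumed value that a real deployment would tune against its own baseline.

```python
"""Defender-side triage of flow records for two Persirai indicators:
internal cameras reachable from the internet on TCP port 81, and internal
hosts sending UDP floods. All records below are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    src: str      # source IP
    sport: int    # source port
    dst: str      # destination IP
    dport: int    # destination port
    proto: str    # "tcp" or "udp"
    packets: int  # packets observed in this flow


# Constructed sample flows (hypothetical addresses; not from the incident).
SAMPLE_FLOWS = [
    Flow("198.51.100.7", 51234, "192.168.1.20", 81, "tcp", 12),     # internet -> camera web UI
    Flow("198.51.100.7", 51240, "192.168.1.20", 81, "tcp", 30),
    Flow("192.168.1.5", 44012, "192.168.1.20", 81, "tcp", 40),      # LAN admin, expected
    Flow("192.168.1.20", 3245, "203.0.113.9", 80, "udp", 120000),   # camera -> one target, UDP flood
    Flow("192.168.1.20", 3246, "203.0.113.9", 80, "udp", 95000),
    Flow("192.168.1.31", 50001, "192.168.1.1", 53, "udp", 40),      # ordinary DNS traffic
    Flow("192.168.1.31", 50002, "203.0.113.53", 53, "udp", 35),
]

# RFC 1918 ranges; adjust to the monitored network's actual address plan.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def exposed_on_port(flows, port: int = 81):
    """Internal hosts that receive TCP traffic on `port` from external sources.
    A hit means the camera's web interface is reachable from the internet."""
    return sorted({f.dst for f in flows
                   if f.proto == "tcp" and f.dport == port
                   and is_internal(f.dst) and not is_internal(f.src)})


def udp_flood_sources(flows, packet_threshold: int = 50000):
    """Internal hosts whose UDP packet total toward any single destination
    exceeds `packet_threshold` (assumed value) within the record window."""
    totals = defaultdict(int)
    for f in flows:
        if f.proto == "udp" and is_internal(f.src):
            totals[(f.src, f.dst)] += f.packets
    return sorted({src for (src, _dst), n in totals.items() if n > packet_threshold})


def triage(flows):
    """Combine both checks into one report keyed by indicator name."""
    return {
        "exposed_port81": exposed_on_port(flows),
        "udp_flood": udp_flood_sources(flows),
    }


if __name__ == "__main__":
    for indicator, hosts in triage(SAMPLE_FLOWS).items():
        print(f"{indicator}: {hosts}")
```

Hosts that appear under `exposed_port81` are the ones whose default password and router UPnP setting deserve immediate attention; a host under `udp_flood` warrants isolation and a firmware reset, since it may already be running the bot.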
“The burden of IoT security does not rest on the user alone—it’s also dependent on the vendors themselves, as they should be the ones responsible for making sure that their devices are secure and always updated,” the researchers added. “In line with this, users should make sure that their devices are always updated with the latest firmware to minimize the chance of vulnerability exploits.”