When threat actors see a good thing they’re not shy about piling on. Insecure IP-connected surveillance cameras are a good example.
According to a blog today from Trend Micro researchers there are four malware families in the wild now targeting these devices, each trying to build the biggest Internet of Things botnet.
The financial opportunity is big enough that their code includes capabilities that attempt to block their competitors.
The most recently discovered of the quartet is what Trend Micro calls Persirai, which targets over 1,000 camera models. Based on Shodan scans and their own research, the authors believe 64 per cent of tracked IP cameras with custom HTTP servers in four countries, including the U.S., are infected with Persirai.
Graphic from Trend Micro
Just over half of the cameras in the U.S. that Trend Micro looked at had been infected by at least one of these malware families.
What is concerning about Persirai is that it allows attackers to bypass authentication and obtain the admin password.
“One interesting feature of Persirai is that when it compromises an IP camera, that camera will start attacking others by exploiting three known vulnerabilities,” the blog says. More detail on Persirai can be found here.
Arguably the best known of the four is Mirai, which last year was behind the biggest distributed denial of service (DDoS) attack seen so far, with one flood peaking at 623 Gbps.
The other way of getting around a DDoS defence uses a shared “Google reCAPTCHA response” token, as sketched in the Trend Micro graphic below.
Graphic from Trend Micro
When the bot sends a request to the command-and-control URL and receives a valid (shared) Google reCAPTCHA response token, it sends a request carrying that token to the validator URL and receives two valid cookies. With that information the bot attempts to bypass DDoS protection.
Finally, there is malware called TheMoon, first discovered by the SANS ISC in 2014, whose authors continue to upgrade its attack methods and target new vulnerabilities.
“Many of these attacks are caused by a simple issue: the use of default passwords in the device interface,” says Trend Micro. “As soon as possible, IP camera users should change their passwords and follow best practices for creating a strong password—use at least 15 characters, with both uppercase and lowercase letters, numbers, and special characters.”
IP camera owners should also disable Universal Plug and Play on their routers to prevent devices within the network from opening ports to the external Internet without any warning, says the column.
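The password guidance quoted above can be turned into a simple audit check that a camera administrator runs against a candidate password before setting it. The following is an added example written for this article; it is not code from Trend Micro or from the original post. The list of default credentials it compares against is a small constructed sample chosen for illustration, not a list taken from the research, and the rule text is an assumption about how the guidance would be reported.

```python
import re
from typing import List

# Constructed sample of vendor-default credentials of the kind commonly
# shipped on embedded devices. Illustrative only; not from the article.
KNOWN_DEFAULTS = {"admin", "password", "123456", "12345", "admin123", "888888"}

# Minimum length recommended in the Trend Micro guidance quoted above.
MIN_LENGTH = 15


def password_policy_failures(password: str) -> List[str]:
    """Return the list of guidance rules the password fails.

    Rules checked: minimum length, uppercase, lowercase, digit, special
    character, and not matching a known vendor default. An empty list
    means the password satisfies every rule.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        failures.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        failures.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        failures.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        failures.append("no special character")
    # Case-insensitive comparison: "Admin" is no better than "admin".
    if password.lower() in KNOWN_DEFAULTS:
        failures.append("matches a known default credential")
    return failures


def is_acceptable(password: str) -> bool:
    """True when the password passes every rule above."""
    return not password_policy_failures(password)


if __name__ == "__main__":
    # Constructed sample inputs: a factory default, a short but mixed
    # password, and one that satisfies the guidance.
    for candidate in ["admin", "Shortpass1!", "Cam3ra!Roof-North#2017"]:
        problems = password_policy_failures(candidate)
        status = "OK" if not problems else "REJECT: " + "; ".join(problems)
        print(f"{candidate!r}: {status}")
```

The check is deliberately conservative: it rejects any password that is a known default regardless of case, because devices that still carry their factory credentials are exactly what the article says these botnets harvest.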