Friday, 23 June 2023 11:31

Crypto Mining Malware Targeting Linux and Linux Based IoT Devices Shows How Little we have Progressed in IoT Security

IoT (Internet of Things) devices have long been a source of security concerns. Back in 2012-2014 we wrote a series of articles following the comedy of errors that is the IoT market. At the time I dubbed it the Internet of Fails, simply because the companies making these internet-connected devices were leaving them so open to compromise. Everything from a lack of encrypted communication with cloud services, to no passwords on administrative functions, to firmware images that shipped with open files and folders, was found in popular connected products that were shipped to customers. Supply chain compromises were also found in generous quantities, making the mad rush to connect everything a serious concern.

Fast forward to today, 2023, and the situation is not much better. We still hear about companies that are owned because of an improperly secured IoT device or other “smart” product. Sometimes it is because that product was brought in without authorization, but in many cases it is still the lack of security around the device and a lack of understanding of just how insecure these devices are. It has gotten bad enough that an entire industry has been built around it. Companies like NetRise Inc have popped up to help stem the flood of compromises in this space.

Over the last few months, we have heard about more and more compromises of small Linux-based appliances. Everything from residential and SMB routers and edge devices to light bulbs and smart TVs has been targeted by attackers. These devices are often not properly secured at multiple levels. In the case of a recent crypto mining malware campaign, the attackers run a brute force attack looking for misconfigured systems (which many IoT devices are). Once they find a suitable system, they overwrite any existing OpenSSH installation with one they have adapted to their purposes and disable shell history. This “patched” version of OpenSSH is also responsible for installing the shell script that sets up the backdoor. The backdoor allows the attacker to install additional payloads and perform other post-compromise activities.

Some of the post-compromise activities include grabbing rootkits from GitHub (Diamorphine and Reptile) and clearing activity logs, just in case there is a SIEM in play, so the attack can remain undetected. Persistent SSH access is established by adding two public keys to the authorized_keys files of all users identified on the targeted device. Interestingly enough, the malware also checks for any other mining operations and disables and removes them to ensure its own crypto mining has the most resources available. Researchers also identified a modified IRC bot in use on infected devices. The IRC bot appears to be based on ZiggyStarTux; while normally a DDoS client, in this case it is likely used for its ability to execute bash commands on an infected device.
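One defensive check that follows from the persistence behaviour described above, written here as an added example (not code from the article or the researchers it cites): audit the authorized_keys contents of every local account, flag any key whose fingerprint is not on an approved list, and flag any key that shows up in more than one account, which is exactly the footprint of the same two keys being written for all users. The account names and key material below are constructed, not real keys.

```python
"""Audit authorized_keys across accounts for unapproved and cross-account keys."""
import base64
import hashlib
from collections import defaultdict

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256", "ssh-dss")

def fingerprint(blob_b64):
    """SHA256 fingerprint in the same form `ssh-keygen -lf` prints (no '=' padding)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text):
    """Yield (type, blob) for each key line; tolerates a leading options field."""
    for line in text.splitlines():
        fields = line.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        for i, tok in enumerate(fields[:-1]):
            if tok in KEY_TYPES:
                yield tok, fields[i + 1]
                break

def audit(auth_keys_by_user, approved_fps):
    """Return (unknown, shared): unknown maps user -> unapproved fingerprints;
    shared maps fingerprint -> sorted users for keys present in >1 account."""
    seen = defaultdict(set)
    unknown = defaultdict(list)
    for user, text in auth_keys_by_user.items():
        for _ktype, blob in parse_authorized_keys(text):
            fp = fingerprint(blob)
            seen[fp].add(user)
            if fp not in approved_fps:
                unknown[user].append(fp)
    shared = {fp: sorted(u) for fp, u in seen.items() if len(u) > 1}
    return dict(unknown), shared

# Constructed sample data (not real keys): one approved admin key on root,
# plus two unknown keys that were written into every account.
def _blob(label):
    return base64.b64encode(label.encode()).decode()

ADMIN = _blob("constructed-admin-key")
ROGUE1, ROGUE2 = _blob("constructed-rogue-key-1"), _blob("constructed-rogue-key-2")
SAMPLE = {
    "root": f"ssh-ed25519 {ADMIN} admin@mgmt\nssh-rsa {ROGUE1} x\nssh-rsa {ROGUE2} y\n",
    "pi": f'command="/bin/true" ssh-rsa {ROGUE1} x\nssh-rsa {ROGUE2} y\n',
    "www-data": f"# none issued\nssh-rsa {ROGUE1} x\nssh-rsa {ROGUE2} y\n",
}
APPROVED = {fingerprint(ADMIN)}  # fingerprints your team actually issued

if __name__ == "__main__":
    unknown, shared = audit(SAMPLE, APPROVED)
    for user, fps in unknown.items():
        print(f"[!] {user}: unapproved keys {fps}")
    for fp, users in shared.items():
        print(f"[!] {fp} present in {len(users)} accounts: {users}")
```

On a real host, feed `audit()` the contents of each account's `~/.ssh/authorized_keys` (walk `/etc/passwd` for home directories) and populate `APPROVED` from your key inventory; a fingerprint that is both unapproved and shared across accounts deserves immediate attention.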

This attack, combined with others identified recently, shows that attackers are not ignoring this target-rich environment. It also illustrates just how far we need to go to ensure that these simple devices get the same security considerations that general endpoints receive. When working in the cybersecurity space and talking about vulnerability scanning and remediation, the conversation is almost always about endpoints: laptops, servers, desktops, etc. Network devices, wireless access points and IoT are very often overlooked and left vulnerable to outside attack. This gap in security focus is alarming when you consider how often a company might have a smart TV, connected refrigerator, thermostat, or camera system in its environment. These insecure devices are all talking out to cloud services and far too often sitting on the same network as everything else. It is a failure waiting to happen, and not many people are paying any attention to it. Then again, with all the talk about AI/LLM… maybe people are too focused on the next shiny thing to consider anything else.
