It’s not very often that infosec pros get a warning of an threat on the horizon, but a news report this week suggests more attention be paid to an Internet of Things-based botnet discovered last fall which hasn’t yet been activated to do harm but whose creators could be looking for a target.
Dubbed Hajime (the word for beginning, in Japanese) by Rapidity Networks, which first reported on it last October, it is estimated to have infected 100,000 poorly secured IoT devices including digital video cameras, DVRs and routers. However, its code specifically searches for devices powered by ARM processors.
Who created it and what it will be used for — if anything — is a question. But researchers warn it has the power of the Mirai botnet which last year pushed a record 620 Gbps distributed denial-of-service (“DDoS”) attack against cyber reporter Brian Krebs.
According to Rapidity Networks, Hajime is a worm which spreads by scanning the public Internet for devices running Telnet servers with insecure default credentials. “What makes Hajime unique,” the company says, “is that it does not rely on centralized malware distribution server(s), but instead communicates over a distributed/decentralized overlay network to receive configuration and software updates.”
It compromises devices by trying several username and password combinations from its hardcoded list of credentials. If it gains entry infects the devices with a small, short-lived file-transfer program which connects back to the attacking node and copies down a much larger download program. The download program–the second stage–joins a peer-to-peer decentralized network and retrieves its configuration and a scanning program. The scanning program searches the public internet for more vulnerable systems to infect.
“Hajime is much, much more advanced than Mirai,” an expert is quoted by CSO Online. “It has a more effective way to do command and control.”
What — if anything — will this botnet be used for? Possibilities include launching extortion distributed denial of service (DDoS) attacks, be used for financial fraud, gather information as a research project. Rapidity Networks suspects the authors want it to be confused with the Mirai botnet. It also assumes the botnet will be weaponized.
What network admins can do, Rapidity Networks says, is scanning their infrastructure for unknown services, especially Telnet, to ensure that their networks are secure against attacks of this nature. To stop Hajime specifically Block UDP packets containing P2P traffic, block TCP connections containing attack traffic (the string “/bin/busybox ECCHI”), and consider blocking TCP port 4636, which the worm uses for communications.
Also this week IBM blogger Scott Koegler offers this advice to network admins to ensure devices on their networks aren’t turned into IoT slaves:
- Identify which devices have communication capabilities. If a device connects to your network and sends alerts, communicates with its manufacturer for warranty updates or provides any other indication that it is using its network connection to reach outside the enterprise, add it to your list of enabled systems.
- Connect devices to your network only if there is a demonstrable benefit. If a device can function properly without a network connection or if its connection only provides marginal utility, disconnect it and test its functionality. Before reconnecting, ask the manufacturer how the product is intended to communicate and what measures have been taken to secure it.
- Create a separate network specifically for smart device connections.
- Disable Universal Plug and Play (UPnP). Do not allow automatic discovery and connection for networked devices. Make certain that any devices that request network access are reviewed for security and connected to the proper network segment.
- Update firmware where possible. Contact manufacturers for updates to their firmware and ask about procedures they have taken to add security measures to the systems you use.
