Fast forward to today, 2023, and the situation is not much better. We still hear about companies that are owned because of an improperly secured IoT device or other “smart” product. Sometimes it is because that product was brought in without authorization, but in many cases it is still the lack of security around the device and a lack of understanding of just how insecure these devices are. It has gotten bad enough that an entire industry has been built around it. Companies like NetRise Inc have popped up to help stem the flood of compromises in this space.
Over the last few months, we have heard about more and more compromises of small Linux-based appliances. Everything from residential and SMB routers and edge devices to light bulbs and Smart TVs has been targeted by attackers. These devices are often not properly secured at multiple levels. In the case of a recent crypto mining malware, the attackers run a brute force attack looking for misconfigured systems (like many IoT devices). Once they find the right system, they overwrite any existing OpenSSH installation with one they have adapted to their purposes, and they disable shell history. This “patched” version of OpenSSH is also responsible for installing the shell script that sets up the backdoor. The backdoor allows the attacker to install additional payloads and perform other post-compromise activities.
Some of the post-compromise activities include grabbing rootkits from GitHub (Diamorphine and Reptile) along with clearing activity logs, just in case there is a SIEM in play, so the attack can remain undetected. Persistent SSH access is established via two public keys added to the authorized_keys files for all users identified on the targeted device. Interestingly enough, the malware also checks for any other mining operations and disables and removes them to ensure its own crypto mining has the most resources available. Researchers also identified a modified IRC bot in use on infected devices. The IRC bot appears to be based on ZiggyStarTux; while normally a DDoS client, in this case it is likely used for its ability to execute bash commands on an infected device.
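The persistence step above (the same two public keys appended to every user's authorized_keys file) is something a defender can check for directly. The following audit script is an added example written for this post; it is not code from the article, from the malware, or from NetRise. It parses authorized_keys content (tolerating option prefixes such as `command="..."`, comments and blank lines), computes the same SHA256 fingerprint format that `ssh-keygen -lf` prints, flags keys that are not on an approved list, and, as a separate signal, flags any unapproved key that appears in the files of several users at once. All key material and user names below are constructed sample data, not real keys.

```python
import base64
import hashlib
import re
from collections import defaultdict

# Matches the key type and base64 blob of an authorized_keys entry, with or
# without a leading options field (command="...", from="...", etc.).
KEY_RE = re.compile(
    r"(?P<type>ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521)|sk-[\w.@-]+)"
    r"\s+(?P<blob>[A-Za-z0-9+/]+={0,2})(?:\s+(?P<comment>.*))?"
)


def parse_authorized_keys(text):
    """Return a list of (key_type, base64_blob, comment) for each key line."""
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if m:
            keys.append((m.group("type"), m.group("blob"), (m.group("comment") or "").strip()))
    return keys


def fingerprint(blob):
    """SHA256 fingerprint in the format `ssh-keygen -lf` prints (base64, no padding)."""
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit(keys_by_user, approved_fingerprints, share_threshold=2):
    """Audit per-user authorized_keys content.

    Returns (unapproved, shared):
      unapproved: {user: [(key_type, fingerprint, comment), ...]} for keys not on the allowlist
      shared:     {fingerprint: [users...]} for unapproved keys present in >= share_threshold
                  users' files, the pattern the malware above leaves behind.
    """
    unapproved = defaultdict(list)
    users_by_fp = defaultdict(set)
    for user, text in keys_by_user.items():
        for key_type, blob, comment in parse_authorized_keys(text):
            fp = fingerprint(blob)
            users_by_fp[fp].add(user)
            if fp not in approved_fingerprints:
                unapproved[user].append((key_type, fp, comment))
    shared = {
        fp: sorted(users)
        for fp, users in users_by_fp.items()
        if len(users) >= share_threshold and fp not in approved_fingerprints
    }
    return dict(unapproved), shared


def _blob(label):
    # Constructed key material: just base64 text so the parser and fingerprint code run.
    # These are NOT real public keys.
    return base64.b64encode(label.encode()).decode()


ADMIN_BLOB = _blob("constructed admin key")
IMPLANT_A = _blob("constructed implant key A")  # stands in for the first dropped key
IMPLANT_B = _blob("constructed implant key B")  # stands in for the second dropped key

# Constructed sample: what a collector might read from each user's ~/.ssh/authorized_keys
SAMPLE_AUTHORIZED_KEYS = {
    "root": f"ssh-ed25519 {ADMIN_BLOB} admin@corp\nssh-rsa {IMPLANT_A}\nssh-rsa {IMPLANT_B}\n",
    "pi": f"# managed by ops\nssh-rsa {IMPLANT_A}\nssh-rsa {IMPLANT_B}\n",
    "backup": (
        f'command="/usr/bin/rrsync /srv" ssh-ed25519 {ADMIN_BLOB} backup@corp\n'
        f"ssh-rsa {IMPLANT_A}\nssh-rsa {IMPLANT_B}\n"
    ),
}
# Allowlist of fingerprints your organisation actually issued (here: only the admin key).
APPROVED = {fingerprint(ADMIN_BLOB)}


if __name__ == "__main__":
    unapproved, shared = audit(SAMPLE_AUTHORIZED_KEYS, APPROVED)
    for user, entries in unapproved.items():
        for key_type, fp, comment in entries:
            print(f"[unapproved] {user}: {key_type} {fp} {comment}")
    for fp, users in shared.items():
        print(f"[shared across users] {fp}: {', '.join(users)}")
```

On a real device the `SAMPLE_AUTHORIZED_KEYS` dict would be filled from each account's authorized_keys file (and from any `AuthorizedKeysFile` paths set in sshd_config), and the approved set from your key inventory. An unapproved key is worth a look on its own; the same unapproved key showing up under every account is the stronger indicator, since legitimate administration rarely grants one key to all users.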
This attack, combined with others identified recently, shows that attackers are not ignoring this target-rich environment. It also illustrates just how far we need to go to ensure that these simple devices get the same security considerations that general endpoints receive. In the cybersecurity space, when the conversation turns to vulnerability scanning and remediation, it is almost always about endpoints: laptops, servers, desktops, etc. Network devices, wireless access points and IoT are very often overlooked and left vulnerable to outside attack. This gap in security focus is alarming when you consider how often a company might have a smart TV, connected refrigerator, thermostat, or camera system in its environment. These insecure devices are all talking out to cloud services and far too often sitting on the same network as everything else. It is a failure waiting to happen, and not many people are paying any attention to it. Then again, with all the talk about AI/LLM… maybe people are too focused on the next shiny thing to consider anything else.