A new variant of the InterPlanetary Storm malware is targeting IoT devices, such as TVs that run on Android operating systems, and Linux-based machines, such as routers with ill-configured SSH service, according to Barracuda Networks researchers.
The new variant gains access to machines by running a dictionary attack against SSH servers, similar to FritzFrog, another peer-to-peer (p2p) malware. It can also gain entry by accessing open ADB (Android Debug Bridge) servers. The malware detects the CPU architecture and running OS of its victims, and can run on ARM-based machines – CPUs based on reduced instruction set computer architecture (RISC), which are quite common in routers and other IoT devices.
In their latest Threat Spotlight report, Barracuda Networks researchers found that the malware is building a botnet, which its researchers estimate currently includes roughly 13,500 infected machines located in 84 different countries around the world.
Majority of the machines infected by the new variant are located in Asia: 59% in Hong Kong, South Korea and Taiwan; 3% in China; 8% in Russia and Ukraine; 6% in Brazil; 5% in Canada and the US; and 3% in Sweden.
“While the botnet that this malware is building does not have clear functionality yet, it gives the campaign operators a backdoor into the infected devices so they can later be used for cryptomining, DDoS, or other large-scale attacks, said James Forbes-May, Vice President of APAC for Barracuda.
Cloud-enabled security solutions provider Barracuda discovered the new variant in late August. The InterPlanetary Storm malware, which targeted Windows machines, was first uncovered in May 2019, and a variant capable of attacking Linux machines was reported in June of this year.
“These cases continue to rise, so it’s important to remain vigilant,” said Forbes-May.
Barracuda researchers found several unique features designed to help the malware protect itself once it has infected a machine. These include automatically updating itself to the latest available version; installing a service using a Go daemon package, and killing other processes on the machine that pose a threat to the malware, such as debuggers and competing malware.
“In order to protect against such attacks, it’s incredibly important to properly configure SSH access on all devices, said Forbes-May. “This means using keys instead of passwords, which will make access more secure. When password login is enabled and the service itself is accessible, the malware can exploit the ill-configured attack surface. This is an issue common with routers and IoT devices, so they make easy targets for this malware, he added.
He added: “Using a cloud security posture management tool to monitor SSH access control to eliminate any configuration mistakes, which can be catastrophic, is crucial, while deploying an MFA-enabled VPN connection and segmenting your networks, rather than granting access to broad IP networks, can provide an additional layer of security against this kind of attack.”