Tuesday, 25 June 2019

A 14-year-old's Internet-of-Things worm is bricking shitty devices by the thousands

A hacker calling themself Light Leafon, who claims to be a 14-year-old, is responsible for a new IoT worm called Silex that targets any Unix-like system by attempting a login with default credentials. Upon gaining access, the malware enumerates all mounted disks and writes to them from /dev/random until they are filled, then deletes the device's firewall rules, removes its network config and triggers a restart. This effectively bricks the device, rendering it useless until someone performs the complex dance needed to download and reinstall the device's firmware.

The worm has taken down at least 2,000 devices since it appeared earlier today, and is indiscriminate enough that it could take down badly configured GNU/Linux servers. At least some of the worm's instances have been served from novinvps.com, which is based in Iran. Ankit Anubhav from NewSky Security told ZDNet that he made contact with the worm's author, "Light Leafon," who claimed to be 14 years old. Anubhav had already contacted Leafon earlier, when Leafon released a precursor to Silex called HITO that attacked IoT devices last month. Anubhav calls Leafon "one of the most prominent and talented IoT threat actors at the moment."

Last year, an IoT worm called Brickerbot swept the internet, and its author claims that it disabled 10,000,000 IoT devices in the process.

The teenager said he plans to develop the malware further and add even more destructive functions.

"It will be reworked to have the original BrickerBot functionality," Light told Anubhav and ZDNet.

Plans include adding the ability to log into devices via SSH, besides the current Telnet hijacking capability. Further, Light also plans to incorporate exploits into Silex, giving the malware the ability to use vulnerabilities to break into devices, similar to how most IoT botnets operate today.

"My friend Skiddy and I are going to rework the whole bot," Light told us. "It is going to target every single publicly known exploit that Mirai or Qbot load."

New Silex malware is bricking IoT devices, has scary plans [Catalin Cimpanu/ZDNet]

(via Bruce Sterling)