A newly uncovered Internet of Things (IoT) botnet threatens to enlist 120,000 Internet Protocol (IP) cameras that are vulnerable to attack. The Persirai botnet, as it is known, was discovered by researchers at Trend Micro, according to a Tuesday report at Dark Reading.
A similar botnet, Mirai, was used to drive a massive distributed denial of service (DDoS) attack last October directed at the Dyn DNS servers. The attack is believed to have come from about 100,000 endpoints in a single IoT botnet, which generated an attack rate of 1.2 terabits per second against the Dyn servers.
Trend Micro’s researchers noted more than 120,000 IP cameras exposed on the public internet that are easy targets for IoT malware such as Persirai. One difference between Mirai and Persirai is that the former launched brute-force login attempts to steal credentials, while the newer botnet exploits a zero-day vulnerability to obtain a user’s password file, which gives the botnet access to the camera.
According to Dark Reading:
Researchers found affected IP cameras report to C&C [command and control] servers using the .IR country code, which is managed by an Iranian research institute. They also discovered special Persian characters used by the malware author. However, this does not indicate the attacker is Iranian.
Analyst Jon Clay of Trend Micro said:
Attackers behind this are likely to continue and pursue other vulnerabilities, and look for other IoT devices that have similar vulnerabilities associated with them. … [These] devices are going to be used to potentially perform DDoS attacks against other organizations or other people. [Victims are] unwittingly being used as a pawn in a criminal’s efforts.
Part of the problem is that IP camera users don’t always know that their cameras are exposed online and they fail to change the default password.