IoT Devices Are Facing a Global Infection Storm

Image credit: iStockphoto/Elen11

The feared InterPlanetary Storm malware has a new variant.

According to the monthly “Threat Spotlight: New InterPlanetary Storm variant targeting IoT devices,” a report by Barracuda, the malware now infects 13,500 Mac, Android, Windows, and Linux machines in 84 countries.

On Oct 13, 2020, 27% of infected machines were located in Hong Kong, 17% in South Korea, 15% in Taiwan, 8% in Russia and Ukraine, 6% in Brazil, 5% in the U.S. and Canada, 3% in China, 3% in Sweden, and 1% or less in other countries.

Hong Kong having the highest number of infected machines is nothing new. Botnet (bots) events have always been a significant cyber threat in Hong Kong.

According to the Hong Kong Security Watch Report issued by the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT), there were 5,952 botnet (bots) events reported in Q2 2020 in Hong Kong.

The new variant of InterPlanetary Storm malware is different. First, it is fast and gains access to machines by running a dictionary attack against SSH servers, similar to FritzFrog, another peer-to-peer (p2p) malware. It can also gain entry by accessing open ADB (Android Debug Bridge) servers. The malware detects the CPU architecture and running OS of its victims, and it can run on ARM-based machines, an architecture that is quite common with routers and other IoT devices. 

The malware is called InterPlanetary Storm because it uses the InterPlanetary File System (IPFS) p2p network and its underlying libp2p implementation. This allows infected nodes to communicate directly or through other nodes (i.e., relays).  

The first variant of Interplanetary Storm, which targeted Windows machines, was uncovered in May 2019, and a variant capable of attacking Linux machines was reported in June of this year.

This new variant, which Barracuda researchers first detected in late August, is targeting IoT devices such as Android-based TVs and Linux-based machines such as routers with a misconfigured SSH service.

HKCERT also warned in 2019 that the webcam is one of the most popular IoT devices in Hong Kong, but that webcams may not be installed securely in households.

While the botnet that this malware is building does not have clear functionality yet, it gives the campaign operators a backdoor into the infected devices for crypto mining, DDoS, or other large-scale attacks. 

The new variant of InterPlanetary Storm is written in Go, uses the Go implementation of libp2p, and is packed with UPX. It spreads using SSH brute force and open ADB ports, and it serves malware files to other nodes in the network. The malware also enables a reverse shell and can run a bash shell.  

It also has several unique features, such as: 

  • Honeypot detection. The malware looks for the string “svr04” in the default shell prompt (PS1), which the Cowrie honeypot previously used.
  • Auto-updates. The malware compares the version of the running instance with the latest available version and updates accordingly.
  • Persistence. The malware installs a service (system/systemv) using a Go daemon package.
  • Process killing. The malware kills other processes on the machine that pose a threat to it, such as debuggers and competing malware, by looking for key strings in process command lines.

Barracuda advises the following:

  • Properly configure SSH access on all devices. Use keys instead of passwords, which makes access more secure. When password login is enabled and the service itself is reachable, the malware can exploit the misconfigured attack surface. This is common with routers and IoT devices, which makes them easy targets for this malware.
  • Use a cloud security posture management tool to monitor SSH access control and eliminate configuration mistakes, which can be catastrophic. Where shell access is genuinely needed, do not expose the service on the internet; instead, deploy an MFA-enabled VPN connection and segment your networks for the specific need rather than granting access to broad IP ranges.
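The first recommendation above turns on one sshd setting. The following is an added audit script, not part of the Barracuda report or this article: it reads an sshd_config and reports whether password logins are effectively reachable, honouring two details that routinely trip up manual review: an absent PasswordAuthentication keyword means sshd's default (yes) applies, and sshd uses the first value it sees for a keyword, with anything after a Match line being conditional. Both sample configs are constructed for illustration.

```python
"""Audit an sshd_config for the password-login exposure the article describes."""

# sshd's built-in defaults for the keywords checked here (absent keyword = default applies)
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",  # ChallengeResponseAuthentication is the older name
    "permitrootlogin": "prohibit-password",
}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Constructed sample configs (hypothetical, not taken from any real device)
WEAK_CONFIG = """\
# vendor default: PasswordAuthentication never set, so sshd's default (yes) applies
PermitRootLogin yes
"""
HARDENED_CONFIG = """\
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
"""

def effective_global(config_text):
    """Effective global values: sshd keeps the FIRST value seen per keyword, and
    directives after a Match line are conditional, so parsing stops there."""
    values = dict(DEFAULTS)
    seen = set()
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break
        if len(parts) == 2 and key in values and key not in seen:
            values[key] = parts[1].strip().lower()
            seen.add(key)
    return values

def findings(config_text):
    """List of exposures; an empty list means no password attack surface."""
    v = effective_global(config_text)
    out = []
    if v["passwordauthentication"] == "yes":
        out.append("password logins enabled: exposed to SSH dictionary attacks")
    if v["kbdinteractiveauthentication"] == "yes":
        out.append("keyboard-interactive enabled: PAM can still prompt for a password")
    if v["permitrootlogin"] == "yes":
        out.append("root may log in with a password")
    return out
```

Run `findings(open("/etc/ssh/sshd_config").read())` on a device; a non-empty list means the password surface the malware brute-forces is still open.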
