A new variant of the Demonbot malware, operated by a self-proclaimed attacker dubbed Priority, is targeting IoT devices. Read on to know more…
Researchers have spotted a new variant of Demonbot, operated by a self-proclaimed attacker dubbed Priority, targeting IoT devices. The variant has been found targeting Defeway surveillance cameras. Researchers noted that this newcomer is hitting port 60001 using the Demonbot variant of Mirai together with a second variant developed by Scarface. Port 60001 is commonly used by IoT devices, most notably the Defeway cameras, which make up over 90% of all cameras using this port. These cameras are being installed on networks with no password protection.
The New Variant
The new Demonbot variant is reported to be based on Mirai’s code and uses a Hadoop YARN exploit. The latest variant, Priority, has been observed attacking ports 5500, 5501, 5502, 5050, and 60001 with a simple command that leverages the MVPower DVR Shell Unauthenticated Command Execution vulnerability, reported by Unit 42 as part of the Omni Botnet variant of Mirai.
The attackers are using a single exploit and are mostly focusing on port 60001. Experts suspect that the other ports are just a diversion, possibly because the attackers have a specific goal in mind. In addition, the attacker moved from 128[.]199[.]15[.]87 to 64[.]227[.]97[.]145, the IP address from which all the attacks originated. Both IP addresses are owned by the VPS provider DigitalOcean.
Researchers believe the attacker is either an unsophisticated amateur or someone who wishes to hide their true identity by appearing to be more criminally inexperienced than they actually are. “What is interesting about this attacker is Juniper Threat Labs has not witnessed them using any additional exploits, perhaps showing again the attacker’s immaturity in the attack methodology,” noted researchers.
“In contrast, we see the majority of attackers using Mirai variants running three to seven different vulnerabilities against multiple protocols or devices.” Priority has bucked this trend by limiting their attack to a single exploit and making it clear that their sights are locked on port 60001.
“The other ports appear more like a diversion, leading us to believe that the attacker has a specific objective in mind,” noted researchers. All the attacks were found to have originated from an IP address owned by Virtual Private Server (VPS) provider DigitalOcean and linked to its Santa Clara data center.
In recent times, IoT devices have been facing threats from several similar malware families. A few days ago, a new botnet dubbed Ttint was found exploiting two zero-day vulnerabilities (including CVE-2020-10987) in Tenda routers. Last month, the Mozi botnet was found actively targeting a large number of IoT devices, including Netgear routers, Huawei routers, GPON routers, D-Link devices, and devices from several other brands.
IoT devices are still considered relatively insecure links in the overall technology landscape and require a different set of precautions. Experts advise users to regularly patch all IoT devices and replace default passwords with strong ones. Additionally, regularly mapping all the devices on the corporate network and scanning the network for malicious activity can help protect against such threats.
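One concrete form the "scan the network for malicious activity" advice can take is a check over perimeter firewall logs for the port mix described above: inbound probes of 60001 alongside the apparent diversion ports 5500, 5501, 5502 and 5050. The script below is an added example, not code from the report or from Juniper Threat Labs; it assumes netfilter/iptables-style log lines with SRC= and DPT= fields, and the log lines and source addresses in it are constructed sample data.

```python
import re
from collections import defaultdict

# Ports the report says the Priority/Demonbot variant probes.
# 60001 is the one that matters; the rest look like a diversion.
WATCHED_PORTS = {5500, 5501, 5502, 5050, 60001}
PRIMARY_PORT = 60001

# netfilter/iptables-style log lines (constructed sample data, not real traffic;
# addresses are from the documentation ranges, not the report's indicators).
SAMPLE_LOG = """\
Oct 12 10:01:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.20 PROTO=TCP SPT=41000 DPT=60001 SYN
Oct 12 10:01:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.21 PROTO=TCP SPT=41001 DPT=5500 SYN
Oct 12 10:01:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.22 PROTO=TCP SPT=41002 DPT=5050 SYN
Oct 12 10:01:04 gw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.20 PROTO=TCP SPT=51000 DPT=443 SYN
Oct 12 10:01:05 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.23 PROTO=TCP SPT=52000 DPT=60001 SYN
Oct 12 10:01:06 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.24 PROTO=TCP SPT=53000 DPT=5501 SYN
"""

LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?DPT=(?P<dpt>\d+)")

def parse_line(line):
    """Extract (source IP, destination port) from one log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("src"), int(m.group("dpt"))

def summarize(log_text):
    """Return {src: {port: count}} counting only hits on the watched ports."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dpt = parsed
        if dpt in WATCHED_PORTS:
            hits[src][dpt] += 1
    return {src: dict(ports) for src, ports in hits.items()}

def flag_sources(log_text, known_sources=frozenset()):
    """Classify each source seen on a watched port.
    'known'      : address on a caller-supplied watchlist (e.g. the report's indicators)
    'pattern'    : hits 60001 plus at least one of the diversion ports (the report's mix)
    'primary'    : hits only 60001
    'decoy-only' : hits only the diversion ports"""
    result = {}
    for src, ports in summarize(log_text).items():
        if src in known_sources:
            result[src] = "known"
        elif PRIMARY_PORT in ports and len(ports) > 1:
            result[src] = "pattern"
        elif PRIMARY_PORT in ports:
            result[src] = "primary"
        else:
            result[src] = "decoy-only"
    return result
```

Sources classed as "pattern" are the ones worth correlating with the device inventory: any host they reached on 60001 that turns out to be an unpatched camera with a default password is the exposure the report describes.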