Amnesia: IoT Botnet or Sentient Linux Malware
Marina Kidron April 12, 2017
Amnesia is an IoT botnet targeting digital video recorders (DVRs) recently discovered by the Palo Alto Networks research team, Unit 42. The malware exploits a vulnerability disclosed more than a year ago involving remote code execution in DVRs’ Linux-based firmware developed by TVT Digital and branded by more than 70 vendors.
At the time of this post, no patch is available, and no CVE has been assigned to this vulnerability (Skybox addresses it as SBV-70707).
Amnesia can turn the 200,000+ vulnerable devices worldwide, as identified by Palo Alto Networks, into a botnet. The malware communicates with its C2 servers via the IRC protocol, downloads its payload via HTTP requests and uses TCP and UDP flooding techniques – in an enterprise environment, this should be restricted. Successful exploitation could hand an attacker full control of the device.
This Linux-based malware is the first of its kind and is considered advanced due to its virtual machine (VM) evasion techniques. The malware detects whether it is running in a VirtualBox, VMware or QEMU VM – common environments for sandboxes or honeypots – and then wipes the virtualized system by deleting its file system.
By the same technique, this malware can cause substantial damage to QEMU-based Linux servers on virtual private server (VPS) hosting, or even in public clouds. If the payload reaches a VM environment, it can wipe the VM itself.
With the initial exploitation, there is no direct impact on organizations: if there is a vulnerable DVR in your network and the payload is manually copied to the VM environment, the VM may suffer. Reputations may take the worst hit, as your network could be participating in a DDoS attack. However, the next malware could easily exploit one of the 170 Linux kernel vulnerabilities with publicly available exploits and use the vulnerable DVR as an entry point to spread itself to the Linux VM. This makes it relevant to the enterprise environment, not just the IoT world.
As the original vulnerability disclosure points out, the vulnerability could ironically compromise the DVRs that serve as the central component of CCTV security camera systems. The use of cameras in a mass-scale botnet brings back not-too-distant memories of Mirai. In October 2016, Mirai-infected devices were used to launch the largest DDoS attack to date against Dyn, affecting companies using its DNS service, including Amazon, Twitter, Spotify, Netflix and many more. As with BrickerBot, the attack demonstrated how IoT security – or the lack of it – can wreak havoc in unexpected ways.
- Threat actors don’t wait around for CVEs to be assigned. Neither should your organization. Threat management processes that track only CVE-listed vulnerabilities are not enough to protect against real-world threats. Based on the Skybox Vulnerability Database, between five and 10 percent of all published vulnerabilities have no CVE, because of time-process issues or simply because no one asked for one.
- Use threat intelligence to prioritize vulnerability remediation. Even though on its surface Amnesia is targeting DVRs, the threat it poses to Linux virtual servers should be a concern for enterprises. Organizations need visibility and a contextual understanding of how attacks could play out in their network, even from the most obscure sources. Vulnerability management should prioritize vulnerabilities with active exploits – as well as exposed vulnerabilities – for immediate remediation (here’s what Gartner has to say on the matter).
- What can I do now? While there is no patch available, there are a few options to effectively mitigate the vulnerability Amnesia exploits. Properly configured network devices or IPS signatures should be able to isolate the vulnerable devices from attack. The IRC protocol should also be disabled. Virtualization servers should be properly backed up to limit the damage of this malware if an attack is successful.
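Restricting IRC and flood traffic from the DVR segment is easier to enforce when you can see it. The following script is an added example, not part of the original post or of any Skybox product: it scans a simplified, constructed flow log for two of the behaviours the post attributes to Amnesia (outbound IRC for C2 and TCP/UDP flooding) from hosts in an assumed DVR VLAN. The log format, the 10.20.0.0/24 DVR segment, the standard IRC ports and the flood threshold are all assumptions for the example.

```python
"""Egress-behaviour check for a DVR network segment (constructed example).

Flags outbound IRC connections and TCP/UDP flooding from DVR hosts, the
two network behaviours the post attributes to Amnesia. The flow-log format
and the sample records below are constructed for this example.
"""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

DVR_SEGMENT = ip_network("10.20.0.0/24")   # assumed DVR VLAN
IRC_PORTS = {6667, 6697}                   # standard IRC and IRC-over-TLS ports
FLOOD_THRESHOLD = 500                      # flows to one destination in the window

# Constructed flow records: (src, dst, dport, proto, packets)
SAMPLE_FLOWS = [
    ("10.20.0.15", "203.0.113.9", 6667, "tcp", 40),   # DVR -> IRC server
    ("10.20.0.15", "198.51.100.7", 80, "tcp", 12),    # HTTP payload fetch
    ("10.20.0.40", "192.0.2.50", 443, "tcp", 8),      # ordinary traffic
] + [("10.20.0.15", "198.51.100.200", 53, "udp", 1)] * 600  # UDP flood


def analyze(flows, segment=DVR_SEGMENT, flood_threshold=FLOOD_THRESHOLD):
    """Return {dvr_host: sorted list of finding strings} for flows from the segment."""
    findings = defaultdict(set)
    per_dst = Counter()
    for src, dst, dport, proto, _pkts in flows:
        if ip_address(src) not in segment:
            continue  # only hosts in the DVR segment are in scope
        if proto == "tcp" and dport in IRC_PORTS:
            findings[src].add(f"irc-c2:{dst}:{dport}")
        per_dst[(src, dst, proto)] += 1
    # Many flows from one DVR to one destination over one protocol = flood pattern
    for (src, dst, proto), n in per_dst.items():
        if n >= flood_threshold:
            findings[src].add(f"{proto}-flood:{dst}:{n}")
    return {host: sorted(hits) for host, hits in findings.items()}


if __name__ == "__main__":
    for host, hits in analyze(SAMPLE_FLOWS).items():
        print(host, hits)
```

In a real deployment the same checks map directly onto an egress policy: deny IRC ports from the DVR VLAN and rate-limit its outbound UDP/TCP, so a compromised recorder cannot reach its controller or join a flood.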
See how Skybox™ Network Assurance finds device configuration errors using detailed network modeling, even across physical, virtual, cloud and OT environments.
Quickly spot exposed vulnerabilities with attack surface visualization from Skybox™ Horizon. The interactive model combines vulnerability data, network topology and security controls to show you in a simple picture where you’re vulnerable to attack.
Plan vulnerability remediation in the context of your network with Skybox™ Vulnerability Control, which not only alerts you to available patches but also provides alternatives such as rule changes or IPS signatures, which may even be more efficient.