According to a blog post from IT security company Palo Alto Networks, a new variant of the IoT/Linux botnet Tsunami, which it calls Amnesia, targets an unpatched remote code execution vulnerability that was publicly disclosed over a year ago in DVR devices manufactured by TVT Digital and branded by over 70 vendors worldwide.
This vulnerability affects approximately 227,000 devices around the world with Taiwan, the US, Israel, Turkey, and India being the most exposed. IT security experts from Cylance and Positive Technologies comment below.
Jim Walter, Senior Researcher at Cylance:
“While the entry vector differs in this attack (HTTP vs. Telnet), the running theme remains the same. We (users) all tend to be far more trusting in the default configurations (or state) of our connected devices. We must not fall into the malaise of assuming that any ‘new’ device we purchase and connect is also up-to-date and ‘secure’ simply as a side effect of its ‘newness’. The diligence and hygiene that we apply to our traditional computing devices (PCs, laptops, phones, etc.) must also be transposed to the connected devices that we take for granted. Whether it be a PC, TV, gaming system, appliance, DVR or otherwise, the exposure and attack surfaces are in many ways identical and must be treated as such.”
Alex Mathews, Lead Security Evangelist at Positive Technologies:
“As we predicted last year, new versions of Mirai-like malware use more serious (perhaps 0-day) vulnerabilities in IoT gadgets that cannot be easily cured by users themselves. In the case of Mirai botnets, users could just change a default password and save all those devices from the infection.
“But new malware like Amnesia / Tsunami requires more security measures. First, you have to update the firmware to a safer version. Unfortunately, in many cases the manufacturers cannot provide security updates in time. Another problem is that common users just don’t know how to update different IoT devices like DVRs or Wi-Fi routers: these devices don’t have a simple interface like a common notebook does.
“So the best security advice here would be to limit access to the IoT device (and from it) to certain IP addresses only (admins). Or you can place your DVRs in an isolated / firewalled network.”
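The access restriction Mathews recommends, as an added example that is not part of the article or of either vendor's material: a POSIX shell function that emits an nftables ruleset for a firewall sitting between a DVR segment and the rest of the network. It admits only listed admin hosts to the DVR's management port, blocks every other new connection to the DVR, and logs and drops any connection the DVR itself tries to open (the traffic a bot-infected DVR would generate). The addresses, the management port and the table name are constructed assumptions; substitute your own.

```shell
#!/bin/sh
# Added example (not from the article or the quoted vendors).
# Generates an nftables ruleset that:
#   1. lets only named admin hosts reach the DVR's HTTP management port
#      (HTTP is the entry vector the article describes),
#   2. drops any other new connection to the DVR,
#   3. logs and drops any new connection the DVR initiates, so an infected
#      unit cannot reach a command-and-control server and the attempt is
#      visible in the firewall log.
# Rules append to the forward chain with policy accept, so they compose with
# an existing ruleset rather than replacing it.
#
# Usage: dvr_ruleset DVR_IP MGMT_PORT ADMIN_IP [ADMIN_IP ...]
dvr_ruleset() {
  dvr="$1"
  port="$2"
  shift 2
  # Turn "a b c" into "a, b, c" for an nftables anonymous set.
  admins=$(printf '%s' "$*" | sed 's/ /, /g')
  cat <<EOF
table inet dvr_guard {
  chain forward {
    type filter hook forward priority 0; policy accept;
    # Replies to connections that were already allowed
    ct state established,related accept
    # Admin hosts may open the DVR management port; nobody else may reach the DVR
    ip saddr { $admins } ip daddr $dvr tcp dport { $port } ct state new accept
    ip daddr $dvr ct state new counter drop
    # The DVR may not initiate connections at all; record each attempt
    ip saddr $dvr ct state new log prefix "dvr-egress-blocked: " counter drop
  }
}
EOF
}

# Constructed sample values: DVR at 192.0.2.10, web UI on port 80,
# two admin workstations.
dvr_ruleset 192.0.2.10 80 192.0.2.50 192.0.2.51

# To check syntax without loading:   dvr_ruleset ... | nft -c -f -
# To load on the firewall (as root): dvr_ruleset ... | nft -f -
```

If the DVR legitimately needs outbound NTP or DNS, add explicit accept rules for those destinations above the final drop; the `counter` on the egress rule and the `dvr-egress-blocked:` log prefix give a cheap indicator that a device on the segment has started behaving like a bot.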