NCCIC/ICS-CERT received a technical bulletin from the Sierra Wireless company, outlining mitigations to secure AirLink Cellular Gateway devices affected by (or at risk of) the “Mirai” malware. While the Sierra Wireless devices are not being specifically targeted by the malware, unchanged default factory credentials, which are publicly available, could allow the devices to be compromised. Additionally, a weakened security posture could lead to the devices being used in Distributed Denial of Service (DDoS) attacks against Internet websites. IT security experts from Imperva and Tripwire commented below.
Tim Matthews, Vice President of Marketing at Imperva:
“Given that the manufacturer has issued a CERT alert, with detailed behavioral analysis of how Mirai behaves on their devices, this appears quite legitimate. It is reminiscent of an IoT botnet comprised of SOHO routers infected with the MrBlack malware (note, see: https://www.incapsula.com/blog/ddos-botnet-soho-router.html).
Generally, Mirai botnets are used to attack any number of targets, and not just those on the network where the malware is present. We saw an attack from Mirai on our own website, as well as the sites of the customers we protect (see: https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html).
One of the attacks was quite large, peaking at 280 Gbps and 130 Mpps, both indicating a very powerful botnet. In terms of these devices connecting to critical infrastructure, what we have seen is the use of Mirai as a DDoS weapon. But, potentially, if a sufficient quantity of these devices were infected and close to critical infrastructure, their proximity could increase the relative power of their attacks.”
Lamar Bailey, Senior Director of Security Research and Development at Tripwire:
“Botnets are having great success taking advantage of the IoT explosion we have seen over the last few years. The number of connected devices in the average home has skyrocketed to numbers previously seen in small offices. With this rush to get new devices to market we find the consumer devices are not as secure as people assume. Many of the devices lack some of the fundamental security controls like requiring default password changes or using unique passwords for each device. The average home user just sets up the device per the install instructions and trusts it is secure. Botnets can use these default credentials to harvest hundreds or thousands of bots to focus on a target in a DDoS attack. The attacks are more successful because they come from a larger area and this makes them harder to mitigate.”
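Both the bulletin summary and the Tripwire comment above come down to the same two controls: factory default passwords must be changed, and each device should carry a unique password. The following audit, added here as an illustration and not code from Sierra Wireless, Imperva or Tripwire, shows how an operator can check a gateway inventory for both conditions without storing plaintext passwords. It assumes a fleet-wide secret key used to compute a keyed HMAC fingerprint of each device's admin password at provisioning time; equal passwords give equal fingerprints, so reuse across devices is detectable, while the fingerprint store reveals nothing useful without the key. The default-password list and the inventory are constructed placeholders.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed placeholder stand-ins for factory defaults. A real audit would
# load the vendor's documented defaults; they are deliberately not listed here.
KNOWN_DEFAULT_PASSWORDS = ("factory-default-placeholder", "admin-placeholder")


def fingerprint(password: str, fleet_key: bytes) -> str:
    """Keyed fingerprint of a credential (HMAC-SHA256 under the fleet key).

    Equal passwords yield equal fingerprints, which is what makes reuse
    detection possible; the fleet key must be protected like any other secret.
    """
    return hmac.new(fleet_key, password.encode("utf-8"), hashlib.sha256).hexdigest()


def audit_inventory(inventory: dict, fleet_key: bytes) -> dict:
    """Audit {device_id: fingerprint} and report weak-credential findings.

    Returns {"still_default": [device ids], "shared": [[device ids], ...]}.
    Devices on a factory default are reported once, under "still_default";
    "shared" lists groups of devices that share a non-default password.
    """
    default_fps = {fingerprint(p, fleet_key) for p in KNOWN_DEFAULT_PASSWORDS}

    still_default = sorted(dev for dev, fp in inventory.items() if fp in default_fps)

    by_fp = defaultdict(list)
    for dev, fp in inventory.items():
        if fp not in default_fps:
            by_fp[fp].append(dev)
    shared = sorted(sorted(devs) for devs in by_fp.values() if len(devs) > 1)

    return {"still_default": still_default, "shared": shared}


def check_new_password(password: str, inventory: dict, fleet_key: bytes):
    """Provisioning-time gate: return a rejection reason, or None if acceptable."""
    fp = fingerprint(password, fleet_key)
    if password in KNOWN_DEFAULT_PASSWORDS:
        return "factory default password"
    if fp in inventory.values():
        return "password already in use on another device"
    return None


def build_sample_inventory(fleet_key: bytes) -> dict:
    """Constructed sample fleet: one device still on a default, two sharing a password."""
    plaintext = {
        "gw-01": "factory-default-placeholder",   # never changed after install
        "gw-02": "Qe7!vR2x-unique-a",
        "gw-03": "shared-across-sites",           # same password as gw-04
        "gw-04": "shared-across-sites",
        "gw-05": "mN4$kL9p-unique-b",
    }
    return {dev: fingerprint(pw, fleet_key) for dev, pw in plaintext.items()}


if __name__ == "__main__":
    key = b"constructed-fleet-key-replace-in-production"
    inv = build_sample_inventory(key)
    print(audit_inventory(inv, key))
    print(check_new_password("shared-across-sites", inv, key))
```

Run as-is, the audit flags gw-01 as still on a factory default and reports gw-03 and gw-04 as sharing a password; the provisioning gate rejects a reused or default password before it is written to a device. Because the fingerprint is keyed, the inventory file alone does not let someone who obtains it recover or test candidate passwords offline, but the fleet key itself must be kept out of the inventory and out of the devices.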