Spawn of Demonbot Attacks IoT Devices

Threat researchers have spotted a new kind of cyber-attack that uses a variant of Mirai malware to target a port used by IoT devices.

The attack, orchestrated by someone using the alias “Priority,” was detected by a team at Juniper Threat Labs. Priority appears to have been up to no good since September 10.

Researchers noted that this new malicious kid on the block is hitting port 60001 using the Demonbot variant of Mirai together with a second variant developed by Scarface.

Port 60001 is commonly used by IoT devices, most notably Defeway cameras, which make up over 90% of all cameras using this port. These cameras are being installed within networks with no password protection.

“While the users feel they are simply giving themselves access to view their camera from anywhere, it is actually giving attackers the ability to install botnets, such as Mirai, on the device,” said Juniper’s Jesse Lands.

Priority has been observed attacking ports 5500, 5501, 5502, 5050, and 60001 with a simple command that leverages the MVPower DVR Shell Unauthenticated Command Execution vulnerability, reported by Unit 42 as part of the Omni Botnet variant of Mirai.

Researchers believe the attacker is either an unsophisticated amateur or someone who wishes to hide their true identity by appearing to be more criminally inexperienced than they actually are.

“What is interesting about this attacker is Juniper Threat Labs has not witnessed them using any additional exploits, perhaps showing again the attacker’s immaturity in the attack methodology,” noted researchers.

“In contrast, we see the majority of attackers using Mirai variants running three to seven different vulnerabilities against multiple protocols or devices.”

Priority has bucked this trend by limiting their attack to a single exploit and making it clear that their sights are locked on port 60001.

“The other ports appear more like a diversion, leading us to believe that the attacker has a specific objective in mind,” noted researchers.

All the attacks were found to have originated from an IP address owned by Virtual Private Server (VPS) provider Digital Ocean and linked to their Santa Clara data center.
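For defenders who want to check their own perimeter logs for the port pattern described above, the following is an added example (not code from Juniper Threat Labs or the original article). It assumes iptables-style `LOG` lines; the sample log, the addresses (documentation ranges) and the verdict labels are constructed for illustration.

```python
import re
from collections import defaultdict

# Ports named in the article; 60001 is the one researchers call the real target.
PRIMARY_PORT = 60001
SECONDARY_PORTS = {5500, 5501, 5502, 5050}

# Constructed sample in iptables LOG style (assumed format, made-up hosts).
SAMPLE_LOG = """\
Sep 12 03:14:07 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=41822 DPT=60001 SYN
Sep 12 03:14:08 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=41830 DPT=5500 SYN
Sep 12 03:14:09 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=41844 DPT=5050 SYN
Sep 12 04:02:51 gw kernel: IN=eth0 OUT= SRC=192.0.2.15 DST=198.51.100.20 PROTO=TCP SPT=50112 DPT=60001 SYN
Sep 12 04:10:00 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.20 PROTO=TCP SPT=50200 DPT=443 SYN
Sep 12 04:11:30 gw kernel: IN= OUT=eth0 SRC=198.51.100.20 DST=203.0.113.7 PROTO=TCP SPT=60001 DPT=60001 ACK
"""

# Inbound TCP only: IN= must name an interface (outbound lines have an empty IN=).
LINE_RE = re.compile(r"IN=\S+ .*?SRC=(?P<src>\S+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)")

def summarize(log_text):
    """Map each source IP to the set of watched ports it tried to reach."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # outbound, non-TCP, or unparseable line
        port = int(m.group("dpt"))
        if port == PRIMARY_PORT or port in SECONDARY_PORTS:
            seen[m.group("src")].add(port)
    return dict(seen)

def flag_sources(log_text):
    """Label each source by how closely it matches the reported port pattern."""
    verdicts = {}
    for src, ports in summarize(log_text).items():
        if PRIMARY_PORT in ports and ports & SECONDARY_PORTS:
            verdicts[src] = "matches-reported-pattern"  # 60001 plus the other ports
        elif PRIMARY_PORT in ports:
            verdicts[src] = "port-60001-only"
        else:
            verdicts[src] = "secondary-ports-only"
    return verdicts

if __name__ == "__main__":
    for src, verdict in sorted(flag_sources(SAMPLE_LOG).items()):
        print(src, verdict)
```

Any hit on port 60001 from the internet is worth following up on its own, since it means a camera service is reachable from outside the network.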
