Friday, June 23, 2017
Don Duncan, Sales Engineer - Eastern at NuData Security, said the malware is a derivative of QakBot, a form of malicious code that has been actively infecting networks for more than 10 years.
"Pinkslipbot is extremely persistent, and essentially, anyone with fast Internet and open ports on an Internet gateway device using UPnP is vulnerable to it," he said. "Pinkslipbot detects available ports, infects machines behind the firewall, and relays information to C&C [Command and Control] servers. In the short term, it's important that 'local port-forwarding rules' be monitored, and UPnP should be turned off if the user doesn't need it."
Duncan urged network operators to implement behavioral biometrics to create additional barriers around UPnP routers and hubs. These solutions are generally less susceptible to impersonation, because they rely on online behavior rather than credentials to authenticate users. Banks can use behavioral biometrics to upgrade user experiences for trusted customers, he added.
"These technologies are going to defeat Trojans and malware by making the credentials and payment card details obsolete," he said. "Fraudsters are in the business of making money, so the real answer is to make the data useless."
Researchers see the heightened interest in smart homes and connected appliances as a strategic shift in the cybercrime community and have warned that these attacks may be indicative of new threats for homeowners, renters and remote employees who work from home.
Gabriel Gumbs, Vice President of Product Strategy at STEALTHbits Technologies Inc., said, "We recently saw WannaCry be rather troublesome for organizations, but not nearly as much for home users; QakBot/Pinkslipbot, on the other hand, is likely to be more of an issue for home users, and the reason has everything to do with the way these pieces of malware spread."
Gumbs suggested the primary difference between WannaCry and Pinkslipbot is in the targeted devices and methods of attack. For example, he noted that WannaCry attacks Server Message Block ports that are usually disabled on home routers but enabled in business environments to allow file sharing; QakBot/Pinkslipbot attacks UPnP ports commonly used in homes to enable seamless connectivity among IoT devices.
"Organizations still need to be very diligent as this malware does three things that can disrupt every business," Gumbs said. "It locks out hundreds to thousands of Active Directory accounts in quick succession, attempts to log on to many accounts that do not exist, such as 'administrador,' and deploys malicious executables to network shares and registers them as a service, all in an attempt to create further havoc within Active Directory environments. Companies will want to actively monitor for these types of events, as they can easily go unnoticed until the damage is done."
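As an added illustration, not part of the original article, the following sketch shows one way to monitor for the three behaviors described above over already-parsed Windows events. It assumes the usual event IDs (4740 account lockout, 4625 failed logon with SubStatus 0xC0000064 for a nonexistent user, 7045 service installed); the dictionary field names, thresholds, and sample events are constructed for the example.

```python
from datetime import datetime, timedelta

# Assumed mapping of the described behaviors to Windows event IDs (not from the article).
LOCKOUT, FAILED_LOGON, SERVICE_INSTALL = 4740, 4625, 7045
NO_SUCH_USER = "0xc0000064"  # 4625 SubStatus: user name does not exist

def at(minute, second):
    return datetime(2017, 6, 23, 9, minute, second)

# Constructed sample events; field names are hypothetical, not a real log schema.
EVENTS = [
    {"id": LOCKOUT, "time": at(0, 1), "user": "alice"},
    {"id": LOCKOUT, "time": at(0, 2), "user": "bob"},
    {"id": LOCKOUT, "time": at(0, 3), "user": "carol"},
    {"id": LOCKOUT, "time": at(30, 0), "user": "dave"},  # isolated lockout
    {"id": FAILED_LOGON, "time": at(0, 4), "user": "administrador",
     "substatus": "0xC0000064"},
    {"id": FAILED_LOGON, "time": at(0, 5), "user": "alice",
     "substatus": "0xC000006A"},  # wrong password on a real account
    {"id": SERVICE_INSTALL, "time": at(0, 6), "service": "updsvc",
     "image_path": r"\\FILESRV01\share\upd.exe"},
    {"id": SERVICE_INSTALL, "time": at(0, 7), "service": "localsvc",
     "image_path": r"C:\Windows\System32\localsvc.exe"},
]

def burst(items, window, threshold):
    """Distinct users in the first window that reaches the threshold, else []."""
    items = sorted(items)
    for i, (start, _) in enumerate(items):
        users = {u for t, u in items[i:] if t - start <= window}
        if len(users) >= threshold:
            return sorted(users)
    return []

def detect(events, window=timedelta(seconds=60), threshold=3):
    locks = [(e["time"], e["user"]) for e in events if e["id"] == LOCKOUT]
    ghosts = {e["user"] for e in events if e["id"] == FAILED_LOGON
              and e.get("substatus", "").lower() == NO_SUCH_USER}
    # A service whose binary lives on a UNC path was started from a network share.
    shares = [e["service"] for e in events if e["id"] == SERVICE_INSTALL
              and e.get("image_path", "").lstrip('"').startswith("\\\\")]
    return {"lockout_burst": burst(locks, window, threshold),
            "nonexistent_accounts": sorted(ghosts),
            "services_from_shares": shares}

if __name__ == "__main__":
    for name, hits in detect(EVENTS).items():
        print(name, hits)
```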
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.