Spawn of Demonbot Attacks IoT Devices
October 4, 2020 Share

Spawn of Demonbot Attacks IoT Devices

Threat researchers have spotted a new kind of cyber-attack that uses a variant of Mirai malware to target a port used by IoT devices.

The attack, orchestrated by someone using the alias “Priority,” was detected by a team at Juniper Threat Labs. Priority appears to have been up to no good since September 10.

Researchers noted that this new malicious kid on the block is hitting port 60001 using the Demonbot variant of Mirai together with a second variant developed by Scarface.

Port 60001 is a common port used by IoT devices, most notably the Defeway cameras, which make up over 90% of all cameras using this port. These cameras are being installed within networks with no password protection.

“While the users feel they are simply giving themselves access to view their camera from anywhere, it is actually giving attackers the ability to install botnets, such as Mirai, on the device,” said Juniper’s Jesse Lands.

Priority has been observed attacking ports 5500, 5501, 5502, 5050, and 60001 with a simple command that leverages the MVPower DVR Shell Unauthenticated Command Execution, reported by Unit 42 as part of the Omni Botnet variant of Mirai.

Researchers believe the attacker is either an unsophisticated amateur or someone who wishes to hide their true identity by appearing to be more criminally inexperienced than they actually are.

“What is interesting about this attacker is Juniper Threat Labs has not witnessed them using any additional exploits, perhaps showing again the attacker’s immaturity in the attack methodology,” noted researchers.

“In contrast, we see the majority of attackers using Mirai variants running three to seven different vulnerabilities against multiple protocols or devices.”

Priority has bucked this trend by limiting their attack to a single exploit and making it clear that their sights are locked on port 60001.

“The other ports appear more like a diversion, leading us to believe that the attacker has a specific objective in mind,” noted researchers.

All the attacks were found to have originated from an IP address owned by Virtual Private Server (VPS) provider Digital Ocean and linked to their Santa Clara data center.

This post Spawn of Demonbot Attacks IoT Devices originally appeared on InfoSecurity Magazine.

Read More