120,000 IoT cameras vulnerable to new Persirai botnet say researchers

Internet connected cameras across the globe are easy to find and hijack to carry out DDoS attacks.
Written by Danny Palmer, Senior Writer

A new Internet of Things (IoT) botnet is targeting over 1,000 different models of vulnerable IP cameras and using the hijacked devices to carry out DDoS attacks.

Over 122,000 cameras from a variety of manufacturers are vulnerable to becoming part of the Persirai botnet - and the vast majority of owners don't even know their devices are exposed on the internet and thus easily targeted by malware.

Discovered by cybersecurity researchers at Trend Micro, 122,069 of the affected IP cameras across the globe can easily be found via the Shodan IoT search engine, with vulnerable products visible in China and Japan, through Europe and all the way across to the Americas.

Distribution of devices vulnerable to Persirai (Image: Trend Micro)

Like many internet-connected devices, these cameras are built to be easily set up by the user - a design feature which often results in cybersecurity being an afterthought. As a result, the IP cameras can open a port on the router and act like a server, making them highly visible to IoT malware.

Taking advantage of this, the attackers are able to access the IP camera via the open port, then perform a command injection that forces the camera to connect to a download site, which serves a malicious shell script that installs malware onto the camera, roping it into the botnet.

Once downloaded and executed, the malware deletes itself from disk and runs only in memory in an effort to avoid detection. Persirai's developers also block the exploit they used, preventing other attackers from targeting the camera and keeping the infected device to themselves.

The cameras can be instructed to carry out DDoS attacks against target networks - an attack which, while unsophisticated, has the potential to do massive damage, as demonstrated by the Mirai botnet attacks last year, which brought large swathes of the internet and online services to a standstill.

While researchers have been unable to specifically identify those behind this IoT malware, the C&C servers have been traced to Iran and the author of the malware used some special Persian characters in the code.

Internet of Things devices remain vulnerable to cyberattacks as many manufacturers rush out devices without proper security measures and ship them to consumers who are unlikely to know how to change the default credentials, leaving devices open to attack.

The bad news is the security worries around the IoT are only likely to get worse as more and more devices become connected, providing cybercriminals and hackers with billions more devices to breach.

Not only do these provide them with the opportunity to carry out DDoS attacks; a vulnerable IoT device could also provide a gateway onto a network as a whole, allowing hackers to carry out other criminal tasks including espionage on target organisations.
