BASHLITE Malware Hits Over One Million IoT Devices
There is an ongoing battle against malware worldwide, and it is taking on new shapes and shifting to new fronts. One of the relatively new fronts is malware that targets internet-of-things (IoT) devices. Broadly defined, an IoT device is any device, or even a vehicle, that contains electronics and software and has an active connection to the internet.
It seems hackers and bad actors are focusing more and more on IoT devices, as recent research by Level 3 Threat Research Labs – an infosec company based in Colorado – points out. As per their report, a family of malware, which shares the names BASHLITE, Lizkebab, Garfyt and Torlus, has infected over a million devices through coordinated botnet attacks.
Mr. Dale Drew, CSO with Level 3, says that his company originally set out to research a number of what he calls 'average' botnets, with the intention of extracting as much interesting information about them as possible. The study showed that the BASHLITE malware was connected to several botnets that turned out to be far better organized than the researchers had expected.
The research revealed that a number of command-and-control (C&C) servers were related to the BASHLITE family of malware, and that they initially appeared to be linked to just 72 bots – a modest number, considering the scope of many botnets. Further research showed that the malware family was actually connected to as many as 120,000 bot machines. Ultimately, Level 3 discovered that the BASHLITE malware family was connected to about 100 C&C servers, some of which were launching a hundred short-term distributed denial-of-service (DDoS) attacks each day. The misleading initial impression of the botnets' scope was due to their highly compartmentalized structure, which gives unreliable signals about their real size.
Level 3 notes that hacker collectives are focusing on IoT devices because they are relatively easy targets, and are then using them to run DDoS attacks that the bad actors sell as a service to their customers. According to the research, the hackers don't care about the specifics of the device they have breached: they simply get their DDoS payload onto it as quickly as possible, run several versions of it compiled for different hardware architectures, and keep trying until one of them executes properly on the compromised device.
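The multi-architecture payload strategy described above leaves a recognisable trace on a compromised device: several ELF binaries built for CPUs the device does not have. The following Python snippet is an added example, not code from the original article or from Level 3, showing how a responder can triage dropped files by reading the ELF identification bytes and `e_machine` field and flagging anything not built for the host's architecture. The file names and header bytes are constructed for the example; the `e_machine` constants are the well-known values from the ELF specification.

```python
import struct

ELF_MAGIC = b"\x7fELF"

# Subset of e_machine values from the ELF specification, enough to cover
# the architectures commonly seen in IoT botnet payload sets.
E_MACHINE_NAMES = {
    3: "x86",
    8: "MIPS",
    20: "PowerPC",
    40: "ARM",
    42: "SuperH",
    62: "x86-64",
    183: "AArch64",
}


def identify_elf(data: bytes):
    """Parse the first 20 bytes of a file and describe it if it is an ELF image.

    Returns a dict with arch, word size, endianness and whether e_type marks it
    as an executable, or None if the bytes are not a valid ELF header.
    """
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data = data[4], data[5]          # EI_CLASS, EI_DATA
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None
    fmt = "<HH" if ei_data == 1 else ">HH"        # e_type and e_machine follow EI_DATA's byte order
    e_type, e_machine = struct.unpack(fmt, data[16:20])
    return {
        "arch": E_MACHINE_NAMES.get(e_machine, f"unknown({e_machine})"),
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "executable": e_type == 2,                # ET_EXEC
    }


def foreign_binaries(samples, host_arch):
    """Names of samples that are ELF images but were built for an arch other than host_arch."""
    hits = []
    for name, blob in samples.items():
        info = identify_elf(blob)
        if info is not None and info["arch"] != host_arch:
            hits.append(name)
    return hits


def _header(ei_class, ei_data, e_machine):
    """Build a minimal 20-byte ELF header (constructed test data, not a real binary)."""
    fmt = "<HH" if ei_data == 1 else ">HH"
    return ELF_MAGIC + bytes([ei_class, ei_data, 1]) + b"\x00" * 9 + struct.pack(fmt, 2, e_machine)


# Constructed sample: what a responder might collect from a device's /tmp after an
# infection attempt. The paths are hypothetical; the shell script is there to show
# that non-ELF files are ignored.
SAMPLES = {
    "/tmp/.x.arm": _header(1, 1, 40),      # 32-bit little-endian ARM
    "/tmp/.x.mips": _header(1, 2, 8),      # 32-bit big-endian MIPS
    "/tmp/.x.x86_64": _header(2, 1, 62),   # 64-bit little-endian x86-64
    "/tmp/.x.sh": b"#!/bin/sh\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, identify_elf(blob))
    # On an ARM camera, the MIPS and x86-64 droppers are the ones that could never run here.
    print(foreign_binaries(SAMPLES, "ARM"))
```

On a real device the same check is run over the files actually found in writable directories such as `/tmp`; a cluster of same-named binaries for several architectures, most of which cannot execute on the host, is a strong indicator of the spray-and-pray infection pattern the article describes.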
The vast majority of targeted IoT devices were cameras and video recorders. Level 3 also points out that this is a dramatic shift from the older structure of most botnets, where the compromised machines used in the attacks were primarily servers and home routers. According to the report, the largest share of hacked cameras and recorders were located in Taiwan, Colombia and Brazil. Most of those devices used default admin credentials and were based on some sort of Linux build. Streaming video requires a lot of bandwidth, so these devices sit on well-provisioned connections, which makes them even more powerful tools in the hands of DDoS hackers.
The majority of infected devices were made by a handful of manufacturers with 'sloppy' security measures and standards. Dahua Technology was among those few manufacturers, which is somewhat disturbing given that it is the surveillance solution company with the world's second largest market share, but Level 3's CTO said the company is taking steps to patch those vulnerabilities.
The BASHLITE campaign was not the first effort to compromise cameras and use them to execute DDoS attacks. In 2016 alone, there were two smaller instances of botnets built from CCTV devices and webcams.