Threat intelligence teams at Firedome have recently detected a new variant of InterPlanetary Storm. This variant had not been seen before and would have slipped past most signature-based antivirus engines. It was caught on a device in Tokyo when it attempted a malicious DNS request, and was neutralized by the Firedome agent.
The event is consistent with a worldwide rise in botnet activity: Firedome has observed a distinct increase in attempted attacks across the fleets its agent protects. Product managers of smart IoT devices need to know what damage this type of malware can do and what they can do to protect their devices against it.
A storm of InterPlanetary proportions
InterPlanetary Storm has left a trail of more than 13,500 infected IoT devices around the globe, most of them in Asia. The malware continually updates itself with new variants and even new command-and-control infrastructure. It targets Android devices and Linux-based machines, such as routers with a poorly configured SSH (secure shell) service. It is often found abusing the Android Debug Bridge (ADB), the developer debugging interface, which, when left listening on the network (TCP port 5555 by default), gives it a shell on the device and a way to spread to others.
The malware, which has been used to run an ad revenue generation campaign, has a wide range of capabilities. Primarily it gives the attacker a backdoor into the compromised device, from which they can pursue a variety of malicious objectives, be it DDoS, potentially unwanted applications (PUAs), crypto mining, or large-scale attacks.
The malware has several features that help it persist on an infected machine. First, it detects the device's security mechanisms and honeypots, and auto-updates itself to get around the device's security posture. It then kills other processes on the machine that pose a threat to it, such as debuggers or any competing malware.
The Firedome agent terminated the InterPlanetary Storm variant and added the sample's signature to its detection set, protecting customers' fleets worldwide from further attacks by it. If your device is not protected, the following is the range of outcomes you can expect.
What this means for your device
Hacker can gain full access and control
The malware opens a connection between the compromised device and the attacker's command-and-control server, giving them full control over the device. The attacker can steal files, whether photos, video footage or audio recordings. Data theft can extend to the user's credentials for online accounts and to credit card details if the device was used to make payments. If the device sits on an enterprise network, the attacker can use it as a foothold to reach work files, business IP and other organizational resources.
Consume high CPU
The attacker may use InterPlanetary Storm to harvest the device's processing power for crypto-mining. This produces a surge in CPU consumption and degrades the device's functionality, causing it to freeze or stop working altogether.
Gain persistence across the network
Using the infected device as a base, the attacker can use it as a proxy to spread the malware through the network and infect other devices. This places an added communication burden on both the device and the network.
Access to suspicious sites
The malware may use the compromised device to access suspicious sites or domains. Those sites' access logs will record the device's IP address, damaging the reputation of the user's IP.
Device manager can get blocked out of their own device
The malware can block the ADB port from external access. Once the device is hijacked, the attacker can lock the device manager out and keep control for themselves.
Delete Files and Kill Processes
Having gained control over the device, the attacker can do as they please, whether deleting files or killing processes, all of which will significantly impair device functionality.
The Potential Business Damage to Your Brand
Having your IoT device caught up in this type of malware attack could be detrimental. If the device doesn't perform as it should, the user is not going to blame a hacker they have never met; they will blame you, the people behind the brand label.
As discussed above, InterPlanetary Storm could cause your smart device to work poorly or not at all. Not suspecting malware behind the fault, the customer will clog up your customer service center trying to get the issue fixed, and once that fails they will be looking to have the device repaired or replaced under warranty.
And that's the best case: should the breach of your device hit the media headlines, it will do significant damage to your brand reputation, impair future sales and trigger wide-scale demand for product recalls.
Breach of privacy regulations
Information leaks from your device could put you in breach of data privacy regulations. Depending on the jurisdiction and the scale of the breach, the fine could be huge.
Don’t let your device be swept up in this storm
So, what should you do to stop all this from happening? To begin with, I recommend testing your devices to find out whether they are exposed to this attack: in practice, whether ADB over TCP or an SSH service with weak or default credentials is reachable from the network. If you have a proactive security solution installed that detects and mitigates threats in real time, your fleet should be safe; if you don't, the odds are that it is vulnerable. With that in mind, we've provided the following recommendations.
Your customers have a right to know about the security of their device. It would be smart to address the issue as part of a version release update, in which you advise that a patch is in development and give a time frame for when it will be ready.
Getting a proactive defensive barrier, such as an EDR solution built specifically for IoT, should be a matter of urgency. If a device is found to be infected you may need to factory-reset it, or even reflash the firmware entirely if the malware had the chance to install itself in the system/bin folder. Reinstalling the same version may not prevent re-infection; it may be necessary to build a new version with ADB and SSH closed and distribute it to customers.
If the malware penetrated the device, there is a good likelihood that it bypassed signature-based AV software, since a new variant carries a new signature. You will need to run incident response and a breach investigation to halt the attack and minimize its scope. An EDR solution dedicated to IoT devices is more likely to catch the malware through behavioural heuristics, such as attempts to connect to strange domains or suspicious IPs, or to spawn unexpected subprocesses.
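As an added example of the "test your device" step above and of checking that a rebuilt firmware really ships with ADB and SSH closed, here is a small Python exposure check. It is not Firedome's code or anything from the original post; the target address is a placeholder, and it assumes only that adbd listens on its default TCP port 5555 and sshd on port 22. It reports reachability and the SSH banner, which is all a network probe can tell you; whether the SSH service accepts default credentials still has to be checked against your own build.

```python
"""Added exposure check: is ADB over TCP or SSH reachable on a device?

Run from a machine on the same network segment as the device under test:
    python3 exposure_check.py 192.0.2.10
(The host address is a placeholder; 5555 is adbd's default TCP port, 22 is sshd's.)
"""
import socket
import sys

ADB_PORT = 5555   # adbd listens here when ADB over TCP (ADB over Wi-Fi) is enabled
SSH_PORT = 22
TIMEOUT = 2.0     # seconds per probe; raise on slow links


def probe_tcp(host, port, timeout=TIMEOUT):
    """True if something completes a TCP handshake on host:port, else False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:        # refused, unreachable, timed out
        return False


def read_banner(host, port, timeout=TIMEOUT):
    """Return the first bytes a service volunteers (sshd sends 'SSH-2.0-...'), or ''."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            return s.recv(128).decode("ascii", "replace").strip()
    except OSError:
        return ""


def assess(adb_open, ssh_open, ssh_banner=""):
    """Turn raw probe results into findings.

    Kept free of network I/O so the decision logic can be unit-tested.
    """
    findings = []
    if adb_open:
        findings.append(
            "ADB over TCP is reachable on port %d: anyone on the network can run "
            "`adb connect` against this unit. Ship with it disabled." % ADB_PORT)
    if ssh_open:
        detail = " (%s)" % ssh_banner if ssh_banner else ""
        findings.append(
            "SSH is reachable on port %d%s: make sure no default or shared "
            "credentials exist and password authentication is off." % (SSH_PORT, detail))
    return findings


def check_device(host):
    """Probe one device and return its list of findings (empty means nothing exposed)."""
    adb_open = probe_tcp(host, ADB_PORT)
    ssh_open = probe_tcp(host, SSH_PORT)
    banner = read_banner(host, SSH_PORT) if ssh_open else ""
    return assess(adb_open, ssh_open, banner)


def demo_against_local_listener():
    """Offline self-check: probe an ephemeral localhost listener, then the same
    port once the listener is closed. Returns (True, False) on a sane system."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = probe_tcp("127.0.0.1", port)
    srv.close()
    after_close = probe_tcp("127.0.0.1", port)
    return while_open, after_close


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for finding in check_device(target) or ["No ADB or SSH exposure found on %s" % target]:
        print(finding)
```

Run it against a sample of production units, not just a lab device: ADB over TCP is frequently left on by a build flag or a debugging script that never made it out of the release checklist, and that is exactly the state a network-scanning worm looks for.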
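To make the "behavioural heuristics" point concrete, here is an added example of baseline-and-deviation detection over device telemetry. It is not Firedome's agent or any code from the post. The baseline (allowed domains, allowed peer networks, trusted binary paths) is a hypothetical one for a fictional camera firmware, the log format is invented for the example, and the log lines are constructed, not real telemetry. The idea is the one the paragraph describes: an appliance has a small, fixed set of legitimate domains, peers and binaries, so anything outside that set, or any process spawned under a remote shell such as adbd or sshd, is a finding regardless of whether the binary's hash has ever been seen.

```python
"""Added example: baseline-and-deviation detection for an IoT fleet.

An appliance should only talk to its vendor's domains and networks and only run
binaries from its read-only system partitions. Everything else is flagged.
"""
import ipaddress
import re

# Hypothetical per-product baseline for a fictional camera firmware.
ALLOWED_DOMAINS = {"api.vendor.example", "fw.vendor.example", "time.vendor.example"}
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "10.0.0.0/8")]
TRUSTED_BINARY_PREFIXES = ("/system/bin/", "/system/xbin/", "/vendor/bin/")
REMOTE_SHELL_PARENTS = {"adbd", "sshd"}   # no operator should be spawning things here in the field

# Constructed log lines in an invented format: "<ts> dev=<id> <kind> key=value ...".
SAMPLE_LOG = """\
2020-10-15T08:01:02Z dev=cam-0042 dns qname=api.vendor.example
2020-10-15T08:01:05Z dev=cam-0042 exec parent=adbd path=/system/bin/sh
2020-10-15T08:01:06Z dev=cam-0042 exec parent=sh path=/data/local/tmp/.x
2020-10-15T08:01:07Z dev=cam-0042 dns qname=update.unknown-peer.example
2020-10-15T08:01:08Z dev=cam-0042 connect dst=203.0.113.7:4001
2020-10-15T08:01:09Z dev=cam-0042 connect dst=198.51.100.20:443
2020-10-15T08:01:10Z dev=cam-0042 exec parent=init path=/system/bin/logd
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) dev=(?P<dev>\S+) (?P<kind>dns|exec|connect) (?P<rest>.*)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev.update(kv.split("=", 1) for kv in ev.pop("rest").split())
    return ev


def domain_allowed(qname):
    """Exact match or subdomain of an allowed domain; case- and trailing-dot-insensitive."""
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in ALLOWED_DOMAINS)


def ip_allowed(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETS)


def detect(log_text):
    """Return a list of (rule, 'ts dev', detail) findings for the given log text."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        tag = "%s %s" % (ev["ts"], ev["dev"])
        if ev["kind"] == "dns" and not domain_allowed(ev["qname"]):
            findings.append(("unexpected-domain", tag, ev["qname"]))
        elif ev["kind"] == "connect":
            ip = ev["dst"].rsplit(":", 1)[0]          # assumes IPv4 "addr:port" in this format
            if not ip_allowed(ip):
                findings.append(("unexpected-peer", tag, ev["dst"]))
        elif ev["kind"] == "exec":
            if ev["parent"] in REMOTE_SHELL_PARENTS:
                findings.append(("remote-shell-child", tag, "%s -> %s" % (ev["parent"], ev["path"])))
            if not ev["path"].startswith(TRUSTED_BINARY_PREFIXES):
                findings.append(("untrusted-binary", tag, ev["path"]))
    return findings


if __name__ == "__main__":
    for rule, tag, detail in detect(SAMPLE_LOG):
        print("%-20s %s  %s" % (rule, tag, detail))
```

On the constructed log this raises four findings: a shell spawned under adbd, a binary executed from /data/local/tmp, a DNS lookup outside the vendor's domains, and a connection to a peer outside the allowed networks. None of them depends on recognising the sample, which is why this style of detection holds up against a variant with a fresh signature; the cost is that the baseline has to be maintained as the firmware's legitimate behaviour changes.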
For more technical information about InterPlanetary Storm, and how to protect against it, feel free to reach out to us for a consultation.