About 6 months ago, I wrote an article on the massive cyberattack of 21/10/2016 and the involvement of printers in this cyberattack, via hijacked ‘internet connected devices’. I elaborated on the risk of internet connected devices in another article, on security and the Internet of Things (IoT). Today I have to give you a very serious warning: the latest malware, called ‘brickerbot’, will completely disable internet connected devices. This malware might be spreading like hell over the next weeks and months. You should take it seriously. Before your production devices are taken down. Tens of thousands of internet connected printers, workflow systems, print and color servers are visible on the internet and might be vulnerable for this kind of attack.
The new malware was discovered earlier this month, by Radware. And it seems to do serious harm, resulting in a ‘PDoS’, a ‘permanent denial of service’. It will screw up your IoT device, turning it into a dumb brick.
What you should do
First check which devices in your company are internet connected. These can be ‘Internet of Things’ (IoT) devices, but also machines with ‘remote diagnostics’ by the vendor. Or when vendors do data collection for statistics and benchmarking.
Second: for those devices, check the security settings. Especially: the username and password. If these are still the default values, you might be in trouble. You need to change them. If it concerns a machine with remote diagnostics or benchmarking: contact the vendor. If he doesn’t know what you are talking about, show him this article and the article from Radware.
Radware, who discovered the malware, gives following advice for protecting IoT devices and securing the network. Check this with the vendor of your internet connected devices!
- Change the device’s factory default credentials.
- Disable Telnet access to the device.
- Network Behavioral Analysis can detect anomalies in traffic and combine with automatic signature generation for protection.
- User/Entity behavioral analysis (UEBA) to spot granular anomalies in traffic early.
- An IPS should block Telnet default credentials or reset telnet connections. Use a signature to detect the provided command sequences.
Printers, prepress servers exposed
If you want to check whether your devices are visible from the internet, there is a specialized search engine for that: https://www.shodan.io/
When searching for ‘prepress’ in this search engine, I found 91 hits. Which means these 91 prepress servers might be vulnerable for an attack, for ‘bricking’. A specific (high end) print server got 60 hits. But when looking for a specific vendor of printers and digital presses, whose devices were probably involved in the 21/10/2016 cyberattack, I got 8.711 hits… Based on the list with ‘top products’ in the search results, most of them are network connected printers.
When searching for another brand, I found 2.950 ‘printer web interface’ devices and 1.496 ‘printer http config’ devices in the top products.
But the record of my brief search goes to yet another brand of printers and digital presses: 12.747 hits.
Why this is important
Internet villains are becoming very nasty. And more and more they are specifically targeting businesses. One of the nastiest tricks in their books, next to ransomware, is this new malware attack that will ruin internet connected devices. It could ruin your production capacity.
UPDATE 22/04/2017: here is an interesting article! The maker of Brickerbot claims to have ‘bricked’ over 2 million devices this far. But, even more interesting, is why he started this project: he created BrickerBot with 84 routines that try to secure devices so they can’t be taken over by Mirai and other malware. Here is a quote from the article: “As a preference ‘BrickerBot will try to secure units without damaging them and the bricking behavior is a ‘plan B’ (yes the B stands for brick 🙂 for units which are unlikely to be securable.” Interesting…