WootCloud specialists discovered the Ares IoT botnet, which mainly infects Android consoles manufactured by HiSilicon, Cubetek and QezyMedia.
The malware does not exploit any vulnerabilities; instead, it infects devices whose Android Debug Bridge (ADB) debug port is reachable over the network. Although ADB is disabled by default on most devices, some gadgets still ship with it turned on (often listening on TCP port 5555). As a result, unauthenticated attackers can connect to a vulnerable device remotely and obtain an ADB command shell, which is normally used to install and debug applications.
“When attackers discover TCP port 5555 on the device, they verify and validate the security posture of the service, which includes the authentication and authorization controls structured around it. Once the Ares bot is installed on the Android-based devices, it launches scanners to: fingerprint and detect more Android devices via the ADB interface; install attacker-specific payloads on the compromised devices to trigger an additional set of attacks such as crypto-mining, etc.”, report WootCloud specialists.
Ares is far from the first botnet to use this tactic, and far from the first built on the code of the well-known IoT malware Mirai. Today, however, Ares is considered one of the most active Mirai-based botnets.
Although Ares is definitely trying to infect any devices available through ADB, according to WootCloud, the botnet now consists mainly of the aforementioned Android consoles (but, according to researchers, this can change at any time). So far, compromised devices are used only to search for and infect new hosts, and the ultimate goal of the malware operators is unknown.
Experts write that the Mirai-based threat is able to proxy traffic and can also be used to conduct DDoS attacks. Moreover, vulnerable Android devices in corporate environments make an excellent springboard for hackers and can serve attackers as entry points into corporate networks.
Countermeasures by WootCloud:
- Always configure network policies with VLAN segmentation to restrict the ingress and egress network traffic of the IoT devices.
- Restrict the ADB interface on the IoT devices to an authorized IP address space.
- Monitor the ADB interface traffic originating from unknown sources, including the network traffic originating from these devices.
- Always configure passwords for interfaces such as Telnet, Web, SNMP, etc. on the IoT devices.
- Always change the password from the default string to a more complex one.
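The two ADB countermeasures above (restrict ADB to an authorized address space, and watch ADB traffic from unknown sources and from the devices themselves) can be checked against firewall or flow logs. The following is an added example, not code from WootCloud or the article: it assumes a hypothetical `key=value` flow record format, a hypothetical IoT VLAN (`10.10.70.0/24`) and management network (`10.10.50.0/24`), and flags TCP/5555 connections that break that policy, including an IoT device itself initiating ADB connections, which is the scanning behaviour the report describes.

```python
import ipaddress
import re

ADB_PORT = 5555  # TCP port the article says ADB is commonly left listening on

# Assumptions (hypothetical addressing, not from the report):
IOT_VLAN = ipaddress.ip_network("10.10.70.0/24")                   # segment holding the Android devices
AUTHORIZED_ADB_SOURCES = [ipaddress.ip_network("10.10.50.0/24")]   # hosts allowed to reach ADB

# Hypothetical flow-record layout: "<ts> src=<ip> dst=<ip> dport=<port> proto=<proto>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

def parse_flow(line):
    """Parse one flow record into a dict; return None for malformed lines or bad addresses."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["src"] = ipaddress.ip_address(rec["src"])
        rec["dst"] = ipaddress.ip_address(rec["dst"])
    except ValueError:
        return None
    rec["dport"] = int(rec["dport"])
    return rec

def is_authorized_source(addr):
    """True if the address belongs to a network permitted to use ADB on the IoT devices."""
    return any(addr in net for net in AUTHORIZED_ADB_SOURCES)

def classify_adb_flows(lines):
    """Return (ts, finding, src, dst) for every TCP/5555 flow that violates the ADB policy."""
    findings = []
    for line in lines:
        rec = parse_flow(line)
        if rec is None or rec["proto"].lower() != "tcp" or rec["dport"] != ADB_PORT:
            continue  # not an ADB connection attempt (or unparseable), ignore
        if rec["src"] in IOT_VLAN:
            # An IoT device opening ADB sessions itself is the lateral scanning the report describes.
            findings.append((rec["ts"], "iot_device_initiating_adb", str(rec["src"]), str(rec["dst"])))
        elif rec["dst"] in IOT_VLAN and not is_authorized_source(rec["src"]):
            findings.append((rec["ts"], "inbound_adb_from_unauthorized_source", str(rec["src"]), str(rec["dst"])))
    return findings

# Constructed sample flow records (not from the report); management host, external host,
# device-to-external, device-to-device, an unrelated HTTPS flow, and a malformed line.
SAMPLE_FLOWS = [
    "2019-09-03T10:01:02Z src=10.10.50.12 dst=10.10.70.21 dport=5555 proto=tcp",
    "2019-09-03T10:01:09Z src=203.0.113.45 dst=10.10.70.21 dport=5555 proto=tcp",
    "2019-09-03T10:02:15Z src=10.10.70.21 dst=198.51.100.9 dport=5555 proto=tcp",
    "2019-09-03T10:02:40Z src=10.10.70.22 dst=10.10.70.23 dport=5555 proto=tcp",
    "2019-09-03T10:03:00Z src=192.0.2.7 dst=10.10.70.21 dport=443 proto=tcp",
    "this line is not a flow record",
]
```

Running `classify_adb_flows(SAMPLE_FLOWS)` yields three findings: the external host reaching ADB on a device, and two devices initiating ADB connections themselves.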