Over a billion ARC processors may have been affected by Okiru botnet, a new variant of Mirai which is used frequently by hackers to enslave IoT devices and steal sensitive user data.
ARC processors impacted by the new Okiru botnet are extensively used in cars, mobiles, TVs, cameras, and many other connected IoT devices numbering over a billion in total.
We recently covered how the infamous Mirai botnet, as well as its several variants, have been used frequently by hackers to compromise entire IoT networks, enslave IoT devices and to steal sensitive user data. The new Okiru botnet is another variant of Mirai and has potentially affected over a billion ARC processors that are used in IoT devices across the world.
The revelation about the new botnet’s capabilities was made on Twitter by security researcher Odisseus who said that this is the first time in history that a Mirai variant has been able to compromise ARC CPUs.
‘From this day, the landscape of #Linux #IoT infection will change. #ARC CPU has produced #IoT devices more than 1 billion per year. So these devices are what the hackers want to aim to infect #ELF #malware with their #DDoS cannons. It’s a serious threat will be.
‘This is the FIRST TIME ever in the history of computer engineering that there is a malware for ARC CPU, & it is #MIRAI OKIRU!! Pls be noted of this fact, & be ready for the bigger impact on infection Mirai (specially #Okiru) to devices hasn’t been infected yet,’ the researcher warned.
Last month, security researcher Li Fengpei revealed the arrival of a new Mirai variant named Satori which, he said, infected more than 280,000 different IPs which were scanning ports 37215 and 52869 within a space of twelve hours. Unlike other Mirai variants, the Satori botnet features two embedded exploits that connect to ports 37215 and 52869 to infect more devices.
However, according to researchers at Italy’s CERT (Computer Emergency Response Team), the new Okiru botnet, unlike Satori, ‘is encrypted in two parts and the attack via Telnet is much more incisive as it uses a list of over 100 credentials’
‘This new malware discovery should help security analysts understand just how quickly IoT devices can “turn” and become useful to an adversary – either as a member of a botnet or a jumpbox into a network. Remember that devices similar to these were at the heart of the Dyn denial of service attack, the largest of its kind in history,’ noted Barry Shteiman, Director of Threat Research at Exabeam.
‘The best way to illuminate this attack risk is to monitor the behaviour of IoT devices in much the same way as actual human users. If you can’t directly protect and manage the devices on your network, you must understand what normal behaviour for the devices looks like; then it’s possible to get an early indication of when a device has been highjacked by hackers and is likely being used for malicious means,’ he adds.
Even though sophisticated botnet variants are able to compromise millions of IoT devices in single attacks, a large number of IoT devices are also rendered vulnerable by their manufacturers themselves who don’t think much about cyber security while designing them.
Earlier this month, a team of researchers at Trend Micro discovered critical security flaws in popular connected speakers like Sonos Play:1 and Bose SoundTouch speakers. An open port in these two devices not only allowed the researchers to remotely access them but also allowed them to find out their locations as well as e-mail addresses of their owners that were linked to music streaming services synced with the devices. They added that the vulnerability was present in as many as 4,000 to 5,000 Sonos speakers.