
Black Arrow Cyber Advisory 26/05/2022 – Check the security of IoT Devices, Increase in Linux Botnet Malware

Executive Summary

Microsoft has detected a significant increase in malware targeted at Linux systems to create botnets, which can be used for distributed denial-of-service (DDoS) and other types of attack. Internet-of-Things (IoT) or Smart Devices often run a Linux operating system to provide their service. These are often not patched regularly, if at all, making them a target for this type of attack. Cloud service providers also often use Linux-based operating systems.

What’s the risk to me or my business?

While IoT/Smart Devices are normally associated with home use, there has been an increase in their use in business locations. As these devices are often not as well supported by the manufacturer for security updates, and rely on internet connectivity to function, they are a prime target for attackers. Once a device has been compromised and added to a botnet, it could be used to bring targeted services down via a DDoS attack, or to compromise other devices through brute force attacks.

What can I do?

It is important to keep all devices and systems in use updated, to patch the vulnerabilities which enable the attacks described above. It is also important to have Anti-Virus and endpoint management enabled on these devices where supported. IoT/Smart Devices pose their own challenge here, as it is often not immediately clear who is responsible for updating the device (the vendor or the user), and whether security updates will be provided by the vendor at all. It is also not always possible to install services such as Anti-Virus and endpoint management on these devices.

The following are good practice points for mitigating the risk that IoT/Smart devices pose:

1. Separation: Ensure that IoT/Smart devices do not sit on the same network as corporate devices. This layer of separation may be logical, using network technologies such as VLANs with access control lists, or physical, with separate network infrastructure for the devices. This will help to prevent a compromised device from being used to gain access to corporate systems.

2. Inventory: Take inventory and track what IoT/Smart devices are in use, with justification for their function. It is important to keep track of support information for these devices, to establish whether updates are still being published by the manufacturer and when it is a good time to replace devices that are no longer supported.

3. Updates: While most IoT/Smart devices will automatically update when an update is published by the vendor, this is not always the case. It is important to check how frequently updates are applied to the devices, and whether this is something which needs to be done manually by the device administrator. When manufacturer support for updates ends, it is important to consider replacing the device.

4. Monitoring: It is important to monitor the activity of an IoT device, to establish a baseline of expected connectivity for the service it provides. This baseline can then be used to raise alerts for anomalous activity outside of it as an indicator of compromise, making it quick to lock down and remove a device from the network.

5. Physical Protection: Take steps to physically protect the IoT device from tampering. These devices may contain USB ports designed for delivering updates or debugging errors, but these ports could also potentially be used to install malware.

6. Account Protection: Ensure that the accounts used to access and administer the devices are appropriately secured, following the relevant corporate Identity and Access Management policies and Password policies. These accounts often allow access to the device via the internet, which if compromised could be a potential route into the network that bypasses boundary perimeters.
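As an added example of points 2 (Inventory) and 4 (Monitoring) above, and not code from the advisory or from Microsoft, the script below learns a per-device baseline of expected destinations and typical outbound volume from a window of flow records, then flags later flows that go to a destination outside the baseline, that are far above the learned volume (the kind of outbound flood a DDoS bot would produce), or that come from a device not in the inventory at all. The flow record layout and all IP addresses, device names and byte counts are constructed for this example; in practice the records would come from NetFlow/sFlow, firewall logs or a switch span port.

```python
"""
Baseline-and-alert check for IoT device network activity.

Added example (not part of the advisory): build a per-device baseline from a
learning window of flow records, then alert on flows that leave that baseline.
Record format: (device, dst_ip, dst_port, proto, out_bytes) -- constructed.
"""
from collections import defaultdict
from statistics import mean

# Constructed learning window: what each inventoried device normally talks to.
BASELINE_FLOWS = [
    ("camera-01", "10.0.50.10", 443, "tcp", 12_000),   # vendor cloud upload
    ("camera-01", "10.0.50.10", 443, "tcp", 11_500),
    ("camera-01", "10.0.0.53", 53, "udp", 90),         # internal DNS
    ("camera-01", "10.0.0.123", 123, "udp", 76),       # internal NTP
    ("thermo-02", "10.0.50.20", 8883, "tcp", 800),     # MQTT over TLS
    ("thermo-02", "10.0.0.53", 53, "udp", 80),
]

# Constructed later window containing both normal and anomalous flows.
OBSERVED_FLOWS = [
    ("camera-01", "10.0.50.10", 443, "tcp", 12_300),         # normal
    ("camera-01", "203.0.113.77", 80, "tcp", 52_000_000),    # new dst, flood-sized
    ("camera-01", "10.0.0.53", 53, "udp", 85),               # normal
    ("thermo-02", "198.51.100.9", 22, "tcp", 4_000),         # new dst (SSH out)
    ("thermo-02", "10.0.50.20", 8883, "tcp", 790),           # normal
    ("printer-03", "10.0.0.53", 53, "udp", 80),              # not in inventory
]


def build_baseline(flows):
    """Return {device: {"dests": {(ip, port, proto)}, "avg_bytes": number}}.

    Devices present in the learning window form the inventory; anything else
    seen later is treated as unknown.
    """
    dests = defaultdict(set)
    volumes = defaultdict(list)
    for dev, ip, port, proto, nbytes in flows:
        dests[dev].add((ip, port, proto))
        volumes[dev].append(nbytes)
    return {
        dev: {"dests": dests[dev], "avg_bytes": mean(volumes[dev])}
        for dev in dests
    }


def detect_anomalies(baseline, flows, volume_factor=10):
    """Return a list of (device, alert_kind, detail) tuples.

    alert_kind is one of: unknown_device, new_destination, volume_spike.
    volume_factor is the multiple of the device's average flow size above
    which a single flow is treated as a spike (an assumed threshold).
    """
    alerts = []
    for dev, ip, port, proto, nbytes in flows:
        target = f"{ip}:{port}/{proto}"
        profile = baseline.get(dev)
        if profile is None:
            alerts.append((dev, "unknown_device", target))
            continue
        if (ip, port, proto) not in profile["dests"]:
            alerts.append((dev, "new_destination", target))
        if nbytes > volume_factor * profile["avg_bytes"]:
            alerts.append((dev, "volume_spike", f"{nbytes} bytes to {target}"))
    return alerts


if __name__ == "__main__":
    profile = build_baseline(BASELINE_FLOWS)
    for dev, kind, detail in detect_anomalies(profile, OBSERVED_FLOWS):
        print(f"ALERT {dev:<10} {kind:<16} {detail}")
```

Run against the constructed data, this produces one alert for the unknown printer, two for new destinations (the camera's web traffic to an outside host and the thermostat's outbound SSH) and one volume spike for the camera, which is the flow most worth isolating first. A real deployment would refresh the baseline only from windows that have been reviewed as clean, and feed alerts into the process for locking down and removing the device described in point 4.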

Technical Summary

The specific malware identified by Microsoft is a Linux Trojan named XorDdos. This is not new malware; it was originally discovered in 2014. Research shows that once compromised, these devices are often infected with additional malware used for different purposes.

Further technical details can be found here: Rise in XorDdos: A deeper look at the stealthy DDoS malware targeting Linux devices - Microsoft Security Blog.

Further information on IoT best practices can be found here: Internet of Things (IoT) security best practices | Microsoft Docs; Code of Practice for consumer IoT security - GOV.UK (www.gov.uk); Ten best practices for securing the Internet of Things in your organization | ZDNet.

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity