Researchers have exposed millions of Linux-based IoT devices infected with BASHLITE malware — Lizard Squad and PoodleCorp have already released Linux-based DDoS tools.
Dubbed Bashlite by researchers; this malware is written in C with the capability to infect IoT devices especially security cameras (surveillance system) and turn them into a DDoS botnet.
If you haven’t heard of Bashlite before that’s because this malware has several other names such as Lizkebab, BASHLITE, Torlus and gafgyt.
Bashlite can brute force a vulnerable device and steal its login credentials and distributes itself on other devices. Researchers further explained that the malware source code was leaked back in 2015 (it has a dozen of variants in 2016) that revealed that its prime target is Linux-based IoT devices. Until now, researchers have found over 1 million devices manufactured by Dahua Technology being infected with Bashlite malware in Brazil, Colombia and Taiwan.
Most of the infected devices are digital video recorder (DVRs) and Dahua tech has already been informed about the issue.
“The security of IoT devices poses a significant threat. Vendors of these devices must work to improve their security to combat this growing threat. However, as a consumer of these devices, you do have options to improve your security. If you have one of these devices, standard security best practices advice applies,” researchers explained.
Lizard Squad and DDoS:
The use of IoT devices as a botnet is not something new. Previously, Lizard Squad released a Linux-based DDoS tool LizardStresser which has been used to hack CCTV devices and use them to target high profile targets flooding them with as much as 400Gbps of data. The attacks were aimed mostly at gaming platforms, Brazilian financial institutions, ISPs, and government institutions.
PoodleCorp and DDoS:
PoodleCorp is also promoting their DDoS tool these days and increasingly targeting IoT devices to build botnets to conduct DDoS attacks. The group has quickly made a name by DDoSing several gaming giants including, Pokemon Go, PlayStation, Electronic Arts (EA), Grand Theft Auto, Blizzard and League of Legends
If you are a website owner and receiving DDoS attacks contact DDoS protection firms like Sucuri or Incapsula — If you own a CCTV camera make sure to remove default login and password and use strong login credentials to avoid them from being misused.
More technical details available here on Level3 blog.