A new wave of cyber attacks was discovered by researchers, and this time, the targets are badly secured routers and other Internet-of-Things (IoT) devices. In these attacks, hacked bots are scanning the Internet in search of Linux-based routers and similar devices that aren’t properly protected.

Every device that can be connected to the Internet comes with a default password. The users are expected to change those default login credentials once they get their hands on the device. Those who don’t are now becoming targets of the new wave of attacks. Once the scanning locates a target, it runs a series of debilitating commands to wipe every file on that device, corrupt its storage and sabotages its Internet connection.

Security firm Radware’s researchers have detected over 2,250 PDoS (Permanent Denial Of Service) attacks in only four days. Attacks were aimed at the group of devices that were made available in specially constructed “honeypots”.

These attacks are being conducted by two variations of botnets called BrickerBot.1 and BrickerBot.2. BrickerBot.1’s attacks were traced to multiple origins all over the world, and its attacks were simpler and stopped after some time, even though they were greater in numbers. BrickerBot.2 uses a cloaking technique and its origin cannot be traced. Its attacks are fewer in numbers but more complex and deal more damage. Both bots are designed to brick real life devices with faulty security.

Geo mapped source IPs of BrickerBot.1 / Image Credit: Radware

These attacks resemble those of Mirai, a special botnet whose purpose was to create an army of hacked IoT devices and use them to damage prominent websites through the large usage of DDoS attacks. But when it comes to BrickerBot, its purpose is still unclear.

At first, Radware’s researchers concluded that the point of these attacks was to take over the flawed devices so that they wouldn’t be used by other hackers, but after the discovery of the second bot, this theory was abandoned, and it became clear that the only point of these attacks so far is to destroy everything that can be reached.

When it comes to BrickerBot.1, it’s known that most of its attacks were launched against the devices using BusyBox collection of Unix tools, and the most destruction by BrickerBot.1 was caused from targeting two types of flash storage – MultiMediaCard devices, and Memory Technology Device. Both are known to be used in Internet of Things devices. During the four days, BrickerBot.1 launched 1,895 attacks from all around the world.

BrickerBot.2, on the other hand, is a lot stealthier and meaner. It was discovered in less than an hour after the discovery of the first one, and it targeted a wider variety of storage disks. It was also found on many devices that don’t run BusyBox, and since it uses the Tor anonymity service, it’s IP cannot be tracked back to its source. It targets devices with default passwords, and that limits its reach.

In addition to corrupting the targeted devices, it also deletes all of the data found on it, removes the Internet gateway and causes other types of damage that make the device useless.

Both bots are targeting devices with bad security, therefore, it’s about time the cybercriminals behind these attacks will use these devices to carry a large DDoS attack. If you own an IoT device change its default credentials or getting bricked is only a matter of time.


DDoS attacks are increasing, calculate the cost and probability of a DDoS attack on your business with this DDoS Downtime Cost Calculator.

Ali Raza

Ali is a freelance journalist, having 5 years of experience in web journalism and marketing. He contributes to various online publications. With a master degree, now he combines his passions for writing about internet security and technology. When he is not working, he loves traveling and playing games.