Rewterz Threat Alert – KmsdBot Malware Evolves to Target IoT Devices with Enhanced Abilities – Active IOCs

Severity

High

Analysis Summary

An updated version of a malware botnet named KmsdBot is now focusing on attacking Internet of Things (IoT) devices, demonstrating an expansion in its capabilities and potential targets. This new version of KmsdBot includes additional features, such as support for Telnet scanning and compatibility with more CPU architectures. This information was revealed by Akamai security researcher Larry W. Cashdollar in an analysis released recently.

The revised KmsdBot has been active since July 16, 2023. This update comes a few months after it was discovered that the botnet was being offered as a service for distributed denial-of-service (DDoS) attacks, highlighting its continued relevance and effectiveness in real-world cyberattacks.

The origins of KmsdBot can be traced back to November 2022 when it was initially documented by a web infrastructure and security company. Originally designed to target private gaming servers and cloud hosting providers, the malware has since expanded its focus to include targets like Romanian government websites and Spanish educational sites.

The primary method of attack employed by KmsdBot involves scanning random IP addresses for open SSH ports and then using a list of passwords from a server controlled by the threat actor to brute-force its way into the systems. The updated version not only retains this SSH scanning capability but also introduces Telnet scanning. The Telnet scanner functions by generating random IP addresses and attempting to connect to port 23 on those addresses. Unlike a basic connection attempt, the Telnet scanner verifies the presence of data in the receiving buffer.

The attack via Telnet involves downloading a text file named “telnet.txt.” This file contains a list of commonly used weak passwords and their corresponding combinations, primarily targeting IoT devices with unchanged default credentials.

Cashdollar, the researcher, highlights the ongoing relevance of KmsdBot’s activities, emphasizing the continued prevalence and vulnerability of IoT devices on the internet. This makes them appealing targets for creating a network of compromised systems. The addition of Telnet scanning capabilities represents an expansion in the botnet’s attack surface, enabling it to potentially target a broader array of devices. Furthermore, the malware’s evolution, including the incorporation of support for more CPU architectures, poses a persistent and growing threat to the security of internet-connected devices.

Impact

• Services Disruption
• Financial Loss
• Reputational Damage

Indicators of Compromise

MD5

• e4f9737b54a64b707c308c6da1492ad6
• 56b621c794cc3f808959604de397ce88
• 7f743dd5cacd0720f91d82671227f388
• 8f5c7bc09df0e6ede20c3697abf635e0
• ff9873cb3b7390c1c9191303d0f101f5
• 6685095bd788bca5187611059f857f86

SHA-256

• 66e0f3674a66647d5a9e23f47f889d4e3ad9b4a66db8f3def48d4675374d12f7
• 718fc249bcd6bc37ad229fb2d8c4037dc8dc8f4555d01934266d1a0c17d676cf
• 1f66675d2102e5d4ac89a239f9022c48b3bf23fe92dadb832d84e0eac6e476d6
• 50afbf471a92acd1a0a6a2ffe199a52881eb80f683d95273302506194b2cd6ae
• 812133033ba969731b66c63d5468556e42048bad396ef1026b5a91dda98bc289
• 542791cf2dde1f449629b03ef95d3c2e0b2f98b1143d619232620d7c9459706c

SHA-1

• 60038ae3806f759711ad151b762640b53e3503cd
• b2cbcf098c6d9121d7a3f563e3365ffe530141ca
• 7028c7c941708c11ed57428a59123d4f4a11a064
• ea509f3b420d78e881b38701ebfb0f06f271003b
• 43031997a1a2b45d35eac9f5ee8afd3c82f6b3f9
• 9e9d502965e421eea0a8a12a56402ad51e2eefe6

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
• One of the primary methods used by the malware is exploiting default or weak credentials. Users should always change default usernames and passwords to strong, unique ones on all IoT devices as soon as they are set up.
• Ensure that all IoT devices have the latest firmware and software updates installed. Manufacturers often release updates to address security vulnerabilities. Regularly check for updates and apply them promptly.
• Separate IoT devices from critical business or personal networks through network segmentation. This limits the potential impact of a compromised IoT device on other sensitive systems.
• Utilize firewalls and intrusion detection systems (IDS) to monitor network traffic and detect unusual or malicious activities. These systems can help identify and block unauthorized access attempts.
• Disable any unnecessary services or protocols on IoT devices. If a service is not actively needed, it’s best to turn it off to reduce potential attack vectors.
• Implement strong authentication mechanisms, such as multi-factor authentication (MFA), where possible.
• Employ behavioral analytics to detect anomalies in device behavior. This can help identify compromised devices based on unusual patterns of activity.
• Continuously monitor network traffic and device behavior for signs of compromise. Detecting and responding to threats early can minimize potential damage.
• Enforce strong password policies for IoT devices. Require passwords to be of a certain length, complexity, and changed periodically.
• Critical IoT devices that control essential operations should be isolated from the public internet. Use virtual private networks (VPNs) or other secure means to access them remotely.
• Conduct regular security audits and penetration testing to identify vulnerabilities and weaknesses in IoT devices and their configurations.