Security researchers have warned about a new strain of malware called Silex that is designed to wipe the firmware of IoT devices, rendering them completely unusable. The attacks were first spotted by Akamai researcher Larry Cashdollar, who said that the malware had bricked over 2,000 IoT devices in the span of just a few hours and that the attacks are still ongoing.
According to Cashdollar, Silex trashes the storage of infected devices by writing random data from /dev/random to any mounted storage it finds, drops firewall rules, wipes network configurations, and flushes all iptables entries, adding a single rule that blocks all connections before halting the system. The only way to recover a bricked device is to manually reinstall the firmware.
To compromise a device, the malware uses a list of known default credentials for IoT devices. It targets any Unix-like system with default login credentials, including Linux servers with open Telnet ports that use weak credentials, Cashdollar explained. He said that the IP address behind the observed attacks is hosted on a VPS server owned by novinvps.com, which is operated out of Iran. This IP has already been added to the URLhaus blacklist.
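The two conditions Silex relies on, a reachable Telnet service and an account that accepts a default or empty password, are both things a device owner can audit locally. The following script is an added example written for this article; it is not code from the researchers or from the malware. It assumes the output format of `ss -tln` (State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port) and the standard `/etc/shadow` field layout, and the sample data embedded below is constructed for illustration.

```python
"""Audit a Linux/IoT host for the exposure Silex exploits:
a Telnet listener reachable from the network, and accounts with
no password set. Example code, not part of the original article."""

TELNET_PORT = "23"
LOOPBACK = {"127.0.0.1", "[::1]"}


def telnet_exposed(ss_output: str) -> list[str]:
    """Return local addresses listening on TCP/23 that are not loopback-only.

    Expects the text of `ss -tln`: a header line followed by one socket per
    line, with the local address in the fourth whitespace-separated field.
    """
    exposed = []
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        local = fields[3]
        host, _, port = local.rpartition(":")  # handles "[::]:23" too
        if port == TELNET_PORT and host not in LOOPBACK:
            exposed.append(local)
    return exposed


def passwordless_accounts(shadow_text: str) -> list[str]:
    """Return users whose /etc/shadow password field is empty.

    An empty second field means login succeeds with no password at all;
    "*" and "!" mean the account is locked and are not flagged.
    """
    weak = []
    for line in shadow_text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) >= 2 and parts[1] == "":
            weak.append(parts[0])
    return weak


def audit(ss_output: str, shadow_text: str) -> dict:
    """Combine both checks into one findings report."""
    return {
        "telnet_exposed": telnet_exposed(ss_output),
        "passwordless_accounts": passwordless_accounts(shadow_text),
    }


# Constructed sample data standing in for `ss -tln` and /etc/shadow.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
LISTEN 0      128    0.0.0.0:23        0.0.0.0:*
LISTEN 0      128    127.0.0.1:23      0.0.0.0:*
LISTEN 0      128    [::]:80           [::]:*
"""

SAMPLE_SHADOW = """\
root:$6$constructed$notarealhash:18000:0:99999:7:::
admin::18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
pi:!:18000:0:99999:7:::
"""

if __name__ == "__main__":
    # On a real host, replace the samples with:
    #   subprocess.run(["ss", "-tln"], capture_output=True, text=True).stdout
    #   open("/etc/shadow").read()   (requires root)
    for key, value in audit(SAMPLE_SS, SAMPLE_SHADOW).items():
        print(f"{key}: {value or 'none'}")
```

On the sample data the report flags `0.0.0.0:23` (the loopback-only Telnet listener is ignored) and the `admin` account, which has no password. A device that shows either finding is exactly the kind of target the article describes: the fix is to disable Telnet in favour of SSH and to set a unique password on every account before the device is put on the network.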
Another researcher, Ankit Anubhav of NewSky Security, has managed to trace the operator behind the malware. Anubhav believes that the Silex author is a 14-year-old from Iran who is known online under the pseudonym Light Leafon. The same author also created the HITO IoT botnet.
In conversation with the researcher, Light Leafon explained that Silex was initially created as a joke but has since become a full-scale project. In the future he plans to add more capabilities to the malware, including the ability to log into IoT devices via SSH and a list of exploits for compromising devices through vulnerabilities rather than weak credentials.