26 June 2019

New destructive Silex malware bricks thousands of IoT-devices in just a few hours

Security researchers have warned about a new strain of malware called Silex that is designed to wipe the firmware of IoT devices, rendering them completely unusable. The attacks were first spotted by Akamai researcher Larry Cashdollar, who said that the malware had bricked over 2,000 IoT devices in the span of just a few hours and that the attacks were still ongoing.

According to Cashdollar, Silex trashes the storage of an infected device by writing random data from /dev/random to any mounted storage it finds. It then removes the network configuration, flushes all iptables rules and adds a single rule that blocks all connections, and finally halts the system. The only way to recover a bricked device is to manually reinstall its firmware.

To compromise a device, the malware works through a list of known default credentials for IoT devices. It targets any Unix-like system that still uses default login credentials, including Linux servers with open Telnet ports protected only by weak passwords, Cashdollar explained. He said that the IP address behind the observed attacks is hosted on a VPS owned by novinvps.com, a provider operated out of Iran. The IP address has already been added to the URLhaus blacklist.

Another researcher, Ankit Anubhav of NewSky Security, has traced the operator behind the malware. Anubhav believes that the author of Silex is a 14-year-old from Iran known online under the pseudonym Light Leafon, who also created the HITO IoT botnet.

In conversation with the researcher, Light Leafon said that Silex was initially created as a joke but has since become a full-scale project. He plans to add more capabilities to the malware, including the ability to log into IoT devices via SSH and a set of exploits for known vulnerabilities in the devices.
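The attack surface described above is a Telnet service that still accepts factory credentials. The following is an added example, not code from the article or from the malware: a small Python audit that tries a list of default credentials against a device's Telnet login and reports the first pair that yields a shell prompt, so an owner can find such devices before a worm does. The credential list, the mock device used to make it runnable offline, and the "login:"/"Password:"/"# " prompt sequence are constructed assumptions; a real device's prompts may differ.

```python
import socket
import socketserver
import threading

# Constructed sample of the kind of default credentials Silex is reported to
# try (assumption: the real list used by the malware is not on the page).
DEFAULT_CREDENTIALS = [
    ("admin", "admin"),
    ("root", "root"),
    ("root", "12345"),
    ("user", "user"),
]


def _read_until(sock, marker, timeout=3.0, limit=4096):
    """Read from sock until `marker` appears, the peer closes, or we time out."""
    sock.settimeout(timeout)
    buf = b""
    while marker not in buf and len(buf) < limit:
        try:
            chunk = sock.recv(256)
        except socket.timeout:
            break
        if not chunk:  # peer closed the connection
            break
        buf += chunk
    return buf


def try_login(host, port, user, password, timeout=3.0):
    """Attempt one Telnet-style login; True if a shell prompt (# or $) comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if b"login:" not in _read_until(sock, b"login:", timeout).lower():
            return False
        sock.sendall(user.encode() + b"\r\n")
        if b"password:" not in _read_until(sock, b"assword:", timeout).lower():
            return False
        sock.sendall(password.encode() + b"\r\n")
        reply = _read_until(sock, b"# ", timeout)
        # A rejected login prints "Login incorrect"; an accepted one ends in a prompt.
        return b"incorrect" not in reply.lower() and reply.rstrip().endswith((b"#", b"$"))


def audit_device(host, port, credentials=DEFAULT_CREDENTIALS):
    """Return the first (user, password) pair the device accepts, else None."""
    for user, password in credentials:
        try:
            if try_login(host, port, user, password):
                return (user, password)
        except OSError:  # refused / unreachable: nothing to audit
            return None
    return None


class _MockTelnetDevice(socketserver.BaseRequestHandler):
    """Constructed stand-in for an IoT Telnet login flow (assumption, not a real device)."""
    accepted = ("root", "root")

    def handle(self):
        sock = self.request
        sock.sendall(b"login: ")
        user = _read_until(sock, b"\n").strip().decode(errors="replace")
        sock.sendall(b"Password: ")
        password = _read_until(sock, b"\n").strip().decode(errors="replace")
        if (user, password) == self.accepted:
            sock.sendall(b"\r\nBusyBox v1.30.1 built-in shell (ash)\r\n# ")
        else:
            sock.sendall(b"\r\nLogin incorrect\r\n")
        # The connection is closed when handle() returns; a real device would re-prompt.


def start_mock_device(accepted=("root", "root")):
    """Start a mock device on 127.0.0.1 and return (server, port)."""
    handler = type("Handler", (_MockTelnetDevice,), {"accepted": accepted})
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    server, port = start_mock_device(("root", "root"))
    print("accepted default credentials:", audit_device("127.0.0.1", port))
    server.shutdown()
    server.server_close()
```

Run it against the mock device to see the flow end to end, then point `audit_device` at your own devices' Telnet ports. Anything that returns a credential pair should have its password changed and, where the device allows it, Telnet disabled in favour of SSH with keys.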
