Silex Malware

TLP:WHITE


Silex Malware: An Emerging Threat Targeting IoT Devices and Linux Servers


The NTIC Cyber Center assesses with high confidence that the threat actor behind the newly identified Silex malware campaign will expand attacks against vulnerable, exposed, and improperly secured Internet-of-Things (IoT) devices and Linux servers disabling more devices in the days and weeks ahead. Additionally, we assess that IoT devices and Linux servers exposed to the open Internet, secured with weak or default login credentials, and configured with remote access ports such as Telnet and Secure Shell (SSH) enabled remain at risk of this and similar attacks.


On Tuesday, June 25, 2019, an Akamai security researcher identified a new malware campaign targeting IoT devices and “any Unix-like system with default login credentials.” According to cybersecurity news source ZDNet, the malware used in these attacks, dubbed Silex, had already disabled approximately 350 IoT devices by the time it was discovered. An hour after its discovery, the number of devices that Silex disabled increased to 2,000. Currently, Silex only targets IoT devices and Linux systems that have Telnet enabled and its associated port, TCP port 23, exposed to the open Internet. The 14-year-old threat actor reportedly responsible for these attacks told ZDNet that he or she plans to “develop the malware further and add even more destructive functions.” These plans include adding SSH login capabilities along with incorporating vulnerability detection and exploitation functionality into the malware’s coding. The threat actor’s goal is to rework the malware to fully mimic the functionality of BrickerBot, a malware variant that reportedly disabled more than 10 million IoT devices in 2017.


According to the researcher who discovered the malware campaign, Silex works by “trashing an IoT device’s storage, dropping firewall rules, removing the network configuration, and then halting the device,” effectively wiping the infected devices’ firmware. It uses known default credentials to log into IoT devices and includes code that targets Linux servers configured with open Telnet ports secured with weak or commonly used credentials. To recover the functionality of affected IoT devices, administrators need to manually reinstall the firmware. There is currently no known motive for these attacks, although the threat actor claiming responsibility for Silex said in a previous interview that he created a similar malware strain “as a joke.”


Recommendations


The NTIC Cyber Center recommends changing all default credentials and using unique, lengthy, and complex passwords to secure IoT devices such as IP cameras, smart TVs, routers, presentation systems, and other Linux-based single-purpose Internet-connected devices. We also recommend placing IoT devices behind a firewall, blocking any unneeded ports that would allow external and unauthorized access, and monitoring networks for suspicious activity. We advise administrators of IoT devices impacted by Silex to download the associated device’s firmware from the manufacturer’s website and reinstall it onto the device, if possible. We also encourage administrators of Linux servers to disable Telnet, block incoming connections to TCP port 23, and secure any necessary instances of SSH using recommendations provided here.


Traffic Light Protocol: WHITE information may be distributed without restriction.

The NTIC is governed by a privacy, civil rights, and civil liberties protection policy to promote conduct that complies with applicable federal, state, and local laws. The NTIC does not seek or retain any information about individuals or organizations solely on the basis of their religious, political or social views or activities; their participation in a particular noncriminal organization or lawful event; or their race, ethnicities, citizenships, places of origin, ages, disabilities, genders, or sexual orientations. No information is gathered or collected by the NTIC in violation of federal or state laws or regulations.