nav search
Data Center Software Security Transformation DevOps Business Personal Tech Science Emergent Tech Bootnotes BOFH

Huge DDoS attacks are about to get bigger: Mirai bots infect Sierra Wireless gateways

Default password in cellular modem firmware exploited

By Iain Thomson, 14 Oct 2016

Sierra Wireless cellular modems are being infected by the Mirai botnet malware used to smash systems offline.

Mirai commandeers web-connected cameras, sensors and other Internet of Things (IoT) devices using the default factory-set login passwords in their firmware. It has been fingered for unleashing the largest DDoS attack ever, generating a 620Gbps stream against the website of cyber-crime blogger Brian Krebs.

Now US-CERT has issued an alert that cellular gateways are the next target. Five Sierra Wireless modems are named in the advisory – the LS300, GX400, GX/ES440, GX/ES450, and RV50 – and all are potentially easy meat to Mirai.

The software nasty connects to the device from across the network or internet and gains control if the modem is still using its common default factory-set password. If successful, it copies itself onto the freshly hijacked system and starts looking for its next victims – and given it's a cellular modem, there will be other equipment connected to it.

"Once the malware is running on the gateway, it deletes itself and resides only in memory," the advisory states.

"The malware will then proceed to scan for vulnerable devices and report its findings back to a command and control server. The command and control server may also instruct the malware to participate in a DDoS attack on specified targets."

If you're worried about being infected, check:

  • Port 23, which is used to scan for vulnerable systems.
  • Command and control traffic and outbound DDoS traffic emanating from Port 48101 – if an attack is going on there'll be a lot of it.

Sierra has acknowledged the problems and confirmed that Mirai infections have been seen in the wild. It recommends taking the devices offline, rebooting them to wipe the malware from memory, and then changing the passwords away from the default directly or using the AirLink Management Service.

What's worrying about this is that the malware writers are now targeting gateways, and apparently having some success. Where Mirai's controllers have gone, others will follow – and a full scale infection of this kind of kit could dramatically increase the power and scope of DDoS attacks in the future.

Sleep tight. And, for goodness sake, never use a default password. ®

The Register - Independent news and views for the tech community. Part of Situation Publishing