AirLink cellular gateway devices by Sierra Wireless are being infected by the infamous Mirai malware.

Sierra Wireless AirLink models LS300, GX400, GX/ES440, GX/ES450 and RV50 are listed as affected.

“The malware is able to gain access to the gateway by logging into ACEmanager with the default password and using the firmware update function to download and run a copy of itself,” the company noted in a security advisory.

“Based on currently available information, once the malware is running on the gateway it deletes itself and resides only in memory. The malware will then proceed to scan for vulnerable devices and report its findings back to a command and control server. The command and control server may also instruct the malware to participate in a Distributed Denial of Service (DDoS) attack on specified targets.”

ICS-CERT pointed out that the malware does not exploit a software or hardware vulnerability in the gateway devices.

“The Mirai bot uses a short list of 62 common default usernames and passwords to scan for vulnerable devices. Because many IoT devices are unsecured or weakly secured, this short dictionary allows the bot to access hundreds of thousands of devices,” they explained, and added that with the recent release of the Mirai source code on the Internet, more IoT botnets are likely to be created.
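The post-infection behaviour described above, an infected gateway scanning outward for other devices to log into, is what a network-side check can catch even when nothing on the gateway itself is logging. The following is an added example, not code from Sierra Wireless, ICS-CERT or the article: a Python detector run over a constructed firewall log that flags any internal source reaching many distinct hosts on TCP ports 23 or 2323 (the two telnet ports Mirai's scanner targets) within a one-minute window. The log format, the addresses, the window and the threshold are all assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Mirai's telnet scanner targets these two ports.
MIRAI_TELNET_PORTS = {23, 2323}

# Assumed firewall log format: UTC timestamp followed by key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\S+)"
)


def constructed_log():
    """Constructed sample log for the example (not real traffic)."""
    lines = []
    # Infected gateway 10.20.0.7: 12 distinct telnet targets in 22 seconds.
    for i in range(12):
        port = 2323 if i % 5 == 0 else 23
        lines.append(f"2016-10-12T09:00:{i * 2:02d}Z src=10.20.0.7 "
                     f"dst=198.51.100.{10 + i} dport={port} proto=tcp")
    # Admin workstation 10.20.0.50: three telnet sessions spread over 14 minutes.
    for i, minute in enumerate((5, 12, 19)):
        lines.append(f"2016-10-12T09:{minute:02d}:00Z src=10.20.0.50 "
                     f"dst=10.20.1.{i + 1} dport=23 proto=tcp")
    # Workstation 10.20.0.9: ordinary browsing, many HTTPS destinations.
    for i in range(15):
        lines.append(f"2016-10-12T09:01:{i * 3:02d}Z src=10.20.0.9 "
                     f"dst=203.0.113.{i + 1} dport=443 proto=tcp")
    return "\n".join(lines)


SAMPLE_LOG = constructed_log()


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def find_scanners(log_text, window=timedelta(seconds=60), min_targets=10):
    """Map each source that reached at least min_targets distinct hosts on a
    Mirai telnet port within any `window` to the largest fan-out observed."""
    events = [e for e in map(parse_line, log_text.splitlines())
              if e and e["dport"] in MIRAI_TELNET_PORTS]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    hits = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):            # sliding time window per source
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = {e["dst"] for e in evs[start:end + 1]}
            if len(distinct) >= min_targets:
                hits[src] = max(hits.get(src, 0), len(distinct))
    return hits


if __name__ == "__main__":
    for src, fanout in find_scanners(SAMPLE_LOG).items():
        print(f"possible Mirai scanner: {src} reached {fanout} telnet hosts in 60s")
```

Only the infected gateway trips the rule; the administrator who telnets to three devices over a quarter of an hour and the workstation fanning out over HTTPS do not. In practice the threshold should be set from a baseline of how much outbound telnet your gateways legitimately generate, which for most deployments is none.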

Sierra Wireless has advised administrators of these devices to reboot the gateway to eliminate the malware (it resides in memory, so it will be automatically deleted), then immediately change the ACEmanager password to a unique, strong (complex and long) one.

Other mitigations the advisory notes include disabling remote access to the devices and restricting management access to a whitelist of trusted IP addresses.

Help Net Security

A new type of stealth malware called USB Thief can reportedly infect air-gapped systems without leaving any signs behind. How does USB Thief work and what, if anything, can enterprises do to mitigate this attack?

USB Thief is a new type of malware discovered by ESET. Little is known about the malware because only part of it has been identified and analyzed. ESET explains how USB Thief uses multiple stages in its attacks on air-gapped systems, has the ability to encrypt itself and limits where it can run to prevent analysis. The goal of the attack appears to be stealing data from the infected systems.

ESET stated in its blog post that USB Thief leaves no evidence when it has been used. The USB malware does not save any files on the local system. Enterprises have several options to mitigate this attack. They should assume targeted malware will bypass whatever antimalware tools are in place and have defense-in-depth controls to monitor and investigate potentially suspicious activity.

Windows has built-in functionality for logging in the event log each time a USB device is inserted into a system. An enterprise could then monitor the logs for any time a USB device is inserted and respond accordingly. Windows also has functionality to record and log any time a file is accessed on the system, and it can log all files executed on the local system, but it is unclear how the USB Thief malware would show up in the event log when the dynamic link library (DLL) was injected into the targeted executable. All of this data would need to be monitored and analyzed by the enterprise, so that if potentially suspicious events were logged, the enterprise could send an incident response team or investigate the system for suspicious activity.

For systems in high security areas, USB drives can be disabled, or execution of files from them blocked, which could also prevent this attack. But disabling USB drives might not be possible on general use systems because of the limitations on functionality. Some host-based intrusion detection systems, antimalware, whitelisting or other third-party endpoint security tools also have similar functionality for logging or controlling access to USB drives and files accessed on the system.
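The monitoring approach in the answer above (log USB insertions, process launches and file access, then look at them together) can be turned into a concrete correlation. The following is an added example, not code from ESET or from the original answer: a Python routine over constructed Windows event records that raises an alert for each USB storage arrival, for each process started from a drive other than the fixed disk, and for each DLL read from such a drive, marking whether a USB storage device was inserted shortly before. It assumes the records have been exported from the event log into dicts (for instance with Get-WinEvent and a short conversion), that Kernel-PnP event 400 in the System log carries the device instance ID in its message, that process creation auditing (event 4688) and object access auditing with a SACL on the watched paths (event 4663) are enabled, and that only C: is a fixed disk on the monitored hosts; the field names, the ten-minute window and the sample records are all constructed for the example.

```python
import re
from datetime import datetime, timedelta

SECURITY = "Microsoft-Windows-Security-Auditing"
KERNEL_PNP = "Microsoft-Windows-Kernel-PnP"

# Assumption: only C: is a fixed disk on the monitored hosts; any other drive
# letter is treated as removable media.
FIXED_DRIVES = {"C:"}
CORRELATION_WINDOW = timedelta(minutes=10)

# Constructed sample records (not real logs) in the shape of Get-WinEvent output
# flattened to dicts: provider, event id, time, and the event's data fields.
SAMPLE_EVENTS = [
    {"provider": KERNEL_PNP, "id": 400, "time": "2016-08-01T10:00:00",
     "message": "Device USBSTOR\\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07"
                "\\AB12CD34&0 was configured."},
    {"provider": SECURITY, "id": 4688, "time": "2016-08-01T10:00:30",
     "NewProcessName": "E:\\Portable\\app.exe", "SubjectUserName": "jdoe"},
    {"provider": SECURITY, "id": 4663, "time": "2016-08-01T10:00:31",
     "ObjectName": "E:\\Portable\\plugin.dll",
     "ProcessName": "E:\\Portable\\app.exe", "AccessMask": "0x1"},
    {"provider": SECURITY, "id": 4688, "time": "2016-08-01T10:05:00",
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe",
     "SubjectUserName": "jdoe"},
    {"provider": SECURITY, "id": 4663, "time": "2016-08-01T10:06:00",
     "ObjectName": "C:\\Users\\jdoe\\report.docx",
     "ProcessName": "C:\\Program Files\\Office\\winword.exe",
     "AccessMask": "0x1"},
]

# Assumed message format of Kernel-PnP event 400: "Device <instance id> was configured."
DEVICE_RE = re.compile(r"Device (\S+) was configured")


def _ts(event):
    return datetime.fromisoformat(event["time"])


def _drive(path):
    return path[:2].upper()


def usb_storage_instance(event):
    """Instance ID if this is a Kernel-PnP 400 for a USB storage device, else None."""
    if event["provider"] != KERNEL_PNP or event["id"] != 400:
        return None
    m = DEVICE_RE.search(event.get("message", ""))
    if m and m.group(1).upper().startswith("USBSTOR\\"):
        return m.group(1)
    return None


def find_usb_activity(events, window=CORRELATION_WINDOW):
    """Return alerts for USB storage insertions, process launches from non-fixed
    drives (4688) and DLL reads from non-fixed drives (4663). Each alert notes
    whether a USB storage device was inserted within `window` beforehand."""
    events = sorted(events, key=_ts)
    arrivals = [_ts(e) for e in events if usb_storage_instance(e)]
    alerts = []
    for e in events:
        t = _ts(e)
        after_insert = any(timedelta(0) <= t - a <= window for a in arrivals)
        instance = usb_storage_instance(e)
        if instance:
            rule, detail = "usb_storage_inserted", instance
        elif (e["provider"] == SECURITY and e["id"] == 4688
              and _drive(e["NewProcessName"]) not in FIXED_DRIVES):
            rule, detail = "exec_from_removable", e["NewProcessName"]
        elif (e["provider"] == SECURITY and e["id"] == 4663
              and _drive(e["ObjectName"]) not in FIXED_DRIVES
              and e["ObjectName"].lower().endswith(".dll")):
            rule, detail = "dll_read_from_removable", f'{e["ProcessName"]} read {e["ObjectName"]}'
        else:
            continue
        alerts.append({"rule": rule, "time": e["time"], "detail": detail,
                       "after_usb_insert": after_insert})
    return alerts


if __name__ == "__main__":
    for alert in find_usb_activity(SAMPLE_EVENTS):
        print(alert)
```

The 4663 rule is there because, as the answer notes, a DLL pulled into a legitimately launched executable does not produce its own process creation event; a file access record for the DLL on the removable drive is the trace that remains, and it only exists if object access auditing has been configured for that path. The two Notepad and Word events on C: produce no alerts, which is the point: the rules key on where the code came from, not on which program ran.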

This was first published in August 2016
