Sierra Wireless is warning customers to change their default access credentials on AirLink gateway products after discovering the wireless products are being compromised by Mirai malware.
Mirai, a malware and botnet combination recently publicized after a 620 Gbps distributed denial-of-service (DDoS) attack on the prominent security blog Krebs on Security, enslaves thousands — if not millions — of vulnerable Internet of Things (IoT) devices, including DVRs, CCTV surveillance cameras, and routers.
Now it appears the malware's operators are scanning the internet for Sierra Wireless gateways that still answer to factory default credentials.
On Friday, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an advisory warning that these products can be taken over by the Linux-based malware, not through a software flaw but because factory default credentials, which are easy to find online, are still in use on deployed units.
Sierra Wireless LS300, GX400, GX/ES440, GX/ES450, and RV50 gateways are the affected models. According to Sierra Wireless, there have been reports of devices becoming infected because the default password for the gateways' ACEmanager management interface was never changed.
“ICS-CERT would like to emphasize that there is no software or hardware vulnerability being exploited in the Sierra Wireless devices by the Mirai malware,” the advisory reads. “The issue is configuration management of the device upon deployment.”
The communications equipment maker says that once the malware compromises a gateway, it deletes its executable from storage and runs only in memory, then scans for further vulnerable devices and reports back to the Mirai command-and-control (C&C) server, which can later direct the device to take part in DDoS attacks.
With the Mirai source code now public, we can expect more cases of vulnerable IoT and networking devices being used in these kinds of attacks, which can take online services down and cost the businesses that depend on them dearly.
“Currently, the best-known indicator of the malware’s presence is abnormal traffic on Port 23/TCP as it scans for vulnerable devices,” Sierra Wireless notes. “Users may also observe command and control traffic on Port 48101/TCP, and a large amount of outbound traffic if the infected gateway is participating in a DDoS attack.”
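Those three indicators translate directly into detection logic that can run over flow or firewall logs from the network the gateway sits on. The script below is an added example, not code from Sierra Wireless or ICS-CERT. It parses constructed flow records in a made-up "src dst dport bytes_out" format; the hosts, addresses and thresholds are assumptions chosen for the illustration.

```python
"""Mirai network-indicator triage over flow records.

Added example (not Sierra Wireless or ICS-CERT code). It checks the three
indicators quoted in the vendor bulletin: fan-out of outbound TCP/23
connections (scanning), any outbound TCP/48101 connection (C&C), and an
unusually large outbound byte count (DDoS participation). Log format,
IP addresses and thresholds are assumptions made for the example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    out_bytes: int


# Constructed flow records (not real traffic): "src dst dport bytes_out".
# 10.0.0.5 plays an infected gateway, 10.0.0.8 a clean host on the same LAN.
SAMPLE_LOG = """\
10.0.0.5 203.0.113.10 23 74
10.0.0.5 203.0.113.11 23 74
10.0.0.5 203.0.113.12 23 74
10.0.0.5 203.0.113.13 23 74
10.0.0.5 203.0.113.14 23 74
10.0.0.5 203.0.113.15 23 74
10.0.0.5 203.0.113.16 23 74
10.0.0.5 203.0.113.10 23 74
10.0.0.5 198.51.100.7 48101 1260
10.0.0.5 192.0.2.9 80 250000000
10.0.0.8 10.0.0.1 23 910
10.0.0.8 93.184.216.34 443 48210
10.0.0.8 192.0.2.44 443 152000
"""


def parse_flows(text):
    """Parse the constructed log format; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, out_bytes = line.split()
        flows.append(Flow(src, dst, int(dport), int(out_bytes)))
    return flows


def telnet_fanout(flows):
    """Number of distinct destinations each source reached on TCP/23."""
    targets = defaultdict(set)
    for f in flows:
        if f.dport == 23:
            targets[f.src].add(f.dst)
    return {src: len(dsts) for src, dsts in targets.items()}


def c2_contacts(flows, c2_port=48101):
    """Sources that opened a connection to the C&C port, with the peers they reached."""
    contacts = defaultdict(set)
    for f in flows:
        if f.dport == c2_port:
            contacts[f.src].add(f.dst)
    return dict(contacts)


def outbound_bytes(flows):
    """Total bytes sent per source, for the DDoS-participation check."""
    totals = defaultdict(int)
    for f in flows:
        totals[f.src] += f.out_bytes
    return dict(totals)


def assess(flows, scan_min_targets=5, volume_threshold=100_000_000):
    """Return {src: [indicator, ...]} for every source showing at least one indicator.

    Thresholds are assumptions: a gateway normally initiates no outbound telnet
    at all, so even a handful of distinct TCP/23 targets is suspicious, and the
    volume threshold should be set from the link's normal baseline.
    """
    findings = defaultdict(list)
    for src, n in telnet_fanout(flows).items():
        if n >= scan_min_targets:
            findings[src].append(f"telnet-scan:{n}-targets")
    for src, dsts in c2_contacts(flows).items():
        findings[src].append("c2-port-48101:" + ",".join(sorted(dsts)))
    for src, total in outbound_bytes(flows).items():
        if total >= volume_threshold:
            findings[src].append(f"outbound-volume:{total}-bytes")
    return dict(findings)


if __name__ == "__main__":
    for src, hits in assess(parse_flows(SAMPLE_LOG)).items():
        print(src, *hits)
```

In practice the fan-out and volume counts should be computed per time window (Mirai's scanner produces its TCP/23 fan-out within seconds, and a DDoS flow is a burst, not a daily total), and the TCP/23 check should ignore destinations that are legitimately managed over telnet inside the site; the single telnet flow from the clean host above is exactly that case and correctly stays below the threshold.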
Because the malware is memory-resident, rebooting the gateway clears it; changing the default credentials at the same time is what keeps it out. If the product continues to use factory credentials, the device will almost certainly be reinfected, since the operators keep scanning, and an infected gateway may also expose the local devices connected behind it.
Not every vendor lets you change default settings on its hardware, but with attacks that exploit vulnerable home devices on the rise, wherever you can, you should: it protects your own network, and it shrinks the pool of devices available for the next DDoS attack on the web.