[SingCERT] Alert on New Silex Malware on IoT Devices

Published on 27 Jun 2019

Updated on 23 Oct 2019

Background

A new Internet of Things (IoT) malware, dubbed Silex, is affecting IoT devices such as routers and IP cameras that have the telnet service (port 23) running on their Internet-facing interface.

The malware attempts to gain access to IoT devices by using default and widely used telnet credentials. It then corrupts the device by filling its storage, removing its firewall and network configurations, and halting the device, thus rendering it unusable.

Affected Systems

IoT devices with:

  • Busybox running
  • Telnet listening on port 23
  • Factory default credentials

Impact

A corrupted device is unusable until its firmware is reinstalled.

Recommendations

Systems administrators are advised to change the factory default credentials on IoT devices, and to use a long and random password/passphrase which comprises a mix of uppercase and lowercase letters, numbers, and symbols.

Systems administrators are advised to close the telnet service on the Internet-facing network interface.
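One way to check a device for the exposure described above is to look at which addresses its telnet listener is bound to. The following is an added example, not part of the SingCERT advisory: it assumes the column layout printed by `netstat -tln`, the function names `telnet_exposed` and `sample_netstat` are hypothetical, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example: list telnet (TCP port 23) listeners bound to non-loopback
# addresses. Reads `netstat -tln` output on stdin; assumed columns are:
# Proto Recv-Q Send-Q Local-Address Foreign-Address State

telnet_exposed() {
    awk '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            laddr = $4
            # The port follows the last colon (also true for IPv6, e.g. :::23).
            n = split(laddr, parts, ":")
            port = parts[n]
            addr = substr(laddr, 1, length(laddr) - length(port) - 1)
            if (port != "23") next
            # A loopback-only listener is not reachable from the network.
            if (addr ~ /^127\./ || addr == "::1") next
            # 0.0.0.0 and :: mean every interface, including the Internet-facing one.
            print addr
            found = 1
        }
        END { exit(found ? 0 : 1) }
    '
}

# Constructed sample listing (not taken from a real device).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:80          0.0.0.0:*               LISTEN
tcp        0      0 :::23                   :::*                    LISTEN
EOF
}

# Demo on the sample; on a device run: netstat -tln | telnet_exposed
if sample_netstat | telnet_exposed; then
    echo "telnet is listening on a non-loopback address" >&2
fi
```

The function exits with status 0 when at least one such listener is found and 1 otherwise, so it can be used in a periodic configuration check.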
