KmsdBot Malware New Threat: Enhanced Targeting of IoT Devices

Recent findings describe an updated version of the KmsdBot botnet malware that has pivoted its focus onto Internet of Things (IoT) devices. The shift both broadens the malware's capabilities and widens its pool of potential targets.

Akamai security researcher Larry W. Cashdollar pointed out in a recent analysis that the malware has integrated new features. “The program now encompasses Telnet scanning and compatibility with an increased number of CPU structures,” says Cashdollar. (Source: Akamai’s security report.)

The latest version of KmsdBot, observed from July 16, 2023 onward, is still being actively developed and refined. This follows the earlier discovery that the botnet was being offered to other cybercriminals as a DDoS-for-hire service (reference: DDoS Attack Trends). Continued development is a strong indicator that the malware is still being used in live attacks.

KmsdBot was first identified by security researchers in November 2022 (reference: Historical Analysis). It was originally built to target private game servers and cloud service providers; its victims have since come to include Romanian government and Spanish education websites.

A defining behaviour of the malware is that it probes randomly generated IP addresses looking for exposed SSH services. When it finds one, it attempts to log in using a password list downloaded from an attacker-controlled server. The new version adds Telnet scanning on top of this and supports more of the CPU architectures commonly found in IoT devices (reference: IoT Device Vulnerabilities Report).

Cashdollar elaborates on the Telnet scanner’s function: “The scanner produces a random IP address and tries to connect via port 23. But it doesn’t just detect if port 23 is active. It ensures the receiving buffer holds data.” To carry out the Telnet attack, the malware fetches a text file, telnet.txt, containing a list of weak passwords and username/password combinations. This targets the well-known problem that many IoT devices are still running with their default login credentials (reference: IoT Default Passwords Issue).
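The selection rule described above (the port accepts a connection and the receive buffer then holds data, i.e. the device sends a login banner) is easy to turn into a defensive exposure check: run it against your own address ranges to find the devices KmsdBot would pick out, before the botnet does. The following is an added example written for this page, not Akamai's analysis code and not the malware's own scanner. It assumes the "buffer holds data" test can be approximated by a single recv with a short timeout, and the "devices" it probes are constructed in-process listeners on 127.0.0.1 so that it runs offline.

```python
import socket
import threading
from dataclasses import dataclass

TELNET_PORT = 23  # the port the article says the scanner connects to


@dataclass
class ProbeResult:
    host: str
    port: int
    connected: bool   # TCP connect succeeded ("port 23 is active")
    banner: bytes     # whatever arrived in the receive buffer, possibly empty

    @property
    def selected(self) -> bool:
        # The article's criterion: not just an open port, the peer must also
        # have sent data (a login prompt / banner) that a bot could interact with.
        return self.connected and len(self.banner) > 0


def probe_telnet(host: str, port: int = TELNET_PORT, timeout: float = 2.0,
                 max_bytes: int = 256) -> ProbeResult:
    """Connect to host:port and record whether the receive buffer holds data.

    Assumption (ours, not from the article): one recv() bounded by `timeout`
    is a good enough stand-in for "the receiving buffer holds data".
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(max_bytes)
            except socket.timeout:
                data = b""          # open port, silent service
            return ProbeResult(host, port, True, data)
    except OSError:
        return ProbeResult(host, port, False, b"")  # refused, filtered, unreachable


def scan_targets(targets, timeout: float = 2.0):
    """Probe a list of (host, port) pairs and return only the ones a
    KmsdBot-style scanner would select for a credential attack."""
    results = [probe_telnet(h, p, timeout) for h, p in targets]
    return [r for r in results if r.selected]


# ---- constructed fixtures for an offline run -------------------------------

def start_fake_device(banner: bytes) -> int:
    """Constructed test device: a localhost listener that sends `banner`
    (possibly nothing) to each client. Returns the ephemeral port it uses."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                if banner:
                    conn.sendall(banner)
                try:
                    conn.recv(1)   # hold the socket open until the client leaves
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_port() -> int:
    """Pick a localhost port that is (almost certainly) not listening."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo(timeout: float = 1.0) -> dict:
    """Probe one chatty device, one silent device and one closed port."""
    chatty = start_fake_device(b"\r\nRouter login: ")   # constructed banner
    silent = start_fake_device(b"")
    closed = closed_port()
    return {
        "chatty": probe_telnet("127.0.0.1", chatty, timeout),
        "silent": probe_telnet("127.0.0.1", silent, timeout),
        "closed": probe_telnet("127.0.0.1", closed, timeout),
    }


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:7s} connected={r.connected!s:5s} "
              f"banner={r.banner!r} selected={r.selected}")
```

Only the "chatty" device passes the scanner's filter: the silent listener is open but sends nothing, and the closed port never connects. On a real network, point `scan_targets` at your own hosts on port 23 (and 22, for the SSH path the article describes) and treat every selected result as a device that needs its default credentials changed or Telnet disabled.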

Cashdollar concludes, “The continued operations of the KmsdBot campaign highlight the persistent vulnerability of IoT devices. These devices are tempting for hackers, given their ubiquity and weak security, enabling the creation of a vast network of compromised systems.” (Reference: IoT Security Trends.) He further warns, “With KmsdBot now equipped with Telnet scanning and supporting a broader range of CPU architectures, the cyber threat to our IoT devices has been amplified.”
