KmsdBot Malware Gets an Upgrade: Now Targets IoT Devices with Enhanced Capabilities

Cyber Security Threat Summary:
“An updated version of a botnet malware called KmsdBot is now targeting Internet of Things (IoT) devices, simultaneously branching out its capabilities and the attack surface. ‘The binary now includes support for Telnet scanning and support for more CPU architectures,’ Akamai security researcher Larry W. Cashdollar said in an analysis published this month. The latest iteration, observed since July 16, 2023, comes months after it emerged that the botnet is being offered as a DDoS-for-hire service to other threat actors. The fact that it's being actively maintained indicates its effectiveness in real-world attacks. KmsdBot was first documented by the web infrastructure and security company in November 2022. It's mainly designed to target private gaming servers and cloud hosting providers, although it has since set its eyes on some Romanian government and Spanish educational sites. The malware is designed to scan random IP addresses for open SSH ports and brute-force the system with a password list downloaded from an actor-controlled server. The new updates incorporate Telnet scanning as well as allow it to cover more CPU architectures commonly found in IoT devices” (The Hacker News, 2023).

Security Officer Comments:
Researchers say the new Telnet attacks are carried out by downloading a text file containing a list of commonly used passwords and their combinations for a wide range of applications and testing them against IoT devices which oftentimes still have default credentials. The recent addition of Telnet scanning to KmsdBot indicates that operators are looking to expand their list of targets. Moreover, the support for additional CPU architectures, means that more IoT devices are at risk of being compromised.

Suggested Correction(s):
Users should be wary of IoT devices that lack traditional security features. Many IoT devices do not have multi-factor authentication or even the ability to change default usernames and passwords. Cybercriminals will continue to target the ever-growing IoT device market.

If IoT devices must be used, users should consider segmenting them from sensitive networks.

Once a device has been compromised by a botnet, users may notice slow or sluggish systems and/or unusual traffic on the network.