New 'Priority' Variant of Demonbot Attacking IoT Devices

Researchers spotted a new variant of Demonbot targeting IoT devices from the self-proclaimed attackers dubbed Priority. This new variant has been found targeting Defeway surveillance cameras.

Latest discovery

This new Demonbot variant is based on Mirai’s code and uses a Hadoop YARN exploit.
  • The latest variant targets ports 5500, 5501, 5502, 5050, and 60001 by using a simple command that uses the MVPower DVR Shell unauthenticated command execution exploit.
  • The attackers are using a single exploit and mostly focusing on port 60001. Experts suspect that other ports are just a diversion; the reason could be that the attackers have a specific goal in mind.
  • In addition to this, the attacker moved from 128[.]199[.]15[.]87 to 64[.]227[.]97[.]145 IP address from where all the attacks originated. The IP addresses are owned by the VPS provider DigitalOcean.

Recent attacks

In recent times, IoT devices have been facing threats from several similar malware.
  • A few days ago, a new botnet dubbed Ttint was found exploiting two zero-day vulnerabilities (including CVE-2020-10987) in Tenda routers.
  • Last month, the Mozi botnet was found actively targeting a large number of IoT devices, including Netgear router, Huawei Router, GPON Routers, D-Link Devices, and other devices from several brands.

Ending notes

IoT devices are still considered as relatively insecure links in the overall technology landscape and require a different set of precautions. Experts advise users to regularly patch all the IoT devices and change the default password with a strong one. Additionally, regularly mapping all the devices on the corporate network and scanning the network for any malicious activities can help protect against such threats.