Companies have been adding internet of things (IoT) devices to their networks over the past few years, often increasing their exposure on the internet. This has led to a rise in botnets that specialize in exploiting insecure configurations and vulnerabilities to take control of network-attached storage boxes, surveillance cameras, digital video recorders and, more recently, video conferencing systems.
In August, researchers from IoT security start-up WootCloud discovered a botnet dubbed OMNI that was infecting business video conferencing systems made by Polycom. Since then, the WootCloud researchers have seen three additional botnets targeting the same type of systems in addition to other Linux-based embedded devices.
The three new botnets that target Polycom HDX series endpoints are called Bushido, Hades and Yowai and are based on the Mirai botnet, whose source code was leaked in 2016. Mirai successfully infected hundreds of thousands of IoT devices and was used to launch some of the largest distributed denial-of-service (DDoS) attacks in history. It spread primarily over Telnet in a worm-like manner by taking advantage of the fact that many users don't change the default administrative credentials on their smart devices.
The original Mirai botnet is no longer active, but its source code has been used as the base for at least 13 other botnets, each of them adding improvements and additional infection methods.
Bushido, Hades and Yowai also spread via Telnet by using brute-force password guessing techniques to access Polycom HDX and other devices. However, the exploitation of vulnerabilities in the firmware or administration interfaces is also a possible scenario, according to the WootCloud researchers.
Polycom takes action against the botnet threat
In fact, in an advisory released today, Polycom warns customers that Polycom HDX endpoints "running software versions older than 3.1.13 contain security vulnerabilities that have been previously listed on the Polycom Security Center" and notes that "these security vulnerabilities may render HDX endpoints vulnerable to takeover by a botnet."
The company also issued an advisory in January warning customers about "persistent cyber threats" that target unified communications devices deployed in an insecure manner or for which the default passwords or PINs haven't been changed. The company recommends that users follow its security best practices for deploying such devices and firewalling them from the Internet.
Like many other embedded devices, Polycom HDX systems run a variant of Linux and have the BusyBox toolkit installed. This package bundles lightweight versions of the most common Linux utilities into a single binary and gives attackers the ability to perform many malicious actions without having to download and execute binaries compiled for a specific embedded CPU architecture like ARM or MIPS.
"Presence of these binaries on the device itself provides an attacker with a capability to launch operations stealthily without downloading additional binaries from the C&C server," the WootCloud researchers said in a report shared with CSO. "In particular, these three bots extensively use the BusyBox, Wget and other similar binaries for performing a different set of operations."
The compromised Polycom devices are used to scan for and break into other systems over Telnet using default or weak credentials, and to launch DDoS attacks, since most of these botnets exist to sell DDoS services on underground markets. WootCloud has also observed compromised devices being used as proxies to route and hide malicious communications with command-and-control servers.
Only one exploited device can compromise the entire network
In a phone interview, the WootCloud researchers said that thousands of Polycom HDX devices are exposed to the Internet, but many more are deployed inside corporate networks. It only takes one exposed and misconfigured system to be compromised to spread the infection internally.
In fact, the researchers have seen Polycom HDX deployments where video conferencing endpoints at companies' different offices were linked to each other. This means that a possible infection at one location could also spread to remote branches around the world.
The smart connected devices deployed by companies on their networks have enough computing power to be attractive to attackers and generally run open-source software, so abusing them requires no specialized knowledge. Attackers are therefore constantly looking for vulnerabilities or misconfigurations in such devices and, unfortunately, many organizations lack the visibility to discover when one has been compromised.
A compromised IoT device on a corporate network can easily be used by attackers as a starting point for lateral movement and as a launchpad for attacks against other internal systems like servers and workstations that process sensitive data. The WootCloud researchers said that it could even be possible for attackers to spy on conversations going through the Polycom video conferencing devices if they wanted to.
There is a general lack of knowledge in small- to medium-sized companies when it comes to configuring smart connected devices, the researchers told CSO. People see them for their primary function, like video conferencing, and don't understand the other risks they pose or how they can become infected, so the challenge is to get that information out to users and provide them with the tools and solutions they need for gaining visibility into what these devices do on their networks, they said.