A new strain of malware is wiping the firmware of IoT devices in attacks reminiscent of the old BrickerBot malware, which destroyed millions of devices back in 2017.
Named Silex, this malware began operating earlier today, about three to four hours before this article's publication.
The malware had bricked around 350 devices when this reporter began investigating its operations, and the count quickly spiked to 2,000 wiped devices by the time we published, an hour later.
Attacks are still ongoing, and according to an interview with the malware's creator, they are about to intensify in the coming days.
The malware does not try to take the devices over in order to use them for DDoS attacks; it simply wants them to malfunction and shut down.
Anyone who says that today's youth is generally weird is wrong in 99% of cases and should be ashamed of having become such an embarrassing old person. The remaining 1% is reserved for kids like "Light Leafon". The 14-year-old hacker, who developed Silex under this pseudonym (according to most sources, alone) and who first appeared as the creator of the "HITO" botnet, is quite happy with his achievement and has announced that he wants to keep working on the malware until it has the functionality of BrickerBot. In fury and confusion, the IoT users of this world have already launched initiatives on the Internet to find this boy a girlfriend. Which sounds like an appropriate strategy.
According to reports, Silex destroyed over two thousand devices in a matter of hours. The malware was discovered by security researcher Larry Cashdollar. Silex acts similarly to BrickerBot: it tries to log on to IoT devices with default credentials. If it succeeds, it starts overwriting the devices' storage with random data. It also flushes the firewall rules and then shuts the device down, leaving it unusable. To the ordinary user this looks like a hardware defect, which makes the total number of affected devices hard to determine. Poorly secured Linux servers can also fall victim to Silex, as long as they are reachable over Telnet with default credentials.
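For anyone running a Telnet honeypot or keeping session logs on exposed devices, the three-step behaviour described above (log in with default credentials, overwrite storage with random data, flush the firewall, shut down) is easy to spot in a captured session. The following is an added example written for this article, not Silex code or Cashdollar's tooling. The exact shell commands it matches (a `dd` or `cat` from `/dev/urandom` onto a block device, `iptables -F`, `halt`/`reboot`) are assumptions about what the described behaviour looks like on a Linux shell, not commands taken from a sample; the log format and the short default-credential list are likewise constructed for the example.

```python
"""Flag Silex-style wiper sessions in a constructed Telnet honeypot log.

Added example, not code from Silex or from any researcher. The command
patterns are assumptions about how the article's three stages (overwrite
storage with random data, flush firewall rules, shut the device down)
would appear in a captured shell session; they are not from a sample.
"""
import re
from dataclasses import dataclass, field

# One regex per stage of the wipe the article describes (assumed commands).
STAGES = {
    # "dd if=/dev/urandom of=/dev/mmcblk0" or "cat /dev/urandom > /dev/sda"
    "overwrite_storage": re.compile(
        r"(?:dd\s+if=/dev/u?random\s+of=/dev/\S+|cat\s+/dev/u?random\s*>\s*/dev/\S+)"
    ),
    # "iptables -F", "iptables --flush", "iptables -t nat -F"
    "flush_firewall": re.compile(r"\biptables\b.*\s(?:-F|--flush)\b"),
    # "halt", "reboot", "poweroff", "shutdown -h now"
    "shut_down": re.compile(r"^\s*(?:halt|reboot|poweroff|shutdown)\b"),
}

# A few factory defaults of the kind the article says Silex tries (assumed list).
DEFAULT_CREDS = {("root", "root"), ("admin", "admin"), ("root", "12345")}


@dataclass
class SessionVerdict:
    source_ip: str
    default_login: bool = False
    stages_seen: list = field(default_factory=list)

    @property
    def is_wiper(self):
        # Only call it a wipe when all three stages occur in one session;
        # a lone "iptables -F" or "reboot" is ordinary administration.
        return set(self.stages_seen) == set(STAGES)


def analyse_session(lines):
    """Parse constructed log lines of the form '<ip> <login|cmd> <text>'."""
    verdict = None
    for line in lines:
        ip, kind, text = line.split(" ", 2)
        if verdict is None:
            verdict = SessionVerdict(source_ip=ip)
        if kind == "login":
            user, pw = text.split(":", 1)
            verdict.default_login = (user, pw) in DEFAULT_CREDS
        elif kind == "cmd":
            for stage, pattern in STAGES.items():
                if pattern.search(text) and stage not in verdict.stages_seen:
                    verdict.stages_seen.append(stage)
    return verdict


# Constructed sample sessions (documentation-range IPs, not real traffic).
WIPER_SESSION = [
    "203.0.113.7 login root:root",
    "203.0.113.7 cmd dd if=/dev/urandom of=/dev/mmcblk0 bs=1M",
    "203.0.113.7 cmd iptables -F",
    "203.0.113.7 cmd halt",
]
ADMIN_SESSION = [
    "198.51.100.9 login admin:S3cur3pass",
    "198.51.100.9 cmd iptables -F",
    "198.51.100.9 cmd reboot",
]

if __name__ == "__main__":
    for session in (WIPER_SESSION, ADMIN_SESSION):
        v = analyse_session(session)
        print(v.source_ip, "default login:", v.default_login,
              "stages:", v.stages_seen, "wiper:", v.is_wiper)
```

The admin session shares two of the three stages with the wiper and is still not flagged, which is the point of requiring the full sequence: a firewall flush followed by a reboot is normal maintenance, whereas the same pair preceded by random data written over a block device, straight after a default-credential login, is the pattern the article describes.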
At first there were many indications that distribution took place via an Iranian server, but this is no longer certain. Light Leafon has said that he intends to add further features, such as attacks over SSH and the use of exploits instead of default credentials. That would defeat the protection measures that currently work, namely closing the Telnet port and changing the manufacturer's default credentials.
The IP address of the Silex command-and-control server is now blacklisted by URLhaus. A sample of Silex is available on VirusTotal.