New Dark_Nexus Botnet Targets IoT Devices

Summary

A new aggressive botnet, dubbed Dark_Nexus by Bitdefender researchers, has been identified targeting various Internet of Things (IoT) devices ranging from ASUS and D-link routers to video recorders. The botnet appears to borrow code from both Mirai and Qbot, though researchers believe that much of its core functions are original. Dark_Nexus was first identified in December 2019 and is frequently updated, with over 30 versions discovered in a three-month period. Additionally, payloads are customized for 12 different CPU architectures and are spread using Telnet credential stuffing and other exploits. A new persistence tactic observed disables the infected device from rebooting by removing restart permissions. Compromised devices could be used in distributed denial-of-service (DDoS) attacks.

Recommendations

The NJCCIC recommends users ensure IoT devices are routinely updated, default passwords are changed, and multi-factor authentication is enabled where available. Additionally, disable Telnet or, if necessary to manage devices, add an access list to routers to prevent unauthorized access. Technical details and IOCs can be found in the Bitdefender whitepaper.