The Internet of Things (IoT) landscape is under a new threat as cybercriminals have revamped the botnet malware known as KmsdBot. The evolved version of the malware can now target more devices than before, reflecting an amplified attack surface and intensifying concerns for digital security.
Larry W. Cashdollar, a security researcher at Akamai, revealed in his analysis this month that the updated KmsdBot binary supports Telnet scanning and a wider range of CPU architectures, thereby broadening its potential target base.
The current iteration of KmsdBot was discovered active on July 16, 2023, after being developed and used as a DDoS-as-a-service tool for other threat actors. The botnet's ongoing activity points to its effectiveness in executing real-world cyberattacks.
First identified by Akamai in November 2022, KmsdBot's primary purpose was to attack private gaming servers and cloud hosting providers. However, the malware has since shifted its focus, with recent attacks targeting government websites in Romania and educational institutions in Spain.
While the original malware would scan random IP addresses for open SSH ports and then launch a brute-force attack using a password list from the threat actor's server, recent updates have added Telnet scanning to its repertoire. Just like its SSH scanner, the Telnet scanner generates a random IP and attempts to connect to port 23. Cashdollar emphasizes that the Telnet scanner does more than check whether port 23 is listening: it also verifies that the receiving buffer contains data.
The Telnet attack is executed using a text file named telnet.txt, which contains a list of frequently used weak passwords and various combinations. The majority of IoT devices make themselves easy targets by retaining default passwords, which the botnet takes full advantage of.
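From the defender's side, the scanning behaviour described above shows up as a single device opening SSH or Telnet connections to many unrelated addresses in a short time. The following Python detection is an added example, not code from Akamai's analysis or from the malware; the flow-record format, the window, the threshold and the sample records are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

SCAN_PORTS = {22, 23}      # SSH and Telnet, the two services the article says are scanned
WINDOW_SECONDS = 60        # assumed sliding window
MIN_DISTINCT_DESTS = 5     # assumed threshold of distinct destinations inside the window

# Constructed flow records (not real traffic): "epoch_seconds src_ip dst_ip dst_port"
SAMPLE_FLOWS = "\n".join(
    [f"{1000 + 5*i} 10.0.0.23 198.51.100.{10 + i} {23 if i % 2 else 22}" for i in range(6)]  # device fanning out
    + [f"{1000 + 5*i} 10.0.0.5 10.0.0.10 22" for i in range(8)]        # admin host, one destination
    + [f"{1000 + 5*i} 10.0.0.7 203.0.113.{i} 443" for i in range(6)]   # HTTPS traffic, not a scanned port
    + [f"{1000 + 120*i} 10.0.0.9 192.0.2.{i + 1} 23" for i in range(6)]  # too slow to exceed the window
    + ["malformed line"]
)

def parse_flows(text):
    """Yield (ts, src, dst, dport) tuples, skipping lines that do not parse."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, port = parts
        try:
            yield int(ts), src, dst, int(port)
        except ValueError:
            continue

def find_scanners(flows, window=WINDOW_SECONDS, min_dests=MIN_DISTINCT_DESTS):
    """Return {src: peak distinct SSH/Telnet destinations seen within one window}."""
    recent = defaultdict(deque)          # src -> (ts, dst) pairs still inside the window
    flagged = {}
    for ts, src, dst, port in sorted(flows):
        if port not in SCAN_PORTS:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:   # drop connections older than the window
            q.popleft()
        distinct = len({d for _, d in q})    # repeated logins to one host count once
        if distinct >= min_dests:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged

if __name__ == "__main__":
    for src, count in find_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src}: {count} distinct SSH/Telnet destinations within {WINDOW_SECONDS}s")
```

Counting distinct destinations rather than raw connections keeps an administrator who logs in to the same host repeatedly from being flagged.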
Cashdollar stated, "The ongoing activities of the KmsdBot malware campaign indicate that IoT devices remain prevalent and vulnerable on the internet, making them attractive targets for building a network of infected systems."
KmsdBot's addition of Telnet scanning widens the botnet's attack surface, enabling it to target a diverse range of devices. As the malware continues to evolve to support even more CPU architectures, it presents a persistent and severe threat to the security of all internet-connected devices.