A new variant of the InterPlanetary Storm malware has infected roughly 13,500 machines across 84 different countries and counting, says email security firm Barracuda Networks in their September Threat Spotlight research. The malware, named InterPlanetary Storm, was initially uncovered in May 2019 as a malicious attack designed to target Windows machines.
This new variant, which Barracuda researchers first detected in late August, is now also targeting IoT devices, such as TVs that run on Android operating systems, and Linux-based machines, such as routers with ill-configured SSH service. Essentially, this new variant gains access to machines by running a dictionary attack against SSH server, similar to FritzFrog, another peer-to-peer (p2p) malware.
Access to infected devices
It spreads using SSH brute force and open ADB ports, and it serves malware files to other nodes in the network
It can also gain entry by accessing open ADB (Android Debug Bridge) servers. The malware detects the CPU architecture and running OS of its victims, and it can run on ARM-based machines, an architecture that is quite common with routers and other IoT devices. While the function of this malware is not known yet, it’s likely that campaign operators will be able to gain access to infected devices so they can later be used for crypto mining, DDoS, or other large-scale attacks.
Some of the 84 countries which have so far reported cases of the InterPlanetary Storm malware, include: Argentina, Australia, Belgium, Brazil, Canada, France, Germany, India, Spain, the United Kingdom and the United States. It spreads using SSH (Soft Shell) brute force and open ADB ports, and it serves malware files to other nodes in the network. The malware also enables reverse shell and can run bash shell.
Fleming Shi, CTO for Barracuda Networks, comments: “This new variant of malware is extremely infectious and malicious, and it’s very likely that it will spread beyond the 84 countries which have already been impacted. Moving forward, it’s essential that tech users properly configure Secure Shell access on all devices."
"This means using keys instead of passwords, which will make access more secure. Furthermore, deploying a multi-factor authentication enabled VPN connection to a segmented network, instead of granting access to broad IP networks is vital, particularly if users wish to share access to secure shells without exposing the resource on the internet.”