Companies have been adding internet of things (IoT) devices to their networks over the past few years, often increasing their exposure on the internet. This has led to a rise in botnets that specialize in exploiting insecure configurations and vulnerabilities to take control of network-attached storage boxes, surveillance cameras, digital video recorders and, more recently, video conferencing systems.
In August, researchers from IoT security startup WootCloud discovered a botnet dubbed OMNI that was infecting business video conferencing systems made by Polycom. Since then, the company has seen three additional botnets targeting the same type of systems in addition to other Linux-based embedded devices.
The three new botnets that target Polycom HDX series endpoints are called Bushido, Hades and Yowai and are based on the Mirai botnet whose source code was leaked in 2016. Mirai successfully infected hundreds of thousands of IoT devices and was used to launch some of the largest distributed denial-of-service (DDoS) attacks in history. It spread primarily via Telnet connections in a worm-like manner by taking advantage of the fact that many users don’t change the default administrative credentials on their smart devices.
The original Mirai botnet is no longer active, but its source code has been used as the base for at least 13 other botnets, each of them adding improvements and additional infection methods.
Bushido, Hades and Yowai also spread via Telnet by using brute-force password guessing techniques to access Polycom HDX and other devices. However, the exploitation of vulnerabilities in the firmware or administration interfaces is also a possible scenario, according to the WootCloud researchers.
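Because these botnets spread by guessing Telnet passwords, the most useful thing a defender can pull from a device's logs is a burst of failed Telnet logins from one source, especially when a success follows the burst. The example below is added here and is not code from WootCloud, Polycom or any of the botnets; it assumes a hypothetical syslog-style `telnetd` login line (the format and the RFC 5737 test addresses in the sample are constructed), counts failures per source IP inside a sliding time window and flags sources that exceed a threshold, noting whether a successful login followed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical telnetd format, not from the article).
# 198.51.100.7 fails six times in under 15 seconds and then succeeds;
# 203.0.113.9 fails twice, minutes apart; 192.0.2.5 fails five times, three minutes apart.
SAMPLE_LOGS = """\
Jan 10 12:00:01 hdx-lab telnetd[101]: login failed for 'admin' from 198.51.100.7
Jan 10 12:00:03 hdx-lab telnetd[101]: login failed for 'root' from 198.51.100.7
Jan 10 12:00:05 hdx-lab telnetd[101]: login failed for 'admin' from 203.0.113.9
Jan 10 12:00:06 hdx-lab telnetd[101]: login failed for 'support' from 198.51.100.7
Jan 10 12:00:08 hdx-lab telnetd[101]: login failed for 'user' from 198.51.100.7
Jan 10 12:00:11 hdx-lab telnetd[101]: login failed for 'admin' from 198.51.100.7
Jan 10 12:00:14 hdx-lab telnetd[101]: login succeeded for 'admin' from 198.51.100.7
Jan 10 12:02:00 hdx-lab telnetd[101]: login failed for 'admin' from 203.0.113.9
Jan 10 12:05:00 hdx-lab telnetd[101]: login failed for 'admin' from 192.0.2.5
Jan 10 12:08:00 hdx-lab telnetd[101]: login failed for 'admin' from 192.0.2.5
Jan 10 12:11:00 hdx-lab telnetd[101]: login failed for 'admin' from 192.0.2.5
Jan 10 12:14:00 hdx-lab telnetd[101]: login failed for 'admin' from 192.0.2.5
Jan 10 12:17:00 hdx-lab telnetd[101]: login failed for 'admin' from 192.0.2.5
"""

# Assumed line layout: "<Mon> <day> <HH:MM:SS> <host> telnetd[<pid>]: login <failed|succeeded> for '<user>' from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ telnetd\[\d+\]: "
    r"login (?P<result>failed|succeeded) for '(?P<user>[^']*)' from (?P<ip>[\d.]+)$"
)


def parse_lines(text):
    """Turn raw log text into (timestamp, ip, user, succeeded) tuples; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; for windowing only relative order matters.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append((ts, m.group("ip"), m.group("user"), m.group("result") == "succeeded"))
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold failed logins inside any window_seconds span.

    Returns {ip: {"failures_in_window": max_count, "success_after_burst": bool}}.
    A success from an already-flagged source is recorded separately, since a
    successful login right after a guessing burst is the strongest compromise signal.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    alerts = {}
    for ts, ip, _user, succeeded in sorted(events, key=lambda e: e[0]):
        if succeeded:
            if ip in alerts:
                alerts[ip]["success_after_burst"] = True
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures that aged out of the window
            q.popleft()
        if len(q) >= threshold:
            entry = alerts.setdefault(ip, {"failures_in_window": 0, "success_after_burst": False})
            entry["failures_in_window"] = max(entry["failures_in_window"], len(q))
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse_lines(SAMPLE_LOGS)).items():
        print(f"{ip}: {info['failures_in_window']} failures in window, "
              f"success after burst: {info['success_after_burst']}")
```

On the constructed sample only 198.51.100.7 is flagged: 203.0.113.9 never reaches the threshold and 192.0.2.5's five failures are spread over twelve minutes, so no sixty-second window ever holds more than one. The threshold and window are the knobs to tune against the device's real login volume; a Telnet service that nobody should be using interactively can tolerate a much lower threshold.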
Polycom takes action against the botnet threat
In fact, in an advisory released today, Polycom warns customers that Polycom HDX endpoints “running software versions older than 3.1.13 contain security vulnerabilities that have been previously listed on the Polycom Security Center” and notes …