Bricking IoT devices made waves recently with the birth of what has been dubbed the “Silex” malware, which reportedly rendered more than 2,000 devices useless in a matter of hours. Worse, its maker has said he plans to enhance his creation so that it hits even more people. And with more than 26 billion connected devices worldwide as potential targets, I’d say the 14-year-old threat actor could make life difficult for a great many users who depend on their IoT devices.
Fortunately for all of us, cybersecurity researchers and law enforcement agents, ever on the lookout for bad guys, are hot on the cybercriminal’s trail. Let’s take a look at just how they traced the threat back to its source.
How Silex Works
The first thing cybersecurity pros do to trace an attack back to its source is to look at the threat itself; in this case, Silex.
Silex bricks an infected IoT device by overwriting its storage, flushing its firewall rules, and removing its network configuration, leaving it unable to boot or communicate. To regain device functionality, victims would have to reflash its firmware, which is beyond most nontechnical users. And so, most would likely end up throwing their bricked devices away and buying new ones. That, however, does not prevent them from becoming a Silex victim again, especially if the replacement device keeps the default or weak credentials that let the malware in to begin with.
The cybersecurity researchers trailing the actor known as “Light Leafon” set up honeypots to collect Silex samples. These were then reverse-engineered for analysis, detection, and protection. The analysis results gave them access to Light Leafon’s command-and-control (C&C) server, which led them to the actor behind the attack, who divulged not only details of his past online misdeeds but also his future plans for Silex. (Note that the registration details of the domain or IP range a server uses can be found in WHOIS records, which come in WHOIS database download packages.)
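The honeypot sessions that yield samples also yield the attacker’s command sequence, and the three behaviours described above are enough to write a first detection for them. The script below is an added example (not code from the article or from the researchers it describes): the two session transcripts are constructed in the style of a Telnet honeypot log, and the shell commands used to represent a storage wipe, a firewall flush and a network-configuration removal are my assumptions modelled on that description, not a signature extracted from a Silex sample.

```python
import re

# Constructed Telnet honeypot transcripts, one command per line (not real
# Silex captures). Session 10.0.0.7 mimics the behaviour the article
# attributes to Silex; 10.0.0.8 is a harmless look-around.
SAMPLE_SESSIONS = {
    "10.0.0.7": """\
enable
sh
cat /proc/mounts
fdisk -l
cat /dev/urandom > /dev/mmcblk0 &
rm -rf /*
iptables -F
ip route flush table main
rm -f /etc/network/interfaces
reboot
""",
    "10.0.0.8": """\
enable
sh
iptables -L
cat /etc/passwd
""",
}

# The three destructive behaviours the article describes (storage wipe,
# firewall disabled, network configuration removed) plus the final reboot,
# mapped onto shell commands. The exact commands are an assumption, not a
# Silex signature taken from a sample.
BEHAVIOURS = {
    "storage_wipe": re.compile(
        r"/dev/(u?random|zero)\s*>\s*/dev/\S+"   # cat /dev/urandom > /dev/mmcblk0
        r"|\bdd\b.*\bof=/dev/"                   # dd if=/dev/zero of=/dev/sda
        r"|\brm\s+-rf\s+/\*?\s*$"                # rm -rf / or rm -rf /*
    ),
    "firewall_disabled": re.compile(r"\biptables\s+(-F|--flush)\b"),
    "netconfig_removed": re.compile(
        r"\bip\s+route\s+flush\b"
        r"|\brm\b.*/etc/(network/interfaces|resolv\.conf)"
    ),
    "halt": re.compile(r"^\s*(reboot|halt|poweroff)\b"),
}


def classify_session(transcript):
    """Return the set of behaviour names seen anywhere in one session."""
    seen = set()
    for line in transcript.splitlines():
        for name, pattern in BEHAVIOURS.items():
            if pattern.search(line):
                seen.add(name)
    return seen


def is_bricker(transcript):
    """A storage wipe combined with a firewall or network teardown is the
    bricking pattern; either alone is too common for a confident alert."""
    seen = classify_session(transcript)
    return "storage_wipe" in seen and bool(seen & {"firewall_disabled", "netconfig_removed"})


def scan(sessions):
    """Map source IP -> sorted behaviours for every session that trips the rule."""
    return {ip: sorted(classify_session(t)) for ip, t in sessions.items() if is_bricker(t)}


if __name__ == "__main__":
    for ip, behaviours in scan(SAMPLE_SESSIONS).items():
        print(f"ALERT {ip}: {', '.join(behaviours)}")
```

Requiring the storage wipe to appear together with a firewall or network teardown is what keeps the rule from firing on an administrator’s `rm -rf` or a routine `iptables -F`; a single destructive command is worth logging but not worth paging on.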
How C&C Server Data Can Be Used to Block Silex
In Silex’s case, security companies blocked traffic to and from the identified C&C server (which was hosted in Iran) by its IP address to protect their customers. Blocking a single IP address is a stopgap, though, since the operator can move the C&C server; the domains and infrastructure tied to it are the more durable indicators. And what if you don’t use a security solution on your IoT device, or Silex bypassed it? Are you doomed? I wouldn’t say so. But you do need to take some precautionary steps, such as setting strong, unique passwords on every connected device or system and installing a reliable security solution. Keep the solution updated to get the most out of the shield that it offers. And if your security provider doesn’t protect against a given threat, take a more proactive stance on threat defense.
You can block access to and from known malicious domains, and the suspicious-looking ones related to them, using a comprehensive and reasonably accurate WHOIS database download. There are plenty of such products to choose from online, but here’s a guide on how to pick the best one.
In this particular case, you can go a step further and find the domains and subdomains related to the C&C server by pivoting on the fields its WHOIS record shares with others (registrant name or email address, name servers, hosting IP addresses) in a WHOIS database download that covers the entire TLD space. Monitor these for malicious activity and, once you’re sure of their nature, block them from reaching your network, systems, or devices. Bear in mind that a field shared by thousands of registrations (a privacy proxy’s contact address, the name servers of a large DNS provider) links unrelated domains and should not be used as a pivot. This is especially useful for companies that need to protect not only their own digital assets (websites, web pages, intellectual property, employee databases, and other confidential and business-critical information), but also the personal information and safety of their partners, clients, customers, and other stakeholders.
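Here is what that pivot looks like over a bulk WHOIS dataset, as an added example that is not code from the article or from any WHOIS vendor. The records are constructed (names in the reserved .example TLD, addresses from the documentation IP ranges) with c2-seed.example standing in for the C&C domain, the field names are my assumption about how a download is laid out, and the output uses iptables rules and DNS response policy zone (RPZ) records as the enforcement points because both are formats most networks can consume directly.

```python
from collections import defaultdict, deque

# Constructed WHOIS records (invented names in the reserved .example TLD and
# documentation IP ranges). c2-seed.example stands in for the C&C domain.
WHOIS_RECORDS = [
    {"domain": "c2-seed.example", "registrant_email": "ops@mailer.example",
     "name_servers": ["ns1.badhost.example", "ns1.bigdns.example"], "ip": "203.0.113.10"},
    {"domain": "update-srv.example", "registrant_email": "ops@mailer.example",
     "name_servers": ["ns1.other.example"], "ip": "203.0.113.22"},
    {"domain": "cdn-pull.example", "registrant_email": "privacy@proxy.example",
     "name_servers": ["ns1.badhost.example"], "ip": "198.51.100.5"},
    {"domain": "mirror.example", "registrant_email": "admin@mirror.example",
     "name_servers": ["ns1.other.example"], "ip": "203.0.113.22"},
    {"domain": "shop.example", "registrant_email": "owner@shop.example",
     "name_servers": ["ns1.bigdns.example"], "ip": "192.0.2.40"},
    {"domain": "blog.example", "registrant_email": "me@blog.example",
     "name_servers": ["ns1.bigdns.example"], "ip": "192.0.2.41"},
    {"domain": "news.example", "registrant_email": "ed@news.example",
     "name_servers": ["ns1.bigdns.example"], "ip": "192.0.2.42"},
]

# Fields worth pivoting on: who registered the domain, who serves it, where it resolves.
PIVOT_FIELDS = ("registrant_email", "name_servers", "ip")


def _values(record, field):
    value = record[field]
    return value if isinstance(value, list) else [value]


def build_index(records):
    """(field, value) -> set of domains carrying that value."""
    index = defaultdict(set)
    for record in records:
        for field in PIVOT_FIELDS:
            for value in _values(record, field):
                index[(field, value)].add(record["domain"])
    return index


def find_related(seed, records, max_fanout=3):
    """Breadth-first pivot from the seed domain. Returns domain -> reason.

    A value shared by more than max_fanout domains (a big DNS provider's name
    servers, a privacy proxy's contact address, shared hosting) links
    unrelated sites, so it is never followed.
    """
    by_domain = {r["domain"]: r for r in records}
    index = build_index(records)
    related, seen, queue = {}, {seed}, deque([seed])
    while queue:
        current = queue.popleft()
        for field in PIVOT_FIELDS:
            for value in _values(by_domain[current], field):
                linked = index[(field, value)]
                if len(linked) > max_fanout:
                    continue  # shared infrastructure, not a real relationship
                for domain in linked - seen:
                    seen.add(domain)
                    related[domain] = f"{field}={value} shared with {current}"
                    queue.append(domain)
    return related


def blocklist(seed, related, records):
    """iptables rules for every IP the cluster resolves to, plus DNS RPZ
    records that return NXDOMAIN for the domains themselves."""
    by_domain = {r["domain"]: r for r in records}
    domains = sorted([seed, *related])
    ips = sorted({by_domain[d]["ip"] for d in domains})
    ip_rules = [rule for ip in ips for rule in (
        f"iptables -I INPUT -s {ip} -j DROP",
        f"iptables -I OUTPUT -d {ip} -j DROP",
    )]
    rpz = [f"{d} CNAME ." for d in domains]
    return ip_rules, rpz


if __name__ == "__main__":
    related = find_related("c2-seed.example", WHOIS_RECORDS)
    for domain, reason in related.items():
        print(f"{domain}: {reason}")
    rules, rpz = blocklist("c2-seed.example", related, WHOIS_RECORDS)
    print("\n".join(rules + rpz))
```

With the default fan-out limit the seed’s widely shared name server (ns1.bigdns.example) is ignored, so shop.example, blog.example and news.example stay out of the cluster; raise `max_fanout` and they are pulled in through that one shared value, which is exactly the false positive the limit exists to prevent. Every domain in the result carries the field and the neighbour it was linked through, so an analyst can review the chain before anything goes into a firewall.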
Enhancing your security posture costs less than paying the price for succumbing to online threats. So, to avoid the dire consequences that threats like Silex bring, take a more proactive stance on safeguarding your devices by using all the resources at your disposal.