The Persirai IoT botnet, which targets IP cameras, arrives hot on the heels of Mirai and highlights the growing threat of IoT botnets.


Researchers at Trend Micro have discovered a new Internet of Things (IoT) botnet that leaves than 120,000 Internet Protocol (IP) cameras vulnerable to attack.

The botnet, dubbed Persirai, was discovered targeting more than 1,000 different models of IP cameras. Persirai hits IoT devices a few months after the Mirai botnet, which wreaked havoc by compromising DVRs and CCTV cameras to fuel a massive DDoS attack in October 2016.

The researchers uncovered Persirai when they found four command and control (C&C) servers and explored the vulnerabilities associated with them, explains Jon Clay, global director of threat communications at Trend Micro.

In analyzing the malware, they found it was targeting IP cameras. Using the Shodan tool, they spotted more than 120,000 devices exposed on the public Internet. IP cameras are visible targets for IoT malware because they usually use the Universal Plug and Play (UPnP) open network protocolsThe most notable difference between Mirai and Persirai is that Mirai used brute-force login attempts to steal credentials, and Persirai uses a zero-day vulnerability made public months ago. Attackers exploiting this vulnerability can get the password file from the user, which gives them access to the device.

After they get into the victim camera, the attacker can use it to perform a DDoS attack on other computers with User Datagram Protocol (UDP) floods, as described on the Trend Micro blog. The threat actor can provide an IP address in the port where they want to launch the DDoS attempt, and target any IP in the world.

The compromised camera can be used to discover other victims, which can be infected using the same zero-day vulnerability. From there, they can continue stealing password files and securing the ability to perform command injections and continue the spread of malicious code.

Researchers found affected IP cameras report to C&C servers using the .IR country code, which is managed by an Iranian research institute. They also discovered special Persian characters used by the malware author. However, this does not indicate the attacker is Iranian.

Clay says the use of this zero-day vulnerability indicates Persirai will continue to be a threat. Interestingly, the malware erases itself once the target machine has been infected, and will only run in memory. This makes it tougher to detect code once it's gone.


Security experts expressed alarm Friday over a fast-moving wave of cyberattacks around the world that appeared to exploit a flaw exposed in documents leaked from the US National Security Agency.

The attacks came in the form of ransomware, a technique used by hackers that locks a user's files unless they pay the attackers in bitcoin.

The scope of the attacks was not immediately clear, amid varying estimates from security researchers. But the malware was linked to attacks on hospitals in Britain as well as the Spanish telecom giant Telefonica and was also spreading in other countries.

The malware's name is WCry, but analysts were also using variants such as WannaCry, WanaCrypt0r, WannaCrypt, or Wana Decrypt0r.

Microsoft released a security patch earlier this year for the flaw, but many systems have yet to be updated, researchers said.

Researcher Costin Raiu of the Russian-based security firm Kaspersky said in a tweet, "So far, we have recorded more than 45,000 attacks of the #WannaCry ransomware in 74 countries around the world. Number still growing fast."

Jakub Kroustek of Avast said on Twitter the security firm had detected "36,000 detections of #WannaCry (aka #WanaCypt0r aka #WCry) #ransomware so far. Russia, Ukraine, and Taiwan leading. This is huge."

Kaspersky said the malware was released in April by a hacking group called Shadow Brokers which claimed to have discovered the flaw from the NSA.

In the United States the package delivery giant Fedex acknowledged it was hit by malware after one researcher cited the company as a target.

"Like many other companies, FedEx is experiencing interference with some of our Windows-based systems caused by malware," the company said in a statement.

"We are implementing remediation steps as quickly as possible."


Hackers exploiting malicious software stolen from the National Security Agency executed damaging cyberattacks on Friday that hit dozens of countries worldwide, forcing Britain’s public health system to send patients away, freezing computers at Russia’s Interior Ministry and wreaking havoc on tens of thousands of computers elsewhere.

The attacks amounted to an audacious global blackmail attempt spread by the internet and underscored the vulnerabilities of the digital age.

Transmitted via email, the malicious software locked British hospitals out of their computer systems and demanded ransom before users could be let back in — with a threat that data would be destroyed if the demands were not met.

By late Friday the attacks had spread to more than 74 countries, according to security firms tracking the spread. Kaspersky Lab, a Russian cybersecurity firm, said Russia was the worst-hit, followed by Ukraine, India and Taiwan. Reports of attacks also came from Latin America and Africa.

The attacks appeared to be the largest ransomware assault on record, but the scope of the damage was hard to measure. It was not clear if victims were paying the ransom, which began at about $300 to unlock individual computers, or even if those who did pay would regain access to their data.



As long as computers have been in existence, there have been people trying to hack them. As technology has evolved and improved, so has the advancements for keeping cyberattacks at bay. But of course, as technology gets smarter, so do the hackers. For years, there has been a ceaseless cycle of organizations finding new ways to secure their data, while hackers continue to find ways to break in and access it.

Cybercriminals, or the “bad” hackers, hack because it’s profitable. A recent report showed that 72 percent of hackers are financially motivated. That means that if the economic incentives were minimized, many may find that it is no longer worthwhile to attempt a cyberattack. Of course, there are many nation state attackers and “hacktivists” who choose to hack for other, non-financial reasons. But for the large majority of cybercriminals attempting to make a buck, it’s important to find ways to deter these criminals from putting forth the effort to attack in the first place. 

Rather than focusing our efforts on stopping cyberattacks, what if we were to instead turn our focus to stopping the attackers themselves from having the incentive to attack in the first place? Here are a few ways to lessen these incentives in an effort to stop cybercrime at the source.

Make examples out of hackers. Hacking is unlike many other forms of crime in that it can entirely be done from the safety of your own home, behind the confines of a computer screen. The lack of public exposure leads many cybercriminals to believe they are above the law or otherwise safe from prosecution. Adding to this issue is the fact that many of these attackers live in countries that don’t have extradition treaties with the United States and their local governments may tolerate a certain amount of attacks. 

However, when law enforcement makes a high-profile arrest or indictment, such as the recent accusation of the parties responsible for the 2014 Yahoo hack, it can serve as a harsh reminder to others that they too could be subject to criminal prosecution. It is also promising to see an increase in coordination between international law enforcement entities to stop attacks, such as the 2016 arrest of the ringleader of a global scamming network that was led by Interpol and Nigeria’s anti-fraud agency. These examples further indicate that the old concept of being anonymous and unable to be caught is no longer applicable when cybercriminals are on the cover of news articles or behind bars. This reminder may be enough to dissuade hackers from attempting similar crimes.

Make hacking more costly. Hacking can be expensive, time-consuming work. Many attackers are put off by the possibility that they may spend countless hours of their lives developing a singular botnet or malicious website, only to have it stopped immediately. At the ecosystem level, the continued prevalence of taking down botnets and disrupting hacking organizations is a strong deterrence for those trying to exploit these vulnerabilities. Rebuilding servers requires time, effort and money for cybercriminals, many of whom may no longer wish to put in the level of work that it would take to get their activities back up and running. Hence there is usually a lot of leveraging of botnets that have already had a least one successful attack through repeat attacks at different sites or small modifications to it.

While it’s certainly plausible that more attacks may come in their place, the disruption could be significant enough to slow the hackers down and make their chosen line of work more costly. By stopping these activities in their tracks, especially those working on a large scale, it could discourage other hackers from developing similar tools, or repeating their previous attacks. As an example, there are efforts underway to do network-level botnet command and control infiltration.

Harden infrastructure. A common practice among cybercriminals is a reconnaissance phase, in which hackers do broad scans for systems that appear to be vulnerable. Implementing strong safeguards to make your organization appear secure is a key way to deter the economically-minded hackers who are looking for a quick payday. If you have strong security practices in place, you will look like a much less attractive target to the cybercriminals, who will likely choose to focus their efforts elsewhere in the hopes of targeting a more easily accessible option. Hardening includes efforts such as being diligent in upgrading software and hardware patches for known Common Vulnerabilities and Exposures (CVEs).

De-value data. Many hackers these days choose to focus their efforts on accumulating data that may be useful down the road – whether to exploit, sell or otherwise leverage the information they obtained through illegal means. However, if the data they are looking to acquire becomes much less valuable, they won’t be as motivated to acquire it.

For example, the payments industry has started cutting down on card-present credit card fraud with the introduction of EMV chips. Each time an EMV card is used for payment, the chip in the card creates a unique transaction code that cannot be used again. This means that if a hacker were to steal the chip information from a specific point of sale terminal, that transaction number would not be able to be used again, making it useless to attackers. This has made credit card information much less valuable to acquire, as it is almost impossible to reuse the information.

Similarly, two-factor authentication has made passwords less of a target for hackers – without the second authentication method, such as an individual’s cell phone, having a user’s password is virtually useless. Identifying methods such as these to lessen the allure of certain types of data is a great way to deter hackers from targeting your valuable information.

While there is no singular solution for stopping hackers in their tracks, by implementing a few of these measures, we can work to put an end to the real incentives that exist for hackers today. By removing the allure of hacking, we can hopefully incentivize cybercriminals to instead use their skills in a positive way, to benefit not only themselves but also the greater good.