Overview:
Internet of Things (IoT) devices are targeted by cybercriminals to launch a variety of attacks on the Internet. Cybercriminals prefer to build botnets — which are a collection of compromised machines controlled via centralized command and control (C&C) servers. IoT botnets are on the rise in recent years. Mirai was the most advanced IoT botnet that came to exist. Mirai botnet was also the primary source of launching DDoS against Dyn DNS solution provider.
IoT botnets are formed by compromising IoT devices by exploiting inherent security flaws such as vulnerabilities, weak configurations, insecure authentication, etc. The compromised IoT devices are then used to perform nefarious operations such as Brute-force attacks, Distributed Denial of Service (DDoS) attacks, transforming IoT device into a proxy server and many others.
In this research note, WootCloud detected the presence of OMNI bot (a variant of Mirai) in the Polycom video conferencing systems that were exposed on the Internet. The research has been a collaborative effort between the WootCloud threat research team and the Polycom security team.
Analysis: OMNI Bot Indicators of Compromise
WootCloud performed analysis on the compromised Polycom HDX systems. Generally, these systems have a built-in debug interface that provides information about the activities occurred on the device in the log format. The debug flags have to be enabled in the configuration settings so that the device can log all the messages. Further, WootCloud performed log analysis and forensics on the infected machine to detect threats. A number of Polycom devices were found to be running Omni bot which performed brute-force and password cracking operations from the device via telnet interface.
It has been noticed that the Polycom devices are shipped with binaries such as BusyBox, Wget, and others. Presence of these binaries on the device itself provides an attacker with a capability to launch operations stealthily without downloading additional binaries from the C&C server. Omni bot extensively uses the binaries such as BusyBox, Wget, and others for performing a different set of operations.
OMNI bot brute-force attack is detected via DEBUG logs generated from the compromised Polycom device. The attack is dissected below:
- The OMNI bot triggers the “enable” command
- After that, “system” command is executed
- Once the “system” command is executed, the “sh” command is triggered to obtain the shell access rights so that specific payload can be executed
- After entering the shell with “sh”, The OMNI bot calls its main functions by loading the “/bin/busybox” with OMNI payload as “/bin/busybox/ OMNI”
The communication is highlighted below:
| [Log – Date] 14:49:02 DEBUG avc: pc[0]: uimsg: C: enable[Log – Date] 14:49:02 DEBUG avc: pc[0]: appcom: api_command: pid:1181 2 enable[Log – Date] 14:49:03 DEBUG avc: pc[0]: appcom: legacy_api_command: 2 enable 1[Log – Date] 14:49:03 DEBUG avc: pc[0]: api: legacy_api_c_command: enable[Log – Date] 14:49:03 DEBUG avc: pc[0]: standardCmndHandler(…)[Log – Date] 14:49:03 DEBUG avc: pc[0]: legacy_api: legacy_api_c_command succeeded [Log – Date] 14:49:04 DEBUG avc: pc[0]: uimsg: C: system[Log – Date] 14:49:04 DEBUG avc: pc[0]: appcom: api_command: pid:1181 2 system[Log – Date] 14:49:04 DEBUG avc: pc[0]: appcom: legacy_api_command: 2 system 1[Log – Date] 14:49:04 DEBUG avc: pc[0]: appcom: java_api_command: pid:1181 2 system[Log – Date] 14:49:04 DEBUG avc: pc[0]: “system” – takes at least one argument [Log – Date] 14:49:05 DEBUG avc: pc[0]: uimsg: C: sh[Log – Date] 14:49:05 DEBUG avc: pc[0]: appcom: api_command: pid:1181 2 sh[Log – Date] 14:49:05 DEBUG avc: pc[0]: appcom: legacy_api_command: 2 sh 1[Log – Date] 14:49:06 DEBUG avc: pc[0]: appcom: java_api_command: pid:1181 2 sh [Log – Date] 14:49:06 DEBUG avc: pc[0]: Usage: sh_button <“button” <up|down> | help>[Log – Date] 14:49:06 DEBUG avc: pc[0]: uimsg: C: /bin/busybox OMNI[Log – Date] 14:49:06 DEBUG avc: pc[0]: appcom: api_command: pid:1181 2 /bin/busybox OMNI[Log – Date] 14:49:06 DEBUG avc: pc[0]: appcom: legacy_api_command: 2 /bin/busybox OMNI 1[Log – Date] 14:49:06 DEBUG avc: pc[0]: appcom: java_api_command: pid:1181 2 /bin/busybox OMNI [Log – Date] 14:49:09 INFO avc: pc[0]: config: synching filesystem[Log – Date] 14:49:09 INFO avc: pc[0]: config: sync complete 327ms[Log – Date] 14:49:40 DEBUG avc: pc[0]: XCOM:WARNING:remote socket closed [Log – Date] 14:49:40 WARNING avc: pc[0]: appcom: psh session closed socket abruptly[Log – Date] 14:49:40 DEBUG avc: pc[0]: appcom: unregister_api_session 2[Log – Date] 14:49:41 DEBUG avc: pc[0]: uimsg: R: telnet /tmp/apiasynclisteners/psh0[Log – Date] 14:49:41 DEBUG avc: pc[0]: appcom: allocate_session(fd=106)[Log – Date] 14:49:41 DEBUG avc: pc[0]: appcom: register_api_session new_session_p=675763d8[Log – Date] 14:49:41 DEBUG avc: pc[0]: appcom: add_session(session_p:675763d8)[Log – Date] 14:49:41 DEBUG avc: pc[0]: appcom: about to call sendJavaMessageEx[Log – Date] 14:49:41 DEBUG jvm: pc[0]: UI: xcom-api: ClientManager: createSession(type: telnet sess: 2[Log – Date] 14:49:41 DEBUG avc: pc[0]: appcom: session 2 registered |
- Once the primary “/bin/busybox/ OMNI” is loaded, it triggers the brute-force attack as explained below:
- A command is executed as “execwithoutecho systemsetting telnet_client_”
- The “execwithoutecho” executes the command without throwing any notification or output via echo.
- The command executed is “telnet_client” which opens connection to remote IP running telnet service
- The “OMNI” bot then uses combination of username and password as strings to launch authentication attempts. In the DEBUG logs presented below, it started with “root:root”, “zlxx:zlxx” as username and password combination.
- A command is executed as “execwithoutecho systemsetting telnet_client_”
The communication logs are shown below:
| [Log – Date] 14:49:41 DEBUG avc: pc[0]: uimsg: E: execwithoutecho systemsetting telnet_client_23 [IP Address Truncated][Log – Date] 14:49:41 DEBUG avc: pc[0]: appcom: legacy_api_command: 2 execwithoutecho systemsetting telnet_client_23 [IP Address Truncated] [Log – Date] 14:49:41 DEBUG avc: pc[0]: appcom: java_api_command: pid:1181 2 execwithoutecho systemsetting telnet_client_23 [IP Address Truncated] [Log – Date] 14:49:41 DEBUG avc: pc[0]: appcom: java_api_command succeeded (sess:2)[Log – Date] 14:49:41 DEBUG avc: pc[0]: uimsg: E: execwithoutecho systemsetting telnet_client_23_success True[Log – Date] 14:49:41 DEBUG avc: pc[0]: appcom: legacy_api_command: 2 execwithoutecho systemsetting telnet_client_23_success True 1[Log – Date] 14:49:41 DEBUG avc: pc[0]: appcom: java_api_command: pid:1181 2 execwithoutecho systemsetting telnet_client_23_success True[Log – Date] 14:49:41 DEBUG avc: pc[0]: appcom: java_api_command succeeded (sess:2) [Log – Date] 14:49:41 DEBUG avc: pc[0]: uimsg: C: root[Log – Date] 14:49:41 DEBUG avc: pc[0]: appcom: api_command: pid:1181 2 root[Log – Date] 14:49:41 DEBUG avc: pc[0]: appcom: legacy_api_command: 2 root 1[Log – Date] 14:49:41 DEBUG avc: pc[0]: appcom: java_api_command: pid:1181 2 root [Log – Date] 14:49:42 DEBUG avc: pc[0]: uimsg: C: zlxx.[Log – Date] 14:49:42 DEBUG avc: pc[0]: appcom: api_command: pid:1181 2 zlxx.[Log – Date] 14:49:42 DEBUG avc: pc[0]: appcom: legacy_api_command: 2 zlxx. 1[Log – Date] 14:49:42 DEBUG avc: pc[0]: appcom: java_api_command: pid:1181 2 zlxx. |
After trying few combinations of username and password, the process is repeated again as shown below:
| [Log – Date] 14:49:43 DEBUG avc: pc[0]: uimsg: C: enable[Log – Date] 14:49:43 DEBUG avc: pc[0]: appcom: api_command: pid:1181 2 enable[Log – Date] 14:49:43 DEBUG avc: pc[0]: appcom: legacy_api_command: 2 enable 1[Log – Date] 14:49:43 DEBUG avc: pc[0]: api: legacy_api_c_command: enable[Log – Date] 14:49:43 DEBUG avc: pc[0]: standardCmndHandler(…)[Log – Date] 14:49:43 DEBUG avc: pc[0]: legacy_api: legacy_api_c_command succeeded [Log – Date] 14:49:43 DEBUG avc: pc[0]: uimsg: C: system[Log – Date] 14:49:43 DEBUG avc: pc[0]: appcom: api_command: pid:1181 2 system[Log – Date] 14:49:43 DEBUG avc: pc[0]: appcom: legacy_api_command: 2 system 1[Log – Date] 14:49:43 DEBUG avc: pc[0]: appcom: java_api_command: pid:1181 2 system[Log – Date] 14:49:43 DEBUG avc: pc[0]: “system” – takes at least one argument [Log – Date] 14:49:45 DEBUG avc: pc[0]: uimsg: C: sh[Log – Date] 14:49:45 DEBUG avc: pc[0]: appcom: api_command: pid:1181 2 sh[Log – Date] 14:49:45 DEBUG avc: pc[0]: appcom: legacy_api_command: 2 sh 1[Log – Date] 14:49:45 DEBUG avc: pc[0]: appcom: java_api_command: pid:1181 2 sh[Log – Date] 14:49:45 DEBUG avc: pc[0]: Usage: sh_button <“button” <up|down> | help> [Log – Date] 14:49:45 DEBUG avc: pc[0]: uimsg: C: /bin/busybox OMNI[Log – Date] 14:49:45 DEBUG avc: pc[0]: appcom: api_command: pid:1181 2 /bin/busybox OMNI[Log – Date] 14:49:45 DEBUG avc: pc[0]: appcom: legacy_api_command: 2 /bin/busybox OMNI 1[Log – Date] 14:49:45 DEBUG avc: pc[0]: appcom: java_api_command: pid:1181 2 /bin/busybox OMNI[Log – Date] 14:50:16 DEBUG avc: pc[0]: uimsg: E: execwithoutecho systemsetting telnet_client_23 [Log – Date] 14:50:57 DEBUG avc: pc[0]: appcom: legacy_api_command: 2 execwithoutecho systemsetting telnet_client_23 [IP Address Truncated] [Log – Date] 14:50:57 DEBUG avc: pc[0]: appcom: java_api_command: pid:1181 2 execwithoutecho systemsetting telnet_client_23 [IP Address Truncated] [Log – Date] 14:50:57 DEBUG avc: pc[0]: appcom: java_api_command succeeded (sess:2)[Log – Date] 14:50:57 DEBUG avc: pc[0]: uimsg: E: execwithoutecho systemsetting telnet_client_23_success True[Log – Date] 14:50:57 DEBUG avc: pc[0]: appcom: legacy_api_command: 2 execwithoutecho systemsetting telnet_client_23_success True 1[Log – Date] 14:50:57 DEBUG avc: pc[0]: appcom: java_api_command: pid:1181 2 execwithoutecho systemsetting telnet_client_23_success True[Log – Date] 14:50:57 DEBUG avc: pc[0]: appcom: java_api_command succeeded (sess:2)[Log – Date] 14:50:57 DEBUG avc: pc[0]: uimsg: C: adm[Log – Date] 14:50:57 DEBUG avc: pc[0]: appcom: api_command: pid:1181 2 adm[Log – Date] 14:50:57 DEBUG avc: pc[0]: appcom: legacy_api_command: 2 adm 1[Log – Date] 14:50:57 DEBUG avc: pc[0]: appcom: java_api_command: pid:1181 2 adm — [Truncated] — |
If the DEBUG logs are dissected in detail, it can be noticed that the “appcom:ap_command”, “appcom:legacy_api_command”, “appcom:java_api_command” primarily belongs to the AVC binary.
The log analysis and forensics performed on the compromised device highlights the presence of OMNI bot infections on the Polycom HDX devices.
Countermeasures
- Always configure passwords for the interfaces such as Telnet, Web, SNMP, etc. on the Polycom devices.
- Always update the password from default string to more complex string
- Implement WootCloud solution in the enterprise which has built-in detection and prevention algorithms to subvert the OMNI bot infections
- Always configure network policies in accordance with the VLAN segmentation to restrict the ingress and egress network traffic to the IoT device
Inference
- Polycom HDX devices for audio/video conferencing have been found infected with OMNI botnet, a variant of MIRAI
- The attackers are harnessing the power of open-source software packages such as “BusyBox”, WGet”, and others that are shipped with the embedded firmware of the Polycom devices
- Compromised Polycom devices are used to launch brute-force attacks, potential DDoS attacks and also been used as proxy devices for routing malicious communications such as Command and Control (C&C)
- APIs supported by Polycom devices are abused by the attackers for performing unauthorized operations on the device
Responsible Disclosure
Under the responsible disclosure guidelines, the findings have been reported to the Polycom Security team. Polycom has released the associated bulletin highlighting the best security practices to reduce the impact of OMNI bot and handling infections accordingly. The bulletin can be fetched at
WootCloud thanks Polycom security team to work in collaboration and releasing the guidelines for customers to detect and prevent OMNI bot infections.