AirLink cellular gateway devices by Sierra Wireless are being infected by the infamous Mirai malware.
Sierra Airlink models LS300, GX400, GX/ES440, GX/ES450, and RV50 are listed as vulnerable.
“The malware is able to gain access to the gateway by logging into ACEmanager with the default password and using the firmware update function to download and run a copy of itself,” the company noted in a security advisory.
“Based on currently available information, once the malware is running on the gateway it deletes itself and resides only in memory. The malware will then proceed to scan for vulnerable devices and report its findings back to a command and control server. The command and control server may also instruct the malware to participate in a Distributed Denial of Service (DDoS) attack on specified targets.”
ICS-CERT pointed out that the malware does not exploit a software or hardware vulnerability in the gateway devices.
“The Mirai bot uses a short list of 62 common default usernames and passwords to scan for vulnerable devices. Because many IoT devices are unsecured or weakly secured, this short dictionary allows the bot to access hundreds of thousands of devices,” they explained, and added that with the recent release of the Mirai source code on the Internet, more IoT botnets are likely to be created.
Sierra Wireless has advised administrators of these devices to reboot the gateway to eliminate the malware (it resides in memory, so it will be automatically deleted), then immediately change the ACEmanager password to a unique, strong (complex and long) one.
Other attack mitigation options, such as disabling remote access on the devices and IP whitelisting, have been noted.