
OMG IoT Botnet


This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Summary

OMG is a variant of the Mirai botnet that targets Internet-of-Things (IoT) devices. This new variant uses exploits that target more devices and turns the infected devices into proxy servers.

Threat details

OMG can perform distributed denial-of-service (DDoS) attacks and can add firewall rules to allow traffic on two random ports.

OMG uses port 55023 to communicate with its command and control server. It then opens two random ports that are used as HTTP and SOCKS proxy ports.


Remediation advice

To protect against DDoS attacks, CareCERT recommends:

Remediation steps

  • The use of a third-party DDoS mitigation tool.
  • A DDoS mitigation plan.

Should an organisation suspect it is subject to an active DDoS attack, CareCERT recommends that whilst efforts are made to stop the attack and restore service, care should be taken to ensure that the attackers are not using the DDoS attack as a distraction whilst other, potentially more sensitive, systems are exploited. Monitoring of critical systems is recommended, including the use of Host Intrusion Prevention and Detection Systems (HIPS/HIDS) where appropriate.

To avoid devices becoming part of an IoT botnet, CareCERT recommends organisations should:

  • Review the network security of IoT devices on the estate.
  • Change any IoT device default usernames and passwords.
  • Close port 50023 if it is not used for business purposes.
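The threat details above give two network indicators a defender can look for: outbound traffic from an IoT device to the command and control port, and a device that suddenly accepts inbound connections on two high ports it never exposed before (the HTTP and SOCKS proxy ports). The following Python script is an added example, not part of the original alert or of any NHS Digital tooling. It runs both checks over a small set of constructed connection-log lines in an assumed "timestamp src:port -> dst:port proto IN|OUT" format; the IP addresses, the expected-service list and the log format are all assumptions. Because the alert gives the C2 port as 55023 in the threat details and 50023 in the remediation advice, the script checks both values.

```python
import re
from collections import defaultdict

# Port values this alert gives for the OMG command-and-control channel
# (55023 in the threat details, 50023 in the remediation advice).
C2_PORTS = {50023, 55023}

# Inbound services an IoT device on this hypothetical estate is expected to expose.
EXPECTED_INBOUND = {22, 80, 443}

# Constructed log format: "<timestamp> <src>:<sport> -> <dst>:<dport> <proto> <IN|OUT>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)\s+(?P<direction>IN|OUT)$"
)

# Constructed sample log: 192.0.2.10 is an IoT device on the estate that talks
# to the C2 port and then starts accepting inbound connections on two high ports.
SAMPLE_LOG = [
    "2020-02-17T12:00:01 192.0.2.10:43211 -> 198.51.100.5:50023 tcp OUT",
    "2020-02-17T12:00:02 192.0.2.10:43212 -> 198.51.100.5:443 tcp OUT",
    "2020-02-17T12:00:03 203.0.113.9:51230 -> 192.0.2.11:443 tcp IN",
    "2020-02-17T12:00:05 203.0.113.7:51234 -> 192.0.2.10:31337 tcp IN",
    "2020-02-17T12:00:06 203.0.113.8:51235 -> 192.0.2.10:41222 tcp IN",
    "2020-02-17T12:00:07 192.0.2.11:43213 -> 198.51.100.9:80 tcp OUT",
    "this line is not in the expected format and is skipped",
]


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_c2_connections(lines):
    """Outbound connections from the estate to a known OMG C2 port."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["direction"] == "OUT" and rec["dport"] in C2_PORTS:
            hits.append((rec["src"], rec["dst"], rec["dport"]))
    return hits


def find_unexpected_inbound_ports(lines, expected=EXPECTED_INBOUND):
    """Per host, the inbound destination ports that are not an expected service.

    OMG opens two random ports for HTTP and SOCKS proxying, so a device that
    begins accepting inbound traffic on two unexpected ports is a strong signal.
    """
    ports = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["direction"] == "IN" and rec["dport"] not in expected:
            ports[rec["dst"]].add(rec["dport"])
    return {host: sorted(p) for host, p in ports.items()}


def suspect_hosts(lines):
    """Hosts that either contacted a C2 port or expose two or more unexpected ports."""
    suspects = {src for src, _, _ in find_c2_connections(lines)}
    for host, ports in find_unexpected_inbound_ports(lines).items():
        if len(ports) >= 2:
            suspects.add(host)
    return suspects


if __name__ == "__main__":
    for src, dst, port in find_c2_connections(SAMPLE_LOG):
        print(f"C2 candidate: {src} -> {dst}:{port}")
    for host, ports in find_unexpected_inbound_ports(SAMPLE_LOG).items():
        print(f"unexpected inbound ports on {host}: {ports}")
    print("suspect hosts:", sorted(suspect_hosts(SAMPLE_LOG)))
```

Either indicator on its own is worth a look; a host that shows both is the pattern the threat details describe and is a candidate for isolation and credential reset under the remediation steps above. The expected-service set should be built from an inventory of the estate's IoT devices rather than the placeholder used here.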

Last edited: 17 February 2020 12:51 pm