Yowai IoT Botnet

Summary

Yowai is a newly observed Internet-of-Things (IoT) worm and botnet based on the Mirai malware.


Threat details

Like most Mirai variants, Yowai automatically identifies vulnerable systems and then uses default credentials or brute-force attacks to gain access to them. Where possible, it also uses a number of hard-coded exploits for vulnerabilities in certain products.

Once installed, Yowai will attempt to terminate a number of other botnets on the device before connecting to a command and control server.
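
As an added example (not part of the original advisory), the following Python shows one way to spot the credential-guessing behaviour described above in device authentication logs, and to escalate when a successful login follows a burst of guesses. It assumes devices forward OpenSSH-style sshd messages with ISO timestamps; the log lines, thresholds and the detect function are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style lines for illustration; hosts and addresses are made up.
SAMPLE_LOG = """\
2020-02-14T10:00:01 cam01 sshd[811]: Failed password for root from 203.0.113.7 port 40112 ssh2
2020-02-14T10:00:03 cam01 sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40114 ssh2
2020-02-14T10:00:05 cam01 sshd[811]: Failed password for invalid user support from 203.0.113.7 port 40116 ssh2
2020-02-14T10:00:07 cam01 sshd[811]: Failed password for invalid user guest from 203.0.113.7 port 40118 ssh2
2020-02-14T10:00:09 cam01 sshd[811]: Accepted password for root from 203.0.113.7 port 40120 ssh2
2020-02-14T10:05:00 nvr02 sshd[402]: Failed password for root from 198.51.100.9 port 51000 ssh2
2020-02-14T10:05:02 nvr02 sshd[402]: Failed password for invalid user admin from 198.51.100.9 port 51002 ssh2
2020-02-14T10:05:04 nvr02 sshd[402]: Failed password for invalid user user from 198.51.100.9 port 51004 ssh2
2020-02-14T10:05:06 nvr02 sshd[402]: Failed password for invalid user admin from 198.51.100.9 port 51006 ssh2
2020-02-14T11:00:00 cam01 sshd[811]: Failed password for operator from 192.0.2.20 port 60000 ssh2
2020-02-14T11:00:20 cam01 sshd[811]: Accepted password for operator from 192.0.2.20 port 60002 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def detect(log_text, window=timedelta(seconds=60), min_failures=4, min_users=3):
    """Return {(source, device): 'guessing' | 'compromised'} for flagged pairs."""
    failures = defaultdict(list)  # (source, device) -> [(time, user)] still in window
    findings = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        key = (m["src"], m["host"])
        # Keep only failures that are still inside the sliding window.
        recent = [(t, u) for t, u in failures[key] if ts - t <= window]
        if m["result"] == "Failed":
            recent.append((ts, m["user"]))
            users = {u for _, u in recent}
            if len(recent) >= min_failures and len(users) >= min_users:
                findings.setdefault(key, "guessing")
        elif key in findings and recent:
            # A login succeeded while the guessing burst was still in progress.
            findings[key] = "compromised"
        failures[key] = recent
    return findings
```

A device reported as compromised should be isolated and have its credentials changed; a single mistyped password followed by a successful login, as in the last two sample lines, is not flagged.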


Remediation steps

To avoid devices becoming part of an Internet-of-Things (IoT) botnet, organisations should:

  • Review the network security of IoT devices on the estate.
  • Change any IoT device default usernames and passwords.

To protect against a distributed denial-of-service (DDoS) attack, organisations should ensure:

  • They have suitable DDoS mitigation tools.
  • They have a DDoS mitigation plan in place.

Should an organisation suspect it is subject to an active DDoS attack, it should ensure that every effort is made to stop the attack and restore service. However, care should be taken to ensure that the attackers are not using the DDoS attack as a distraction whilst other, potentially more sensitive, systems are exploited. Monitoring of critical systems is recommended, including the use of host intrusion prevention and detection systems (HIPS/HIDS) where appropriate.


Last edited: 14 February 2020 2:48 pm