
Dark Nexus IoT Botnet

Dark Nexus (stylised as dark_nexus) is a newly observed botnet designed for use in distributed denial-of-service (DDoS) attacks. It is able to target a wide variety of Internet-of-Things (IoT) microarchitectures including ARM, MIPS, PowerPC, and x86; and appears to contain large portions of Mirai and Qbot code.



Affected platforms

The following platforms are known to be affected:

Any IoT devices using the following microarchitectures:

  • ARM
  • Intel 80386
  • Intel x86-64
  • Motorola m68k
  • PowerPC
  • Renesas
  • SPARC

Threat details

As with other botnets, Dark Nexus gains access to devices using a combination of default credentials, brute-force attacks, and publicly available exploits. Vulnerable devices are identified using both synchronous and asynchronous scanners, with target IP and port combinations provided by a command and control (C2) server.

Once it gains access, Dark Nexus executes shell commands in an attempt to prevent the affected device from rebooting, before killing a number of processes. It then connects to a C2 server to download a list of IP addresses to perform DDoS attacks against. Dark Nexus also has SOCKS capability, although at the time of publication no Dark Nexus instances have been observed using this functionality. It is possible that Dark Nexus' operators intend to sell this capability at a later date, or that it was present in the code taken from Mirai or Qbot.
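The initial-access behaviour described above (a short default-credential list tried against many IP and port combinations handed out by the C2) leaves a recognisable pattern in failed-login records. The following detection script is an added example, not code from the advisory or from the botnet; the log format and the sample lines are constructed, so the regular expression is an assumption that would need adapting to a real sensor's output.

```python
import re
from collections import defaultdict

# Constructed sample (assumption, not from the advisory): syslog-like lines, one
# failed login each, as a sensor in front of IoT devices might record them.
SAMPLE_LOG = """\
Jun 29 11:58:01 sensor auth-fail src=203.0.113.9 dst=10.0.0.11 dport=23 user=admin
Jun 29 11:58:02 sensor auth-fail src=203.0.113.9 dst=10.0.0.11 dport=23 user=root
Jun 29 11:58:02 sensor auth-fail src=203.0.113.9 dst=10.0.0.12 dport=2323 user=admin
Jun 29 11:58:03 sensor auth-fail src=203.0.113.9 dst=10.0.0.12 dport=2323 user=root
Jun 29 11:59:40 sensor auth-fail src=198.51.100.4 dst=10.0.0.11 dport=22 user=ops
"""

LINE_RE = re.compile(
    r"auth-fail src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) user=(?P<user>\S+)"
)

def parse_failures(log_text):
    """Yield (src, dst, dport, user) for every failed-login line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"]), m["user"]

def find_bruteforce_sources(log_text, min_failures=3, min_targets=2):
    """Return {src: summary} for sources exceeding both thresholds.

    A Mirai-style scanner tries a short default-credential list against many
    IP:port combinations, so the signal is failures spread across distinct
    targets, not only a high count against a single host.
    """
    failures = defaultdict(list)
    for src, dst, dport, user in parse_failures(log_text):
        failures[src].append((dst, dport, user))
    suspects = {}
    for src, events in failures.items():
        targets = {(dst, dport) for dst, dport, _ in events}
        if len(events) >= min_failures and len(targets) >= min_targets:
            suspects[src] = {
                "failures": len(events),
                "targets": sorted(targets),
                "users": sorted({u for _, _, u in events}),
            }
    return suspects

if __name__ == "__main__":
    for src, info in find_bruteforce_sources(SAMPLE_LOG).items():
        print(src, info)
```

The single failure from the second source falls below both thresholds and is not reported, which keeps an ordinary mistyped password out of the alert.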


Remediation steps

To prevent and detect an infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.



Indicators of compromise

Last edited: 29 June 2021 12:01 pm