Default credentials in some Sierra Wireless Devices may be leveraged by Malware

Number: AL16-018
Date: 14 October 2016

Purpose

The purpose of this advisory is to bring attention to potential exploitation of default credentials on Sierra Wireless devices.

Assessment

CCIRC is aware of a potential leveraging of Sierra Wireless devices by the “Mirai” malware for DDoS activities. If the device is reachable from the internet, the malware could gain access to the AirLink cellular gateway using the publicly available default ACEmanager credentials. Using the firmware update function, the malware will be able to run a copy of itself.

Once the malware is running on the gateway, it deletes itself and resides only in memory.

Abnormal traffic on TCP ports 23 and 48101 and a large amount of outbound traffic are strong indicators of malware presence. Port 23 is used by the malware to scan for other vulnerable devices, while port 48101 is used for command-and-control traffic.
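
The indicators above can be checked against exported flow records. The following Python code is an added example, not part of the CCIRC advisory or the Sierra Wireless bulletin; the CSV layout, the gateway inventory and both thresholds are assumptions, and the sample flows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample flow records (documentation address ranges, not real traffic).
SAMPLE_FLOWS = """\
src,sport,dst,dport,proto,bytes
10.20.0.5,40001,198.51.100.10,23,tcp,120
10.20.0.5,40002,198.51.100.11,23,tcp,120
10.20.0.5,40003,198.51.100.12,23,tcp,120
10.20.0.5,40004,203.0.113.7,48101,tcp,900
10.20.0.5,40005,203.0.113.50,80,tcp,2500000
10.20.0.6,51000,192.0.2.20,443,tcp,40000
10.20.0.6,51001,192.0.2.21,23,tcp,300
192.0.2.99,48101,10.20.0.7,35000,tcp,700
"""

GATEWAYS = {"10.20.0.5", "10.20.0.6", "10.20.0.7"}  # assumed gateway inventory
TELNET_PORT, C2_PORT = 23, 48101   # the two TCP ports named in the advisory
SCAN_FANOUT = 3                    # assumed: distinct TCP/23 peers that count as scanning
BYTES_OUT_LIMIT = 1_000_000        # assumed per-gateway outbound baseline for the window

def flag_gateways(flow_csv, gateways=GATEWAYS):
    """Return {gateway_ip: [reasons]} for gateways matching the advisory's indicators."""
    telnet_peers = defaultdict(set)   # gateway -> distinct TCP/23 destinations
    port_48101 = set()                # gateways seen on either side of TCP/48101
    bytes_out = defaultdict(int)      # gateway -> total bytes sent
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src, dst = row["src"], row["dst"]
        tcp = row["proto"].lower() == "tcp"
        ports = {int(row["sport"]), int(row["dport"])}
        if tcp and C2_PORT in ports:
            port_48101.update({src, dst} & gateways)
        if src in gateways:
            bytes_out[src] += int(row["bytes"])
            if tcp and int(row["dport"]) == TELNET_PORT:
                telnet_peers[src].add(dst)
    findings = {}
    for gw in sorted(gateways):
        reasons = []
        if len(telnet_peers[gw]) >= SCAN_FANOUT:
            reasons.append("tcp23-fanout")
        if gw in port_48101:
            reasons.append("tcp48101")
        if bytes_out[gw] > BYTES_OUT_LIMIT:
            reasons.append("high-outbound")
        if reasons:
            findings[gw] = reasons
    return findings
```

A single TCP/23 connection, as for 10.20.0.6 in the sample, stays below the fan-out threshold and is not flagged; tune both thresholds to each site's normal traffic.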

Affected Sierra Wireless products: LS300, GX400, GX/ES440, GX/ES450 and RV50.

Suggested Action

The vendor strongly suggests that customers perform the following steps for each of their gateways:

A detailed description of the risk and a list of recommendations to protect your device and attached network from infection can be found in the Sierra Wireless technical bulletin linked in the references section.

References:

http://source.sierrawireless.com/resources/airlink/software_reference_docs/technical-bulletin/sierra-wireless-technical-bulletin---mirai/

Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note that the CCIRC PGP key has recently been updated.
http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/_fl/CCIRCPublicPGPKey.txt

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: ps.communications-communications.sp@canada.ca
