Torii IoT Botnet

Torii is a newly observed worm that is targeting a wide range of Internet-of-Things (IoT) devices to enrol into a botnet. Despite similarities in its naming, Torii does not appear to be related to the

Threat ID:: CC-2696
Category:: Botnet, Worm
Threat Severity:: Low
Threat Vector:: Insecure network
Published:: 1 October 2018 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

Threat details

Initial infection of devices is achieved via brute-force attacks over Telnet (port 23) followed by execution of a sophisticated shell script. This script will attempt to discover the architecture of the affected device before downloading the correct Exectuable and Linkable (ELF) file over HTTP or FTP. This file is then used to install a second ELF file containing Torii.

At the time of publication, Torii does not appear to be performing any malicious activity on infected devices; however, it does have the capability to download and execute scripts or files, exfiltrate information or encrypt files. It is probable that the threat actors operating the botnet are attempting to limit discovery and analysis of Torii as it continues to grow.

Remediation steps

Type	Step
	Telnet is inherently insecure and has been superseded by several other protocols, including SSH. If Telnet is not required, then port 23 (TCP) should be closed. If Telnet is required, please ensure: A security extension such as Transport Layer Security (TLS) or Simple Authentication and Security Layer (SASL) is used where possible. Connections using Telnet are tunnelled through a secure virtual private network (VPN). By default, many IoT devices use insecure protocols or weak credentials. To avoid devices becoming part of an IoT botnet, organisations should: Review the network security of IoT devices on their estate. Ensure all IoT devices on the estate are not using default credentials.

Type

Step

Telnet is inherently insecure and has been superseded by several other protocols, including SSH. If Telnet is not required, then port 23 (TCP) should be closed. If Telnet is required, please ensure:

A security extension such as Transport Layer Security (TLS) or Simple Authentication and Security Layer (SASL) is used where possible.
Connections using Telnet are tunnelled through a secure virtual private network (VPN).

By default, many IoT devices use insecure protocols or weak credentials. To avoid devices becoming part of an IoT botnet, organisations should:

Review the network security of IoT devices on their estate.
Ensure all IoT devices on the estate are not using default credentials.

Last edited: 17 February 2020 12:55 pm