How to Defend Against Malware Attacks Like BotenaGo

Written by: Steve Hardy Published: December 3, 2021 IoT Advice

Tags: IoT | IoT Advice | Iot Security | Malware

On November 11th, 2021 AT&T Alien Labs announced the discovery of a dangerous new malware program affecting devices that utilize Google’s Go language (commonly called GoLang).  

Although released in 2007, usage of GoLang has increased considerably over the past several years thanks, in part, to its C/C++-like efficiency, handling of parallelisms like Java, and easy code readability like Python and Pearl. This efficiency, along with inbuilt concurrency (i.e. the ability to run multiple subroutines simultaneously), has made it a top choice for developers interested in creating IoT solutions – and it is already in use by major industry players such as Uber, Alibaba, TIBCO, and Samsara.

The increased popularity of GoLang has resulted in an unfortunate mirror increase of interest from bad actors. Intezer estimates that malware written in GoLang has increased roughly 2000% percent in recent years, with BotenaGo being the most prominent recent example.

BotenaGo Represents An Evolution in Malware

Where BotenaGo sets itself apart from other malware is in its ability to seek out and attack vulnerable targets. Instead of relying on a direct injection into a particular system, as is required by some malware, BotenaGo uses the internet in order to search for vulnerable devices and utilizes up to 30 unique attack strategies to gain access. If BotenaGo gains access to a system It creates two backdoor ports: 31412 and 19412. On port 19412 it will listen to receive the victim IP, then proceed to loop through mapped exploit functions and execute them with the given IP.

The autonomous nature of BotenaGo is also a cause of confusion and concern. If there is no dedicated communication with a command and control interface, how does this malware function and how can it be protected against? AT&T Alien Labs has put forth 3 possible explanations:

1. The malware is part of a “malware suite” and BotenaGo is only one module of infection in a larger attack. In this case, there should be another module either operating BotenaGo (by sending targets) or by updating the C&C with a new victim’s IP.
2. The links used for the payload on a successful attack imply a connection with Mirai malware. It could be that BotenaGo is a new tool used by Mirai operators on specific machines that are known to them, with the attacker(s) operating the infected end-point with targets.
3. This malware is still in beta and has been accidentally leaked.

Defending Your Deployment from Malware

Fortunately for everyday users, the mysterious origins and workings of BotenaGo do not change the general recommendations put forth to defend against it or other malware attacks. Regardless of deployment size, the following steps are always recommended as a minimum level of protection:

1. Maintain your software and hardware with the latest security updates. Hardware and software producers often update their products with patches or firmware updates to eliminate Day-1 vulnerabilities or issues that may have arisen since launch.
2. Only devices that require public internet access should have it. If a bad actor has no way of accessing a device, it cannot be infected with malicious software.
3. Monitor the traffic of your IoT devices. Excessive bandwidth consumption, connections from unrecognized IPs, and unusual port usage should all be investigated immediately upon discovery.

There are also some specific recommendations that can be made for BotenaGo:

1. Block the currently known indicator URLs discovered by Alien Labs in your firewall. A list can be found on their page here.
2. Block all communications over ports 31412 and 19412.
3. Review the list of known exploited devices BalenaGo can take advantage of and consider removing or upgrading any used in your deployment. 

Ensuring you are properly protected from malware can be an arduous and time-consuming task. Fortunately, customers deploying with Soracom get a head-start thanks to our architecture and security features:

• By default, devices connected with Soracom cannot be accessed by the public internet without special configuration, making it impossible for non-authorized users to gain remote access to your devices.
• Devices can be configured to directly transmit data from Soracom’s servers to your own with a secure VPN, meaning your data never needs to touch a public gateway.
• Devices that connect via cellular are impervious to Man in the Middle or packet sniffing attacks that can take advantage of similar wifi-enabled devices.

In addition, Soracom has several platform services that can assist customers with securing their deployments in a hassle-free manner:

SORACOM Virtual Private Gateway

When Soracom Air for Cellular devices connects to the Soracom platform, core networking services are provided by a shared public gateway. The default platform gateway allows Air subscribers to access Soracom services, such as Soracom Beam, Funnel, Funk, and Harvest, as well as connect to the Internet.

As the default gateway is shared among all Soracom users, certain gateway functionality, such as private networking and device-to-device access, is disabled to ensure device- and network security.

Soracom provides a Virtual Private Gateway (VPG) option, which allows you to create and manage your own dedicated gateway on the Soracom platform. With a VPG, Air subscribers in your account connect to the Soracom platform using an isolated network environment, separate from other Soracom gateways.

As a VPG establishes a dedicated networking environment on the Soracom platform, you can connect the VPG to your private network using Soracom Canal, Door, or Direct. Once connected, Air devices attached to your VPG will be able to access resources in your private network, without routing traffic over the public Internet or configuring firewalls to enable external access

SORACOM Junction

Soracom Junction is a packet management service that provides packet inspection, mirroring, and redirection functionality. Junction is a feature of Virtual Private Gateways that allows you to monitor all traffic passing through the VPG at the networking level in order to troubleshoot or detect problems that may affect application performance. 

SORACOM Private Garden

By default, Soracom Air devices will connect to the Soracom platform using a platform-shared gateway that allows devices to access the Internet as well as Soracom services (such as Beam, Funnel, Funk, and Harvest).

Soracom provides an alternative shared gateway called Private Garden, which still allows Air devices to access Soracom services, but will block device access to the Internet.

Setting an Air SIM group to use Private Garden will help ensure that no data is mistakenly sent to an unknown endpoint. As groups using Private Garden can still access Soracom services, you can configure Beam to forward data from your devices to your endpoint. 

SORACOM Napter

Soracom Napter is an on-demand networking service for devices using Soracom Air for Cellular SIM cards, which enables you to quickly and securely access your devices remotely. Napter allows you to perform remote maintenance, troubleshooting, or other typical remote access tasks, without setting up any relay servers or installing agent software on the device.

………………..

Got a question for Soracom? Whether you’re an existing customer, interested in learning more about our product and services, or want to learn about our Partner program – we’d love to hear from you!