Products: Sierra Wireless LS300, GX400, GX/ES440, GX/ES450 and RV50
Date of issue: 4 October 2016
Sierra Wireless has confirmed reports of the “Mirai” malware infecting AirLink gateways that are using the default ACEmanager password and are reachable from the public internet. The malware is able to gain access to the gateway by logging into ACEmanager with the default password and using the firmware update function to download and run a copy of itself.
Based on currently available information, once the malware is running on the gateway it deletes itself and resides only in memory. The malware will then proceed to scan for vulnerable devices and report its findings back to a command and control server. The command and control server may also instruct the malware to participate in a Distributed Denial of Service (DDoS) attack on specified targets. Currently, the best known indicator of the malware’s presence is abnormal traffic on TCP port 23 as it scans for vulnerable devices.
Customers may also observe command and control traffic on TCP port 48101 and a large amount of outbound traffic if the infected gateway is participating in a DDoS attack. Because the malware resides only in memory, rebooting the gateway will remove the infection. However, if the gateway continues to use the default ACEmanager password, it will likely become reinfected. Devices attached to the gateway’s local area network may also be vulnerable to infection by the Mirai malware. Please be aware that Sierra Wireless gateways have a number of features that make these devices remotely accessible. As a result, we strongly recommend following the best practices identified in the “Protecting the Local Area Network” section below to ensure that such devices are not inadvertently exposed.
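As an added example (not Sierra Wireless code), the following Python sketch applies the two network indicators described above to flow records: one source opening TCP port 23 connections to many distinct destinations, and any connection to TCP port 48101. The flow-record format, the sample addresses and the threshold of five distinct Telnet destinations are assumptions made for illustration.

```python
from collections import defaultdict

SCAN_PORT = 23       # Telnet scanning traffic, per the advisory
C2_PORT = 48101      # command and control traffic, per the advisory
SCAN_THRESHOLD = 5   # assumed: distinct Telnet destinations before flagging

# Constructed sample flow records: "src_ip dst_ip proto dst_port"
SAMPLE_FLOWS = """\
10.0.0.1 203.0.113.1 tcp 23
10.0.0.1 203.0.113.2 tcp 23
10.0.0.1 203.0.113.3 tcp 23
10.0.0.1 203.0.113.4 tcp 23
10.0.0.1 203.0.113.5 tcp 23
10.0.0.1 203.0.113.6 tcp 23
10.0.0.1 198.51.100.7 tcp 48101
10.0.0.20 10.0.0.1 tcp 23
10.0.0.20 203.0.113.9 udp 23
10.0.0.30 198.51.100.7 tcp 48101
garbage line
"""

def parse_flows(text):
    """Yield (src, dst, dst_port) for well-formed TCP records; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "tcp" or not parts[3].isdigit():
            continue
        yield parts[0], parts[1], int(parts[3])

def find_indicators(text, scan_threshold=SCAN_THRESHOLD):
    """Map each suspicious source address to the indicators it matched."""
    telnet_dsts = defaultdict(set)   # src -> distinct port 23 destinations
    c2_peers = defaultdict(set)      # src -> port 48101 destinations
    for src, dst, port in parse_flows(text):
        if port == SCAN_PORT:
            telnet_dsts[src].add(dst)
        elif port == C2_PORT:
            c2_peers[src].add(dst)
    findings = {}
    for src in set(telnet_dsts) | set(c2_peers):
        reasons = []
        if len(telnet_dsts[src]) >= scan_threshold:
            reasons.append(f"telnet-scan:{len(telnet_dsts[src])}")
        if c2_peers[src]:
            reasons.append("port-48101:" + ",".join(sorted(c2_peers[src])))
        if reasons:
            findings[src] = reasons
    return findings
```

A single Telnet session, such as the one from 10.0.0.20 in the sample, stays below the threshold and is not reported; lower `scan_threshold` on networks where Telnet should never appear.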
For Further Information Contact USAT: