Number: AL16-018
Date: 14 October 2016
Purpose
The purpose of this advisory is to bring attention to potential exploitation of default credentials on Sierra Wireless devices.
Assessment
CCIRC is aware of potential exploitation of Sierra Wireless devices by the “Mirai” malware for DDoS activity. If the device is reachable from the internet, the malware can gain access to the AirLink Cellular gateway using the publicly available default ACEmanager credentials. Using the firmware update function, the malware can then run a copy of itself on the gateway.
Once the malware is running on the gateway it deletes itself and resides only in memory.
Abnormal traffic on TCP ports 23 and 48101, together with a large amount of outbound traffic, are strong indicators that the malware is present. Port 23 is used by the malware to scan for other vulnerable devices, while port 48101 is used for command-and-control traffic.
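The three indicators above (TCP/23 scanning, TCP/48101 command-and-control, unusually large outbound volume) can be checked against exported flow records from the firewall or router in front of the gateway. The following is an added example written for this advisory, not code from CCIRC or Sierra Wireless; the one-line-per-flow log format, the gateway address, the sample flows and the thresholds (scan_targets, outbound_bytes) are all assumptions and should be tuned to the link's normal baseline.

```python
"""Flow-record triage for the Mirai indicators listed in the advisory:
TCP/23 scanning, TCP/48101 command-and-control, and unusually large
outbound volume from the gateway. Added example, not CCIRC or Sierra
Wireless code; the flow-log format and thresholds are assumptions."""

# Assumed export format (one flow per line):
#   <epoch> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <bytes>
SCAN_PORT = 23       # telnet: used by the malware to find further devices
C2_PORT = 48101      # command-and-control port named in the advisory


def parse_flow(line):
    """Parse one flow line into a dict; returns None on malformed input."""
    parts = line.split()
    if len(parts) != 6 or parts[3] != "->":
        return None
    try:
        src_ip, src_port = parts[2].rsplit(":", 1)
        dst_ip, dst_port = parts[4].rsplit(":", 1)
        return {
            "ts": int(parts[0]), "proto": parts[1].upper(),
            "src": src_ip, "sport": int(src_port),
            "dst": dst_ip, "dport": int(dst_port),
            "bytes": int(parts[5]),
        }
    except ValueError:
        return None


def triage(lines, gateway_ip, scan_targets=10, outbound_bytes=5_000_000):
    """Summarise the advisory's indicators for one gateway address.

    scan_targets: distinct hosts the gateway must contact on TCP/23 before
    the activity is flagged as scanning (assumed threshold).
    outbound_bytes: total bytes sent by the gateway above which the volume
    is flagged (assumed threshold; tune to the link's normal baseline).
    """
    telnet_targets = set()
    c2_peers = set()
    total_out = 0
    for line in lines:
        f = parse_flow(line)
        # Only TCP flows originating from the gateway are of interest here.
        if f is None or f["proto"] != "TCP" or f["src"] != gateway_ip:
            continue
        total_out += f["bytes"]
        if f["dport"] == SCAN_PORT:
            telnet_targets.add(f["dst"])
        elif f["dport"] == C2_PORT:
            c2_peers.add(f["dst"])
    return {
        "telnet_scan": len(telnet_targets) >= scan_targets,
        "telnet_targets": len(telnet_targets),
        "c2_traffic": bool(c2_peers),
        "c2_peers": sorted(c2_peers),
        "high_outbound": total_out >= outbound_bytes,
        "outbound_bytes": total_out,
    }


# Constructed sample: gateway 192.0.2.10 sweeping TCP/23 across a /24,
# beaconing to 198.51.100.7:48101, and pushing a large volume at a third
# host. The UDP flow, the inbound flow and the malformed line are ignored.
SAMPLE_FLOWS = (
    [f"1476403200 TCP 192.0.2.10:4{i:04d} -> 203.0.113.{i}:23 60"
     for i in range(1, 21)]
    + ["1476403260 TCP 192.0.2.10:50001 -> 198.51.100.7:48101 420",
       "1476403300 TCP 192.0.2.10:50002 -> 198.51.100.9:80 6000000",
       "1476403301 UDP 192.0.2.10:50003 -> 198.51.100.9:53 80",
       "1476403302 TCP 10.0.0.5:51000 -> 192.0.2.10:443 1500",
       "malformed line"]
)

if __name__ == "__main__":
    for key, val in triage(SAMPLE_FLOWS, "192.0.2.10").items():
        print(f"{key}: {val}")
```

Any one indicator firing on a gateway that should never speak telnet outbound is worth a look; all three together match the advisory's description closely enough that the reboot-and-reset steps below should be applied without waiting for further confirmation.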
Affected Sierra Wireless products: LS300, GX400, GX/ES440, GX/ES450 and RV50.
Suggested Action
The vendor strongly suggests that customers take the following steps for each of their gateways:
- Reboot the gateway to eliminate the possibility of in-memory malware.
- Set the ACEmanager password to one that is secure and unique.
A detailed description of the risk and a list of recommendations to protect your device and attached network from infection can be found in the Sierra Wireless technical bulletin linked in the references section.
References: