{
	"id": "20e89e37-1e07-4f13-9208-6b73d07dc0ec",
	"created_at": "2026-04-06T00:21:41.385379Z",
	"updated_at": "2026-04-10T13:11:18.019114Z",
	"deleted_at": null,
	"sha1_hash": "d49fe4c41173843258b6947960ac22723710d514",
	"title": "BrickerBot Permanent Denial-of-Service Attack (Update A) | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 45346,
	"plain_text": "BrickerBot Permanent Denial-of-Service Attack (Update A) | CISA\r\nPublished: 2017-04-18 · Archived: 2026-04-05 19:19:16 UTC\r\nDescription\r\nThis updated alert is a follow-up to the original alert titled ICS-ALERT-17-102-01A BrickerBot Permanent\r\nDenial-of-Service Attack that was published April 12, 2017, on the NCCIC/ICS-CERT web site. ICS-CERT is\r\naware of open-source reports of “BrickerBot” attacks, which exploit hard-coded passwords in IoT devices in order\r\nto cause a permanent denial of service (PDoS). This family of botnets, which consists of BrickerBot.1 and\r\nBrickerBot.2, was described in a Radware Attack Report.\r\nSUMMARY\r\nThis updated alert is a follow-up to the original alert titled ICS-ALERT-17-102-01A BrickerBot Permanent\r\nDenial-of-Service Attack that was published April 12, 2017, on the NCCIC/ICS-CERT web site.\r\nICS-CERT is aware of open-source reports of “BrickerBot” attacks, which exploit hard-coded passwords in IoT\r\ndevices in order to cause a permanent denial of service (PDoS). This family of botnets, which consists of\r\nBrickerBot.1 and BrickerBot.2, was described in a Radware Attack Report (‘BrickerBot’ Results In PDoS Attack\r\n).\r\nICS-CERT is working to identify vendors of affected IoT devices in order to collect product-specific mitigations\r\nand compensating controls. 
ICS-CERT is issuing this alert to provide early notice of the report and identify\r\nbaseline mitigations for reducing risks to these and other cybersecurity attacks.\r\nDETAILS\r\n--------- Begin Update A Part 1 of 2 --------\r\nAccording to Radware, this bot attack is designed to render a connected device useless by causing a PDoS, or\r\n“bricked” state. BrickerBot.1 and BrickerBot.2 exploit hard-coded passwords, exposed SSH, and brute force\r\nTelnet. According to Radware’s Attack Report and open source reporting, the following details regarding\r\nBrickerBot.1 and BrickerBot.2 are available:\r\nBrickerBot.1 targets devices running BusyBox with an exposed Telnet command window. These devices\r\nalso have SSH exposed through an older version of Dropbear SSH server. Most of these devices were also\r\nidentified as Ubiquiti network devices running outdated firmware. Some of these devices are access points\r\nor bridges with beam directivity. BrickerBot.1 was active from March 20, 2017 to March 25, 2017.\r\nAccording to Radware, BrickerBot.1 attacks have ceased.\r\nBrickerBot.2 targets Linux-based devices which may or may not run BusyBox and which expose a Telnet\r\nservice protected by default or hard-coded passwords. The source of the attacks is concealed by TOR exit\r\nnodes.\r\nNo information is available at this time about the type and number of devices used in performing these\r\nattacks.\r\n--------- End Update A Part 1 of 2----------\r\nThis situation is still developing. ICS-CERT is working to identify vendors of affected devices in order to collect\r\nmore detailed mitigation information.\r\nMITIGATION\r\nICS-CERT is currently working to identify vendors of affected IoT devices in order to collect more detailed\r\nmitigation information. 
Radware recommended taking the following precautions in the Attack Report above:\r\nChange the device’s factory default credentials.\r\nDisable Telnet access to the device.\r\nUse network behavioral analysis to detect anomalies in traffic and combine with automatic signature\r\ngeneration for protection.\r\nSet intrusion protection systems to block Telnet default credentials or reset telnet connections. Use a\r\nsignature to detect the provided command sequences.\r\n--------- Begin Update A Part 2 of 2 --------\r\nUpdate your Ubiquiti Networks devices with the latest firmware.\r\n--------- End Update A Part 2 of 2----------\r\nAny positive or suspected findings should be immediately reported to ICS-CERT for further analysis and\r\ncorrelation.\r\nICS-CERT strongly encourages asset owners not to assume that their control systems are deployed securely or that\r\nthey are not operating with an Internet accessible configuration. Instead, asset owners should thoroughly audit\r\ntheir networks for Internet facing devices, weak authentication methods, and component vulnerabilities. Control\r\nsystems often have Internet accessible devices installed without the owner’s knowledge, putting those systems at\r\nincreased risk of attack.\r\nICS-CERT recommends, as quality assurance, that users test the mitigations in a test development environment\r\nthat reflects their production environment prior to installation. In addition, users should:\r\nMinimize network exposure for all control system devices. 
Control system devices should not directly face\r\nthe Internet.\r\nLocate control system networks and devices behind firewalls, and isolate them from the business network.\r\nIf remote access is required, employ secure methods, such as Virtual Private Networks (VPNs),\r\nrecognizing that VPN is only as secure as the connected devices.\r\nRemove, disable, or rename any default system accounts wherever possible.\r\nApply patches in the ICS environment, when possible to mitigate known vulnerabilities.\r\nImplement policies requiring the use of strong passwords.\r\nMonitor the creation of administrator level accounts by third-party vendors.\r\nICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive\r\nmeasures.\r\nICS-CERT also provides a control systems recommended practices page on the ICS-CERT web site. Several\r\nrecommended practices are available for reading or download, including Improving Industrial Control Systems\r\nCybersecurity with Defense-in-Depth Strategies.\r\nOrganizations that observe any suspected malicious activity should follow their established internal procedures\r\nand report their findings to ICS-CERT for tracking and correlation against other incidents.\r\nSource: https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-102-01A",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-102-01A"
	],
	"report_names": [
		"ICS-ALERT-17-102-01A"
	],
	"threat_actors": [],
	"ts_created_at": 1775434901,
	"ts_updated_at": 1775826678,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d49fe4c41173843258b6947960ac22723710d514.pdf",
		"text": "https://archive.orkl.eu/d49fe4c41173843258b6947960ac22723710d514.txt",
		"img": "https://archive.orkl.eu/d49fe4c41173843258b6947960ac22723710d514.jpg"
	}
}