Threat Watch

IPStorm Botnet Goes Cross-Platform, Swells in Size

InterPlanetary Storm (IPStorm) is a botnet that was discovered last year targeting Windows systems. Around May 2019, the botnet included roughly 3,000 infected devices. Since then, it has grown to over four times that size at roughly 13,500 devices. According to reports from Bitdefender and Barracuda, new variants of the malware were recently released targeting Mac, Linux, Android and IoT devices as well. To spread, IPStorm brute-forces SSH credentials and looks for Android devices exposed to the Internet with ADB (Android Debug Bridge) enabled. Although the botnet has been around for over a year now, its goal is still unclear to researchers. Even though IPStorm leaves a reverse shell on infected hosts, that shell hasn’t been observed being used.


Although the goal of IPStorm remains unknown, there are steps that can be taken to prevent its spread. Organizations should enforce at least the same password complexity requirements for SSH-enabled machines as they do for regular workstations. Using generated SSH keys in place of passwords is even better. When possible, multi-factor authentication should be enabled as well. In many SSH installations, logging in as the root user is disabled. Instead of enabling remote root logins, assign necessary group permissions to administrators. Rather than exposing SSH servers directly to the internet, consider placing them behind VPN access to prevent scanning and brute-force attacks. If your organization uses any Android IoT devices, do not enable ADB over the network. This feature is generally off by default.
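The SSH recommendations above can be checked against a server's `sshd_config`. The following is an added example, not code from the original page or from Bitdefender or Barracuda; the function names and sample configs are hypothetical, and the parser reads only the global section (it does not follow `Include` files or evaluate `Match` blocks).

```python
import re

# OpenSSH defaults when a keyword is absent (OpenSSH 7.0 and later).
DEFAULTS = {"passwordauthentication": "yes", "permitrootlogin": "prohibit-password"}

def global_settings(config_text):
    """Parse the global section of sshd_config text into {keyword: value}."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\w+)\s*(?:=\s*|\s+)(.+)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().strip('"').lower()
        if key == "match":  # conditional blocks are not evaluated here
            break
        settings.setdefault(key, value)  # sshd keeps the first value it reads
    return settings

def audit(config_text):
    """Return findings for the two SSH settings the advice above covers."""
    s = {**DEFAULTS, **global_settings(config_text)}
    findings = []
    if s["passwordauthentication"] != "no":
        findings.append("password logins accepted: require SSH keys instead")
    if s["permitrootlogin"] != "no":
        findings.append("root login is '%s': set PermitRootLogin no" % s["permitrootlogin"])
    return findings

# Constructed sample configs (not taken from any real host).
WEAK = """\
# keywords are case-insensitive; the later duplicate below is ignored by sshd
permitrootlogin yes
PasswordAuthentication yes
PasswordAuthentication no
"""
HARDENED = """\
PasswordAuthentication no
PermitRootLogin no
"""

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(text) or "no findings")
```

Setting `PasswordAuthentication no` does not cover keyboard-interactive prompts handled through PAM, so review `KbdInteractiveAuthentication` as well. On a live host, `sshd -T` prints the effective configuration with includes resolved.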