Our security team has discovered public IP modems that have been compromised by the IoTroop/Reaper security exploit, which is causing extremely high data usage. While this issue is driving up data consumption, it does NOT appear to be attempting to access or impact connected equipment.
For your records, we have included the preliminary details of the incident below.
Summarized Incident Information
Summary of Issue: The IoTroop/Reaper botnet has taken over some public IP modems and is causing significant data overages.
Devices Impacted: Linux-based Sierra Wireless modems with public IP addresses on the Verizon network, including the RV50, LS300, and GX400
Start: Indications of a compromise on March 28th at 6:00pm CDT; root cause identified March 29 at 3:00pm
End: No ETA on remediation at this time, as we are waiting on fixes to be provided by the modem vendor
Our team is working with the modem vendor, Sierra Wireless, and Verizon to resolve the issue. We will have a remediation plan, but we are currently waiting on the fixes to be provided.
We intend to do a firmware update on the modems showing signs of malware infection as soon as reasonable. Firmware updates are low risk, but there will be up to a 30-minute downtime depending on communication throughput and other potential side effects. If we have challenges updating your modem, support will contact you.
If you would like to update modem firmware yourself, please see the Sierra Wireless Bulletin and let support know.
If you have any additional questions, comments, or concerns regarding this incident, please contact us at firstname.lastname@example.org or call 866-303-5969.
Public modems are extremely vulnerable to these types of exploits. Many of the modems that are being exploited are older modems that are no longer supported by the vendor.
As a security best practice, we strongly recommend our customers move public IP modems to our secure SCADA monitoring network at no cost. If you are running an older modem, such as an LS300 or GX400, we strongly suggest replacing your outdated modem by clicking below: