The threat at a glance

Darktrace researchers have identified PumaBot, a Go-based Linux botnet that targets embedded surveillance cameras and other IoT devices. Unlike spray-and-pray botnets that scan the whole internet, PumaBot pulls a curated IP list from its C2 and then brute-forces SSH logins on port 22 until it gets a shell. Once in, it drops its payload under /lib, registers a rogue systemd service, injects a back-door key into ~/.ssh/authorized_keys, and can fetch further modules over the same C2 channel.

Why device-level controls matter

Because every stage of PumaBot’s kill-chain runs on the device itself, exploiting its own vulnerabilities and misconfigurations, network-edge firewalls alone are not enough. The controls have to live on the camera or NVR, enforcing policy even when the device is connected to an untrusted network.

Check Point’s Quantum IoT Protect Nano Agent was built for exactly this scenario. It runs inside the device, building access control, runtime protection, file-integrity monitoring, and behavioral sensors directly into the firmware, with negligible CPU/RAM overhead.

Breaking PumaBot’s kill-chain with Nano Agent
  • PumaBot tactic: SSH brute-force attack
    What Nano Agent does: SSH Login Protection – the agent enforces a configurable rate-limit on authentication attempts (e.g., 3 failures/60 s).
    How the protection works on-device: PumaBot exhausts its quota in a few seconds and is black-holed before a password can be guessed.
  • PumaBot tactic: Open port 22 reachable from anywhere
    What Nano Agent does: Access Control – a built-in micro-firewall restricts inbound SSH (and any other service) to a whitelist of IP/CIDR ranges or a site-to-site VPN interface. Outbound traffic can likewise be filtered by IP or domain.
    How the protection works on-device: PumaBot’s scanners never see the port; even if they do, packets are silently dropped.
  • PumaBot tactic: Binary & service drop (/lib/redis/jierui, redis.service)
    What Nano Agent does: File Monitor plugin – hooks every write/rename/chmod call to protected paths. Executables and designated config/data files become immutable at runtime.
    How the protection works on-device: The write to /lib is denied and logged; the systemd unit can’t be created because the payload never lands on disk.
  • PumaBot tactic: Key injection & interactive shell
    What Nano Agent does: SSH Audit – the security plugin records every SSH session: username, source IP, exact command string, timestamp, and tty length. Anomaly rules alert on new keys or suspicious commands (e.g., chmod +x /lib/*).
    How the protection works on-device: Even if an insider account is used, SOC teams see it in real time and can quarantine the device.
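As an added illustration of the two detection rules in the table (the rate limit on SSH failures and the audit rules over session commands), the following Python is not Check Point’s Nano Agent code and makes no claim about how that product is built. It runs the same logic over constructed OpenSSH auth-log lines and a constructed per-command audit trail, using the example threshold of 3 failures per 60 s quoted in the table; the IPs, timestamps and placeholder key are all constructed.

```python
"""Device-side detection logic for two PumaBot stages (illustrative, not vendor code).

Assumes standard OpenSSH syslog lines and a simple list of recorded SSH commands.
The 3-failures-per-60-s threshold is the example value from the table above.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_LIMIT = 3                     # failures inside the window that trip the block
WINDOW = timedelta(seconds=60)

# OpenSSH auth-log lines use a classic syslog timestamp without a year.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

# Constructed sample log: one scanner hammering root/admin, one operator with two slow typos.
SAMPLE_AUTH_LOG = """\
May 27 10:00:01 cam01 sshd[812]: Failed password for root from 203.0.113.7 port 51234 ssh2
May 27 10:00:03 cam01 sshd[813]: Failed password for root from 203.0.113.7 port 51235 ssh2
May 27 10:00:05 cam01 sshd[814]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
May 27 10:00:06 cam01 sshd[815]: Failed password for root from 203.0.113.7 port 51237 ssh2
May 27 10:00:08 cam01 sshd[816]: Accepted password for root from 203.0.113.7 port 51238 ssh2
May 27 10:00:10 cam01 sshd[820]: Failed password for operator from 192.0.2.50 port 40000 ssh2
May 27 10:05:00 cam01 sshd[821]: Failed password for operator from 192.0.2.50 port 40001 ssh2
""".splitlines()


def _parse_ts(text, year=2025):
    # Syslog omits the year; assume one so timestamps are comparable.
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(log_lines, limit=FAIL_LIMIT, window=WINDOW):
    """Sliding-window rate limit per source IP.

    Returns {ip: {"tripped_at": datetime, "dropped": n, "accepted_after_block": n}}
    for every source that reached `limit` failures inside `window`. Events from an
    already-blocked source are counted rather than dropped, so the report shows what
    an enforcing agent would have prevented (including a later successful login).
    """
    recent = defaultdict(deque)      # ip -> failure timestamps still inside the window
    blocked = {}
    for line in log_lines:
        m = AUTH_RE.match(line)
        if not m:
            continue
        ip, ts = m["ip"], _parse_ts(m["ts"])
        if ip in blocked:
            key = "accepted_after_block" if m["result"] == "Accepted" else "dropped"
            blocked[ip][key] += 1
            continue
        if m["result"] != "Failed":
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # evict failures older than the window
            q.popleft()
        if len(q) >= limit:
            blocked[ip] = {"tripped_at": ts, "dropped": 0, "accepted_after_block": 0}
    return blocked


# Audit rules over recorded command strings, modelled on the table's examples:
# a key appended to authorized_keys, an executable made under /lib, a new systemd unit.
AUDIT_RULES = [
    ("write to authorized_keys", re.compile(r"(?:>>?|\btee\b)\s*(?:-a\s+)?\S*authorized_keys")),
    ("executable planted under /lib", re.compile(
        r"chmod\s+\S+\s+/lib/|(?:curl|wget)\s.*-[oO]\s*/lib/|\b(?:cp|mv)\s+\S+\s+/lib/")),
    ("new systemd unit", re.compile(r"systemctl\s+enable|/etc/systemd/system/")),
]

# Constructed audit trail; the key material is a placeholder, the paths come from the post.
SAMPLE_SESSIONS = [
    {"ts": "2025-05-27T10:00:09Z", "user": "root", "src": "203.0.113.7",
     "cmd": "echo 'ssh-rsa AAAAB3...EXAMPLE pumabot' >> ~/.ssh/authorized_keys"},
    {"ts": "2025-05-27T10:00:11Z", "user": "root", "src": "203.0.113.7",
     "cmd": "chmod +x /lib/redis/jierui"},
    {"ts": "2025-05-27T10:00:12Z", "user": "root", "src": "203.0.113.7",
     "cmd": "systemctl enable redis.service"},
    {"ts": "2025-05-27T10:30:00Z", "user": "operator", "src": "192.0.2.50",
     "cmd": "uptime"},
]


def audit_sessions(records, rules=AUDIT_RULES):
    """Apply each audit rule to every recorded command; return the alerts raised."""
    alerts = []
    for rec in records:
        for name, pattern in rules:
            if pattern.search(rec["cmd"]):
                alerts.append({"rule": name, **rec})
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"block {ip} at {info['tripped_at']:%H:%M:%S}: "
              f"{info['dropped']} further failures and "
              f"{info['accepted_after_block']} login(s) would have been prevented")
    for a in audit_sessions(SAMPLE_SESSIONS):
        print(f"ALERT [{a['rule']}] {a['user']}@{a['src']}: {a['cmd']}")
```

On the constructed input the scanner is blocked at its third failure, one more failure and the eventual successful login would have been dropped, while the operator’s two failures five minutes apart never reach the limit; the three commands that match the post’s kill-chain each raise exactly one alert and the benign `uptime` raises none.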
Operational benefits
  • Compatible with Linux-based platforms: Nano Agent is a software package that the manufacturer includes as part of the image. It is compatible with any Linux distribution.
  • Cloud or offline: Policies can be managed centrally from Infinity Portal or stored locally for fully air-gapped deployments.
  • Forensic depth: Rich JSON logs (one record per command/event) feed the SIEM.
  • Zero-day resilience: Control-flow-integrity (CFI) blocks software hijacking attacks even if PumaBot evolves away from today’s binaries.
Deploying in three quick steps
  1. Install the agent package (contact [email protected] to get a trial version).
  2. Define your allow-list of IPs/subnets for SSH and any camera streaming ports in cp-nano-orchestration-conf.json.
  3. Push the policy (or let the cloud portal sync). Watch for any “blocked-write” or “ssh-anomaly” alerts—those are PumaBot being stopped in real time.
Key takeaway

PumaBot succeeds only when an IoT device is both visible and writable.
Check Point’s Nano Agent removes those two prerequisites:

  • Invisible – unsolicited SSH is rate-limited and blocked by default for remote access.
  • Immutable – binaries, keys, and configs can’t be tampered with.
  • Auditable – every legitimate session is stamped, every illegitimate one is blocked and reported.

By embedding protection at the firmware layer, Quantum IoT Protect Nano Agent turns each camera or sensor into its own security gateway, cutting the botnet off at the root and giving operators the confidence to keep critical surveillance infrastructure online.
