Date: 2023-11-23

Researchers at networking firm Akamai said Thursday that malicious actors are actively exploiting two new zero-day vulnerabilities to turn routers and video recorders into hostile botnets used in distributed denial-of-service attacks.

According to the Akamai post, both vulnerabilities, previously unknown to the device manufacturers and to the security research community at large, allow remote execution of malicious code when affected devices use default administrative credentials. Unknown attackers are exploiting the zero-days to compromise devices so that they can be infected with Mirai, a powerful piece of open source software that makes routers, cameras and other types of Internet of Things devices part of a botnet capable of waging DDoSes of previously unimaginable size.

Akamai researchers said one of the zero-days resides in one or more models of network video recorders that are under attack. The other zero-day resides in “outlet-based wireless LAN routers built for hotels and residential applications”. The router is sold by a Japan-based manufacturer that “produces a number of switches and routers.” The router feature being exploited is “a very common thing”, and the researchers cannot rule out the possibility that it is being exploited in many router models sold by the manufacturer.

Akamai said it has reported the vulnerabilities to both manufacturers, and one of them has said that security patches will be released next month. Akamai said it was not identifying specific devices or manufacturers until fixes are in place, to avoid the zero-days being exploited more widely.

“Although this information is limited, we felt it was our responsibility to alert the community about the ongoing exploitation of these CVEs in the wild. There is a thin line between responsibly disclosing information to help defenders and excessively sharing information that could enable further abuse by a multitude of threat actors.”

In its post, Akamai provides many of the file hashes and IP and domain addresses being used in the attacks. Owners of network video recorders and routers can use this information to check whether devices on their network have been targeted.

Remote code execution relies on a technique called command injection, which first requires the attacker to authenticate using credentials configured on the vulnerable device. Both the authentication and the injection are carried out with a standard HTTP POST request.

In an email, Akamai researcher Larry Cashdollar wrote:

Devices typically do not allow code execution through the management interface. This is why obtaining RCE through command injection is essential. Because the attacker needs to authenticate first, they need to know some login credentials that will work. If devices are using easy-to-guess logins like admin:password or admin:password1 they may also be at risk if someone expands the list of credentials to try.

He said both manufacturers have been notified, but only one of them has so far committed to releasing a patch, which is expected next month. The status of a fix from the other manufacturer is currently unknown.

Cashdollar said an incomplete Internet scan revealed at least 7,000 vulnerable devices. The actual number of affected devices may be higher.

Mirai first came to widespread public attention in 2016, when a botnet (meaning a network of compromised devices under the control of a hostile threat actor) hit the security news site KrebsOnSecurity with a record-setting 620 gigabit-per-second DDoS.

Apart from its massive firepower, Mirai stands out for other reasons as well. For one, the devices it controlled were routers, security cameras, and a host of other types of IoT devices, something largely unseen before. For another, the underlying source code quickly became freely available. Soon, Mirai was also being used in large DDoSes targeting gaming platforms and the ISPs that serve them. Mirai and other IoT botnets have been a fact of Internet life ever since.

The Mirai strain used in the attacks discovered by Akamai is primarily an older one known as GenX. However, it has been modified to use much shorter domain names than usual to connect to command-and-control servers. Some malware samples also show connections to a different Mirai variant called Hellbot.

The code used in the zero-day attacks observed by Akamai, which also contained offensive racist slurs, is almost identical to the code used in DDoS attacks that a China-based security firm saw targeting a Russian news website in May. The image below shows a side-by-side comparison.

Side-by-side comparison of October (left) and April (right) code.

The Snort detection rules for the payloads that exploit the zero-days are:

alert tcp any any -> any any (msg:"Infected Slurs 0day exploit #1 attempt"; content:"lang="; content:"useNTPServer="; content:"synccheck="; content:"timeserver="; content:"interval="; content:"EnableNTPServer="; sid:1000006;)

and

alert tcp any any -> any any (msg:"Infected Slurs 0day exploit #2 attempt"; content:"page_suck="; content:"system.general.datetime="; content:"ntp.general.hostname="; pcre:"/ntp\.general\.hostname=/"; content:"ntp.general.dst="; content:"ntp.general.dst.adjust="; content:"system.general.timezone="; content:"system.general.tzname="; content:"ntp.general.enable="; sid:1000005;)

People or organizations concerned about the possibility of being targeted by these exploits can use the Snort rules and indicators of compromise published by Akamai to detect and remediate the attacks. At the moment, there is no public way to identify the specific devices that are vulnerable or the manufacturers of those devices.
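For readers who cannot run Snort on the segment where their recorders or routers sit, the check below reproduces the matching logic of the two rules above (every content string must appear in the request) over raw HTTP requests taken from a capture or proxy log. This is an added example, not code from Akamai or Ars Technica; the request samples, the /cgi-bin/ntp.cgi path and the field values are constructed for illustration.

```python
"""Match raw HTTP requests against the content strings of Akamai's two Snort rules.

Added example, not Akamai's or Ars Technica's code. A Snort rule with several
content: keywords fires only when every string is present, so the check below
requires all of a rule's strings to occur in the request body.
"""
from typing import Dict, List, Tuple

# sid -> (msg, content strings), copied from the two rules reproduced above
RULES: Dict[int, Tuple[str, List[str]]] = {
    1000006: ("Infected Slurs 0day exploit #1 attempt",
              ["lang=", "useNTPServer=", "synccheck=", "timeserver=",
               "interval=", "EnableNTPServer="]),
    1000005: ("Infected Slurs 0day exploit #2 attempt",
              ["page_suck=", "system.general.datetime=", "ntp.general.hostname=",
               "ntp.general.dst=", "ntp.general.dst.adjust=",
               "system.general.timezone=", "system.general.tzname=",
               "ntp.general.enable="]),
}


def http_body(raw_request: bytes) -> bytes:
    """Return the body of a raw HTTP/1.x request (everything after the blank line)."""
    _head, sep, body = raw_request.partition(b"\r\n\r\n")
    return body if sep else b""


def matching_sids(raw_request: bytes) -> List[int]:
    """sids of rules whose content strings all occur in the request body.

    The rules carry no offset or ordering modifiers, so plain substring
    checks reproduce their matching behaviour.
    """
    body = http_body(raw_request)
    return sorted(sid for sid, (_msg, needles) in RULES.items()
                  if all(n.encode() in body for n in needles))


# Constructed samples, not real captures; the path /cgi-bin/ntp.cgi is made up.
# The second request carries every form field named in rule #1 with harmless
# values, which is enough to trip it: the rule keys on parameter names, so a
# legitimate NTP-settings save from the admin UI fires it too and a hit should be
# triaged against the source address and Akamai's published IoCs.
SAMPLES = {
    "benign_get": b"GET /index.html HTTP/1.1\r\nHost: nvr.local\r\n\r\n",
    "ntp_form_post": (b"POST /cgi-bin/ntp.cgi HTTP/1.1\r\nHost: nvr.local\r\n"
                      b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                      b"lang=en&useNTPServer=1&synccheck=1&timeserver=pool.ntp.org"
                      b"&interval=60&EnableNTPServer=1"),
    "partial_post": b"POST /cgi-bin/ntp.cgi HTTP/1.1\r\n\r\nlang=en&timeserver=x",
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name}: {[RULES[s][0] for s in matching_sids(req)]}")
```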

Source: arstechnica.com