Cybersecurity researchers uncover zero-day flaws exploited for router and video recorder attacks
In a concerning development, experts at networking firm Akamai have discovered that malicious actors are actively exploiting two previously unknown zero-day vulnerabilities to compromise routers and video recorders. These vulnerabilities are being leveraged to build a formidable botnet employed in distributed denial-of-service (DDoS) attacks, raising alarms within the cybersecurity community. The vulnerabilities, which have not been disclosed to the manufacturers or the broader security research community, enable remote code execution when affected devices use default administrative credentials.
The attackers are exploiting these vulnerabilities to compromise devices and subsequently infect them with Mirai, a powerful open-source malware notorious for turning routers, cameras, and various IoT devices into a botnet capable of launching DDoS attacks of unprecedented scale.
Specifically, one vulnerability targets network video recorders, while the other targets an “outlet-based wireless LAN router designed for hotels and residential applications.” The router in question is manufactured by a Japan-based company known for producing multiple switches and routers. Researchers note that the exploited router feature is widespread, raising concerns that multiple router models from the same manufacturer could be vulnerable.
Upon discovering these zero days, Akamai promptly reported the vulnerabilities to both manufacturers. One manufacturer has provided assurances that security patches will be released next month. However, Akamai has refrained from disclosing the specific devices or manufacturers until fixes are implemented to prevent wider exploitation of the zero-days.
Akamai emphasizes the delicate balance between responsible disclosure, aimed at aiding defenders and oversharing information that could potentially enable further abuse by threat actors. The company has provided a comprehensive list of file hashes, IP addresses, and domain addresses associated with the attacks to enable network administrators and device owners to check whether their devices have been targeted.
The method employed for remote code execution involves command injection, requiring the attacker to authenticate using default credentials in the vulnerable device. The authentication and injection are executed through a standard POST request.
Akamai estimates that at least 7,000 devices may be vulnerable, with the actual number potentially higher. The use of Mirai in these attacks is noteworthy, as Mirai gained significant attention in 2016 when it orchestrated a DDoS attack on the security news site KrebsOnSecurity, setting a record with a 620 gigabit-per-second assault.
Mirai is distinctive in its ability to compromise routers, security cameras, and other IoT devices, a phenomenon not widely observed before its emergence. Furthermore, Mirai’s source code quickly became publicly available, leading to its adoption in larger-scale DDoS attacks targeting gaming platforms and their associated ISPs. The Mirai strain involved in the recent attacks, known as JenX, has undergone modifications, employing fewer domain names than usual to connect to command-and-control servers. Some malware samples also exhibit ties to a separate Mirai variant called hailBot.
Interestingly, the code used in these zero-day attacks, which includes offensive racist slurs, closely resembles that observed in DDoS attacks reported by a China-based security firm targeting a Russian news website in May. This convergence of tactics raises questions about the potential collaboration or shared resources among threat actors employing Mirai-based attacks.
The image below shows a side-by-side comparison.
Payloads exploiting the zero-days are:
alert tcp any any -> any any (msg:”InfectedSlurs 0day exploit #1 attempt”; content:”lang=”; content:”useNTPServer=”; content:”synccheck=”; content:”timeserver=”; content:”interval=”; content:”enableNTPServer=”; sid:1000006;)
and
alert tcp any any -> any any (msg:”InfectedSlurs 0day exploit #2 attempt”; content:”page_suc=”; content:”system.general.datetime=”; content:”ntp.general.hostname=”; pcre:”ntp.general.hostname=”; content:”ntp.general.dst=”; content:”ntp.general.dst.adjust=”; content:”system.general.timezone=”; content:”system.general.tzname=”; content:”ntp.general.enable=”; sid:1000005;)
People or organizations concerned with the possibility they’re being targeted with these exploits can use Snort rules and indicators of compromise published by Akamail to detect and repel attacks. At the moment, there is no way to identify the specific devices that are vulnerable or the manufacturers of those devices.
Original Article was published on: https://arstechnica.com/security/2023/11/thousands-of-routers-and-cameras-vulnerable-to-new-0-day-attacks-by-hostile-botnet/