
Cisco Fixes a Major Issue in Small Business Routers


Cisco has alerted customers that several end-of-life (EoL) VPN routers are affected by a critical authentication bypass flaw for which attack code is publicly available. Hou Liuyang of Qihoo 360 Netlab discovered the security hole (CVE-2023-20025) in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, and RV082 routers.

CVE-2023-20025 stems from improper validation of user input within incoming HTTP packets and could enable an unauthenticated remote attacker to bypass authentication on an affected system. By sending crafted HTTP requests to the router, an attacker could bypass authentication and gain root access to the underlying operating system.

The second vulnerability, identified as CVE-2023-20026, could enable remote code execution (RCE), but in order to exploit it, an attacker must have access to the device in question. As a result, the bug is graded medium and has a CVSS score of 6.5.

According to Cisco, the flaws are independent of one another and do not need to be exploited together. However, chaining them would be straightforward: the authentication bypass provides exactly the authenticated access that the remote code execution flaw requires.

There are no fixes for the issues, but Cisco recommends an effective mitigation: disable remote administration on the routers and block access to ports 443 and 60443, so that the routers are reachable only through the LAN interface. Although the routers have been discontinued, researchers found that an installed base still exists. Out-of-date equipment frequently remains in commercial settings even after the vendor has discontinued it, providing a fertile target for attackers.

According to Mike Parkin, senior technical engineer at Vulcan Cyber, the Cisco small business routers affected by these flaws still see fairly broad use, even though they have all reached end of life. One difficulty is that the devices are frequently used by individuals who may not have the money to replace them, or by smaller firms with limited resources.

SMB routers are widely used, and because many users now work from home or in hybrid offices, it is not only SMBs that are affected. The vulnerable products could be found in branch offices, COEs, or even home offices.



The Fodcha DDoS Botnet Hits Over 100 Victims

 

Qihoo 360 researchers have found a rapidly spreading new botnet called Fodcha that is capable of carrying out more than 100 attacks every day. The threat actor is using the malware to compromise routers, DVRs, and servers, and infected nearly 62,000 machines in less than a month, according to the researchers.

360 Netlab reports that the number of unique IP addresses affiliated with the botnet fluctuates; the team is monitoring a 10,000-strong Fodcha army of bots on Chinese IP addresses every day, the majority of them on China Unicom (59.9%) and China Telecom (39.4%) networks.

The researchers said: "Based on firsthand data from the security industry with whom we collaborated, the frequency of live bots is more than 56000." "The global infection appears to be quite large, as there are over 10,000 daily active bots (IPs) in China, and over 100 DDoS victims are targeted daily."

Fodcha infects devices by exploiting n-day vulnerabilities and by using the Crazyfia brute-force password-cracking tool. The botnet targets a variety of devices and services, including but not limited to:

Android ADB Debug Server RCE
CVE-2021-22205 in GitLab
CVE-2021-35394 in the Realtek Jungle SDK
JAWS Webserver unauthenticated shell command execution on MVPower DVRs
LILIN DVR RCE
TOTOLINK router backdoor
ZHONE router web RCE

After gaining access to vulnerable Internet-exposed devices, the Fodcha operators use the Crazyfia results to deploy the malware payload. According to 360 Netlab, the botnet samples target MIPS, MPSL, ARM, x86, and other CPU architectures.

The botnet used the folded[.]in command-and-control (C2) domain from January 2022 until March 19, when it switched to fridgexperts[.]cc after the cloud vendor took down the original C2 domain.

"The switch from v1 to v2 is due to a cloud vendor shutting down the C2 servers corresponding to the v1 version, leaving Fodcha's operators with no alternative but to re-launch v2 and upgrade C2," the researchers reported. "The new C2 is mapped to over a dozen IP addresses and is scattered across different countries, including the United States, Korea, Japan, and India." The new C2 infrastructure also uses more cloud providers, including Amazon, DediPath, DigitalOcean, Linode, and others.
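As an added example (not code from the post or from 360 Netlab), the following Python check flags resolver log lines that look up either of the two Fodcha C2 domains named above, covering subdomains, mixed case, trailing dots, and defanged spellings while rejecting look-alike suffixes; the log format and sample lines are constructed for illustration.

```python
import re

# C2 domains named in the post, kept in the defanged form the post uses.
FODCHA_C2 = {
    "folded[.]in": "Fodcha v1 C2 (January 2022 to March 19, 2022)",
    "fridgexperts[.]cc": "Fodcha v2 C2 (after March 19, 2022)",
}


def refang(name):
    """Normalise a domain: undo [.] defanging, lowercase, drop a trailing dot."""
    return name.replace("[.]", ".").strip().lower().rstrip(".")


def c2_label(qname):
    """Return the C2 label if qname is a C2 domain or a subdomain of one, else None.
    The suffix must be dot-bounded so that e.g. 'notfolded.in' does not match."""
    q = refang(qname)
    for domain, label in FODCHA_C2.items():
        d = refang(domain)
        if q == d or q.endswith("." + d):
            return label
    return None


# Constructed, dnsmasq-like query line: <timestamp> <client-ip> query[<type>] <qname>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+query\[(?P<qtype>[A-Z]+)\]\s+(?P<qname>\S+)"
)


def find_c2_lookups(lines):
    """Return (timestamp, client-ip, normalised qname, label) for each C2 lookup."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a query line (replies, cache hits, etc.)
        label = c2_label(m.group("qname"))
        if label:
            hits.append((m.group("ts"), m.group("src"), refang(m.group("qname")), label))
    return hits


# Constructed sample log (not real traffic); 192.0.2.0/24 is documentation address space.
SAMPLE_LOG = [
    "2022-03-18T09:12:01Z 192.0.2.15 query[A] folded.in",
    "2022-03-18T09:12:05Z 192.0.2.15 query[A] www.example.com",
    "2022-03-20T11:40:33Z 192.0.2.42 query[A] cnc.FRIDGEXPERTS.CC.",
    "2022-03-20T11:41:00Z 192.0.2.42 query[AAAA] notfolded.in",
    "2022-03-20T11:41:10Z 192.0.2.42 reply www.example.com is 192.0.2.99",
]

if __name__ == "__main__":
    for ts, src, qname, label in find_c2_lookups(SAMPLE_LOG):
        print(f"{ts} {src} -> {qname}: {label}")
```

A hit from a client on the v1 domain after March 19 is still worth a look, since a bot that was never updated keeps polling the old C2.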


ZHtrap, the Latest Malware to Install Honeypots on Devices to Identify More Targets

 

Security researchers at 360 Netlab have discovered a new botnet that targets routers, DVRs, and UPnP network devices and turns the infected devices into honeypots that help it identify further targets to exploit.

Security experts have named the malware ‘ZHtrap’; it is based on Mirai’s source code and comes with support for x86, ARM, MIPS, and other CPU architectures. Once it has taken control of a device, ZHtrap prevents other malware from re-infecting it: a whitelist allows only the existing system processes to keep running, and all attempts to run new commands are blocked.

The malware uses a Tor-hosted command-and-control (C2) server to communicate with other botnet nodes and a Tor proxy to hide its malicious traffic. It can launch DDoS attacks and scan for other vulnerable devices to infect, and it includes a backdoor that lets the operators download and execute additional malicious payloads.

To propagate, ZHtrap uses exploits for four N-day security flaws in Realtek SDK Miniigd UPnP SOAP endpoints, MVPower DVRs, Netgear DGN1000 routers, and an extensive list of CCTV-DVR devices. It also looks for devices with weak Telnet passwords, working from randomly generated IP addresses and from addresses gathered with the help of the honeypot it installs on devices already captured by the botnet.

“Compared to other botnets we have analyzed before, the most interesting part of ZHtrap is its ability to turn infected devices into honeypots. Honeypots are usually used by security researchers as a tool to capture attacks, such as collecting scans, exploits, and samples. But this time around, we found that ZHtrap uses a similar technique by integrating a scanning IP collection module, and the collected IPs are used as targets in its own scanning module,” security researchers at 360 Netlab stated.

Recently, security experts have also identified an upgraded version of the z0Miner cryptomining botnet, which now tries to compromise vulnerable Jenkins and Elasticsearch servers to mine Monero (XMR) cryptocurrency.