Research

State of play: network devices facing bulls-eye

A long time has passed since we published our analysis of threats for home network devices. Since then, the situation has significantly changed – alas, not for the better. Back in 2011, we were concerned mainly about the security of SOHO routers, DSL modems and wifi access points. Today, we are talking about the whole Internet-of-Things, which includes every single machine, appliance or gadget that is able to communicate over the Internet.

Let’s recall what kind of threats for network devices we were aware of at the end of 2011:

  • DNS poisoning, drive-by pharming and SOHO pharming: exploitation of vulnerabilities in a web interface of a router/modem to change its DNS settings in order to redirect users to malicious websites
  • UPnP & SNMP based attacks: exploitation of vulnerabilities and implementation issues in widely used protocols in order to get access to the device
  • Malicious binaries: Linux-based DDoS (Distributed Denial of Service) tools, especially customized to run on routers; router botnets, capable of conducting a wide range of attacks; worms, infecting routers and spreading through the network

And now, let’s look at the year 2014 and see which of our predictions came true…

More SOHO pharming attacks

True. There have been numerous attacks utilizing a router’s DNS settings to obtain users banking credentials and redirect users to malicious websites. Just to name a few of the biggest incidents:

  • January 2014: huge SOHO pharming campaign affecting a wide range of routers from several manufacturers all over the world. The attackers exploited a variety of vulnerabilities to change the DNS settings of more than 300 000 devices, mainly located in Vietnam, India and Thailand, but also in several countries in Europe, both Americas and Africa. As a result, all traffic from behind the compromised routers was redirected to the malicious servers, enabling cybercriminals to decide if users should be pointed to the original version of the website they requested, or to the phishing/malicious one.
  • February 2014: another large scale campaign using the DNS poisoning technique. This time the attack was highly targeted and the goals of the cybercriminals were strictly defined: the attack was designed to steal the banking credentials from users of five popular Polish banks. In this case the number of infected routers was about 100 and most of them were located in Poland and Russia. When users tried to log into the online banking website, they were redirected to a modified site which requested them to provide the confidential information.
  • September 2014: classical drive-by pharming attack targeting home routers in Mexico and Brazil. This attack started with malicious email, spammed to a large number of Portuguese-speaking users, in which cybercriminals tried to lure the recipient to click on the link to malicious website. The HTML script on this website was designed to try several combinations of default credentials to access the configuration of the router and change its DNS settings. If this approach failed, the script displayed a pop up, asking user to enter the router credentials manually.

Binary malware for ARM and other platforms

True. We have discovered more malware samples that are affecting MIPS routers, and – more importantly – samples developed in such a way that they might be compiled for different platforms (MIPS, ARM, Intel, PPC, SuperH, etc.) and run on different kinds of Linux-based devices. A couple of examples:

  • Aidra – an open source DDoS tool, designed to scan modems/routers and create a botnet from exploitable devices. There are currently several Aidra binaries in the wild, compiled for different platforms (MIPS, ARM, PPC, SuperH), which means that this worm has been customized to be able to infect Internet-of-Things devices.
  • Figure 1 – Aidra – open source DDoS tool

  • Darlloz – a Linux worm and bot designed for MIPS, ARM and Intel architectures, spreading through a PHP-CGI vulnerability to randomly generated IP addresses and capable of downloading and running additional code. It communicates with the malicious operator by opening a backdoor on TCP port 58455 and waiting for commands. It infected more than 30 000 devices, mainly in the US and China, and – as it was proven later – was used to install crypto-currency mining software (cpuminer), at least on Intel x86 devices.
  • Figure 2a – Darlloz worm, code compiled for ARM architecture

    Figure 2b – Darlloz worm, same code snipped, compiled for x86 architecture

  • The Moon worm – a mysterious worm, spreading through a remote authentication bypass exploit in the implementation of the HNAP protocol in Linksys E-Series routers. This malware collects information about the device and communicates with its C&C (Command and Control) servers using quotes and images from the 2009 sci-fi movie called “The Moon”. The IP ranges that the worm scans, in order to exploit them, are hard-coded in the binary and include about 670 networks, most of which belong to certain DSL and cable modem ISPs in different countries.
  • Figure 3 – The Moon worm, strings related to The Moon movie

Permanent modifications of firmware

True. The story published in the German c’t magazine revealed the first router malware that was trying to make persistent changes to the router firmware. The malware consisted of several Linux shell scripts that were responsible for downloading the modified version of the firmware, overwriting the original image and rebooting the router. The malicious firmware came with a modified init script, which launched a sniffing tool (dsniff) on the infected machine, capturing traffic and sending all the intercepted data to the C&C FTP server. This malware was found to be affecting not only routers but also other Linux-based embedded devices, such as Dreambox DVB receivers.

Figure 4 – Flasher, script replacing the original firmware

Figure 5 – Flasher, script running the sniffer and uploading the data to FTP server

Cross-platform and multi-platform malware

True. Malware and botnets traditionally associated with Windows machines only, now start to use routers and other Internet enabled devices for different malicious purposes:

  • The Sality virus was found to incorporate SOHO routers in its replication process, by using DNS poisoning method to redirect users to infected files. In this case, the malware used was Windows malware similar to the DNSChanger Trojan.
  • The Black Energy 2 botnet also got an IoT upgrade: it started to use additional plugins which are designed to run on Linux-based MIPS and ARM devices. These modules are capable of performing DDoS attacks, stealing passwords, scanning ports in the network and sniffing traffic. They are communicating with C&C servers and are able to execute specified shell commands and download and launch additional binaries.  We have recently published an in-depth analysis of Black Energy 2, where you can find much more details about it.

More vulnerabilities in firmware discovered and exploited

True. Several critical vulnerabilities affecting Internet-of-Things devices were discovered and reported to the vendors this year. Just to name a few:

  • Rom-0 vulnerability in ZyXEL routers, which allows an attacker to download the router’s configuration file without any authentication
  • CVE-2014-2719 vulnerability in ASUS wireless routers, which allows an attacker to retrieve the router’s credentials
  • 15 zero-day vulnerabilities in 10 different SOHO router models, revealed at the Defcon 22’s SOHOpelessly Broken contest
  • Our colleague, David Jacoby, found interesting zero-days in the devices he uses at home.
  • We also need to remember that the Heartbleed and Shellshock vulnerabilities affect some Linux-based network devices and internet-of-Things devices as well.

But what is even more scary than the growth in discovered vulnerabilities, is the fact that certain vendors seem to implement hardcoded firmware backdoors in their products, providing cybercriminals with an easy way-in, especially to devices that no longer receive any updates.

As we can see, the security situation of the network devices didn’t much improve since 2011. Most of our predictions came true: the threats are on the rise and cybercriminals widen their interest not only to home routers and modems, but to the whole Internet-of-Things. Although both the vendors and the ISPs are slowly realizing the threat and trying to make their devices more secure, there is still a lot to do. For example, one of the very serious issues is that most of the older devices are not receiving firmware updates anymore, so if there is any new attack vector discovered, users can do literally nothing to protect themselves against it, unless they decide to purchase an (often expensive) newer version of the device, that is still being supported. This issue is not easy to fix: for the vendors, it wouldn’t really be cost-effective to support each of the devices they offer for a long period of time; and without the software patches, there is not much to do to secure these devices from the customer’s side. Times has changed, and we need to come up with a new security model for Internet of Things, as the old one is not working properly anymore.

To learn, how to protect your home network, please read the guidelines put together by my colleague, David Jacoby.

State of play: network devices facing bulls-eye

Your email address will not be published. Required fields are marked *

 

Reports

Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

Subscribe to our weekly e-mails

The hottest research right in your inbox