Thousands of Routers and Cameras Vulnerable To New 0-Day Attacks By Hostile Botnet (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: Miscreants are actively exploiting two new zero-day vulnerabilities to wrangle routers and video recorders into a hostile botnet used in distributed denial-of-service attacks, researchers from networking firm Akamai said Thursday. Both of the vulnerabilities, which were previously unknown to their manufacturers and to the security research community at large, allow for the remote execution of malicious code when the affected devices use default administrative credentials, according to an Akamai post. Unknown attackers have been exploiting the zero-days to compromise the devices so they can be infected with Mirai, a potent piece of open source software that makes routers, cameras, and other types of Internet of Things devices part of a botnet that's capable of waging DDoSes of previously unimaginable sizes.
Akamai researchers said one of the zero-days under attack resides in one or more models of network video recorders. The other zero-day resides in an "outlet-based wireless LAN router built for hotels and residential applications." The router is sold by a Japan-based manufacturer, which "produces multiple switches and routers." The router feature being exploited is "a very common one," and the researchers can't rule out the possibility it's being exploited in multiple router models sold by the manufacturer. Akamai said it has reported the vulnerabilities to both manufacturers, and that one of them has provided assurances security patches will be released next month. Akamai said it wasn't identifying the specific devices or the manufacturers until fixes are in place to prevent the zero-days from being more widely exploited.
The Akamai post provides a host of file hashes and IP and domain addresses being used in the attacks. Owners of network video cameras and routers can use this information to see if devices on their networks have been targeted. [...] In an email, Akamai researcher Larry Cashdollar wrote: "The devices don't typically allow code execution through the management interface. This is why getting RCE through command injection is needed. Because the attacker needs to authenticate first they have to know some login credentials that will work. If the devices are using easy guessable logins like admin:password or admin:password1 those could be at risk too if someone expands the list of credentials to try." He said that both manufacturers have been notified, but only one of them has so far committed to releasing a patch, which is expected next month. The status of a fix from the second manufacturer is currently unknown. Cashdollar said an incomplete Internet scan showed there are at least 7,000 vulnerable devices. The actual number of affected devices may be higher.
Ethics of withholding identity? (Score:2)
I can make the argument both ways:
Pro: Give the vendors the chance to fix this while avoiding widespread common knowledge of who's vulnerable.
Con: Since this is being actively exploited by significant actors, users (including corporate/government users) should know if they are at risk so they can make the informed decision to continue operating (accepting risk) or to shut down until the patch is released (rejecting the exploitation risk, but with other costs).
I'm strongly inclined to favor the Con approach
Re: (Score:2)
I can make the argument both ways:
Pro: Give the vendors the chance to fix this while avoiding widespread common knowledge of who's vulnerable.
Con: Since this is being actively exploited by significant actors, users (including corporate/government users) should know if they are at risk so they can make the informed decision to continue operating (accepting risk) or to shut down until the patch is released (rejecting the exploitation risk, but with other costs).
I'm strongly inclined to favor the Con approach, but I think this is a topic worth debating here.
Extremely con. There's zero benefit to disclosing it without disclosing the manufacturer. All it can do is cause chaos and fear, because nobody affected can do anything about it, and countless people who aren't affected will be unnecessarily in a state of panic. Either disclose or don't disclose, but disclosing everything but the most important piece of information makes it sound like a scam.
Re: (Score:2)
Japan-based router manufacturer... Let's see, NEC, Buffalo, IO-Data, Elecom. Must be one of them.
The problem is that even if they fix it, what are the chances that all users update? Even if they had a way of contacting every random person who bought a router from a shop, how many would take action, and how many are technically competent enough to do it?
There was a joke in a recent anime about a domestic robot that wanted its owner to update it, but the owner clearly didn't rate updates as a priority.
People
Who are you protecting? (Score:2)
It's a zero-day, actively being exploited.
If you're still debating on whether or not you should protect the vendor, ask yourself: Who are you protecting? The criminals, or the victims?
just a reminder to *our* spooks (Score:2)
The same backdoors you use to monitor what I had for breakfast can be exploited by hostile actors.
Tinfoil hat:
Insist on open source firmware.
"Vulnerable if using default credentials" (Score:2)
Umm... if you leave an identifiable device with an Internet-facing open port and use default credentials, it wouldn't seem to take a genius to do lots of malicious stuff without having any kind of actual 'exploit' required at all.
If your device has active default credentials on it, you should lose your license to use the Internet.
Re: (Score:2)
More than that: if the device in question is a router, why would it even offer the administrator console on the WAN port? In the absolute best case, having it available on the WAN is only useful if you are an idiot and plug shit in backwards.
Double extra credit if the device in question is a cable modem or fiber transceiver where it's not even possible to cross wires, because the wires are totally different connections (coax vs. ethernet, fiber vs. ethernet) and still makes the administrative interface ava
Re: (Score:2)
The ISP wants to have access to remote in so they can fix / look at the device, and they want to make them rent-only.
Re: (Score:2)
The ISP wants to have access to remote in so they can fix / look at the device, and they want to make them rent-only.
I blame the manufacturer for not enforcing a password reset to avoid the default password vuln.
But on top of that, what kind of moron staff works at the ISP that does not automatically do that when a device comes online?
Remote access is understandable in certain scenarios. Being a fucking idiot about it, isn't.
Re: (Score:2)
if the device in question is a router, why would it even offer the administrator console on the WAN port? In the absolute best case, having it available on the WAN is only useful if you are an idiot and plug shit in backwards.
Or it could be useful if the untrusted side of the router is on the LAN side and the trusted part is on the WAN side, such as when the "router" (most of these in the consumer market are all-in-one network switch / management server / AP devices) is used for guest Wi-Fi or spyware-laden consumer crap.
Granted, you'd probably want something better than a consumer grade "router" in that case, but for most people that's about the limit of what they'd have their family IT person set up. (Assuming they knew to d
Root Cause. (Score:2)
If your device has active default credentials on it, you should lose your license to use the Internet.
If your internet device does not force a password reset as part of the setup, you should lose your manufacturing license.
Re: (Score:2)
Many of these vulnerabilities don't even require credentials, just something to anchor against. Many can be exploited by any user on the local network visiting a malicious site and executing some JavaScript. Not even any malware on the executing device, just a simple REST or similar API call to 192.168.1.1, others can execute code simply by having them handle a crafted packet, no open ports, just overflow some buffer in their simplistic firewall or NAT tables.
Re: (Score:2)
others can execute code simply by having them handle a crafted packet, no open ports, just overflow some buffer in their simplistic firewall or NAT tables
In most consumer setups, I'd assume even less, given the whole UPnP and mDNS crap that's still enabled by default on most consumer devices. You don't even need a buffer overflow, just the network operating as intended.
Re: (Score:2)
If your device has active default credentials on it, you should lose your license to use the Internet.
There is no excuse for devices which, straight out of the box, do ANYTHING without the user first assigning new credentials of a specified length and security. There has been no such excuse for well over a decade now. Legislators are at fault for not mandating more secure default behaviour, and manufacturers are at fault because they know better.
The person who leaves a loaded gun lying around shares responsibility for any resulting injuries or fatalities resulting from it. Why should network infrastructure
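Two rules run through this thread: a device should not do anything useful until its factory credentials have been replaced, and a router's administrator console should not be reachable on the WAN port. They can be expressed as a first-boot gate that refuses to bring the WAN interface up while either is violated. The following is an added example in Python, written for this page and not code from any commenter, the article, or any router vendor; the interface table, listener lists and credential list are constructed, apart from the admin:password and admin:password1 pairs the article itself names.

```python
"""First-boot hardening gate for a router or NVR (added example).

Models two rules argued in the comments: the device does nothing useful until
its factory credentials are replaced, and the management console must never
listen on the WAN side. All device state below is constructed.
"""
from dataclasses import dataclass

# Well-known pairs; admin:password and admin:password1 are the ones the article names.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "password"), ("admin", "password1"),
    ("root", "root"), ("admin", ""),
}
MANAGEMENT_PORTS = {22: "ssh", 23: "telnet", 80: "http", 443: "https"}


@dataclass(frozen=True)
class Listener:
    bind_addr: str  # "0.0.0.0" / "::" (all addresses) or one interface address
    port: int


def credential_findings(username, password, min_len=12):
    """Findings for the admin account; an empty list means acceptable."""
    out = []
    if (username, password) in DEFAULT_CREDENTIALS:
        out.append("factory-default or well-known credential pair still in use")
    if len(password) < min_len:
        out.append(f"password shorter than {min_len} characters")
    return out


def exposure_findings(listeners, interfaces):
    """Findings for management services reachable from WAN-role interfaces."""
    wan_addrs = {addr for addr, role in interfaces.values() if role == "wan"}
    out = []
    for lst in listeners:
        name = MANAGEMENT_PORTS.get(lst.port)
        if name is None:
            continue
        if lst.bind_addr in ("0.0.0.0", "::"):
            out.append(f"{name}/{lst.port} bound to all addresses, reachable from WAN")
        elif lst.bind_addr in wan_addrs:
            out.append(f"{name}/{lst.port} bound to WAN address {lst.bind_addr}")
    return out


def wan_bringup_allowed(username, password, listeners, interfaces):
    """Return (allowed, findings): WAN stays down until every finding is cleared."""
    findings = credential_findings(username, password) + exposure_findings(listeners, interfaces)
    return (not findings, findings)


# Constructed device state: interface name -> (address, role).
INTERFACES = {"wan0": ("203.0.113.10", "wan"), "br-lan": ("192.168.1.1", "lan")}
# Factory state: console on every address, telnet still on; SSH correctly LAN-only.
FACTORY_LISTENERS = [Listener("0.0.0.0", 80), Listener("0.0.0.0", 23), Listener("192.168.1.1", 22)]
# Hardened state: HTTPS and SSH bound to the LAN address only.
HARDENED_LISTENERS = [Listener("192.168.1.1", 443), Listener("192.168.1.1", 22)]

if __name__ == "__main__":
    for label, creds, listeners in [
        ("factory", ("admin", "password"), FACTORY_LISTENERS),
        ("hardened", ("admin", "correct-horse-battery-staple"), HARDENED_LISTENERS),
    ]:
        ok, findings = wan_bringup_allowed(*creds, listeners, INTERFACES)
        print(label, "WAN up" if ok else "WAN blocked", findings)
```

Binding to a LAN address rather than filtering the WAN port is the deliberate choice here: a firewall rule can be lost to a misconfiguration or a vendor "remote management" toggle, whereas a service that never listens on the WAN address has nothing to expose.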
Anti Malware software (Score:2)
Why so hostile? (Score:2)
All I'm hearing in the news are hostile botnets. Why aren't there any benevolent ones?