Security Affairs, IoT category (https://securityaffairs.com/category/iot), last updated Wed, 02 Oct 2024 18:11:36 +0000

https://securityaffairs.com/169267/security/draytek-routers-flaws-impacts-700000-devices.html (Wed, 02 Oct 2024 18:11:33 +0000)

Multiple flaws in DrayTek residential and enterprise routers can be exploited to fully compromise vulnerable devices.

Forescout researchers discovered 14 new vulnerabilities in DrayTek routers, two of which have been rated as critical. Of the 14 security flaws nine are rated high, and three are rated medium in severity.

The flaws impact residential and enterprise routers manufactured by DrayTek that could be exploited to take over susceptible devices.

The experts reported that over 704,000 DrayTek routers are exposed online in 168 countries, posing a serious risk to customers.

Vulnerabilities in these devices could be exploited for cyber espionage, data theft, ransomware and DoS attacks. On September 18, 2024, the FBI dismantled a botnet exploiting three DrayTek CVEs, and CISA recently added two more to its Known Exploited Vulnerabilities (KEV) catalog.

“Since 75% of these routers are used in commercial settings, the implications for business continuity and reputation are severe. A successful attack could lead to significant downtime, loss of customer trust and regulatory penalties, all of which fall squarely on a CISO’s shoulders.” reads the report published by Forescout.

The most severe vulnerability, tracked as CVE-2024-41592 (CVSS score 10), is a DoS/RCE issue.

“The “GetCGI()” function in the Web UI, responsible for retrieving HTTP request data, is vulnerable to a buffer overflow when processing the query string parameters.” reads the advisory.

The second critical issue, tracked as CVE-2024-41585, is an OS command exec / VM escape vulnerability.

The “recvCmd” binary, which facilitates communication between the host and guest operating systems, is vulnerable to OS command injection attacks.

DrayTek has already released security updates to address the vulnerabilities reported by Forescout.

At this time, the company is not aware of attacks in the wild exploiting the above vulnerabilities.

“While the extent of these findings was beyond expectation, it was not entirely surprising. DrayTek is among many vendors that do not appear to conduct the necessary variant analysis and post-mortem analysis after vulnerability reports — which could lead to long-term improvements.” concludes the report. “Compared to our research on OT, we found a smaller percentage of unpatched and end-of-life IT routers in DrayTek compared to OT routers (Sierra Wireless).”

Follow me on Twitter:  and  and Mastodon

(SecurityAffairs – hacking, IoT)

https://securityaffairs.com/168563/malware/raptor-train-botnet-iot.html (Wed, 18 Sep 2024 19:50:14 +0000)

Researchers warn of a new IoT botnet called Raptor Train that already compromised over 200,000 devices worldwide.

Cybersecurity researchers from Lumen’s Black Lotus Labs discovered a new botnet, named Raptor Train, composed of small office/home office (SOHO) and IoT devices. The experts believe the botnet is controlled by a China-linked APT group (also known as RedJuliett).

The botnet has been active since at least May 2020, reaching its peak with 60,000 compromised devices in June 2023.

Since May 2020, over 200,000 devices, including SOHO routers, NVR/DVR devices, NAS servers, and IP cameras, have been compromised and added to the Raptor Train botnet, making it one of the largest China-linked IoT botnets discovered. A command and control (C2) domain from a recent campaign even appeared on the Cloudflare Radar and Cisco Umbrella “top 1 million” lists, indicating widespread device exploitation. Researchers estimate that hundreds of thousands of devices have likely been compromised since the botnet’s creation.

“The botnet operators manage this large and varied network through a series of distributed payload and C2 servers, a centralized Node.js backend, and a cross-platform Electron application front-end that the actors have dubbed “Sparrow.” This is a robust, enterprise-grade control system used to manage upwards of 60 C2 servers and their infected nodes at any given time.” reads the report published by Lumen. “This service enables an entire suite of activities, including scalable exploitation of bots, vulnerability and exploit management, remote management of C2 infrastructure, file uploads and downloads, remote command execution, and the ability to tailor IoT-based distributed denial of service (DDoS) attacks at-scale.”

The three-tiered architecture consists of the following levels:

  • Tier 1: Compromised SOHO/IoT devices
  • Tier 2: Exploitation servers, payload servers, and command-and-control (C2) servers
  • Tier 3: Centralized management nodes and a cross-platform Electron application front-end referred to as Sparrow (aka Node Comprehensive Control Tool, or NCCT)

The Raptor Train botnet operates as a multi-tiered, evolving network with at least three levels of activity observed over four years. Tier 3 “Sparrow” nodes initiate bot tasks, which are routed through Tier 2 command and control (C2) servers to Tier 1 bots. Tier 1, the largest level, is composed of compromised devices with a short lifecycle, averaging 17 days. Tiers 2 and 3 use Virtual Private Servers (VPSs), lasting around 77 days, with Tier 3 primarily based in Hong Kong and China. Tier 2 servers are distributed globally, managing the control and exploitation capabilities of the bot.

Below are some of the devices included in the botnet: 

Modems/Routers 

  • ActionTec PK5000 
  • ASUS RT-*/GT-*/ZenWifi 
  • TP-LINK 
  • DrayTek Vigor 
  • Tenda Wireless 
  • Ruijie 
  • Zyxel USG* 
  • Ruckus Wireless 
  • VNPT iGate 
  • Mikrotik 
  • TOTOLINK 

IP Cameras 

  • D-LINK DCS-* 
  • Hikvision 
  • Mobotix 
  • NUUO 
  • AXIS 
  • Panasonic 

NVR/DVR 

  • Shenzhen TVT NVRs/DVRs 

NAS 

  • QNAP (TS Series) 
  • Fujitsu 
  • Synology 

The attribution of the Raptor Train botnet to the Chinese nation-state actor is based on multiple factors, including the operational timelines, targeting of sectors aligned with Chinese interests, use of the Chinese language, and other tactics, techniques, and procedures (TTPs) that overlap with known Chinese cyber activities.

“This botnet has targeted entities in the U.S. and Taiwan across various sectors, including military, government, higher education, telecommunications, defense industrial base, and IT.” concludes the report. “The investigation has yielded insights into the botnet’s network architecture, exploitation campaigns, malware components, and operational use, illuminating the evolving tactics and techniques employed by the threat actors. A major concern of the Raptor Train botnet is the DDoS capability that we have not yet observed actively deployed, but we suspect is being maintained for future use.”

https://securityaffairs.com/168471/security/d-link-rce-wireless-router-models.html (Mon, 16 Sep 2024 19:09:42 +0000)

D-Link fixed multiple critical flaws in its WiFi 6 routers that allow remote attackers to execute arbitrary code or gain hardcoded credentials.

D-Link has addressed three critical vulnerabilities, tracked as CVE-2024-45694, CVE-2024-45695, CVE-2024-45697, impacting three wireless router models. The flaws can allow attackers to remotely execute arbitrary code or access the devices using hardcoded credentials.

The manufacturer also addressed two high-severity vulnerabilities, tracked as CVE-2024-45696 and CVE-2024-45698.

On June 8, 2021, the TWCERT reported the vulnerabilities in D-Link DIR-X5460 to the company.

“When D-Link became aware of the reported security issues, we promptly started investigating and developing security patches. The third-party publicly disclosed the problem before the patches were available on our standard 90-day security patch release schedule.” reads the security bulletin. “We do not recommend that security researchers act in this manner, as they expose end-users to further risks without patches being available from the manufacturer.”

Below are the descriptions of the issues addressed by D-Link:

CVE-2024-45694 (9.8 critical): The issue is a stack-based buffer overflow in the web service of certain models of D-Link wireless routers. Unauthenticated remote attackers could exploit this vulnerability to execute arbitrary code on the device. The issue impacts:

  • DIR-X5460 A1 firmware version 1.01, 1.02, 1.04, 1.10
  • DIR-X4860 A1 firmware version 1.00, 1.04

CVE-2024-45695 (9.8 critical): The issue is a stack-based buffer overflow in the web service of certain models of D-Link wireless routers. Unauthenticated remote attackers could exploit this vulnerability to execute arbitrary code on the device. The issue impacts:

CVE-2024-45697 (9.8 critical): Certain D-Link router models have a hidden feature that enables the telnet service when the WAN port is connected. This allows unauthorized remote attackers to log in and execute OS commands using hard-coded credentials. The issue impacts:

  • DIR-X4860 A1 firmware version 1.00, 1.04

CVE-2024-45696 (8.8 high): Certain D-Link router models have hidden functionality that allows attackers to enable the telnet service by sending specific packets to the web service. Once enabled, attackers can log in using hard-coded credentials, but the telnet access is limited to the local network. The issue impacts:

  • DIR-X4860 A1 firmware version 1.00, 1.04.
  • COVR-X1870 firmware version v1.02 and earlier.

CVE-2024-45698 (8.8 high): Certain D-Link router models have a vulnerability in the telnet service that allows unauthenticated remote attackers to log in using hard-coded credentials and execute arbitrary OS commands due to improper input validation. The issue impacts:

  • DIR-X4860 A1 firmware version 1.00, 1.04

The company addressed the vulnerabilities in firmware versions v1.03B01 for COVR-X1870, v1.04B05 for DIR-X4860, and DIR-X5460A1_V1.11B04 for DIR-X5460.

The Taiwanese manufacturer did not reveal whether any of the issues in the security bulletin has been actively exploited in attacks in the wild.

https://securityaffairs.com/168342/malware/vo1d-android-malware-tv-boxes.html (Fri, 13 Sep 2024 09:58:59 +0000)

Researchers uncovered an Android malware, dubbed Vo1d, that has already infected nearly 1.3 million Android devices in 197 countries.

Doctor Web researchers uncovered a malware, tracked as Vo1d, that infected nearly 1.3 million Android-based TV boxes belonging to users in 197 countries. The malicious code acts as a backdoor and allows attackers to download and install third-party software secretly.

In August 2024, several users reported that Dr.Web antivirus detected changes in their TV box system files. The problems were observed in several models, including the R4 (Android 7.1.2), TV BOX (Android 12.1), and KJ-SMART4KVIP (Android 10.1). The indicators of compromise are similar in all cases, with modifications to system files like install-recovery.sh and daemonsu. Additionally, four new files appeared: vo1d, wd, debuggerd, and debuggerd_real. The vo1d and wd files were identified as components of Vo1d Android trojan.

“The install-recovery.sh file is a script that is present on most Android devices. It runs when the operating system is launched and contains data for autorunning the elements specified in it.” reads the analysis published by Doctor Web. “If any malware has root access and the ability to write to the /system system directory, it can anchor itself in the infected device by adding itself to this script (or by creating it from scratch if it is not present in the system). Vo1d has registered the autostart for the wd component in this file.”
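As an added illustration (not code from Doctor Web or from the original post), the following Python routine applies the indicators described above to a box's file listing and its install-recovery.sh: it looks for the file names the write-up lists and for autostart lines that launch them. The sample listing and script content are constructed for the demonstration; the verdict thresholds are my own.

```python
import posixpath
import re
from typing import Dict, List, Tuple

# File names the Doctor Web write-up says appeared on infected TV boxes.
# "debuggerd" is left out on purpose: it is also the name of a standard
# Android daemon on older releases, so its presence alone proves nothing.
VO1D_ARTIFACTS = {"vo1d", "wd", "debuggerd_real"}


def suspicious_files(listing: List[str]) -> List[str]:
    """Return paths in a /system listing whose basename is a Vo1d artifact."""
    return sorted(p for p in listing if posixpath.basename(p) in VO1D_ARTIFACTS)


def autostart_entries(script_text: str) -> List[Tuple[int, str]]:
    """Return (line_no, line) pairs of install-recovery.sh that launch a Vo1d
    artifact. Blank lines and comments are skipped; a line is a hit when any
    command-like token (split on whitespace, ';', '&', '|') names an artifact."""
    hits = []
    for no, raw in enumerate(script_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for tok in re.split(r"[\s;&|]+", line):
            if posixpath.basename(tok) in VO1D_ARTIFACTS:
                hits.append((no, line))
                break
    return hits


def assess(listing: List[str], script_text: str) -> Dict[str, object]:
    """Combine both checks. Files plus an autostart hook mirrors the infection
    pattern the write-up describes; either one alone is flagged for review."""
    files = suspicious_files(listing)
    entries = autostart_entries(script_text)
    if files and entries:
        verdict = "infected"
    elif files or entries:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "files": files, "autostart": entries}


# Constructed sample data (paths and script body are made up for this example).
SAMPLE_LISTING = [
    "/system/bin/debuggerd",
    "/system/bin/debuggerd_real",
    "/system/xbin/vo1d",
    "/system/xbin/wd",
    "/system/xbin/daemonsu",
    "/system/etc/install-recovery.sh",
]
SAMPLE_INSTALL_RECOVERY = """#!/system/bin/sh
# constructed sample of a modified install-recovery.sh
/system/bin/install-recovery-2.sh
/system/xbin/wd &
"""

if __name__ == "__main__":
    report = assess(SAMPLE_LISTING, SAMPLE_INSTALL_RECOVERY)
    print("verdict:", report["verdict"])
    for path in report["files"]:
        print("  artifact:", path)
    for no, line in report["autostart"]:
        print(f"  autostart line {no}: {line}")
```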

The experts reported that the geographical distribution of the infections included almost 200 countries. The largest number of infections was reported in Brazil, Morocco, Pakistan, Saudi Arabia, Russia, Argentina, Ecuador, Tunisia, Malaysia, Algeria, and Indonesia.

Doctor Web observed that attackers target TV boxes because these devices often run outdated Android versions with unpatched vulnerabilities and lack updates. Many users reported devices labeled as running Android 10 or 12, but they were actually using Android 7.1. Unfortunately, manufacturers often sell older OS versions as newer ones. Users may also mistakenly believe TV boxes are more secure than smartphones and are less likely to install antivirus software, increasing their risk when downloading third-party apps or unofficial firmware. The infection source is still unknown, but experts believe that it could involve malware exploiting OS vulnerabilities or unofficial firmware with built-in root access.

“Unfortunately, it is not uncommon for budget device manufacturers to utilize older OS versions and pass them off as more up-to-date ones to make them more attractive,” concludes the report.

https://securityaffairs.com/168250/malware/quad7-botnet-evolves.html (Tue, 10 Sep 2024 20:08:47 +0000)

The Quad7 botnet evolves and targets new SOHO devices, including Axentra media servers, Ruckus wireless routers and Zyxel VPN appliances.

The Sekoia TDR team identified additional implants associated with the Quad7 botnet operation. The botnet operators are targeting multiple SOHO devices and VPN appliances, including TP-LINK, Zyxel, Asus, D-Link, and Netgear, exploiting both known and previously unknown vulnerabilities.

The operators are maintaining the botnet for launching distributed brute-force attacks on VPNs, Telnet, SSH, and Microsoft 365 accounts.

Recently Sekoia published a new report on the Quad7 botnet (aka 7777 botnet, xlogin botnet) following the discovery of several staging servers, leading the experts to discover new targets, implants and botnet clusters associated with this threat actor. 

The experts identified five distinct login clusters (alogin, xlogin, axlogin, rlogin, and zylogin) associated with these botnet operators. Some of these clusters specifically target Axentra media servers, Ruckus wireless routers and Zyxel VPN appliances.

The Quad7 botnet is primarily composed of compromised TP-Link routers, with open ports for administration and proxy purposes. These routers are used to relay brute-force attacks on Microsoft 365 accounts. Similar botnets, like alogin and rlogin, target other devices, including Asus routers (alogin) and Ruckus Wireless devices (rlogin), each with distinct open ports for administration and proxy functions. The experts noticed that while alogin and xlogin have thousands of compromised devices, rlogin has only 213. Other variants like axlogin and zylogin target Axentra NAS and Zyxel VPNs respectively, but they are smaller and less observed.

The operators were also spotted using a new backdoor named ‘UPDTAE’ because of a typo. The backdoor establishes HTTP reverse shells to allow operators to remotely control the infected devices.

According to Sekoia, the operators have enhanced the botnet’s communication, shifting away from open SOCKS proxies for relaying malicious traffic in an attempt to evade detection. The botnet now uses the KCP protocol, which communicates over UDP via a new tool called FsyNet.

“The ConUdpServer is the module that listens on port 9999 using the KCP communication protocol, which is used over UDP.  is a Chinese library that implements the KCP protocol, offering the same properties as TCP but provides better latency at the cost of higher bandwidth consumption.” reads the report. “Once the KCP layer is removed, communications are encrypted using a combination of hard-coded keys and IVs, which are either derived from data within the message or hard-coded within the code.”

The Quad7 operators initially made mistakes, relying on open SOCKS proxies and poorly designed code, which exposed their activities. However, they are now adapting, learning from these errors, and developing new tools like HTTP reverse shells and using more secure communication protocols, such as KCP. These changes indicate a shift toward more stealthy tactics to evade detection.

The report includes indicators of compromise (IoCs) for this botnet.

https://securityaffairs.com/168041/security/d-link-dir-846-routers-code-execution-flaws.html (Wed, 04 Sep 2024 14:49:55 +0000)

D-Link warns of multiple remote code execution vulnerabilities impacting its discontinued DIR-846 router series.

Networking hardware vendor D-Link warns of multiple remote code execution (RCE) vulnerabilities in its discontinued DIR-846 router model.

The vulnerabilities CVE-2024-44341 and CVE-2024-44342 (CVSS score of 9.8) are two OS command injection issues. A remote attacker could exploit them to execute arbitrary code on vulnerable devices.

“D-Link DIR-846W A1 FW100A43 was discovered to contain a remote command execution (RCE) vulnerability (CVE-2024-44341) via the lan(0)_dhcps_staticlist parameter. This vulnerability is exploited via a crafted POST request.”

“D-Link DIR-846W Firmware A1 FW100A43 was discovered to contain a remote command execution (RCE) vulnerability (CVE-2024-44342) via the wl(0).(0)_ssid parameter.”

The vendor also addressed a remote command execution (RCE) vulnerability, tracked as CVE-2024-41622 (CVSS score of 8.8), that resides in the tomography_ping_address parameter in /HNAP1/ interface.

The fourth issue addressed by the company is a high-severity RCE vulnerability, tracked as CVE-2024-44340 (with a CVSS score of 8.8), which can be exploited by an authenticated attacker.

The security researcher Yali-1002 discovered the above vulnerabilities.

The vendor recommends retiring and replacing devices that have reached their End of Life (‘EOL’)/End of Service Life (‘EOS’) life-cycle.

Routers are a privileged target for threat actors and botnet operators. In January, researchers from cybersecurity firm GreyNoise observed exploitation attempts for the critical vulnerability CVE-2024-0769 (CVSS score 9.8) impacting all D-Link DIR-859 WiFi routers.

The vendor confirmed that the DIR-859 family of routers has reached its End of Life (“EOL”)/End of Service Life (“EOS”) life-cycle, and for this reason, the flaw will likely not be addressed.

https://securityaffairs.com/168020/security/zyxel-os-command-injection-flaw-cve-2024-7261.html (Wed, 04 Sep 2024 06:27:50 +0000)

Taiwanese manufacturer Zyxel addressed a critical OS command injection flaw affecting multiple models of its business routers.

Zyxel has released security updates to address a critical vulnerability, tracked as CVE-2024-7261 (CVSS v3 score of 9.8), impacting multiple models of its business routers.

The flaw is an operating system (OS) command injection issue that stems from the improper neutralization of special elements in the parameter “host” in the CGI program of some AP and security router versions.

An unauthenticated attacker can execute OS commands by sending a specially crafted cookie to a vulnerable device.

“Zyxel has released patches addressing an operating system (OS) command injection vulnerability in some access point (AP) and security router versions.” reads the advisory. “The improper neutralization of special elements in the parameter “host” in the CGI program of some AP and security router versions could allow an unauthenticated attacker to execute OS commands by sending a crafted cookie to a vulnerable device.”

Below is the list of affected models and related patches:

Product         | Affected model  | Affected version          | Patch availability
AP              | NWA50AX         | 7.00(ABYW.1) and earlier  | not listed
AP              | NWA50AX PRO     | 7.00(ACGE.1) and earlier  | not listed
AP              | NWA55AXE        | 7.00(ABZL.1) and earlier  | not listed
AP              | NWA90AX         | 7.00(ACCV.1) and earlier  | not listed
AP              | NWA90AX PRO     | 7.00(ACGF.1) and earlier  | not listed
AP              | NWA110AX        | 7.00(ABTG.1) and earlier  | not listed
AP              | NWA130BE        | 7.00(ACIL.1) and earlier  | not listed
AP              | NWA210AX        | 7.00(ABTD.1) and earlier  | not listed
AP              | NWA220AX-6E     | 7.00(ACCO.1) and earlier  | not listed
AP              | NWA1123-AC PRO  | 6.28(ABHD.0) and earlier  | not listed
AP              | NWA1123ACv3     | 6.70(ABVT.4) and earlier  | not listed
AP              | WAC500          | 6.70(ABVS.4) and earlier  | not listed
AP              | WAC500H         | 6.70(ABWA.4) and earlier  | not listed
AP              | WAC6103D-I      | 6.28(AAXH.0) and earlier  | not listed
AP              | WAC6502D-S      | 6.28(AASE.0) and earlier  | not listed
AP              | WAC6503D-S      | 6.28(AASF.0) and earlier  | not listed
AP              | WAC6552D-S      | 6.28(ABIO.0) and earlier  | not listed
AP              | WAC6553D-E      | 6.28(AASG.2) and earlier  | not listed
AP              | WAX300H         | 7.00(ACHF.1) and earlier  | not listed
AP              | WAX510D         | 7.00(ABTF.1) and earlier  | not listed
AP              | WAX610D         | 7.00(ABTE.1) and earlier  | not listed
AP              | WAX620D-6E      | 7.00(ACCN.1) and earlier  | not listed
AP              | WAX630S         | 7.00(ABZD.1) and earlier  | not listed
AP              | WAX640S-6E      | 7.00(ACCM.1) and earlier  | not listed
AP              | WAX650S         | 7.00(ABRM.1) and earlier  | not listed
AP              | WAX655E         | 7.00(ACDO.1) and earlier  | not listed
AP              | WBE530          | 7.00(ACLE.1) and earlier  | not listed
AP              | WBE660S         | 7.00(ACGG.1) and earlier  | not listed
Security router | USG LITE 60AX   | V2.00(ACIP.2)             | V2.00(ACIP.3)*
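An added example (not Zyxel's code and not part of the original post) that turns the affected-version table into an inventory check: it parses Zyxel's firmware string format and reports which devices run the last affected build or an earlier one. The sample inventory is constructed; treating a mismatched four-letter build code as "cannot compare" and reporting unknown models separately are my own assumptions, and since the post does not reproduce the AP patch builds, "newer than affected" only means newer than the last build Zyxel listed as affected.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Last affected firmware per model ("and earlier") from the CVE-2024-7261 table.
AFFECTED: Dict[str, str] = {
    "NWA50AX": "7.00(ABYW.1)", "NWA50AX PRO": "7.00(ACGE.1)",
    "NWA55AXE": "7.00(ABZL.1)", "NWA90AX": "7.00(ACCV.1)",
    "NWA90AX PRO": "7.00(ACGF.1)", "NWA110AX": "7.00(ABTG.1)",
    "NWA130BE": "7.00(ACIL.1)", "NWA210AX": "7.00(ABTD.1)",
    "NWA220AX-6E": "7.00(ACCO.1)", "NWA1123-AC PRO": "6.28(ABHD.0)",
    "NWA1123ACv3": "6.70(ABVT.4)", "WAC500": "6.70(ABVS.4)",
    "WAC500H": "6.70(ABWA.4)", "WAC6103D-I": "6.28(AAXH.0)",
    "WAC6502D-S": "6.28(AASE.0)", "WAC6503D-S": "6.28(AASF.0)",
    "WAC6552D-S": "6.28(ABIO.0)", "WAC6553D-E": "6.28(AASG.2)",
    "WAX300H": "7.00(ACHF.1)", "WAX510D": "7.00(ABTF.1)",
    "WAX610D": "7.00(ABTE.1)", "WAX620D-6E": "7.00(ACCN.1)",
    "WAX630S": "7.00(ABZD.1)", "WAX640S-6E": "7.00(ACCM.1)",
    "WAX650S": "7.00(ABRM.1)", "WAX655E": "7.00(ACDO.1)",
    "WBE530": "7.00(ACLE.1)", "WBE660S": "7.00(ACGG.1)",
    "USG LITE 60AX": "V2.00(ACIP.2)",
}


class FwVersion(NamedTuple):
    major: int
    minor: int
    code: str   # four-letter build code tied to the product line, e.g. ABYW
    patch: int


# Matches the AP form "7.00(ABYW.1)" and the router form "V2.00(ACIP.2)".
_VERSION_RE = re.compile(r"^V?(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)$")


def parse_version(text: str) -> FwVersion:
    """Split a Zyxel firmware string into comparable parts; raise on junk."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised Zyxel firmware version: {text!r}")
    major, minor, code, patch = m.groups()
    return FwVersion(int(major), int(minor), code, int(patch))


def is_affected(model: str, running: str) -> Optional[bool]:
    """True if `running` is at or below the last affected build for `model`,
    False if it is newer, None if the model is not in the table or the build
    code does not belong to that model (assumption: such strings cannot be
    ordered against the table, so they are left for manual review)."""
    last_bad = AFFECTED.get(model)
    if last_bad is None:
        return None
    bad, cur = parse_version(last_bad), parse_version(running)
    if cur.code != bad.code:
        return None
    return (cur.major, cur.minor, cur.patch) <= (bad.major, bad.minor, bad.patch)


def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Bucket (hostname, model, firmware) rows; unparsable firmware goes to
    'unknown' rather than silently counting as safe."""
    buckets: Dict[str, List[str]] = {
        "affected": [], "newer_than_affected": [], "unknown": []}
    for host, model, firmware in inventory:
        try:
            verdict = is_affected(model, firmware)
        except ValueError:
            verdict = None
        if verdict is True:
            buckets["affected"].append(host)
        elif verdict is False:
            buckets["newer_than_affected"].append(host)
        else:
            buckets["unknown"].append(host)
    return buckets


# Constructed inventory (hostnames and firmware strings are made up).
SAMPLE_INVENTORY = [
    ("ap-lobby", "NWA50AX", "7.00(ABYW.1)"),
    ("ap-lab", "NWA110AX", "7.00(ABTG.2)"),
    ("edge-fw", "USG LITE 60AX", "V2.00(ACIP.2)"),
    ("core-fw", "USG FLEX 200", "5.38(ABUI.1)"),
    ("ap-guest", "WAX610D", "unknown"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```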

Chengchao Ai from the ROIS team at Fuzhou University discovered the vulnerability.

Zyxel routers were already targeted by threat actors in the past. In August 2023, a variant of a known botnet was observed exploiting a critical flaw (CVSS v3: 9.8) impacting the end-of-life Zyxel P660HN-T1A router.

https://securityaffairs.com/163939/malware/chalubo-destroyed-600000-soho-routers.html (Fri, 31 May 2024 13:34:07 +0000)

The Chalubo trojan destroyed over 600,000 SOHO routers from a single ISP, researchers from Lumen Technologies reported.

Between October 25 and October 27, 2023, the malware destroyed more than 600,000 small office/home office (SOHO) routers belonging to the same ISP.

Black Lotus did not name the impacted ISP; however, Bleeping Computer reported that the attack is linked to the Windstream outage that occurred during the same timeframe.

Chalubo (ChaCha-Lua-bot) is a Linux malware that was first spotted in late August 2018 by Sophos Labs while targeting IoT devices. Threat actors aimed at creating a botnet used to launch DDoS attacks.

The malware borrows code from the Xor.DDoS and Mirai bots, it also implements fresh evasion techniques, such as encrypting both the main component and its corresponding Lua script using the ChaCha stream cipher.

The attackers used brute-force attacks (using the root:admin credential) on SSH servers to distribute the bot.

In 2023 attacks observed by Lumen, the bot targeted ActionTec T3200s, ActionTec T3260s, and Sagemcom F5380 router models.

Public scan data confirmed that the attack took offline 49% of all modems from the impacted ISP’s autonomous system number (ASN). The infections rendered the devices inoperable and required a hardware-based replacement.

Lumen researchers speculate that the threat actors used commodity malware instead of custom tools to make attribution difficult. At the time of the report, the researchers have yet to find a link to known nation-state activity clusters. The experts believe with high confidence that the malicious firmware update was a deliberate act intended to cause an outage. The attack only impacted a single ASN.

The attack roughly damaged 179,000 ActionTec and 480,000 Sagemcom routers. Most of the infections are in the US, Brazil and China.

“Our analysis revealed that one specific ASN had a drop of roughly 49% in the number of devices exposed to the internet.” reads the report published by Lumen. “We compared the banner hashes that were present on this ASN on October 27, to the banner hashes present on October 28th and observed a drop of ~179k IP addresses that had an ActionTec banner. This included a drop of ~480k devices associated with Sagemcom, likely the Sagemcom F5380 as both this model and the ActionTec modems were both modems issued by the ISP.”

The researchers did not identify the exploit used for initial access; they speculate the threat actor likely used weak credentials or exploited an exposed administrative interface.

The first-stage payload is a bash script (“get_scrpc”) that fetches a second script called “get_strtriiush.” get_strtriiush retrieves and executes the primary bot payload, “Chalubo” (“mips.elf”). Chalubo runs in the memory of the targeted device and wipes all files from the disk. It also changes the process name after its execution to avoid detection.

The researchers noticed that the newer version of the malware does not maintain persistence on the infected devices.

Between September and November 2023, the research discovered that there were about 45 malware panels exposed on the internet. While 28 of the panels interacted with 10 or fewer bots, the top ten panels interacted with anywhere between ~13,500 to ~117,000 unique IP addresses over a 30-day timeframe. The analysis of the telemetry associated with those IP addresses revealed that over 650K unique IP addresses had contact with at least one controller over a 30-day period ending on November 3.

95% of the bots communicated with only one control panel, a circumstance that suggests the entity behind these operations had distinct silos of operations.

“The event was unprecedented due to the number of units affected – no attack that we can recall has required the replacement of over 600,000 devices. In addition, this type of attack has only ever happened once before, with used as a precursor to an active military invasion.” concludes the report. “At this time, we do not assess this to be the work of a nation-state or state-sponsored entity. In fact, we have not observed any overlap with known destructive activity clusters; particularly those prone to destructive events such as , or SeaShell Blizzard. The second unique aspect is that this campaign was confined to a particular ASN.”

https://securityaffairs.com/162557/laws-and-regulations/ncsc-uk-law-smart-devices.html (Tue, 30 Apr 2024 07:23:07 +0000)

The UK National Cyber Security Centre (NCSC) orders smart device manufacturers to ban default passwords starting from April 29, 2024.

The U.K. National Cyber Security Centre (NCSC) is urging manufacturers of smart devices to comply with new legislation that bans default passwords.

The law, known as the Product Security and Telecommunications Infrastructure act (or PSTI act), will be effective on April 29, 2024.

“From 29 April 2024, manufacturers of consumer ‘smart’ devices must comply with new UK law.” reads the announcement published by NCSC. “The law, known as the Product Security and Telecommunications Infrastructure act (or PSTI act), will help consumers to choose smart devices that have been designed to provide ongoing protection against cyber attacks.”

The U.K. is the first country in the world to ban default credentials on IoT devices.

The law prohibits manufacturers from supplying devices with default passwords, which are easily accessible online and can be shared.

The law applies to the following products:

  • Smart speakers, smart TVs, and streaming devices
  • Smart doorbells, baby monitors, and security cameras
  • Cellular tablets, smartphones, and game consoles
  • Wearable fitness trackers (including smart watches)
  • Smart domestic appliances (such as light bulbs, plugs, kettles, thermostats, ovens, fridges, cleaners, and washing machines)

Threat actors could use default passwords to access a local network or launch cyber attacks.

Manufacturers are obliged to designate a contact point for reporting security issues and must specify the minimum duration for which the device will receive crucial security updates.

The NCSC clarified that the PSTI act also applies to organizations importing or retailing products for the UK market, including most smart devices manufactured outside the UK. Manufacturers that don’t comply with the act will be punished with fines of up to £10 million or 4% of qualifying worldwide revenue.

https://securityaffairs.com/161651/hacking/lg-smart-tvs-vulnerable.html (Tue, 09 Apr 2024 18:28:39 +0000)

Researchers found multiple vulnerabilities in LG webOS running on smart TVs that could allow attackers to gain root access to the devices.

Bitdefender researchers discovered multiple vulnerabilities in LG webOS running on smart TVs that could be exploited to bypass authorization and gain root access on the devices.

The vulnerabilities discovered by the researchers impact WebOS versions 4 through 7 running on LG TVs.

“WebOS runs a service on ports 3000/3001 (HTTP/HTTPS/WSS) which is used by the LG ThinkQ smartphone app to control the TV. To set up the app, the user must enter a PIN code into the display on the TV screen.” reads the advisory. “An error in the account handler lets an attacker skip the PIN verification entirely and create a privileged user profile.”

The researchers pointed out that, although the vulnerable service is intended for LAN access only, querying Shodan they identified over 91,000 devices that expose the service to the Internet. At this time, the number of exposed devices has decreased to 88,000. Most of the Internet-facing devices are in South Korea, Hong Kong, the U.S., Sweden, and Finland.

Below is the list of vulnerabilities discovered by the experts in November 2023:

  • CVE-2023-6317 – An authentication bypass issue that can be exploited to bypass PIN verification and add a privileged user profile to the TV set without requiring user interaction
  • CVE-2023-6318 – An elevation of privileges issue that can be exploited to elevate privileges and gain root access to take control of the device
  • CVE-2023-6319 – A vulnerability that allows operating system command injection by manipulating a library named asm responsible for showing music lyrics
  • CVE-2023-6320 – A vulnerability that allows for the injection of authenticated commands by manipulating the com.webos.service.connectionmanager/tv/setVlanStaticAddress API endpoint

The vulnerabilities impact the following webOS versions:

  • webOS 4.9.7 – 5.30.40 running on LG43UM7000PLA
  • webOS 5.5.0 – 04.50.51 running on OLED55CXPUA
  • webOS 6.3.3-442 (kisscurl-kinglake) – 03.36.50 running on OLED48C1PUB
  • webOS 7.3.1-43 (mullet-mebin) – 03.33.85 running on OLED55A23LA

Below is the disclosure timeline:

  • November 01, 2023: Vendor disclosure
  • November 15, 2023: Vendor confirms the vulnerabilities.
  • December 14, 2023: Vendor requests extension
  • March 22, 2024: Patch release
  • April 09, 2024: Public release of this report
