Showing posts with label IOT Security.

ShadowV2 Botnet Activity Quietly Intensified During AWS Outage

 


A recently discovered wave of malicious activity has raised fresh concerns among security analysts: ShadowV2, a fast-evolving malware strain, is quietly assembling a global network of compromised devices. The operation is based heavily on Mirai's source code but is more deliberate and calculated than earlier variants, and infections have been observed in more than 20 countries.

ShadowV2's operators build the botnet by exploiting misconfigurations and unpatched flaws in everyday Internet of Things hardware, an increasingly common soft spot in modern digital ecosystems, with the aim of a resilient, stealthy, and scalable botnet. FortiGuard Labs discovered the campaign during the Amazon Web Services disruption in late October, which the operators appear to have used as cover for their activity.

The malware's activity spiked during the outage, a pattern investigators interpret as a controlled test run rather than an opportunistic attack, according to the report. ShadowV2 was observed exploiting a wide range of known vulnerabilities in devices from DD-WRT (CVE-2009-2765), D-Link (CVE-2020-25506, CVE-2022-37055, CVE-2024-10914, CVE-2024-10915), DigiEver (CVE-2023-52163), TBK (CVE-2024-3721), and TP-Link (CVE-2024-53375).

A campaign that reaches across industries and geographies while making precise use of IoT flaws indicates a maturing cybercriminal ecosystem, according to experts, one that is becoming increasingly adept at turning consumer-grade technology into a platform for sophisticated, coordinated attacks.

Several of the vulnerabilities ShadowV2 exploits are long-known IoT weaknesses, particularly in devices their manufacturers have already retired. Research by NetSecFish, on which the report draws, identified a number of flaws affecting D-Link products that are at the end of their life cycle.

The most concerning is CVE-2024-10914, a command-injection flaw in end-of-life D-Link products. In November 2024 NetSecFish published a report on a related issue, CVE-2024-10915. No advisory existed for it at the time; D-Link later confirmed that the affected devices had reached end of support and would remain unpatched.

The vendor responded by updating an existing bulletin to include the newly assigned CVE and by issuing a further announcement, directly related to the ShadowV2 campaign, reminding customers that end-of-life hardware no longer receives security updates or maintenance.

The TP-Link vulnerability exploited by the botnet, CVE-2024-53375, was disclosed during the same period and is reported to have been resolved only through a beta firmware update. Taken together, these lapses illustrate that aging consumer devices remain fertile ground for large-scale malicious operations: many of them are left running long after vendor support has ended.

ShadowV2's operators use a familiar but effective distribution chain to spread as widely as possible. After exploiting one of the IoT vulnerabilities above, the attackers download a loader script, binary.sh, hosted at 81[.]88[.]18[.]108. Once executed, the script fetches the ShadowV2 payload (every sample carries the shadow prefix, as in shadow.x86_64), and the binaries closely resemble the well-known Mirai offshoot LZRD.

Analysis of the x86-64 build, shadow.x86_64, shows that the malware keeps its configuration, including file-system paths, HTTP headers, and User-Agent strings, obfuscated with a lightweight single-byte XOR key, 0x22, and decodes these values at start-up before initializing its attack routines.

Once these parameters are decoded, the bot connects to its command-and-control server and waits for instructions to launch distributed denial-of-service attacks. Though modest, this streamlined design reflects a disciplined, purpose-built approach that makes deployment across diverse hardware easy without drawing immediate attention.

According to Fortinet, deeper analysis of the malware, with its XOR-obfuscated configuration data and compact binaries, underscores that ShadowV2 shares many features with the Mirai-derived LZRD strain, and it minimizes its visibility on compromised systems in the same way.
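The single-byte XOR described above is worth a closer look, because 0x22 is not an arbitrary choice: stock Mirai's table.c "encrypts" its string table by XORing each byte with the four bytes of 0xdeadbeef in turn, and 0xde ^ 0xad ^ 0xbe ^ 0xef collapses to exactly 0x22. A sample using that key has inherited Mirai's table code rather than invented anything. The script below is an added example, not Fortinet's tooling or code from the sample: it brute-forces the key from known plaintext that any Mirai descendant carries and then splits the decoded table on its NUL terminators. The obfuscated blob it runs on is constructed inside the script (a fake table encoded with 0x22), not bytes carved from shadow.x86_64.

```python
"""Recover single-byte-XOR-obfuscated strings from a Mirai-style bot binary (added example).
The post gives 0x22 as the key used by shadow.x86_64; the brute force below does not assume it
and finds the key from known plaintext instead."""

# Fragments a Mirai-derived bot almost always carries; used as known-plaintext probes
MARKERS = (b"User-Agent", b"/proc/", b"HTTP/1.1", b"/bin/busybox")


def xor_bytes(data, key):
    """XOR every byte with one key byte; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def recover_key(blob, markers=MARKERS):
    """Try all 256 keys and return the one that exposes the most marker strings, or None.
    Key 0 is skipped so data that is already plaintext is not reported as 'decoded'."""
    best_key, best_hits = None, 0
    for key in range(1, 256):
        dec = xor_bytes(blob, key)
        hits = sum(dec.count(m) for m in markers)
        if hits > best_hits:
            best_key, best_hits = key, hits
    return best_key


def extract_strings(blob, key, min_len=4):
    """Decode, split on NUL terminators (how Mirai's table stores entries), keep printable runs."""
    out = []
    for chunk in xor_bytes(blob, key).split(b"\x00"):
        if len(chunk) >= min_len and all(0x20 <= c < 0x7F for c in chunk):
            out.append(chunk.decode("ascii"))
    return out


# Constructed sample: a fake config table obfuscated with 0x22. These are not bytes from the
# real sample; in practice you would carve the table out of the ELF's .rodata/.data section.
SAMPLE_KEY = 0x22
SAMPLE_TABLE = b"\x00".join([
    b"/proc/self/exe",
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
    b"GET / HTTP/1.1",
    b"/bin/busybox",
    b"\x01\x02\x03",            # binary junk the string filter should drop
]) + b"\x00"
SAMPLE_BLOB = xor_bytes(SAMPLE_TABLE, SAMPLE_KEY)


def demo(blob=SAMPLE_BLOB):
    """Return (recovered key, decoded strings) for a blob; key is None if nothing matched."""
    key = recover_key(blob)
    return key, (extract_strings(blob, key) if key is not None else [])


if __name__ == "__main__":
    k, strings = demo()
    print(f"key=0x{k:02x}", *strings, sep="\n  ")
```

Against a real sample, point `demo()` at the bytes of the table section; if the author has moved to a multi-byte key the marker count will stay at zero, which is the cue to extend the search rather than trust a null result.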

The infection sequence observed across multiple incidents follows a consistent pattern: attackers break into a vulnerable device, download the ShadowV2 payload from 81[.]88[.]18[.]108, and install it. Immediately after installation the malware connects to its command server at silverpath[.]shadowstresser[.]info and becomes part of a distributed network built for coordinated attacks.

Once installed, the bot supports a wide range of DDoS techniques, including UDP, TCP, and HTTP floods, making the botnet well suited to high-volume denial-of-service operations such as DDoS-for-hire services, criminal extortion, and targeted disruption campaigns.

Researchers suggest that ShadowV2's initial activity window may have been chosen deliberately. A major outage such as the AWS disruption of late October is a convenient moment to test a botnet early in its development, because sudden traffic irregularities blend into the broader instability of the service.

By targeting both consumer-grade and enterprise-grade IoT systems, the operators appear to be building an attack fabric that is flexible, geographically diffuse, and capable of scaling rapidly even when defenders are on alert. Though the observation window was brief, analysts believe it served as a controlled proof of concept, and that a more expansive or destructive return could coincide with future widespread outages or high-profile international events.

In light of the campaign, Fortinet has urged consumers and organizations to strengthen their defenses before similar operations recur. Beyond installing the latest firmware on all supported IoT and networking devices, the company emphasizes decommissioning end-of-life D-Link and other vendors' devices and disabling unnecessary internet-exposed features such as remote management and UPnP.

In addition, IoT hardware should be isolated on segmented networks, outbound traffic and DNS queries should be monitored for anomalies, and strong, unique passwords should be enforced on every interface of every connected device. Together these measures shrink the attack surface that has allowed IoT-driven botnets such as ShadowV2 to emerge so rapidly.
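The monitoring advice above is concrete enough to act on with the indicators named earlier in this post. The following script is an added example (not Fortinet's IOC tooling) that runs two kinds of check over DNS resolver and web proxy logs: exact matches on the refanged indicators, the domain silverpath.shadowstresser.info, the host 81.88.18.108 and the path /binary.sh, plus a generic heuristic for the Mirai loader pattern, a shell script fetched over plain HTTP from a bare IP address, which catches the same behaviour when the infrastructure changes. The log lines, the dnsmasq-style query format it parses and the benign addresses are constructed for the example.

```python
"""Hunt for the ShadowV2 indicators named in the post in DNS and proxy logs (added example).
Log lines are constructed; the indicators are refanged from the post. Besides exact IOC
matches it flags the generic Mirai loader pattern: a shell script fetched from a bare IP."""
import ipaddress
import re

# Indicators from the post, defanged there as 81[.]88[.]18[.]108 and
# silverpath[.]shadowstresser[.]info
IOC_DOMAINS = {"silverpath.shadowstresser.info"}
IOC_IPS = {"81.88.18.108"}
IOC_PATHS = {"/binary.sh"}

URL_RE = re.compile(r"https?://(?P<host>[^/\s:]+)(?::\d+)?(?P<path>/\S*)?")
DNS_RE = re.compile(r"query(?:\[[A-Z]+\])?:?\s+(?P<qname>[\w.-]+)")   # dnsmasq-style query lines


def refang(s):
    """Undo the usual defanging so indicators copied from reports match live logs."""
    return s.replace("[.]", ".").replace("hxxp", "http")


def classify(line):
    """Return a list of (rule, value) hits for one log line."""
    hits, line = [], refang(line)
    m = DNS_RE.search(line)
    if m:
        q = m.group("qname").lower().rstrip(".")
        if q in IOC_DOMAINS or any(q.endswith("." + d) for d in IOC_DOMAINS):
            hits.append(("ioc-domain", q))
    for m in URL_RE.finditer(line):
        host, path = m.group("host").lower(), m.group("path") or "/"
        if host in IOC_IPS or host in IOC_DOMAINS:
            hits.append(("ioc-host", host))
        try:                                   # bare-IP + .sh download is the classic loader fetch
            ipaddress.ip_address(host)
            if path.endswith(".sh"):
                hits.append(("loader-pattern", host + path))
        except ValueError:
            pass
        if path in IOC_PATHS:
            hits.append(("ioc-path", path))
    return hits


def scan(lines):
    """(line number, hit) pairs across a log; one line can produce several hits."""
    return [(n, hit) for n, line in enumerate(lines, 1) for hit in classify(line)]


# Constructed log lines (RFC 5737 test addresses for the benign traffic)
SAMPLE_LOGS = [
    'Nov 02 03:14:07 gw dnsmasq[812]: query[A] silverpath.shadowstresser.info from 192.168.10.23',
    'Nov 02 03:14:08 gw proxy: 192.168.10.23 GET http://81.88.18.108/binary.sh 200 "Wget"',
    'Nov 02 03:14:09 gw dnsmasq[812]: query[A] updates.example.com from 192.168.10.5',
    'Nov 02 03:15:00 gw proxy: 192.168.10.5 GET https://cdn.example.com/firmware/v2.bin 200',
    'Nov 02 03:16:12 gw proxy: 192.168.10.40 GET http://203.0.113.7/x86.sh 200 "curl/7.88"',
]

if __name__ == "__main__":
    for n, (rule, value) in scan(SAMPLE_LOGS):
        print(f"line {n}: {rule} {value}")
```

The loader-pattern rule is deliberately broad; on a consumer network it should be rare enough to review by hand, and on a corporate network any IoT VLAN host fetching a script from a bare IP deserves a ticket regardless of whether the IP is on a list.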

ShadowV2's observed activity was limited to the short window of the Amazon Web Services outage, but researchers stress that it should serve as a timely reminder of the fragile state of global IoT security. The campaign underscores the continued importance of protecting internet-connected devices, updating firmware regularly, and monitoring network activity for unfamiliar or high-volume traffic patterns that may signal an early compromise.

Defenders will benefit from the extensive set of indicators of compromise Fortinet has released to support proactive threat hunting, further confirming what researcher Li has described as an ongoing reality: IoT hardware remains one of the most vulnerable entry points for cybercriminals. Concern deepened when, just days after ShadowV2's suspected test run, Microsoft disclosed that Azure had defended against what it called the largest cloud-based DDoS attack ever recorded.

That attack, attributed to the Aisuru botnet, peaked at an unprecedented 15.72 Tbps and nearly 3.64 billion packets per second. Microsoft reported that its cloud DDoS protection systems absorbed it on October 24 without disrupting customer workloads.

Analysts suggest that the timing of the two incidents points to a rapidly intensifying threat landscape in which adversaries are increasingly prepared to launch large-scale attacks with little advance notice. They argue that the ShadowV2 incident is not an isolated event but a preview of a more volatile era of botnet-driven disruption, with these consecutive incidents serving as warning shots.

With aging consumer hardware, incomplete patch ecosystems, and increasingly sophisticated adversaries converging, a single overlooked device can become a launchpad for global-scale attacks. According to experts, real resilience requires more than reactive patching: organizations need sustained visibility into their networks, strict asset lifecycle management, and architectures that limit the blast radius of the compromises that will inevitably occur.

Consumers also play a crucial role in preventing botnets from spreading by replacing unsupported devices, enabling automatic updates, and regularly reviewing router and IoT configurations, which together reduce the number of vulnerable nodes available to botnets.

In the face of adversaries willing to demonstrate their capabilities during times of widespread disruption, cybersecurity experts warn that event-driven preparedness must give way to proactive preparedness. The ShadowV2 incident, they argue, is a timely reminder that strengthening the foundations of IoT security today is crucial to preventing far more disruptive campaigns tomorrow.

Experts Advise Homeowners on Effective Wi-Fi Protection


 

Today, in an increasingly connected world, the home wireless network has become an integral part of daily life. It powers everything from remote working, digital banking and entertainment to smart appliances and personal communication. As households have become more dependent on seamless connectivity, the risks associated with insecure networks have grown.

It is not surprising that cybercriminals, using sophisticated tools and constantly evolving tactics, continue to target weaknesses in household setups, making ordinary homes a potential gateway to data theft and intrusion. Recognizing the urgency of the issue, cybersecurity and industry experts have consistently emphasized the need to strengthen home Wi-Fi security.

Companies that provide such solutions, such as Fing, whose Fing Desktop and Fing Agent tools have helped millions of users worldwide, are at the forefront of this effort. Fing offers visibility and monitoring along with expert guidance for everyday users. Its experts have compiled practical measures based on global trends and real-world experience, designed to appeal not only to tech-savvy individuals but to ordinary homeowners, so that safeguarding digital life becomes an integral rather than optional part of modern living.

Radio-frequency (RF) links between devices have made wireless networks a fundamental part of everyday life, integrated into homes, businesses, and telecommunication systems alike. Despite this widespread use, the technology remains largely misunderstood.

Many people still use "wireless" and "Wi-Fi" interchangeably, but wireless encompasses a wide range of technologies, including Bluetooth, Zigbee, LTE, and 5G; Wi-Fi, defined by the IEEE 802.11 standards, is only one part of that larger ecosystem. The distinction is not merely academic, because each of these technologies has its own security properties and attack surface.

Unlike traditional wired connections such as Ethernet, wireless networks allow malicious actors to operate remotely, without physical access to the infrastructure. As households and businesses become increasingly dependent on wireless connectivity, these networks have become prime hunting grounds for cybercriminals, precisely because remote targeting is so easy.

Demand for robust wireless security solutions is therefore expected to keep growing as individuals and organizations struggle to identify intrusions and defend against increasingly sophisticated threats. The evolution of wireless encryption standards shows that network security must continually adapt to the sophistication of today's threats.

Over the history of Wi-Fi, users have seen both technological advances and a pressing need for vigilance, from the outdated and broken WEP protocol to the far stronger safeguards offered by WPA3. While upgrading to the latest standards matters, security experts emphasize a layered approach: the real strength of a secure network lies in combining encryption with sound practices such as strong password policies, regular firmware updates, and properly configured devices.

For businesses, adopting updated standards is not only good practice but a shield against legal, financial, and reputational harm. For households it translates into peace of mind, knowing that private information, smart devices, and digital interactions are protected against constantly evolving threats. The rapid development of wireless technologies, including the rise of 5G and the Internet of Things (IoT), makes embracing current security protocols an essential precaution.

By taking proactive steps today, both individuals and organizations can make their digital futures safer and more resilient. Home Wi-Fi networks have increasingly become prime targets for cybercriminals, and an unsecured connection exposes users to risks ranging from unauthorized access and data theft to malware infiltration and privacy breaches.

Even simple oversights, such as leaving router settings at their defaults, can open a door to attackers. Changing the router's default SSID is a sensible first step, since factory-set names often reveal the router's make and model and make it easier for attackers to target known vulnerabilities; it is hygiene rather than a defense, though, because the vendor can usually still be inferred from the access point's MAC address.

Beyond setting strong, unique passphrases that avoid simple phrases or personal details, professionals emphasize enabling modern encryption such as WPA3, which offers far greater protection than outdated protocols such as WEP and WPA (WPA2 with AES remains acceptable where devices do not yet support WPA3; WEP and original WPA should not be used at all), and updating router firmware regularly, since manufacturers frequently release patches for newly discovered security holes.

Other measures that reduce exposure to intrusion include disabling remote management features, enabling the router's built-in firewall, and creating a separate guest network for visitors. A Virtual Private Network (VPN) can further protect a household's communications.

A VPN adds a layer of encryption between the household and the VPN provider, although it does not secure the Wi-Fi network itself. Simple habits, such as turning Wi-Fi off when not in use, also strengthen defenses. Ultimately, cybersecurity experts stress that technology alone is not enough; awareness among household members is just as important.

Teaching all family members how to behave online, avoid phishing traps, and keep passwords safe ensures that the responsibility for protecting the home network is shared. In the digital era, securing home Wi-Fi has become essential to safeguarding users' personal and professional lives, a fundamental necessity rather than a matter of convenience.

Beyond technical adjustments and preventative measures, experts advise households to treat cybersecurity as a daily practice rather than a one-time task. This approach not only shields sensitive information and prevents financial loss but also keeps internet access for work, study, and entertainment uninterrupted and the online environment safe.

Strong defenses at the household level reduce the opportunities cybercriminals have to exploit communities as a whole. The importance of secure Wi-Fi will only grow as the number of Internet of Things (IoT) devices, from smart cameras to personal assistants, keeps rising, which makes vigilance all the more necessary as technology becomes more deeply embedded in daily life.

Staying informed, buying secure equipment, and educating family members are the keys to transforming Wi-Fi networks from potential vulnerabilities into trusted digital gateways, protecting homes from today's invisible threats while reaping the benefits of connected living.

NIST Issues Lightweight Cryptography Standard to Secure Small Devices

 


The National Institute of Standards and Technology (NIST) has finalized a new lightweight cryptography standard aimed at securing billions of connected devices worldwide. It is intended for small, resource-constrained technologies such as Internet of Things (IoT) sensors, RFID tags, and medical implants, whose limited memory, power, and processing capacity leave them vulnerable to modern cyberattacks because conventional cryptography is often too heavy for them.

The standard, Special Publication 800-232, Ascon-Based Lightweight Cryptography Standards for Constrained Devices, provides tools for authenticated encryption and hashing that minimize energy consumption, memory usage, and computation without compromising on robust security.

The Ascon algorithm family, on which the standard is based, was originally developed in 2014 by researchers at Graz University of Technology, Infineon Technologies, and Radboud University. Ascon proved its resilience in the international CAESAR competition, where it was named the primary choice for lightweight authenticated encryption in 2019, and, following NIST's rigorous global review, it has now been elevated to an official standard for securing the next generation of connected technologies.

NIST developed the standard to deliver robust protection where conventional cryptographic techniques are often too heavy to implement, recognizing that even the smallest digital components play an important role in today's interconnected world.

Special Publication 800-232 introduces specialized tools for authenticated encryption and hashing suited to safeguarding the information generated and transmitted by billions of IoT devices, RFID tags, toll transponders, and medical implants. These tiny devices are just as exposed to cyberattacks as smartphones or computers, and there are numerous ways to attack them.

Lightweight cryptography lets even resource-constrained electronics resist modern threats without exceeding their performance limits, and striking that balance is the key. By formalizing the standard, NIST aims to address a long-standing gap in digital security.

The new standard offers a practical, scalable, and attainable defense for the rapidly expanding ecosystem of connected devices. Ascon was selected after a rigorous, multi-round public review process that concluded in 2023.

Ascon has been extensively analyzed for security and is internationally recognized for its performance. In 2019 the CAESAR competition named it the primary choice for lightweight authenticated encryption, cementing its credibility as a robust solution resistant to multiple classes of attack. NIST's framework incorporates four Ascon variants, each meeting a distinct requirement of constrained devices.

Ascon-AEAD128 is an authenticated encryption with associated data (AEAD) algorithm that lets devices both encrypt and verify information. Its bit-sliced design is also comparatively cheap to protect against side-channel attacks, an increasingly common threat in which adversaries exploit subtle leakage such as power consumption or processing time.

Ascon-Hash256 complements this with a lightweight mechanism for data integrity, producing fingerprints of information that can detect tampering, support software-update verification, and strengthen password storage and digital signatures. For more flexible hashing, Ascon-XOF128 and Ascon-CXOF128 are extendable-output functions that produce output of any desired length on low-power devices, saving energy and time; the CXOF variant additionally accepts a customization string so that different applications obtain domain-separated outputs, preventing cross-protocol collisions an attacker might exploit.

The standard is designed not only for immediate adoption but also to scale with the future needs of an expanding digital ecosystem, according to NIST cryptography expert Kerry McKay. At its heart is a suite of four interrelated algorithms derived from the Ascon family of cryptographic primitives.

Ascon was introduced in 2014 at the Eurocrypt conference and was designed specifically for high performance in constrained environments. The package includes an authenticated encryption algorithm, a hash function, and two extendable-output functions, giving developers a range of choices suited to their applications' needs. NIST chose Ascon for its simplicity, efficiency, and resilience, qualities that are crucial for devices with limited processing power, memory, and energy.
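To make the "simplicity" concrete, here is Ascon-AEAD128 written out end to end as an added example; it is not NIST's reference code or the designers' implementation, and it is written from the SP 800-232 description: a 320-bit state held as five 64-bit little-endian words, the IV 0x00001000808c0001, 12 permutation rounds for initialization and finalization, 8 between data blocks, a 128-bit rate, and 0x01 padding. The whole primitive is one permutation plus bookkeeping, which is why it fits where AES plus a separate hash does not. The round-trip and tamper checks below pass, but anyone using this for real should validate it against the KAT vectors published alongside the standard first; the hash and XOF variants reuse the same permutation and differ only in IV, rate, and how output is squeezed, so they are not repeated here.

```python
"""Ascon-AEAD128 per NIST SP 800-232: five 64-bit little-endian state words, 12-round
init/finalisation, 8-round data phase, 128-bit rate, 128-bit key, nonce and tag.
Added reference-style example, not a vetted library: check it against the KAT vectors
published with the standard before trusting it for anything real."""
import hmac

MASK = (1 << 64) - 1
RC = [0xF0, 0xE1, 0xD2, 0xC3, 0xB4, 0xA5, 0x96, 0x87, 0x78, 0x69, 0x5A, 0x4B]
IV = 0x00001000808C0001   # SP 800-232 Ascon-AEAD128 IV (version 1, a=12, b=8, tag 128, rate 128)
RATE = 16                 # bytes absorbed per permutation call: state words 0 and 1
DSEP = 1 << 63            # domain separator applied to word 4 once associated data is done


def rotr(x, n):
    return ((x >> n) | (x << (64 - n))) & MASK


def permutation(s, rounds):
    """p^rounds in place: round constant, bit-sliced 5-bit S-box, linear diffusion layer."""
    for c in RC[-rounds:]:
        s[2] ^= c
        s[0] ^= s[4]; s[4] ^= s[3]; s[2] ^= s[1]
        t = [~s[i] & s[(i + 1) % 5] & MASK for i in range(5)]   # chi: x_i ^= ~x_{i+1} & x_{i+2}
        for i in range(5):
            s[i] ^= t[(i + 1) % 5]
        s[1] ^= s[0]; s[0] ^= s[4]; s[3] ^= s[2]; s[2] = ~s[2] & MASK
        s[0] ^= rotr(s[0], 19) ^ rotr(s[0], 28)
        s[1] ^= rotr(s[1], 61) ^ rotr(s[1], 39)
        s[2] ^= rotr(s[2], 1) ^ rotr(s[2], 6)
        s[3] ^= rotr(s[3], 10) ^ rotr(s[3], 17)
        s[4] ^= rotr(s[4], 7) ^ rotr(s[4], 41)


def le_word(b):
    return int.from_bytes(b, "little")


def le_bytes(x):
    return x.to_bytes(8, "little")


def pad(data):
    """0x01 then zeros up to a RATE multiple; an aligned input still gets a full pad block."""
    return data +b"\x01" + b"\x00" * (RATE - len(data) % RATE - 1)


def absorb(s, block):
    s[0] ^= le_word(block[:8]); s[1] ^= le_word(block[8:16])


def init(key, nonce):
    s = [IV, le_word(key[:8]), le_word(key[8:]), le_word(nonce[:8]), le_word(nonce[8:])]
    permutation(s, 12)
    s[3] ^= le_word(key[:8]); s[4] ^= le_word(key[8:])
    return s


def process_ad(s, ad):
    if ad:                                   # empty AD: skip absorption, keep the separator
        p = pad(ad)
        for i in range(0, len(p), RATE):
            absorb(s, p[i:i + RATE]); permutation(s, 8)
    s[4] ^= DSEP


def finalize(s, key):
    s[2] ^= le_word(key[:8]); s[3] ^= le_word(key[8:])
    permutation(s, 12)
    return le_bytes(s[3] ^ le_word(key[:8])) + le_bytes(s[4] ^ le_word(key[8:]))


def encrypt(key, nonce, ad, pt):
    """Return ciphertext || 16-byte tag. Never reuse a nonce under the same key."""
    assert len(key) == 16 and len(nonce) == 16
    s = init(key, nonce); process_ad(s, ad)
    p, ct = pad(pt), b""
    for i in range(0, len(p), RATE):
        absorb(s, p[i:i + RATE])
        ct += le_bytes(s[0]) + le_bytes(s[1])
        if i + RATE < len(p):                # no permutation after the final (padded) block
            permutation(s, 8)
    return ct[:len(pt)] + finalize(s, key)


def decrypt(key, nonce, ad, data):
    """Return the plaintext, or None if the tag fails; nothing is released before the check."""
    if len(data) < 16:
        return None
    ct, tag = data[:-16], data[-16:]
    s = init(key, nonce); process_ad(s, ad)
    full, pt = len(ct) - len(ct) % RATE, b""
    for i in range(0, full, RATE):
        ks = le_bytes(s[0]) + le_bytes(s[1])
        pt += bytes(a ^ b for a, b in zip(ks, ct[i:i + RATE]))
        s[0] = le_word(ct[i:i + 8]); s[1] = le_word(ct[i + 8:i + 16])
        permutation(s, 8)
    ks = le_bytes(s[0]) + le_bytes(s[1])
    last = bytes(a ^ b for a, b in zip(ks, ct[full:]))
    absorb(s, pad(last))                     # state must match the encryptor's final block
    return pt + last if hmac.compare_digest(finalize(s, key), tag) else None
```

Two things to notice for constrained deployments: the tag is verified in constant time and the plaintext is not returned on failure, and the only state is forty bytes plus the key, which is the property that lets a sensor run this where a full AES-GCM stack would not fit. Nonce reuse breaks confidentiality and authenticity here exactly as it does for GCM, so a device needs a counter that survives reboots or a random source it can trust.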

IoT devices, RFID tags, and embedded systems are often exposed to threats ranging from data breaches to denial-of-service because conventional algorithms such as the Advanced Encryption Standard (AES) and Secure Hash Algorithm 2 (SHA-2) can demand more computation, memory, and energy than the tightest devices can spare, leaving them running with weak cryptography or none at all.

Lightweight cryptography bridges this gap by delivering comparable security at a fraction of the computational overhead. The standard grew out of a public call for algorithms in 2016, followed by years of intensive analysis and rigorous testing, including evaluation on microcontrollers and embedded platforms and extensive analysis of both the theoretical and practical aspects of the candidates.

Through this vetting, Ascon distinguished itself by offering robust security, ease of implementation, and adaptability across a variety of hardware environments. Its reach extends beyond the Internet of Things into domains such as wireless sensor networks, industrial control systems, and smart cards, which increasingly need interoperable, secure communication protocols.

With the release of Special Publication 800-232, NIST not only provides developers with well-vetted cryptographic tools but also lowers the barriers to designing secure systems in environments previously considered too constrained for modern encryption. The milestone shows NIST's commitment to the unique security challenges posed by the rapid proliferation of small, networked devices, and positions Ascon as an integral part of NIST's next-generation cryptography efforts.

Finalizing the lightweight cryptography standard is not just a technical milestone but a strategic investment in the resilience of the digital infrastructure that underpins modern life. Security challenges will only grow more complex as billions of devices connect healthcare, transportation, energy, and consumer technologies. By introducing a standardized, rigorously vetted framework that combines strength with efficiency, NIST has laid the foundation for secure design practices in environments that were once unprotected.

Industry experts note the potential benefits of widespread adoption: greater trust in emerging technologies, a better understanding of how to build hardware and software securely, and fewer vulnerabilities that could become systemic risks. Cryptography will continue to evolve, but the Ascon-based framework is a significant step toward ensuring that even the smallest devices, often overlooked but crucial, no longer form the weakest link in the digital environment.

NIST also aims to reinforce its role as a global leader in cryptographic standardization and research by guiding government and industry toward a more secure, interoperable, and resilient technological future.

Defending Against IoT Ransomware Attacks in a Zero-Trust World


In our interconnected digital landscape, the proliferation of Internet of Things (IoT) devices has revolutionized how we live and work. From smart homes to industrial automation, IoT devices play a pivotal role in enhancing efficiency and convenience. 

However, this rapid adoption also brings forth significant security challenges, with ransomware attacks targeting vulnerable IoT endpoints. In this blog, we explore the critical need for defending against IoT ransomware attacks within a zero-trust framework.

The Growing Threat Landscape

1. Nation-State Actors and Unprotected IoT Sensors:

Sophisticated adversaries, including nation-state actors, exploit unprotected IoT sensors.

These sensors are critical for infrastructure, manufacturing, and essential services.

Recent attacks have targeted U.S. and European entities, emphasizing the urgency of securing IoT ecosystems.

2. Ransomware’s Escalation:

Ransomware attacks have surged, impacting critical sectors such as manufacturing and industrial control systems (ICS).

During Q2 2023, 70% of all ransomware attacks targeted the manufacturing sector.

The consequences extend beyond financial losses; they disrupt operations, compromise safety, and erode trust.

The Challenge of Ransomware Defense

1. Beyond Reactive Measures:

Ransomware defense requires a proactive approach rather than reactive firefighting.

Security professionals must continuously assess and enhance their defenses.

Assistive AI tools can augment human capabilities by automating routine tasks, allowing experts to focus on strategic decisions.

2. The Adversary’s Arsenal:

Well-funded attackers recruit AI and machine learning experts to create advanced attack tools.

They possess extensive knowledge about target networks, often surpassing that of administrators.

To counter this, defenders must leverage AI for threat detection and response.

The Role of Zero Trust

1. Zero Trust Architecture:

Zero Trust principles advocate for a fundamental shift in security mindset.

Assume that no device or user is inherently trustworthy, regardless of their location within the network.

Implementing zero trust involves continuous verification, least privilege access, and microsegmentation.

2. Microsegmentation and Assured Identity:

Microsegmentation isolates IoT devices and operational technology (OT) networks from IT networks, and from one another.

By creating granular security zones, organizations reduce the attack surface.

Assured identity ensures that only authorized entities communicate with IoT devices.

Practical Steps for Defending Against IoT Ransomware

1. Visibility and Inventory:

Organizations must gain visibility into their IoT devices and endpoints.

Regularly update and maintain an accurate inventory of connected devices.

Identify vulnerabilities and prioritize patching.

2. Network Segmentation:

Employ network segmentation to isolate critical systems from potentially compromised devices.

Implement firewalls and access controls to prevent lateral movement.

3. Behavioral Analytics:

Leverage behavioral analytics to detect anomalous activities.

Monitor device behavior patterns and identify deviations.

Promptly respond to suspicious events.

4. Education and Training:

Educate employees and users about IoT security best practices.

Encourage strong password hygiene and awareness of phishing threats.

Foster a security-conscious culture.
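The "behavioral analytics" step above is the one most often left abstract, so here is a minimal working version as an added example (not a product's detection logic): each device gets a baseline of the peers it normally talks to and its average transfer size during a learning window, and later records raise an alert when a device is unknown, contacts a destination it has never used, or moves an order of magnitude more data than usual. All flow records are constructed, with RFC 5737 test addresses, and the threshold is a parameter rather than a recommendation.

```python
"""Per-device traffic baseline with deviation alerts (added example; all records constructed).
A record is (device, dst_ip, dst_port, bytes). The baseline learns each device's normal
peers and average transfer size; later records raise alerts for unknown devices,
never-seen destinations, or transfers far above the learned average."""
from collections import defaultdict
from statistics import mean


def build_baseline(records):
    """Return {device: {"peers": {(dst, port), ...}, "avg_bytes": float}}."""
    peers, sizes = defaultdict(set), defaultdict(list)
    for dev, dst, port, nbytes in records:
        peers[dev].add((dst, port))
        sizes[dev].append(nbytes)
    return {d: {"peers": peers[d], "avg_bytes": mean(sizes[d])} for d in peers}


def detect(baseline, records, volume_factor=10):
    """Return (device, alert_type, detail) tuples in record order."""
    alerts = []
    for dev, dst, port, nbytes in records:
        prof = baseline.get(dev)
        if prof is None:                       # never seen in the learning window
            alerts.append((dev, "unknown-device", f"{dst}:{port}"))
            continue
        if (dst, port) not in prof["peers"]:   # IoT devices have a small, stable peer set
            alerts.append((dev, "new-destination", f"{dst}:{port}"))
        if nbytes > volume_factor * prof["avg_bytes"]:   # flood or exfiltration sized transfer
            alerts.append((dev, "volume-spike", f"{nbytes}B vs avg {prof['avg_bytes']:.0f}B"))
    return alerts


# Constructed learning window: one camera talking to its cloud relay and an NTP server
LEARN = [
    ("camera-01", "203.0.113.10", 443, 2000),
    ("camera-01", "203.0.113.10", 443, 2400),
    ("camera-01", "203.0.113.20", 123, 90),
]
# Constructed live window: a normal record, a new peer, a flood-sized transfer, an unknown device
LIVE = [
    ("camera-01", "203.0.113.10", 443, 2100),
    ("camera-01", "198.51.100.7", 80, 50),
    ("camera-01", "203.0.113.10", 443, 900000),
    ("thermostat-02", "203.0.113.10", 443, 500),
]


def demo():
    return detect(build_baseline(LEARN), LIVE)


if __name__ == "__main__":
    for alert in demo():
        print(*alert)
```

The peer-set rule is what makes this workable for IoT and useless for laptops: a camera or PLC talks to a handful of fixed endpoints, so a brand-new destination is a strong signal there, whereas a workstation behind a CDN would alert constantly. The volume rule catches the flood phase of a botnet like the one in the ShadowV2 post regardless of where the traffic is aimed.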

Multiple Security Bugs Identified in EZVIZ Smart Cams

 

The vulnerabilities allow an attacker to remotely access the camera, download images and decrypt them, and bypass authentication to execute code remotely.

Security analysts at Bitdefender have published a detailed analysis of vulnerabilities in several lines of EZVIZ Internet of Things (IoT) cameras, a smart-home security brand used across the globe. The flaws affect at least five EZVIZ camera models.

"When daisy-chained, the discovered vulnerabilities allow an attacker to remotely control the camera, download images, and decrypt them," the researchers explained. "Use of these vulnerabilities can bypass authentication and potentially execute code remotely, further compromising the integrity of the affected cameras." 

The affected device models and firmware versions are listed below:

• CS-CV248 [20XXXXX72] - V5.2.1 build 180403 
• CS-C6N-A0-1C2WFR [E1XXXXX79] - V5.3.0 build 201719 
• CS-DB1C-A0-1E2W2FR [F1XXXXX52] - V5.3.0 build 211208 
• CS-C6N-B0-1G2WF [G0XXXXX66] - v5.3.0 build 210731 
• CS-C3W-A0-3H4WFRL [F4XXXXX93] - V5.3.5 build 22012 

Threat analysts discovered the first vulnerability (tracked as CVE-2022-2471) in the ‘configMotionDetectArea’ API endpoint. They then identified an insecure direct object reference vulnerability in multiple API endpoints that paves the way for attackers to gain access to the camera, and a third, remotely exploitable vulnerability that lets attackers exfiltrate the encryption key for the video. 

The final security bug, tracked under CVE-2022-2472, lets a hacker recover the administrator password and control the device. 

“Our analysis uncovered several vulnerabilities in the EZVIZ smart devices and their API endpoints that could allow an attacker to carry out a variety of malicious actions, including remote code execution and access to the video feed,” said Dan Berte, director of IoT Security at Bitdefender. “One of the main features of these devices is the ability to be accessed from anywhere the user has an internet connection.” 

The researchers advised users to apply the patches, update the software immediately, and regularly visit the manufacturer’s website for any EZVIZ camera security-related news. 

Last year in August, Bitdefender security experts unearthed multiple zero-day vulnerabilities in a home baby monitor made by China-based developer Victure. In a security report, the researchers disclosed a stack-based buffer overflow in the ONVIF server component of the Victure PC420 camera that allows attackers to execute code remotely on the victim device. When exploited, attackers can discover cameras they do not own, command the devices to broadcast their feeds to a third party, and tamper with the camera firmware.

BotenaGo Botnet is Targeting Millions of Routers and IoT Devices

 

A new botnet malware called BotenaGo has been discovered in the wild. The malware has the capability to exploit millions of susceptible IoT (Internet of Things) products and routers.

Discovered by AT&T labs, BotenaGo is designed using the Go programming language, which has been gaining popularity of late. Threat actors are using it for making payloads that are harder to detect and reverse engineer. 

According to Bleeping Computer, BotenaGo is flagged by only six out of the 62 antivirus engines on VirusTotal, with some falsely identifying it as the Mirai botnet. 

The botnet incorporates 33 exploits for a variety of routers, modems, and NAS devices, with some notable examples given below: 

• CVE-2015-2051, CVE-2020-9377, CVE-2016-11021: D-Link routers 
• CVE-2016-1555, CVE-2017-6077, CVE-2016-6277, CVE-2017-6334: Netgear devices 
• CVE-2019-19824: Realtek SDK based routers 
• CVE-2017-18368, CVE-2020-9054: Zyxel routers and NAS devices 
• CVE-2020-10987: Tenda products 
• CVE-2014-2321: ZTE modems 
• CVE-2020-8958: Guangzhou 1GE ONU 

“To deliver its exploit, the malware first queries the target with a simple “GET” request. It then searches the returned data from the “GET” request with each system signature that was mapped to attack functions,” reads the blog post published by AT&T. 

“The string “Server: Boa/0.93.15” is mapped to the function “main_infectFunctionGponFiber,” which attempts to exploit a vulnerable target, allowing the attacker to execute an OS command via a specific web request (CVE-2020-8958).” 

The botnet targets millions of devices with functions that exploit the flaws above. For example, querying Shodan for the string Boa, a discontinued open-source web server used in embedded applications, still returns nearly two million internet-facing devices. Once installed, the malware listens on ports 31412 and 19412; the latter is used to receive the victim IP. Once a connection carrying a target IP is received on that port, the bot attempts each exploit against that address to gain access. 
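The two concrete indicators the write-up gives, the "Server: Boa/0.93.15" signature and the listeners on TCP 31412/19412, are enough for a simple triage script. The following is an added example, not code from AT&T or from this blog; the log formats, hostnames and banners it processes are constructed, and the listener line format is an assumption.

```python
"""Added example: triage a device inventory for the two BotenaGo indicators
named in the AT&T write-up. Sample data below is constructed, not real."""
import re
from dataclasses import dataclass

# Indicators taken from the article
BOA_SIGNATURE = "Server: Boa/0.93.15"
BOT_PORTS = {31412, 19412}


@dataclass
class Finding:
    host: str
    kind: str
    detail: str


# Constructed sample: passive HTTP banner inventory (host -> Server header)
BANNER_INVENTORY = {
    "10.0.5.11": "Server: Boa/0.93.15",
    "10.0.5.12": "Server: lighttpd/1.4.55",
    "10.0.5.13": "Server: Boa/0.94.14rc21",
}

# Constructed sample: listening-socket lines in an assumed "host proto STATE addr:port" format
LISTENER_LINES = [
    "10.0.5.11 tcp LISTEN 0.0.0.0:80",
    "10.0.5.11 tcp LISTEN 0.0.0.0:31412",
    "10.0.5.11 tcp LISTEN 0.0.0.0:19412",
    "10.0.5.12 tcp LISTEN 0.0.0.0:443",
]

LISTEN_RE = re.compile(r"^(?P<host>\S+)\s+tcp\s+LISTEN\s+\S+:(?P<port>\d+)$")


def check_banners(inventory):
    """Flag hosts whose Server header contains the exact version string the
    malware maps to its GPON exploit function (substring match, as the
    article says the bot searches the GET response for each signature)."""
    return [Finding(host, "boa-signature", banner)
            for host, banner in sorted(inventory.items())
            if BOA_SIGNATURE in banner]


def check_listeners(lines):
    """Flag hosts with a listener on either port the installed bot opens."""
    findings = []
    for line in lines:
        match = LISTEN_RE.match(line.strip())
        if not match:
            continue  # unknown line format; skip rather than guess
        port = int(match.group("port"))
        if port in BOT_PORTS:
            findings.append(Finding(match.group("host"), "bot-listener", f"tcp/{port}"))
    return findings


def triage(inventory, lines):
    """Group findings per host; a host with both a Boa signature and a bot
    listener is the strongest signal and should be isolated and imaged."""
    by_host = {}
    for finding in check_banners(inventory) + check_listeners(lines):
        by_host.setdefault(finding.host, []).append(finding)
    return by_host


if __name__ == "__main__":
    for host, findings in triage(BANNER_INVENTORY, LISTENER_LINES).items():
        print(host, [(f.kind, f.detail) for f in findings])
```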

Furthermore, the researchers did not observe any active C2 communication between BotenaGo and an actor-controlled server; they hypothesize the following scenarios: 

1. The malware is part of a multi-stage modular malware attack, and it's not the one responsible for handling communications. 

2. BotenaGo is a new tool used by Mirai operators on specific machines known to them, with the attacker(s) operating the infected endpoint by supplying it with targets. 

3. The malware is still under development and was released in the wild accidentally.

Canadian IoT Solutions Provider, Sierra Wireless Hit by a Ransomware Attack


Sierra Wireless, a Canadian IoT solutions provider, said that it has resumed production at its manufacturing sites after the company suffered a ransomware attack that breached its internal infrastructure and official website on March 20. Upon learning of the attack, the company engaged the firm KPMG to assist with its investigation of the incident.

According to Sierra Wireless, "security is a top priority, and Sierra Wireless is committed to taking all appropriate measures to ensure the highest integrity of all of our systems. As the investigation continues, Sierra Wireless commits to communicating directly to any impacted customers or partners, whom we thank for their patience as we work through this situation." 

Currently, the staff at Sierra Wireless is working on reinstalling the company's internal infrastructure, after the corporate website was brought back online. The company also said that the ransomware could not reach its services and customer-facing products because the internal systems that were attacked are segregated from them. The company believes the scope of the attack was limited to its corporate website and internal systems, and it is confident that its connectivity services and products were not affected during the incident. 

As of now, the company does not expect to issue any firmware or software security updates or product security patches, as would typically be needed after a ransomware attack. The company has not disclosed the ransomware operator behind the attack, nor has it specified what data was stolen before the encryption took place. 

The attack happened in March, after which the company withdrew its Q1 guidance. A company spokesperson said that Sierra Wireless will not reveal any further information about the attack, as per company protocol, because the data involved is highly confidential and sensitive. Bleeping Computer reports, "Sierra Wireless' products (including wireless modems, routers, and gateways) sold directly to OEMs are being used in IoT devices and other electronic devices such as smartphones, and an extensive array of industries." Stay updated for more news.

Active Cypher: Great Deal of Orchestration of Our Intelligence in AI into Existing Systems

 
Active Cypher: The company is built upon a socially responsible fabric that provides information security for individuals and corporations in an increasingly complex digital age. The guests for this interview were Mr. Michael Quinn, CEO, and Mr. Caspian Tavallali, COO of Active Cypher. Active Cypher’s Ransom Data Guard utilizes a combination of Active Cypher’s proprietary encryption orchestration, smart AI, and advanced endpoint protection. 
 
Please tell us about your company, Active Cypher. 
 

I am Michael Quinn, CEO of Active Cypher. We are a data protection company; we have an ethos within the company that the data needs to be able to protect itself wherever it is created. We have built a product line that offers those capabilities of protection against ransomware attacks by protecting data at the file level in the server environment and in the cloud. What our product allows us to do is be crypto agile. We can work with numerous encryption schemes. Once we are installed we basically back out of the situation and allow the client to run and trust their own data. 

 
Your company talked about game-changing software “Ransom Data Guard” that will protect organizations against ransomware threats. Please describe more about it. 
 
What we developed is a capability based on understanding what ransomware has to do in order to take control of a device in a user environment. We built the product just before COVID-19 and the work-from-home culture started, and we realized that people are using shared environments on the same device at home. So we basically allow the organization to encrypt the data down to the device level and protect it. The ransomware protection that we provide basically allows us to manage the files in such a way that they are not accessible to external sources like ransomware. We put this product alongside our Cloud Fortress product to make sure that we were meeting compliance regulations. What we found after working with the law firms is that we allow the companies to meet compliance through this capability even if the product was ransomed or if the data was exfiltrated, because we encrypt the data so the actual data itself is useless. On the ransomware side, the beauty of it is we allow a lot of flexibility in how the data can be stored and used. 
 
Besides ransomware protection, what are the other solutions Active Cypher provides? 
 
We do a great deal of orchestration of our intelligence in AI into existing systems; we integrate into Microsoft tools, and we also have APIs that can write to any of the tools that are out there. We don’t come in to replace anything or add to anybody’s burden; we integrate into it with our information.  
 
Let’s say somebody opens a doc file, or they load up a doc file which has an exploit. How do you handle that? 

If somebody uploads an exploit or malware, then when it’s opened, because of the process we use to interrogate the document for its integrity, we will stop any process that is trying to interfere with the environment and we’ll put a warning out. What will happen is you’ll get an alert from us. Let’s say you open up a “WannaCry” as an example: you will get a screen saying “your device has been ransomed.” The reality is you can still open all your files. What we do is, with our Cloud Fortress product, we do a real-time backup. 
 
At a time when hospitals and medical institutions are struggling with Covid-19, how has Active Cypher protected them from ransomware threats? 

In most of the hospitals and medical environments, the IT staff lacked the sophistication to understand what was happening. Earlier, the attackers were not really trying to damage the data; they were trying to ransom it and return it. Now what the attackers are doing is actually getting into the environment and not going after the data, because most of the hospitals have upgraded their capabilities along with using our products. Now the hackers are attacking the IoT (internet of things) at the device level, which is more life-threatening. What we have done to help healthcare institutions is basically put “Data Guard,” which is the stand-alone ransomware product, on devices. 
 
How do you handle the GDPR (General Data Protection Regulation) and Privacy requirements when it’s the home environment? 

With “Data Guard,” the way the product is designed, it can be installed on a consumer device. In that environment it allows people to protect what they have on their device, whether personal data or business data. And that’s the simplicity of Data Guard: it protects your device and the files on it and ensures that ransomware can’t launch successfully.  
 
With cyberattacks rising, is there any advice you can give to our readers on cybersecurity? 

Everybody has to be aware, you don’t have to be afraid. With the stress of work, particularly with this remote work environment, the user has to be more diligent. So, ease of use and awareness are probably the keys to maintaining good data hygiene.

Internet of Things (IoT): Greater Threat for Businesses Reopening Amid COVID-19 Pandemic

 

Businesses have increasingly adopted IoT devices, especially amid the COVID-19 pandemic to keep their operations safe. Over the past year, the number of IoT devices employed by various organizations in their network has risen by a remarkable margin, as per research conducted by Palo Alto Networks' threat intelligence arm, Unit 42. 
 
While looking into the current IoT supply ecosystem, Unit 42 explained the multiple exploits and vulnerabilities affecting IoT supply chains. The research also examined the possible motivations for exploiting the IoT supply chain, illustrating how no layer is completely immune to the threat.  

The analysis of the same has been reported during this year's National Cybersecurity Awareness Month (NCSAM), which is encouraging the individual's role in protecting their part of cyberspace and stressing personal accountability and the significance of taking proactive measures to strengthen cybersecurity. 
 
The analysis also noted that supply chain attacks on IoT come in two forms: hardware that has been modified to alter a device's behaviour, or software installed on a device that has been tampered with to conceal malware. 
 
While highlighting a common poor practice, the research mentioned the incorporation of third-party software and hardware components without keeping a list of the components added to the device. This practice makes it hard to find out how many products from the same manufacturer are affected when a vulnerability is found in any of the components. It also becomes difficult to determine how many devices across different vendors are affected by the vulnerability overall.

"The main goals for cyberespionage campaigns are maintaining long-term access to confidential information and to affected systems without being detected. The wide range of IoT devices, the access they have, the size of the user base, and the presence of trusted certificates make supply chain vendors attractive targets to advanced persistent threat (APT) groups..." the report stated. 
 
"In 2018, Operation ShadowHammer revealed that legitimate ASUS security certificates (such as “ASUSTeK Computer Inc.”) were abused by attackers to sign trojanized software, which misled targeted victims into installing backdoors on their systems and downloading additional malicious payloads onto their machines." 
 
While putting things in a cybercrime perspective, the report noted - "The potential access and impact of compromising a large number of IoT devices also make IoT vendors and unprotected devices popular choices for financially motivated cybercriminals. A NICTER report in 2019 shows close to 48% of dark web threats detected are IoT related. Also in 2019, Trend Micro researchers looked into cybercriminals in Russian-, Portuguese-, English-, Arabic-, and Spanish-speaking marketplaces and discovered various illicit services and products that are actively exploiting IoT devices." 
 
The report stressed the need to list all the devices connected to a given network, as this helps identify devices and their manufacturers and enables administrators to patch, monitor, or even disconnect devices when needed. Without a complete list, it may be impossible to know which devices are vulnerable; complete visibility of all connected devices is therefore essential to defending your infrastructure. 

Bot List Containing Telnet Credentials for More than 500,000 Servers, Routers and IoT Devices Leaked Online


This week, a hacker published a list on a popular hacking forum containing Telnet credentials for over 515,000 servers, home routers and IoT (Internet of Things) "smart" devices. The massive list, reportedly compiled by scanning the whole internet for devices that left their Telnet port exposed, included each device's IP address along with a username and password for the Telnet service, a remote access protocol that can be used to control devices over the internet.

According to the leaker's own statements, after scanning the internet for devices exposing their Telnet port, the hacker tried either factory-set default usernames and passwords or custom but easily guessable combinations.

Such lists, known as 'bot lists', are generally kept private; they are built by scanning the internet and are then used to connect to the devices and install malware. Sources say that although there have been some leaks in the past, this is the biggest leak of Telnet passwords to date.

According to ZDNet, the list was made available online by the maintainer of a DDoS-for-hire (DDoS booter) service. Some of these devices may now run on a different IP address or use other login credentials, as all the leaked lists are dated around October-November 2019. Since using any of the listed usernames and passwords to access the devices would be illegal, ZDNet did not do so and was therefore unable to comment on the validity of the credentials.

A security expert in the IoT field, speaking on condition of anonymity, says that even if some of the listed credentials are now invalid because the devices have a new IP address or password, the list still holds a lot of value for a skilled attacker, who could use the information in it to identify the service provider and update the list with current IP addresses.

Verified security researchers who volunteered for it have been given access to the list of credentials.

Attacks on IoT devices and WebApps on an extreme rise for the Q3

Overall malware and ransomware volumes have fallen, but the threats that remain are more active and dangerous. More than 7.2 billion malware attacks were recorded from January to September 2019, along with 151.9 million ransomware attacks.

Key findings include:

  • IoT malware rose to 25 million, a 33% increase 
  • Encrypted attacks rose 58% 
  • Web application attacks are on the increase, up 37% over the same period last year 
  • Malware attacks reached 7.2 billion 
  • Ransomware attacks hit 151.9 million 
  • 14% of malware attacks arrived over non-standard ports


"The attacks may be dropping for the moment, but the truth is the number of threats is still extremely high and more dangerous than ever. We have reported a rise in geographical threats in America and involving the UK and Germany. The researchers at our lab are also investigating distinct and increasing threat vectors, like surface channel threats and tricks," says the SonicWall Capture Threat Network. “While observing the ransomware range, we also recognize that ransomware attack tricks have evolved,” says SonicWall CEO and President Bill Conner.

“Earlier, the hackers aimed at the number of victims, but today we are witnessing that hackers concentrate on fewer, more eminent victims for expanding sideways. This change in tricks also brought a similar increase in the payment demands in ransomware attacks, as the criminals try to extract high payments from a few, but profitable, victims such as hospitals and regional districts. The evidence reveals that cybercriminals are becoming better at attacks, more specific and more careful. Companies should be careful and make more stringent safety rules in their institutions to overcome the menaces that our experts have found,” says Conner.

He further adds, “we suggest that organizations should adopt a combined and multilayered safety program that gives solid security across all systems to avoid being the cover story for cyber attack news.” Phishing attacks are following the same trend as malware and ransomware: they are also declining, down 32% year over year, a figure that has held steady for most of this year.

Hackers Using Smart Devices to Launch Phishing Attack against Russian Business


Cybersecurity experts have recorded a unique mass attack on Russian businesses. It is unique because the hackers disguised themselves as well-known brands and used smart devices to send the mail. This is the first mass attack of its kind.

The hackers presented themselves as representatives of famous brands, including retail chains, construction and oil companies. They sent e-mails carrying malicious software, in particular on behalf of the Auchan hypermarket chain or the transnational energy corporation Gazprom, closely imitating their style.

The e-mails carried the Shade/Troldesh ransomware, which encrypted files on users' devices and demanded payment from them for access.

Vladimir Dryukov, Director of the Solar JSOC Cyber Attack Monitoring and Response Center, noted that the intensity of this phishing mailing is several times higher than usual. According to him, the attack affected about 50 of the largest companies in Russia, whose employees received 10-50 letters a day. Group-IB experts recorded up to 2,000 mailings per day.

The main feature of these attacks is the use of smart devices, for example hacked routers around the world, as they are much harder to track. In addition, the virus e-mails can be sent from any device capable of it, such as modems, smart-home ecosystems and network storage. Experts believe that in the future the number of attacks using such devices will only grow.

"Usually IoT devices are used for DDoS attacks. Sending phishing emails from routers is still exotic," said Vladimir Dryukov.

It is worth noting that the attacks on Russian companies began in November, but their peak came in February. Which companies were attacked and how much damage was caused to them has not been disclosed.