Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Routers. Show all posts
TheMoon
Cyber Security Financial Exploit IoT devices Routers TheMoon

Malware Targets End-of-Life Routers and IoT Devices

 




A recent investigation by Black Lotus Labs team at Lumen Technologies has revealed a concerning trend in cybercriminal activity targeting end-of-life (EoL) routers and IoT devices. The research sheds light on a sophisticated campaign utilising updated malware known as TheMoon, which has quietly grown to infect over 40,000 devices across 88 countries by early 2024.

The primary target of this campaign appears to be small home and small office routers, which are often overlooked when it comes to security updates. Unlike desktop and server computing, where automatic updates are the norm, many IoT devices lack this crucial feature. This oversight leaves them vulnerable to exploitation by cybercriminals.

One of the key findings of the investigation is the emergence of a malicious proxy service called Faceless, which offers anonymity services to cybercriminals for a minimal fee. By routing their traffic through compromised devices, malicious actors can conceal their true origins, making it difficult for law enforcement to track their activities.

According to Jason Soroko, a cybersecurity expert, routers and networking equipment with weak passwords have long been easy targets for cyber attacks. However, what sets this campaign apart is the use of proxy networks to obfuscate command-and-control (C2) traffic, indicating a new level of sophistication among cybercriminals.

The Mechanism Behind The Threat

The malware responsible for these attacks is distributed through a botnet orchestrated by TheMoon. It targets vulnerable EoL routers and IoT devices, infecting them with a loader that fetches an executable file from a C2 server. This file includes a worm module that spreads to other vulnerable devices, as well as a component used to proxy traffic to the internet on behalf of the attacker.

Global Impact: Financial Sector Under Siege

Despite a majority of infected hosts being located in the U.S., the threat extends globally, with devices in 88 countries falling victim to the campaign. The financial sector, in particular, is a prime target for password spraying and data exfiltration attacks, posing significant risks to organisations worldwide.

Recommendations for Defenders

Network defenders are urged to remain vigilant against attacks on weak credentials and suspicious login attempts. Additionally, experts recommend implementing measures to protect cloud assets from communicating with malicious bots and blocking indicators of compromise (IoCs) with web application firewalls.

The advent of this new cyber threat calls for regular security updates and proper maintenance of IoT devices, especially those nearing the end of their lifecycle. Failure to address these vulnerabilities could have far-reaching consequences, as cybercriminals continue to exploit them for financial gain.




Read more »
Routers Threat
Business Network Cyber Attacks cyber threat CyberCrime ESET Routers Routers Threat

A Corporate Secret is not Destroyed, it's Discarded: Threat of Old Routers

 



Many business network environments probably experience the process of removing a defunct router from a rack and accommodating a shiny refurbished replacement now and then. The fate of the disposed router should be as significant, if not more so, as the smooth transition and delivery of the upgraded kit into the rack. The truth is, however, that this is not always the case. 

Home and business security are threatened by security issues stemming from vulnerabilities in routers. These threats can extend beyond email compromises to security breaches in physical homes. However, despite this, people rarely consider security as a concern when using their devices. According to research, approximately 73% of Internet users never consider upgrading their router or securing their system. Therefore, it can be considered one of the major threats to the Internet of Things.

It surprised the ESET research team that in many cases, previously used configurations had not been wiped away when they purchased a few used routers to setup a test environment, causing them to be shocked upon realizing the data on the routers could be used as a source of identification along with the network configurations of the prior owners. 

The researchers purchased 18 used routers made by three popular vendors: Cisco, Fortinet, and Juniper Networks, in a variety of models. Nine of them were found exactly the way their owners left them, fully accessible. Only five of the remaining ones had been properly wiped by their owners. One of the devices was encrypted, one was dead, and the other was a mirror copy of an encrypted device.  

All nine devices left uncovered appear to contain credentials for the organization's VPN. They also contained credentials for another secure network communication service, or hashed passwords for root administrators of the organization. The identifying data included in all of them was sufficient to identify the previous owner or operator of the router. In addition, it enabled router identification.  

Data gathered from these devices could be used to launch cyberattacks – including customer data, router-to-router authentication keys, list of applications, and several other things, if this data is put into the wrong hands. An attacker could have gained access to a company's digital assets by gaining the initial access necessary to research where they are located and what they might be worth. 

An Internet router serves as the hub of an entire home network. This is where all elements of a smart home are connected to the Internet and share information between them. 

When an attacker infects a router, he or she gains access to the network by which data packets are transmitted. This is the network through which the router operates. By doing this, they can install malicious software on the victims' computers, allowing them to steal sensitive data, private photos, and business files. This is potentially irreparable damage to them as a result of this maneuver. Using the infected router, the attacker can redirect users to phishing websites that look exactly like popular webmail and online banking sites. 

KELA Cybercrime Prevention, a cybercrime prevention company that specializes in cybercrime prevention technologies, has found that the average price for access credentials to corporate networks at the time of the initial unauthorized intrusion is $2,800. This price is based on KELA Cybercrime Prevention research. Considering that a used router purchased for a few hundred dollars could provide a cybercriminal with a significant return on investment, a cybercriminal could purchase a used router for a few hundred dollars out of pocket and use it immediately to access the network with little effort. It is assumed that they will simply strip off the access data and sell it on the dark web instead of launching a full-scale cyberattack themselves, although that may very well be the case. 

As a result of the findings of the ESET researchers, organizations may believe that they are conducting business responsibly by contracting with a device-management firm outside their own. 

Those in the e-waste disposal business, or even device-sanitization services that promise to wipe large volumes of corporate devices for resale can be counted on to take care of that for you. 

On the other hand, it may be that these third parties are not performing whatever they claim in practice. Considering that mainstream routers come with encryption and other security features, more organizations might benefit from them to mitigate the negative impacts of fallout should devices that have not been wiped end up roaming the world with no security features. 

Ensure that your router is protected from cybercriminals' attacks by following these steps:

  • There are risks associated with buying second-hand smart appliances. Previous owners of such products may have modified the alarm system firmware so that a remote attacker can collect all the data.
  • It is very important that you change the default password of your account. You should choose a complex password and change it regularly.
  • On social networks, you should not share serial numbers, IP addresses, or other sensitive information concerning your smart devices. 
Read more »
Routers
360 Netlab Cisco CVE vulnerability Cyber Security HTTP Attacks RCE Flaw Routers

Cisco Fixes a Major Issue in Small Business Routers


Several end-of-life (EoL) VPN routers are affected by a critical authentication bypass flaw that Cisco alerted customers. The issue has publicly available attack code. Hou Liuyang of Qihoo 360 Netlab discovered the security hole (CVE-2023-20025) in the internet management interface of Cisco Small Business RV016, RV042, RV042G, and RV082 routers.

CVE-2023-20025 validation of user input within incoming HTTP packets could enable an unauthorized remote attacker to bypass authorization on an affected system. An attacker could send false HTTP requests to the router, bypass authentication, and get root access to the operating system due to a flaw where user input within inbound HTTP packets is not properly validated.

The second vulnerability, identified as CVE-2023-20026, could enable remote code execution (RCE), but in order to exploit it, an attacker must have access to the device in question. As a result, the bug is graded medium and has a CVSS score of 6.5.

According to Cisco, the flaws do not need to be exploited in tandem by attackers and are independent of one another. However, it would be simple to exploit an authentication bypass with a remote code execution flaw that first requires attackers to be able to authenticate.

An effective mitigation, as per Cisco, is to stop remote administration of the routers and block access to ports 443 and 60443, making the routers only reachable through the LAN interface, even though there are no fixes for the issues. Despite the routers were stopped, researchers found that the installed base still exists. Out-of-date equipment frequently remains in commercial settings even after it has been disconnected, providing a fertile target for cyber attacker's.

As per Mike Parkin, senior technical engineer at Vulcan Cyber, the Cisco small business routers afflicted by such flaws still see pretty broad usage, even they are all finally end of term.  A difficulty is that the devices are frequently used by people who may not have the money to replace them or by smaller firms with limited resources.

SMB routers are widely used, since many users now work from home or hybrid offices, not just SMBs that are affected. The susceptible product could be used by branch offices, COEs, or even home offices.



Read more »
Routers
360 Netlab Amazon C2C CPU vulnerabilities CVE vulnerability Cyberattacks DDOS Attacks DVR IP Address Mirai botnet Routers

The Fodcha DDoS Botnet Hits Over 100 Victims

 

Qihoo 360 researchers have found a rapidly spreading new botnet called Fodcha which is capable of performing over 100 attacks every day. Employing this new malware, the threat actor is attacking routers, DVRs, and servers. The actors were able to infect nearly 62,000 machines with the Fodcha virus in less than a month, as per the researchers. 

360 Netlab reports that the number of unique IP addresses affiliated with the botnet fluctuates, as they are monitoring a 10,000-strong Fodcha army of bots utilizing Chinese IP addresses every day, with the majority of them using China Unicom (59.9%) and China Telecom (59.9%) services (39.4 percent ). 

Researchers alleged that "Based on firsthand data from the security industry with whom we collaborated, the frequency of live bots is more than 56000." "The global infection appears to be quite large, as there are over 10,000 daily active bots (IPs) in China, as well as over 100 DDoS victims are targeted daily." 

The Fodcha infects devices by exploiting n-day vulnerabilities in many devices and employing the Crazyfia brute-force cracking tool. The botnet targets a variety of devices and services, including but not limited to: 

RCE for Android ADB Debug Server 
CVE-2021-22205 on GitLab 
CVE-2021-35394 in the Realtek Jungle SDK 
JAWS Webserver unverified shell command execution on MVPower DVR 
LILIN DVR RCE: LILIN DVR
TOTOLINK Routers: Backdoor TOTOLINK Routers
ZHONE Router: Web RCE ZHONE Router 

After successfully acquiring access to susceptible Internet-exposed devices samples, Fodcha attackers use Crazyfia result data to deploy malware payload. The botnet samples, according to 360 Netlab, target MIPS, MPSL, ARM, x86, and other CPU platforms. 

The botnet used the folded[.]in command-and-control (C2) domain from January 2022 until March 19, when it switched to fridgexperts[.]cc when the cloud vendor took down the essential C2 domain. 

"The switch from v1 to v2 is due to a cloud vendor shutting down the C2 servers corresponding to the v1 version, leaving Fodcha's operators with no alternative but to re-launch v2 and upgrade C2," the researchers reported. "The new C2 is mapped to over a dozen IP addresses and is scattered across different countries, including the United States, Korea, Japan, and India." It also includes more cloud providers, including Amazon, DediPath, DigitalOcean, Linode, and others. 


Read more »
Web Servers
DDOS Attacks Hybrid Botnet malware Routers Web Servers

New Hybrid Enemybot Malware Targets Routers, Web Servers

 

A recently discovered DDoS botnet is enslaving multiple router models and various types of web servers by abusing known vulnerabilities, researchers at Fortinet Labs warned. 

Dubbed Enemybot, the botnet has been linked to the cybercrime group named Keksec which specializes in DDoS attacks and cryptocurrency mining and has been linked to multiple botnets such as Simps, Ryuk, and, Samel. 

The malware is the result of combining and modifying the source code of the Gafgyt (Bashlite) botnet – which leaked in 2015 –and the infamous Mirai botnet, with the latest version using the scanner module and a bot killer module. 

Enemybot employs multiple obfuscation methodologies meant not only to prevent analysis, but also to keep it concealed from other botnets, and connect to a remote server that's hosted in the Tor anonymity network to fetch attack commands. 

The new botnet also attempts to exploit a wide range of devices and architectures by using known combinations of usernames and passwords, running shell commands on Android devices with a compromised Android Debug Bridge port (5555), and targeting roughly 20 known router vulnerabilities.

The most recent of the targeted security loopholes is CVE-2022-27226, a remote code execution issue that impacts iRZ mobile routers, and which was made public on March 19, 2022. Enemybot, Fortinet points out, is the first botnet to target devices from this vendor. 

Enemybot also targets the now infamous Apache Log4j remote code execution vulnerabilities disclosed last year (CVE-2021-44228 and CVE-2021-45046), as well as a couple of path traversal issues in the Apache HTTP server (CVE-2021-41773 and CVE-2021-42013). 

The botnet also attempts to abuse security loopholes in TOTOLINK routers and Seowon routers, as well as older vulnerabilities in ThinkPHP, D-Link routers, NETGEAR products, Zhone routers, and ZyXEL devices. 

Once a flaw has been successfully abused, the malware runs a shell command to download a shell script from a URL that is dynamically updated by the C&C. The script is responsible for downloading the actual Enemybot binary compiled for the target device’s architecture.

After successful exploitation, the malware links to its C&C server and waits for further instructions. Based on received commands, it can perform DNS amplification attacks and various types of DDoS assaults, sniff traffic, and spread to other devices via brute force attacks. 

“This mix of exploits targeting web servers and applications beyond the usual IoT devices, coupled with the wide range of supported architectures, might be a sign of Keksec testing the viability of expanding the botnet beyond low-resource IoT devices for more than just DDoS attacks. Based on their previous botnet operations, using them for crypto mining is a big possibility,” Fortinet notes.
Read more »
WiFi
Asus ASUS Routers attacks Botnet Cyber Attacks Cyclops Blink Routers Russia UK VPN WiFi

This New Russian Cyclops Blink Botnet Targets ASUS Routers

 

Nearly a month after it was discovered that the malware used WatchGuard firewall appliances as a stepping stone to obtaining remote access to infiltrated networks, ASUS routers have been the target of a budding botnet known as Cyclops Blink. 

The botnet's primary objective is to develop an infrastructure for additional attacks on high-value targets, according to Trend Micro, given that none of the compromised hosts belongs to vital organisations or those that have an obvious value on economic, political, or military espionage. 

Cyclops Blink has been identified by intelligence services in the United Kingdom and the United States as a replacement framework for VPNFilter, a malware that has targeted network equipment, especially small office/home office (SOHO) routers and network-attached storage (NAS) devices. 

Sandworm (aka Voodoo Bear), a Russian state-sponsored actor has been linked to both VPNFilter and Cyclops Blink. It has also been tied to several high-profile cyberattacks, including the 2015 and 2016 attacks on the Ukrainian electrical grid, the 2017 NotPetya attack, and the 2018 Olympic Destroyer attack on the Winter Olympic Games. 

The complex modular botnet, c language, affects a variety of ASUS router types, with the company admitting that it is working on a patch to handle any potential exploitation. –  
  • GT-AC5300 firmware under 3.0.0.4.386.xxxx
  • GT-AC2900 firmware under 3.0.0.4.386.xxxx
  • RT-AC5300 firmware under 3.0.0.4.386.xxxx
  • RT-AC88U firmware under 3.0.0.4.386.xxxx
  • RT-AC3100 firmware under 3.0.0.4.386.xxxx
  • RT-AC86U firmware under 3.0.0.4.386.xxxx
  • RT-AC68U, AC68R, AC68W, AC68P firmware under 3.0.0.4.386.xxxx
  • RT-AC66U_B1 firmware under 3.0.0.4.386.xxxx
  • RT-AC3200 firmware under 3.0.0.4.386.xxxx
  • RT-AC2900 firmware under 3.0.0.4.386.xxxx
  • RT-AC1900P, RT-AC1900P firmware under 3.0.0.4.386.xxxx
  • RT-AC87U (end-of-life)
  • RT-AC66U (end-of-life), and
  • RT-AC56U (end-of-life)
Apart from employing OpenSSL to encrypt connections with its command-and-control (C2) servers, Cyclops Blink also includes specific modules that can read and write from the devices' flash memory, allowing it to persist and survive factory resets. A second reconnaissance module acts as a medium for exfiltrating data from the hacked device to the C2 server, while a file download component is responsible for retrieving arbitrary payloads through HTTPS. Although the exact form of initial access is unknown, Cyclops Blink has been affecting WatchGuard and Asus routers in the United States, India, Italy, Canada, and Russia since June 2019. 

A law firm in Europe, a medium-sized entity producing medical equipment for dentists in Southern Europe, and a plumbing company in the United States are among the impacted hosts. Because of the infrequency with which IoT devices and routers are patched and the lack of security software, Trend Micro has warned that this might lead to the establishment of "eternal botnets."

The researchers stated, "Once an IoT device is infected with malware, an attacker can have unrestricted internet access for downloading and deploying more stages of malware for reconnaissance, espionage, proxying, or anything else that the attacker wants to do. In the case of Cyclops Blink, we have seen devices that were compromised for over 30 months (about two and a half years) in a row and were being set up as stable command-and-control servers for other bots."
Read more »
Universal Plug and Play
attacks Cyber Attacks Malicious Campaign Mallicious URLs Proxy Server Routers Security Silent Attacks Universal Plug and Play

2,77,000 Routers Vulnerable to 'Eternal Silence' Assaults via UPnP

 

'Eternal Silence,' a malicious campaign, is exploiting Universal Plug and Play (UPnP), which switches the router into a proxy server used to execute nefarious assaults while obscuring the threat actors' location. 

UPnP is a connection protocol that enables additional devices on a network to establish port forwarding rules on a router automatically and is optionally available in most modern routers. This allows remote devices to use a certain software function or device as needed, with minimal user configuration. 

However, it is another technology that compromises security for convenience, particularly when the UPnP implementation is subject to attacks that enable remote attackers to add UPnP port-forwarding entries over a device's exposed WAN connection. 

Akamai researchers discovered attackers exploiting this flaw to build proxies that conceal their harmful operations and termed the attack UPnProxy. 

277,000 of the 3,500,000 UPnP routers detected online are vulnerable to UPnProxy, with 45,113 already infected by hackers. 

Analysts at Akamai believe the perpetrators are attempting to exploit EternalBlue (CVE-2017-0144) and EternalRed (CVE-2017-7494) on unpatched Windows and Linux systems, respectively. 

Exploiting these holes can result in a variety of issues, such as resource-intensive cryptominer infections, destructive worm-like attacks that quickly spread across entire corporate networks, or gaining initial access to corporate networks. 

The hackers' new rulesets include the phrase 'galleta silenciosa,' which means 'silent cookie'. 

The injections try to expose TCP ports 139 and 445 on devices connected to the targeted router, which totals around 1,700,000 machines that use SMB services. 

Although Akamai is unaware of the campaign's success rate, it did notice a methodical approach to the scans, focusing on devices that use static ports and routes for their UPnP daemons to inject port forwards.  

The perpetrators may be attempting to exploit EternalBlue (CVE-2017-0144) and EternalRed (CVE-2017-7494) on unpatched Windows and Linux systems, according to Akamai's experts. 

"Because there is a decent possibility that (vulnerable) machines unaffected by the first round of EternalBlue and EternalRed attacks were safe only because they weren't exposed directly to the internet. They were in a relatively safe harbor living behind the NAT," explains Akamai's report 

"The EternalSilence attacks remove this implied protection granted by the NAT from the equation entirely, possibly exposing a whole new set of victims to the same old exploits." 

'Eternal Silence' is a clever attack since it makes the practice of network segmentation ineffective and provides no sign of what is happening to the victim. 

Scanning all endpoints and auditing the NAT table entries is the best technique to see if the devices have been captured. There are a variety of ways to achieve this, but Akamai has made it simple by providing a bash script that can be used to test a potentially vulnerable URL. 

Disabling UPnP won't erase existing NAT injections if someone found a device infected with Eternal Silence. Users will have to reset or flash the device instead. 

Applying the most recent firmware update should also be a priority, since the device vendor may have resolved any UPnP implementation problems via the system update.
Read more »
Vulnerabilities and Exploits
Customer Passwords Data hack Flaws Routers Sensitive data Sky Routers Vulnerabilities and Exploits

Sky: Major Security Flaw on 6M Routers Left Customers Vulnerable to Hackers

 

A "serious" security vulnerability impacting over six million Sky routers exposed customers to hackers for more than 17 months, as per the analysts. 

According to internet security firm Pen Test Partners, users of Sky routers were vulnerable to hacks and online attacks for well over a year as a result of the security vulnerability. If they hadn't updated the router's default admin password, hackers could have accessed Sky router customers' passwords and personal information. The following Sky devices were impacted: 
  • Sky Hub 3 (ER110) 
  • Sky Hub 3.5 (ER115) 
  • Booster 3 (EE120) 
  • Sky Hub (SR101) 
  • Sky Hub 4 (SR203) 
  • Booster 4 (SE210) 
However, these last two devices came with a randomly generated admin password, making it more complex for a hacker to attack. Furthermore, around 1% of Sky's routers are not manufactured by the firm. Customers who have one of these can now request a replacement at no cost. 

The software flaw discovered by Pen Test Partners researcher Raf Fini stated that flaw would have allowed a hacker to modify a home router merely by directing the user to a malicious website through a phishing email. 

Pen Test Partner's Ken Munro told BBC News that they could then "take over someone's online life," obtaining passwords for banking and other services. Although there was no proof that the vulnerability had been exploited, he added that the time it took to patch it was perplexing. 

"While the coronavirus pandemic put many internet service providers under pressure, as people moved to working from home, taking well over a year to fix an easily exploited security flaw simply isn't acceptable," he said. 

The Sky was warned about the problem in May 2020, according to Pen Test Partners. Sky acknowledged the issue, but it wasn't until October 2021 that Sky announced 99 percent of all impacted routers had been updated. In response to the security issues, Sky informed ITV News that they began working on a solution as soon as they got notified of the situation. 

A Sky spokesperson stated, "We can confirm that a fix has been delivered to all Sky-manufactured products.”
Read more »
Vulnerabilities
Cyber Security Routers Sensitive data Threat actors Vulnerabilities

InHand Networks Routers Could Expose Many Organizations to Remote Attacks

 

Researchers uncovered many major vulnerabilities in InHand Networks industrial routers that might expose numerous enterprises to remote attacks, and no patches appear to be available. Researchers from industrial cybersecurity firm OTORIO identified the issues in IR615 LTE routers made by industrial IoT solutions supplier InHand Networks over a year ago. The company has offices in China, the United States, and Germany, and its products are sold worldwide. Siemens, GE Healthcare, Coca-Cola, Philips Healthcare, and other large corporations are among InHand's customers, according to the company. 

OTORIO researchers detected 13 vulnerabilities in the IR615 router, according to a report issued last week by the US Cybersecurity and Infrastructure Security Agency (CISA). The list contains high-severity improper authorization and cross-site scripting (XSS) vulnerabilities, as well as critical cross-site request forgery (CSRF), remote code execution, command injection, and weak password policy issues. 

Cisco also addressed dozens of vulnerabilities in its IOS software in 2020, including a dozen security vulnerabilities affecting its industrial routers and switches. Cisco released its semi-annual security advisory bundle for IOS and IOS XE software. The warnings included 25 vulnerabilities that were classified as critical or high severity. Hundreds of other advisories for high- and medium-severity problems affecting IOS and other software were also published by the firm. 

Coming back to InHand Networks, CISA warned that threat actors might use the flaws to gain complete control of the devices and intercept communications in order to acquire sensitive data. 

Thousands of internet-exposed InHand routers have been discovered as vulnerable to assaults, according to OTORIO, however, exploitation via the internet requires authorization to the router's web management portal. An attacker might use default credentials to enter into the device or use brute-force assaults to obtain login credentials. The router's weak password policy and a vulnerability that can be used to enumerate all valid user accounts facilitate brute-force assaults.

“The attacker may abuse the Remote Code Execution vulnerability to get a first foothold on the device via running CLI commands; implant a first backdoor on the device as a persistence stage; and start scanning the internal organization network in order to elevate the attacker privileges and move on to sensitive assets on the network,” explained Hay Mizrachi, a penetration tester at OTORIO.

“The final objective is to achieve Domain Admin privileges on the organization. Of course, if there are additional sensitive networks such as OT networks, the attacker can try to get a foothold and disrupt the day-to-day functioning of the product line floor to cause additional damage and financial costs.”
Read more »
Vulnerability and Exploits
Microsoft Netgear Routers Vulnerability and Exploits

Microsoft Unveils Vulnerabilities in Netgear Routers

 

Increasing safety measures led attackers to explore different ways to breach systems. The increasing number of firewall and ransomware attacks employing VPN devices and other websites are instances of attacks initiated externally and underneath the operating system layer. As these sorts of attacks are becoming more widespread, consumers must also aim to maintain single-use software, running their hardware, such as routers. 

In Netgear routers, Microsoft has revealed several vulnerabilities that might lead to data disclosure and complete system compromise. Whereas on June 30, 2021, Jonathan Bar Or, a member of Microsoft's 365 Defender Research Team revealed, that the vulnerabilities that have been patched before public release. 

“We discovered the vulnerabilities while researching device fingerprinting in the new device discovery capabilities in Microsoft Defender for Endpoint. We noticed a very odd behavior: a device owned by non-IT personnel was trying to access a NETGEAR DGN-2200v1 router’s management port. The communication was flagged as anomalous by machine learning models, but the communication itself was TLS-encrypted and private to protect customer privacy, so we decided to focus on the router and investigate whether it exhibited security weaknesses that can be exploited in a possible attack scenario,” told Microsoft. 

After observing odd behavior on the router management port, the Microsoft Security team uncovered vulnerabilities. While TLS encryption protects the communication, machine learning models are still identified as anomalous. 

Three HTTPd authentication issues have been identified upon further research on the router firmware. The first one enabled the team to visit any website on a device, including those that need to be authenticated, such as router administration pages, by inserting GET variables to substrate requests, which allows full bypass authentication. The second security flaw allowed side-channel attacks. If used, attackers may obtain stored credentials. Lastly, the third vulnerability used the former authentication bypass bug, which could decode and remotely retrieve the router's restore configuration file encoded using the "NtgrBak," constant key which allows attackers to decrypt and gain stored data. 

The Microsoft Security Vulnerability Research (MSVR) initiative made Netgear knowledgeable of security concerns discreetly. Netgear has patched the firmware vulnerabilities by issuing a security alert exposing the safety deficiencies in December. The bugs were assigned as PSV-2020-0363, PSV-2020-0364, and PSV-2020-0365, and CVSS gravity ratings from 7.1 to 9.4 were issued.

Furthermore, Netgear notifies that its customers must use Netgear Support, type in its model number into a search box, and get the latest firmware version, to install the latest firmware accessible to their routers. Updates can also be accessed using Netgear applications.
Read more »
Zero Day Attack
Cisco CVE Routers Vulnerabilities and Exploits Zero Day Attack

Cisco's Routers. Switches and IP Equipment Suffer Zero-Day Attacks! Major Vulnerabilities Discovered!


The extremely well-known Cisco’s products, including IP Phones, Routers, cameras, and switches, were determined to have several severe “zero-day” vulnerabilities by researchers in the “Cisco Discovery Protocol (CDP)”, per sources.

CDP is a proprietary “Layer 2” network protocol that is put into effect in all the Cisco devices to be privy to the mechanisms of the devices.

Reports mention that a total of five vulnerabilities were ascertained out of which, four were “Remote Code Execution” (RCE) that let hackers or any other cyber-con to manipulate every single operation of the devices without any sort of consent of the user.

According to sources, one of the vulnerabilities led to a “Denial of Service” in the Cisco FXOS, NX-OS and IOS XR software that ended up damaging the victims’ networks

By exploiting the vulnerabilities effectively, numerous organizations’ and companies’ networks were smashed, costing all the affected parties heavily.

Per legitimate sources, following is the list of all the vulnerable devices in the represented categories:

Switches
• Nexus 1000 Virtual Edge
• Nexus 1000V Switch
• Nexus 3000 Series Switches
• Network Convergence System (NCS) 1000 Series
• Network Convergence System (NCS) 5000 Series
• Network Convergence System (NCS) 540 Routers
• Network Convergence System (NCS) 5500 Series
• Network Convergence System (NCS) 560 Routers
• MDS 9000 Series Multilayer Switches
• Nexus 5500 Series Switches
• Nexus 5600 Series Switches
• Nexus 6000 Series Switches
• Nexus 7000 Series Switches
• Nexus 9000 Series Fabric Switches
• Network Convergence System (NCS) 6000 Series
• UCS 6200 Series Fabric Interconnects
• UCS 6300 Series Fabric Interconnects
• UCS 6400 Series Fabric Interconnects

IP Phones
• Unified IP Conference Phone 8831
• Wireless IP Phone 8821-EX
• Wireless IP Phone 8821
• IP Conference Phone 7832
• IP Conference Phone 8832
• IP Phone 6800 Series
• IP Phone 7800 Series
• IP Phone 8800 Series
• IP Phone 8851 Series

IP Cameras
• Video Surveillance 8000 Series IP Cameras

Routers
• IOS XRv 9000 Router
• Carrier Routing System (CRS)
• ASR 9000 Series Aggregation Services Routers
• Firepower 1000 Series
• Firepower 2100 Series
• Firepower 4100 Series
• Firepower 9300 Security Appliances
• White box routers running Cisco IOS XR

The exploitation of the other four Remote Execution vulnerabilities could be in a way that a “maliciously” fabricated “CDP Packet” could be sent on the targeted Cisco devices and have their mechanisms altered.

There’s a vulnerability that could be hunted down or traced by (CVE-2020-3119). It helps the attackers to completely override the default switch and network infrastructure settings.

One of the vulnerabilities which could be traced as (CVE-2020- 3118), could help attackers gain control of the target’s router via remote code execution and use it in any harmful way they find acceptable.

Cisco’s 800 series IP cameras were vulnerable to attackers’ remote code execution. The vulnerability could be located as (CVE-2020-3110)

According to sources, in the other Cisco “Voice over IP Phone” vulnerability, an overflow in the parsing function could be exploited to access “code execution”. This vulnerability could be traced to (CVE-2020-311).

The troubles this vulnerability could cause an organization are manifold.
Acquiring access to other devices via “man-in-the-middle” attacks.
Damaging the network’s structure
“Data Exfiltration”, ranging from network traffic to sensitive information and personal phone calls, by the help of manipulated routers and switches.

Per reports, Cisco has come up with patches and the users are directed to employ them without any further delay.
[CVE-2020-3111
CVE-2020-3118
CVE-2020-3120
CVE-2020-3110
CVE-2020-3119]


Read more »
Subscribe to: Posts (Atom)