A newly discovered variant of the Gafgyt Internet of Things (IoT) botnet is attempting to infect connected devices, specifically small office and home wireless routers from brands that include Zyxel, Huawei, and Realtek.
Gafgyt was first detected in 2014. Since then, it has become known for large-scale distributed denial-of-service attacks, and its many variants have grown to target a range of businesses across industries. Starting in 2016, researchers with Unit 42 (formerly Zingbox security research) noticed wireless routers are among the most common IoT devices in all organizations and prime targets for IoT botnets.
When a botnet strikes, it can degrade the production network and reputation of a company’s IP addresses. Botnets gain access to connected devices by using exploits instead of attempting to log in via unsecured services. As a result, a botnet can more easily spread through IoT devices even if a business’s admins have disabled unsecured services and use strong login credentials.
The new Gafgyt variant, detected in September, is a competitor of the JenX botnet. JenX also uses remote code execution exploits to compromise devices and recruit them into a botnet that launches denial-of-service (DoS) attacks against gaming servers, especially those running the Valve Source engine. This Gafgyt variant targets vulnerabilities in three wireless router models, two of which it has in common with JenX. The two share CVE-2017-17215 (in Huawei HG532) and CVE-2014-8361 (in Realtek’s RTL81XX chipset). CVE-2017-18368 (in Zyxel P660HN-T1A) is a new addition to Gafgyt.
“Gafgyt was developed off JenX botnet code, which just highlights how much interest there is when it comes to building botnets within that community,” says Jen Miller-Osborn, deputy director of threat intelligence at Unit 42. This evolution of Gafgyt indicates a dedicated group of people is working to update these botnets and make them more dangerous, she notes. Most of the time when a botnet is updated, it typically means a new CVE has been added to its lineup.
“The difference with this one is the developers added a new vulnerability to it that wasn’t present in the previous one,” Miller-Osborn says. “That added to its potential reach.” Shodan scans indicate at least 32,000 Wi-Fi routers are potentially vulnerable to these exploits.
Gafgyt uses three “scanners” in an attempt to exploit known remote code execution bugs in the aforementioned routers. These scanners replace the typical “dictionary” attacks employed by other IoT botnets, which typically aim to breach connected devices through unsecured services.
The exploits are designed to work as binary droppers, which pull a corresponding binary from a malicious server depending on the type of device it’s trying to infect. The new Gafgyt variant is capable of conducting different types of DoS attacks at the same time, depending on the commands it receives from the command-and-control server, Unit 42 researchers say in a blog post on the findings.
Gafgyt Sets Sights on Gamers
One of the DoS attacks this Gafgyt variant can perform is VSE, which contains a payload to attack game servers running the Valve Source Engine. This is the engine that runs games like Half-Life, Team Fortress 2, and others. Researchers emphasize this isn’t an attack on Valve, as anyone can run a server for the games on their own network. This attack targets the servers.
With the rest of the DoS attack methods, operators are targeting other servers hosting popular games such as Fortnite, Unit 42 found. Miller-Osborn says the purpose in targeting gaming servers is mostly to be an annoyance. “They’re not going to make a lot of money doing it,” she adds.
While gaming servers have become popular victims, the diversity of IoT devices targeted in these attacks has grown, researchers say. There is nothing about these routers that makes them more likely to be owned by gamers; home users and small businesses are also at risk.
“Once they’re compromised, they’re used to do malicious activity,” Miller-Osborn explains. “The routers themselves could be owned by anyone. The biggest thing, especially with all these IoT malware families, is for people to keep in mind this is probably just going to get worse.”
An attack on gaming servers is one thing, she says. It’s typically a DoS incident and people aren’t getting hurt. However, if an attacker can effectively compromise a router, they can also move into the network and conduct more nefarious activity — for example, data theft.
These attacks highlight the fact that there are a lot of devices, especially routers, active on the Internet and vulnerable to a number of CVEs. The new Gafgyt variant, for example, targets two router vulnerabilities from 2017 and one from 2014, Miller-Osborn points out. “When it comes to routers, you don’t necessarily see them getting patched,” she notes. Outside the security community, few people will know when they should update their routers or if they’ve been hit by a botnet — unless, of course, their Internet service provider tells them.
Instagram: New Botnet Market
Cybercriminals are also finding new ways to sell botnets, researchers report. Once an activity limited to the Dark Web, the buying and selling of malware has surfaced on social networks.
In one attack analyzed, the new Gafgyt variant looks for competing botnets on the same device and tries to kill them. It does this by looking for certain keywords and binary names present in other IoT botnet variants. Researchers noticed some strings related to other IoT botnets (Mirai, Hakai, Miori, Satori) and some corresponded to Instagram usernames. The team built some fake profiles and reached out, only to find they’re selling botnets in their Instagram profiles.
Attackers offered the researchers source code for botnets. Unit 42 has contacted Instagram to report these profiles; it also reported malicious sites being used to handle botnet subscriptions. It’s “pretty common” for these sales to happen on social media, says Miller-Osborn, and a constant fight for social networks to take down malicious accounts.
“People want to market their devices and services, and one of the easiest ways to do that is on social media,” she explains. While it makes things simple for attackers, removing the accounts is “a constant game of whack-a-mole” for social media companies.
Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial …
Google researchers found seven severe security flaws in the open-source DNS software package Dnsmasq. The flaws put a huge number of devices at risk of being hacked. Google researchers disclosed seven serious flaws in the open-source DNS software package Dnsmasq, which is commonly preinstalled on routers, servers, smartphones, IoT…
The post Severe flaws in DNS app create hacking risk for routers, smartphones, computers, IoT appeared first on National Cyber Security Ventures.
Several models of Netgear routers are affected by a publicly disclosed vulnerability that could allow hackers to take them over.
An exploit for the vulnerability was published Friday by a researcher who uses the online handle Acew0rm. He claims that
The post An unpatched vulnerability exposes Netgear routers to hacking appeared first on National Cyber Security Ventures.
The Distributed Denial of Service (DDoS) attack is becoming more sophisticated and complex as attackers’ skills increase, and it has become one of the favorite weapons of cyber criminals for temporarily suspending or crashing the services of a host connected to the Internet; to date, nearly every big site has been a victim of this kind of attack.

Since 2013, hackers have adopted new tactics to boost the size of DDoS attacks, known as ‘Amplification Attacks’, which leverage weaknesses in UDP-based protocols. One of the techniques commonly used by attackers is DNS Reflection Denial of Service (DrDoS).

The DNS Reflection Denial of Service (DrDoS) technique exploits security weaknesses in the Domain Name System (DNS) Internet protocol. Using Internet protocol spoofing, the source address of each query is set to that of the targeted victim, which means all the replies go to the target, and the target receives replies from every DNS server that was used. This makes it very difficult to identify the malicious sources.

MILLIONS OF HIJACKED ROUTERS AIDING DrDoS ATTACKS

New research carried out by Nominum, a DNS provider that supplies ISPs with DNS-based analytics and monetization solutions, revealed that DNS-based DDoS amplification attacks have significantly increased in recent months and that hackers are using home as well as small office routers to amplify the bandwidth.

The report claimed that more than 24 million home routers (800,000 of them located in the UK) are vulnerable to various firmware flaws that allow hackers to gain unauthorised access and modify DNS (Domain Name Server) settings.
In a previous report, we also disclosed that more than 200,000 Algerian TP-LINK Routers are vulnerable to Hackers, allowing them to hijack DNS requests.
This could unknowingly expose ISPs and their users to participating in massive Internet DNS-based Distributed Denial of Service (DDoS) attacks.
In February alone, more than five million home routers were used to generate DDoS attack traffic, and in January more than 70% of total DNS traffic on one provider’s network was associated with DNS amplification. The impact on Internet service providers (ISPs) is fourfold, Nominum said, because amplification attacks generate malicious traffic that not only consumes bandwidth but also drives support costs and damages the ISP’s reputation.

“Existing in-place DDoS defenses do not work against today’s amplification attacks, which can be launched by any criminal who wants to achieve maximum damage with minimum effort,” explained Sanjay Kapoor, CMO and SVP of Strategy, Nominum. “Even if ISPs employ best practices to protect their networks, they can still become victims, thanks to the inherent vulnerability in open DNS proxies.”

“ISPs today need more effective protections built-in to DNS servers. Modern DNS servers can precisely target attack traffic without impacting any legitimate DNS traffic. ThreatAvert combined with ‘best in class’ GIX portfolio overcomes gaps in DDoS defenses, enabling ISPs to constantly adapt as attackers change their exploits, and precision policies surgically remove malicious traffic.”

The main reason for the rise in popularity of DNS amplification, or DrDoS, attacks is that they require little skill or effort to cause major damage. The high attack bandwidth is possible only because attackers use misconfigured domain-name service (DNS) servers, known as open recursive resolvers or open recursors, to amplify a much smaller attack into a larger data flood.

“Because vulnerable home routers mask the target of an attack it is difficult for ISPs to determine the ultimate destination and recipient of huge waves of amplified traffic,” said Nominum.

DDoS techniques have advanced massively as attackers become more skillful at working around network security. A year ago, a massive 300Gbps DDoS attack was launched against the Spamhaus website that almost broke the Internet. Earlier this year, hackers reached new heights with a massive DDoS attack targeting the content-delivery and anti-DDoS protection firm CloudFlare, peaking at more than 400Gbps and striking the company’s data servers in Europe.

At the beginning of last month, US-CERT also issued an alert listing certain UDP protocols identified as potential attack vectors for amplification attacks, including DNS, NTP, SNMPv2, NetBIOS, SSDP, CharGEN, QOTD, BitTorrent, Kad, Quake Network Protocol, and Steam Protocol.
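As an added illustration (not part of the original article or of any product named in it), the following Python sketch shows how a resolver operator could spot the amplification pattern described above in its own logs: because the “client” address is spoofed to the victim, a source that draws far more bytes back than it sends, across many queries, is the signal worth alerting on. The log format, addresses, names and byte counts are constructed for this example.

```python
from collections import defaultdict

# Constructed resolver log (not from the article). Each line:
#   <epoch> <client_ip> <qtype> <qname> <query_bytes> <response_bytes>
# 10.0.0.5 is an ordinary client; 203.0.113.9 is a spoofed victim address
# drawing a burst of large ANY responses; 198.51.100.7 sends one ANY query.
SAMPLE_LOG = """\
1712000000 10.0.0.5 A example.com 40 56
1712000001 10.0.0.5 AAAA example.com 40 68
1712000002 10.0.0.5 MX example.com 40 120
1712000002 203.0.113.9 ANY example.net 64 3200
1712000002 203.0.113.9 ANY example.net 64 3200
1712000003 203.0.113.9 ANY example.net 64 3200
1712000003 203.0.113.9 ANY example.net 64 3200
1712000004 198.51.100.7 ANY example.net 64 3200
"""


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, client, qtype, qname, qbytes, rbytes = line.split()
    return {"ts": int(ts), "client": client, "qtype": qtype,
            "qname": qname, "qbytes": int(qbytes), "rbytes": int(rbytes)}


def per_client_stats(log_text):
    """Aggregate query count, bytes in, bytes out and ANY-query count per
    source address. In a reflection attack the source is the spoofed victim,
    so these totals describe what the victim is being sent."""
    stats = defaultdict(lambda: {"queries": 0, "qbytes": 0, "rbytes": 0, "any": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        s = stats[rec["client"]]
        s["queries"] += 1
        s["qbytes"] += rec["qbytes"]
        s["rbytes"] += rec["rbytes"]
        if rec["qtype"] == "ANY":
            s["any"] += 1
    return dict(stats)


def flag_reflection(log_text, min_queries=3, min_ratio=10.0):
    """Return {client: amplification_ratio} for sources that send at least
    min_queries queries and receive at least min_ratio times the bytes they
    sent. Both thresholds are arbitrary tuning knobs for this example."""
    flagged = {}
    for client, s in per_client_stats(log_text).items():
        ratio = s["rbytes"] / s["qbytes"]
        if s["queries"] >= min_queries and ratio >= min_ratio:
            flagged[client] = ratio
    return flagged
```

A single large answer (198.51.100.7) is not flagged on its own; the combination of volume and a high response-to-query byte ratio is what distinguishes reflection traffic from a normal client asking a big question.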
Users are recommended to change the default username and password of their routers and to ensure that their router firmware is updated with security patches. Your router should be accessible only from the local network (LAN).
The post Millions of Vulnerable Routers aiding Massive DNS Amplification DDoS Attacks appeared first on Am I Hacker Proof.