IoT Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/iot/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.

InfectedSlurs Botnet Exploits Zero-Days to Spread Mirai Malware
https://gridinsoft.com/blogs/infectedslurs-botnet-mirai-malware/
Mon, 27 Nov 2023 15:25:09 +0000
The Akamai SIRT has recently uncovered the “InfectedSlurs” botnet, a sophisticated cyber threat. This malware campaign uses zero-day exploits to propagate the notorious Mirai malware, posing a significant risk to vulnerable devices worldwide.

InfectedSlurs Helps Mirai Botnet to Resurface

The InfectedSlurs Botnet has strong ties to the infamous Mirai malware, specifically the older JenX Mirai variant. Mirai gained notoriety for recruiting Internet of Things (IoT) devices through unconventional methods, including the use of games like Grand Theft Auto. A side-by-side comparison of the April 2023 variant and the October 2023 campaign shows the Mirai code essentially unchanged, with no significant modifications.

Why are InfectedSlurs Attacks Unique?

The Akamai SIRT, using its global network of honeypots, detected a surge in activity targeting a seldom-used TCP port in late October 2023. Intriguingly, the attack began at a low frequency, escalated to a peak of 20 attempts per day, then tapered off to an average of two to three attempts. The initial targets remained unidentified until November 9, 2023.

Figure: InfectedSlurs malware spreading scheme

The attackers employed a unique approach: an authentication attempt via a POST request, followed on success by command injection. Through careful investigation, a specific HTTP exploit path and targeted port were identified. Initial confusion arose from a Server header in the HTTP response rooted in internet slang, which at first led to suspicions of a honeypot or a prank.

Botnet Targets

Further analysis revealed that the exploited devices belonged to a specific niche: real-time streaming protocol (RTSP) enabled devices, particularly CCTV/NVR/DVR/security cameras. The attack exploited a zero-day vulnerability in NVR devices made by a yet-unnamed manufacturer. Remarkably, the attack used default administrative credentials, which the manufacturer commonly documents.

Simultaneously, a second zero-day exploit surfaced, affecting outlet-based wireless LAN routers designed for hotel and residential applications. The vendor, also unnamed, plans to release details in December 2023. With both vendors working on patches, the community is urged to remain vigilant.

Reacting to activity

The InfectedSlurs Botnet underscores the significance of proactive cybersecurity measures. The deployment of honeypots, as demonstrated by the Akamai SIRT, offers crucial insights into evolving threats.

  • Organizations are reminded of the importance of changing default passwords and staying informed about emerging cyber threats to bolster their defenses against sophisticated attacks.
  • We recommend that SOAR and SIEM systems be used to detect, stop, and block any further cyberattack attempts within the entire environment.
  • Policies such as zero-trust can prevent exploitation by identifying and blocking attacks that use even well-known and trusted software.
  • Installing patches regularly is crucial in ensuring your system’s security, as it contains fixes for known vulnerabilities. Neglecting this step renders any further advice ineffective.

The post InfectedSlurs Botnet Exploits Zero-Days to Spread Mirai Malware appeared first on Gridinsoft Blog.

IoT Malware Attacks Grow by 400% in 2023
https://gridinsoft.com/blogs/iot-malware-attacks-400-percent-growth/
Mon, 30 Oct 2023 13:37:21 +0000
IoT malware has been a major concern over the last decade. However, trends show that things are getting even worse: recent Zscaler research shows a 400% growth in IoT malware attacks in 2023 alone. And most likely, it will get worse still.

Massive jump in attacks on IoT infrastructure

According to the study, the number of IoT devices is growing, and obviously the number of attacks grows along with it. In the last six months alone, attacks on IoT devices have increased 400% year over year. Such a colossal figure, isn’t it? Although these devices were created for our convenience, cybercriminals think otherwise. The IoT, a vast network of interconnected devices, permeates our daily lives. However, if something has firmware that can be updated, sooner or later cybercriminals will find a way to use it for their dirty deeds.

Additionally, the research shows that cybercriminals commonly target vulnerabilities that have been around for more than three years. Their goal is obvious: building vast botnets from infected devices. As for malware families, about 66% are backdoors, the kind that support botnet creation. The leader is the Mirai botnet, with a 45.9% share; next is Gafgyt, which accounts for 20.3% of all infected devices. The main use of such botnets is organizing DDoS attacks against enterprises. Oftentimes, hackers offer their DDoS capacity for sale on the darknet, and such a service has retained high demand over the years.

Figure: Ranking of IoT malware types

Manufacturing Is The Most Targeted Industry

Today, the manufacturing sector has nearly three times as many unique IoT devices as other industries. This dramatic growth reflects the industry’s desire to adopt advanced automation and digitization. As this “digitalization” involves adding smart sensors and devices, it expands the attack surface. Not surprisingly, the manufacturing sector receives more than three times as many attacks as any other sector in an average week, accounting for 54.5% of malware attacks.

The problem is that some IoT devices are built for ease of use and accessibility rather than security. This means they may have security vulnerabilities that attackers can exploit. Attacks on OT infrastructure can cause significant disruptions to critical industrial operations, disrupt critical OT processes, and, in some cases, even threaten lives. These are primarily the automotive, heavy manufacturing, plastics, and rubber industries.

Which Countries are at IoT Malware Risk?

According to the report, the U.S., Mexico, Brazil, and Colombia are the most commonly targeted countries. While 96% of IoT malware spreads from compromised IoT devices in the U.S., three of the four most affected countries are in Latin America. The abundance of infected devices in the States is due to the country’s high level of IoT integration: in addition to regular users, these devices are connected to critical infrastructure and enterprises, which motivates cybercriminals to profit by compromising them.

Latin American countries are particularly vulnerable to IoT malware attacks. For example, Mexico accounts for 46% of all infections. This is due to relatively low levels of cybersecurity awareness and preparedness, as well as proximity to the U.S. The education sector has recently become a prime target for cybercriminals, which is related to the widespread use of unsecured and shadow IoT devices in school networks. These devices give attackers easier access points to sensitive personal data stored on educational institutions’ networks. As a result, the rate of cyber attacks in this sector has increased by a staggering 961%, just shy of 1,000%. That is not a good sign, and it demands immediate attention to protect the privacy and security of students, faculty, and staff.

How to Protect Against IoT Malware?

While there is no perfect defense, there are preventative measures that can help avoid most of these problems. The following recommendations will reduce the risk of device compromise:

  • Train employees on IoT device security. Forewarned is forearmed. Because humans are the weakest link in the line of defense, training employees in cybersecurity is an effective measure.
  • Use a zero-trust policy. A zero-trust philosophy eliminates any cybersecurity cronyism. This means that all devices and users are considered untrusted by default. Any unauthorized shadow IoT devices will be blocked from corporate data by proxy.
  • Maintain comprehensive visibility into IoT devices. Keeping IoT devices secure requires knowing every device connected to your network and what it is doing, including unmanaged ones. The best way to do this is to use solutions that analyze network logs, which help you monitor communications and activity.
  • Use multi-factor authentication. It adds another layer of security by requiring users to provide a second form of verification in addition to their password. This can prevent attackers from accessing user accounts even if credentials are obtained, stopping lateral movement from compromised user devices.

The post IoT Malware Attacks Grow by 400% in 2023 appeared first on Gridinsoft Blog.

WiFi-Hacking by Neighbours is Rampant in the UK, Research Says
https://gridinsoft.com/blogs/brits-hack-wifi/
Thu, 23 Jun 2022 15:10:34 +0000

Research by the broadband Internet provider Konnect showed that more than 4 million Brits have hacked their neighbors’ wireless routers to reduce their expenses.

About 2000 respondents took part in the research, which showed that one hacker, on average, used their neighbors’ Internet without permission for 52 days. However, more than 20 people used another person’s Internet connection for the entire year.

Using one’s neighbor’s Internet connection is called “Piggybacking.” According to the provider’s statistics, around 35% of the respondents have used their neighbors’ connections without notifying them. Moreover, Konnect has learned that many people visit McDonald’s and other public places with the purpose of downloading movies, games, and TV shows.

Only 1% of the hackers consider this wrong. Most of the survey participants confessed they hacked their neighbors’ routers by guessing passwords or with help from YouTube videos or knowledgeable friends.

We remind all our readers of the necessity of having strong passwords on all their Internet-of-Things devices. IoT devices have a network connection and their own interface, just like WiFi routers. Consider reading this article on WiFi router vulnerabilities and make sure yours is well protected.

The post WiFi-Hacking by Neighbours is Rampant in the UK, Research Says appeared first on Gridinsoft Blog.

QNAP Warns Clients About DeadBolt Ransomware Attacks
https://gridinsoft.com/blogs/qnap-ransomware-deadbolt/
Tue, 21 Jun 2022 11:04:33 +0000
DeadBolt Ransomware: Another Instance of Ransomware Evolution

On June 17, QNAP, the Taiwanese hardware manufacturer, warned its customers about ransomware attacks targeting the company’s NAS (network-attached storage) devices. Following attacks in January, March, and May, the DeadBolt ransomware is once again a looming problem for QNAP devices.

QNAP advises all users to update their operating systems to the latest versions and to follow network safety rules: keep NASs disconnected from the global Internet, use a VPN, strong passwords, two-factor authentication, and secure ports. Outdated services and operating systems must not be used.

If DeadBolt does manage to infiltrate, QNAP suggests updating the system to the latest version, whose embedded malware removal tool quarantines the ransom note that obstructs the login page.

DeadBolt is highly automated ransomware that infects systems by exploiting vulnerabilities in the QTS and QuTS hero operating systems. Its operators use AES-128 encryption. They don’t go for big game, compensating for the small ransom amount with the number of victims.

DeadBolt facilitates payment and decryption with a special user interface for instant decryption via key input. The malefactors offer decryption of an individual NAS client’s data for 0.3 bitcoins (around $1,160), details of the exploited vulnerability, provided to the attacked company, for five bitcoins (around $193,000), and a master key to decrypt all data on the targeted servers for 50 bitcoins (over $1 million). However, researchers at Trend Micro believe, based on their analysis of the ransomware code, that the master key would not work, so it is more of a hit-or-miss option for DeadBolt operators.

DeadBolt and similar ransomware target NASs like those of QNAP for two reasons. Firstly, the security of those devices is relatively low. Secondly, harvesting smaller payments from many clients of the storage-owning company is more profitable than hunting for one big fish. Moreover, crooks can sell the data they get their hands on, which is a totally different profit channel.

The post QNAP Warns Clients About DeadBolt Ransomware Attacks appeared first on Gridinsoft Blog.

10 Types of Cyber Security Attacks in IoT
https://gridinsoft.com/blogs/cyber-security-attacks-in-iot/
Fri, 17 Jun 2022 13:05:03 +0000
In a world where information technology is developing rapidly, it is impossible to do without IoT. You may not know what we are talking about, so let’s take a quick look at this acronym. IoT (Internet of Things) is a large number of Internet-connected things that interact with each other. In other words, it is data transfer between different devices.

This capability allows organizations to improve performance and even serve customers better. Organizations that want to protect the transmission of their data, and the devices through which it happens, must understand IoT cybersecurity, as most attacks are aimed at exactly that. Statistics on attacks aimed at IoT devices grow significantly every year, so the situation and how to counteract it deserve consideration. In this article, we analyze a small set of the most common attacks that can cause significant damage to devices and users’ data.

Types of IoT Cyber Security Attacks

1. Physical Attacks

These attacks are carried out intentionally by attackers to discover, modify, steal, destroy, or gain unauthorized access to infrastructure, physical assets, firewalls, or equipment. The most common physical attacks are:

  • Zero-day attacks: This sub-type targets security vulnerabilities that are not yet publicly known. Until the vulnerability is disclosed and fixed, stopping an attack on it is almost impossible, which is why the consequences of a zero-day attack are considered grave.
  • Eavesdropping attacks: Here the intruders aim to steal confidential data by attacking communication channels that only certain individuals and companies use to exchange information.
  • Data Injection attacks: These attacks inject commands and malicious code into poorly protected control systems.
  • Replay attacks: In this case, the attack uses an authenticated data packet modified with malicious instructions. The malicious packet, disguised as a completely legitimate one, is sent to electronic equipment that cannot tell what it contains.

2. Encryption Attacks

If a user’s IoT device does not encrypt its data, an attacker can intercept that data, modify it, install their own algorithms, and gain control over the device. Encryption must therefore not be forgotten; it is a necessity in the IoT environment.

3. DDoS (Denial of Service)

DDoS attacks exhaust system resources to cause a denial of service; they can also serve to distribute malware through the host machine. In other cases, a DDoS is used to take the system down or to hijack a session so that a different type of attack can be carried out through it. Types of DDoS:

  • TCP SYN flood attack: The attacker sends a large number of connection requests that are never completed. The half-open connections fill the target system’s connection queue (its buffer space), and the system fails.
  • Teardrop attack: The attacker sends IP fragments with overlapping fragment offsets; the system tries to reassemble them but cannot, and fails.
  • Smurf attack: This type of attack uses IP spoofing and ICMP.
  • Ping of death attack: Here the attacker uses oversized ICMP “ping” packets. The attacker fragments the IP packet, and when the target tries to reassemble the fragments its buffer overflows and the system fails.

4. Firmware Hijacking

In this attack the attacker takes over the device and then installs malware on it. To avoid this risk, always check for firmware updates for your IoT devices. Firmware is the core software of the device; among its functions is data exchange with the software installed on your computer.

5. Botnets

In a botnet attack, a large number of compromised IoT devices (bots) are controlled remotely by the intruder, who aims either to disable the user’s device or to transfer or sell the user’s data on the dark web. This attack is a big problem today, as it affects a huge number of devices around the world.

6. Man-in-the-Middle

Here the attacker sits between the two communicating parties, in the middle. A hacker intercepts communications between two sources and deceives each recipient into believing it has received a legitimate message. Both users, deceived by the attacker, begin to act blindly, not realizing that the messages they receive are fake. These messages might look like this: an email says that something has happened to your bank account, so you should log in to the system to fix the problem, and invites you to a fake site where the attacker is already waiting to collect your credentials.

7. Ransomware

Ransomware is a type of malware that targets you and your data, blocking access to the data through encryption. To get the decryption key, the user is asked to pay, and often not a small amount.

8. Eavesdropping

This attack targets sensitive data by intercepting network traffic over a weakly protected connection between the server and IoT devices, whether by intercepting data packets, digital listening, or tapping analog communication.

9. Privilege Escalation

An attacker exploits IoT device vulnerabilities to reach resources that are normally protected by a user profile or an application. Having bypassed these security controls, the hacker tries to spread malware or steal confidential data.

10. Brute Force Password Attack

This type of attack is a crude way to steal confidential user data. It is carried out with software that generates many password combinations, which the attacker tries against a certain number of user accounts. Every account protected by a weak password falls to this attack. This lets the attacker take confidential data, distribute malware, and set up whatever else they need.

The post 10 Types of Cyber Security Attacks in IoT appeared first on Gridinsoft Blog.

A DNS vulnerability in uClibc/uClibc-ng libraries jeopardizes IoT devices
https://gridinsoft.com/blogs/c-standard-libraries-dns-vulnerability/
Fri, 06 May 2022 07:00:13 +0000
A vulnerability has been discovered (CVE not yet issued) in the uClibc and uClibc-ng C standard libraries, which are widely used in IoT devices. The newly found flaw makes it possible to place forged data into the DNS cache, setting an arbitrary IP address for a domain in that cache and thereby rerouting all queries for that domain to the malefactors’ server.

The flaw affects Linux firmware used in various routers, hotspots, and other IoT devices. It also hits Linux distributions for embedded systems such as Embedded Gentoo and OpenWRT. The vulnerability shows up in many different devices: Linksys, Netgear, and Axis, for example, all use the uClibc libraries. Since the vulnerability is not yet fixed in uClibc and uClibc-ng, details about the specific devices and manufacturers whose products are affected have not been made public yet.

The vulnerability mechanism

The vulnerability comes from the use of predictable transaction identifiers in the DNS requests generated by the library. DNS request IDs are formed by simply incrementing a counter, without any additional randomization of the port numbers. This, in turn, allows DNS cache poisoning by pre-emptively sending a UDP packet with a forged response. The spoof is accepted if it carries the correct request ID and arrives before the genuine server’s response. Unlike the Kaminsky method proposed in 2008, the current approach doesn’t even require guesswork, since the transaction ID is predictable from the start: the initial value (1) is incremented with each query rather than chosen randomly.

Security recommendations against ID guessing include randomizing the source network port from which the DNS request is sent. This measure is meant to compensate for the short length of the identifier: with randomization active, forging the 16-bit ID is not enough, and attackers would additionally have to brute-force the network port number. In uClibc and uClibc-ng, however, a random source UDP port was not requested in the bind call, so the randomizer was effectively turned off, and enabling it required changing settings in the operating system.

With randomization switched off, the problem of guessing an incremented request ID becomes trivial. But even if randomization were applied, the attackers would only need to pick a port number from the range 32768–60999 (the range Linux uses), and by sending a mass of fake responses to different network ports simultaneously they could still beat the legitimate DNS response.
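A defender-side check for the two weaknesses described above, added here as an example and not taken from the article or from the uClibc project: it takes a sequence of observed outbound DNS queries as (source UDP port, raw query bytes), extracts the transaction ID from each header, and reports whether the IDs simply increment and whether the source port never changes. The sample traffic is constructed, and the Linux ephemeral port range is assumed to be the 32768–60999 quoted in the post.

```python
"""Assess whether a resolver's outbound DNS queries have predictable IDs and ports.

Added example (not the article's or uClibc's code). Feed it (source_port, query)
pairs captured from a device's DNS traffic, in send order; the sample traffic
at the bottom is constructed here to illustrate both outcomes.
"""
import random
import struct

# Ephemeral port range quoted in the post; assumed to be the Linux default.
LINUX_EPHEMERAL_PORTS = 60999 - 32768 + 1


def dns_txid(message: bytes) -> int:
    """Return the 16-bit ID from the first two bytes of a DNS message (RFC 1035 header)."""
    if len(message) < 12:
        raise ValueError("DNS header is 12 bytes; message too short")
    return struct.unpack("!H", message[:2])[0]


def build_query(txid: int, name: str) -> bytes:
    """Build a minimal standard A query carrying the given ID (sample traffic only)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD; QDCOUNT=1
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def assess_resolver(observations):
    """observations: list of (source_port, raw_query_bytes) in the order they were sent.

    Returns the findings plus the number of (ID, port) combinations an off-path
    spoofer would have to cover for one query: 1 when both are predictable,
    2^16 * port range when both are random.
    """
    ids = [dns_txid(q) for _, q in observations]
    ports = [p for p, _ in observations]
    if len(ids) < 2:
        raise ValueError("need at least two queries to judge ID behaviour")
    # Share of consecutive queries whose ID is exactly the previous one plus one.
    steps = sum(1 for a, b in zip(ids, ids[1:]) if ((a + 1) & 0xFFFF) == b)
    sequential_ratio = steps / (len(ids) - 1)
    predictable_txid = sequential_ratio > 0.9
    fixed_source_port = len(set(ports)) == 1
    id_space = 1 if predictable_txid else 1 << 16
    port_space = 1 if fixed_source_port else LINUX_EPHEMERAL_PORTS
    return {
        "predictable_txid": predictable_txid,
        "sequential_ratio": sequential_ratio,
        "fixed_source_port": fixed_source_port,
        "spoof_search_space": id_space * port_space,
    }


def uclibc_like_traffic(count: int = 20):
    """Constructed traffic mimicking the flaw: ID starts at 1, +1 per query, one source port."""
    return [(35000, build_query(i, f"host{i}.example.com")) for i in range(1, count + 1)]


def randomized_traffic(count: int = 20, seed: int = 7):
    """Constructed traffic from a resolver with random IDs and random source ports."""
    rng = random.Random(seed)
    return [(rng.randint(32768, 60999), build_query(rng.randrange(1 << 16), f"host{i}.example.com"))
            for i in range(count)]


if __name__ == "__main__":
    print("uClibc-like:", assess_resolver(uclibc_like_traffic()))
    print("randomized :", assess_resolver(randomized_traffic()))
```

On real traffic, capture the device's outbound port 53 queries and pass the UDP source port with each payload; a `predictable_txid` or `fixed_source_port` finding is the signal to patch the firmware or move resolution to a hardened upstream resolver.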

History of the inquiry

The problem has been confirmed in all current versions of uClibc and uClibc-ng, including the latest uClibc 0.9.33.2 and uClibc-ng 1.0.40. In September 2021, information on the vulnerability was sent to CERT/CC for the coordinated preparation of fixes. In January 2022, the data was delivered to more than 200 manufacturers working with CERT/CC. In March, there was communication with the uClibc-ng project, which admitted it could not fix the vulnerability on its own and recommended disclosing the information to the community so that it could assist with developing a fix. Nozomi Networks, the company that detected the flaw, made the information public in a thorough report on May 2, 2022. In the meantime, Netgear has announced an update in which it promises to deal with the vulnerability.

The post A DNS vulnerability in uClibc/uClibc-ng libraries jeopardizes IoT devices appeared first on Gridinsoft Blog.
