Wednesday, October 28 2020

Critical bugs in dozens of Zyxel and Lilin IoT models under active exploit, Ars Technica

INTERNET OF PWNS –

DDoS botnets abuse IoT flaws to conscript vulnerable devices. Are yours patched?


Multiple attack groups are exploiting the Lilin DVR vulnerability to conscript the devices into DDoS botnets known as FBot, Chalubo, and Moobot, researchers from security firm Qihoo said on Friday. The latter two botnets are spinoffs of Mirai, the botnet that used hundreds of thousands of IoT devices to bombard sites with record-setting amounts of junk traffic.

The DVR vulnerability stems from three flaws that allow attackers to remotely inject malicious commands into the device. The bugs are: (1) hard-coded login credentials present in the device, (2) command-injection flaws, and (3) arbitrary file reading weaknesses. The injected parameters affect the device capabilities for file transfer protocol, network time protocol, and the update mechanism for network time protocol.

Sometime late last August, Qihoo researchers started seeing attackers exploit the NTP update vector to infect devices with Chalubo. In January, the researchers saw attackers exploit the FTP and NTP flaws to spread FBot. That same month, Qihoo reported the flaws to Lilin. Seven days after that, the researchers detected Moobot spreading through the use of the FTP vulnerability. Lilin fixed the flaws in mid-February with the release of firmware 2.0b 145 _ . The CVE designation used to track the vulnerability is unknown.

The Qihoo report came a day after researchers from security firm Palo Alto Networks reported that a recently fixed vulnerability in network-attached storage devices from Zyxel was also under active exploit. Attackers were using the exploits to install yet another Mirai variant known as Mukashi, which was recently discovered. The pre-authentication command-injection flaw made it possible to execute commands on the devices. From there, the attackers were able to take over devices that used easily guessable passwords. The critical vulnerability received a severity rating of 9.8 out of a possible because of the ease in exploiting it. A Zyxel advisory

products that were affected by the vulnerability, which is tracked as CVE – . A patch the manufacturer released fixed many of the devices, but 10 models were no longer supported. Zyxel recommended these unsupported devices no longer be directly connected to the Internet.

Lilin or Zyxel users affected by either of these vulnerabilities should install patches when they are available for their devices. Devices that can’t be patched should be replaced with new ones. It’s also smart to place the devices — and as many other IoT devices as possible — behind network firewalls to make hacks harder. Operators frequently like the convenience of accessing these devices remotely, which makes locking them down harder. The well-earned reputation of IoT devices as buggy, insecure devices suggests that leaving IoT devices exposed to outside connections can put networks — and indeed the entire Internet — at risk.

                                                    
