CyberWire Daily - Opportunistic botnets round up vulnerable routers. [Research Saturday]
Episode Date: July 13, 2019
Researchers at Netscout's ASERT Team have been tracking the growth of botnets originating in Egypt and targeting routers in South Africa. The payload is a variant of the Hakai DDoS bot. Richard Hummel is threat intelligence manager at Netscout, and he joins us to share their findings. The original research is here: https://www.netscout.com/blog/asert/realtek-sdk-exploits-rise-egypt
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
One of the things that we track here is a lot of the IoT activity as well as
exploits to various devices. That's Richard Hummel. He's the threat intelligence manager at Netscout.
The research we're discussing today is titled
Realtek SDK Exploits on the Rise from Egypt.
The way we do that is through our IoT honeypot.
We have deployments all over the world,
dozens and dozens of these, if not close to the hundreds mark.
And we sit in probably two dozen or more countries.
And basically what they do, there's a couple of things that we do here is one is a passive device.
And this is where we got the bulk of this research. And with these passive devices,
we load up signatures that identify various exploits. So often these are going to be
exploits which have been publicly disclosed, or maybe a
security researcher publishes a POC. We can take that and we can replicate what it's going to look
like across the network. And then we can build those as signatures into our tracking so that
anytime an attacker or a bot attempts to exploit that vulnerability, we'll be able to log it.
And so we'll see that across all of our honeypots around the world. The second factor is we monitor for reflection amplification DDoS related stuff. So those are
two aspects of the honeypot. In this particular case, specifically, we're looking at the exploit
attempts. We're tracking a lot of different exploits. I'm not going to get into actual
numbers there, but for this particular one, we've been tracking it for a long time. We basically
just saw it kind of flatline. We'd see the occasional attempt to exploit this.
And then all of a sudden, starting in April, we saw this massive spike targeting this particular vulnerability, in which case this is CVE-2014-8361.
And it was very significant in that it basically had been flatlined before. So we started looking, well, why is an attacker using a multiple year old vulnerability and
targeting this specifically in this particular region?
And on top of that, from Egypt specifically.
So we started looking around motivations.
We started trying to figure out where the attackers are coming from.
Is there a known botnet?
Is there an increased campaign?
There's still some unanswered questions here where we're not entirely certain the
motivation behind this.
However, this type of activity is pretty common for attackers that are basically adding to
their botnets, basically what we call recruiting.
So they're going out there, they're looking for vulnerable devices.
And it might be that maybe they were sitting on like Shodan, for instance, and they noticed
that there was a bunch of different routers in South Africa that are vulnerable to the CVE so they took advantage of the opportunity.
A lot of times with crime, it is opportunistic in which case they realize there's something
that they can exploit.
It's fairly easy for them to just pull this off the shelf and say, well, I'm going to
go after this because I know there's thousands of these devices in South Africa so let me
just go ahead and compromise those and I can increase my botnet size.
Help me understand how it works with the explosion of what you saw here, the sudden popularity of it.
Is that a result of the nature of botnets itself that when someone discovers a vulnerability,
then it sort of feeds off of itself as they go looking for more devices that are vulnerable to this?
Absolutely. A lot of the IoT bots out there, they do this type of compromise or this scanning
exploitation attempts programmatically. Mirai is a good example. This is kind of the first of its
kind where it will automatically go out and try to find other devices that are vulnerable, whether
that's from brute forcing attempts or various other exploits. The same is the case for any of the IoT malware that has kind of followed after it.
Hakai, actually the DDoS bot that's being distributed here has been around since September.
So even that is something that's older that the attackers are using.
So a lot of these things, a lot of the exploits that you're going to see, a lot of the distribution
capabilities, the propagation, it's all going to be time proven tactics that work for attackers.
So yeah, a new vulnerability becomes available. And next thing you know,
it's being slaved by a bunch of other attackers. And the same is true with various protocols that
become known for DDoS or reflection amplification. Some of these protocols,
Memcached is a really good one, right? There was a proof of concept. And then next thing you know,
we have the largest DDoS attack on record that occurred. And then a month later, we see another one.
So attackers are going to take these and they're going to weaponize those really fast.
In the case of Memcached, within five days of that protocol being available, basically
disclosed, it was included in what we call booters and stressers, which is basically
a paid for service where you can launch DDoS at whoever you want.
And it's relatively cheap to do.
The same is true with a lot of the IoT bots that we see.
Mirai is open source at this point because it's been leaked.
Satori, same, some of the code there as well.
And so attackers can easily take these things.
They can change them to suit their needs.
And then they can start loading up a lot of these different exploit attempts
as they become available.
Or they can pull from a repertoire of past vulnerabilities like this one back in 2014.
So in terms of the flatline that you saw before this took off, does that flatline not necessarily reflect that people had been patching or anything like that? It might just represent that no one was particularly interested in this vulnerability at the time.
Could very well mean that, yes. Considering it's a 2014 vulnerability,
I mean, you have five years to patch, right?
So if devices out there are not being patched
and they're still vulnerable to this CVE,
that's not necessarily on the manufacturer.
That's not necessarily on various end users.
That could be like if it's an enterprise network
or maybe it's a bunch of these routers deployed
in some type of ISP.
Maybe it's like a third-party ISP and they're just deploying old-school routers.
Or maybe they don't know.
Or maybe it is an end user at home.
They don't realize, hey, I need to patch my devices.
I need to change my default usernames and password.
It's pretty common.
So, yeah, it could very well be that this particular CVE just wasn't being weaponized at the time.
And then somebody sees that, hey, I'm going to scan this block of IP addresses in South Africa.
And I have a whole list of maybe routers that came up.
Shodan is really good for this because you can just log in and see,
okay, what kind of devices are available by the internet in a particular region,
a particular country, or maybe I'm looking for a specific brand of router,
in which case they would be able to see that these are there
and know that, hey, this device was previously vulnerable to this CVE.
And then they can just grab it off the shelf and start launching attacks and see if it
works.
So tell me about this router itself.
Is this a consumer device?
What are we talking about here?
It is.
Yep.
So these are consumer-based devices.
And so often, you know, these aren't going to be updated.
I would say that I'm even guilty of not updating my own routers often enough, which, I mean,
it's fairly common, right?
And I'm a cybersecurity professional, so I have no excuse.
The average layperson knows it's difficult, right?
Can I even log in?
Right.
There's an out of sight, out of mind.
And I guess also combined with if it ain't broke, don't fix it.
Exactly.
It's working.
The internet's working according to anybody else using a device.
And if you don't know about security and you don't know that you can log in via your IP
address to your router and change settings, well, to me, I just plug it in.
It provides internet access and that's all I really care about.
Well, I mean, you're going to be vulnerable because you're never going to patch.
So maybe some devices have an auto update or auto patch type thing, but often it requires manual pushing the button. And some
folks just don't do that. And so, like I said, I'm guilty of that on myself on occasion. And it
provides all these devices that are sitting out there on the internet vulnerable to these age-old
vulnerabilities and CVEs that attackers can use to enslave and create bigger botnets.
And to be clear here, with this vulnerability, when someone enlists one of these devices to become part of their botnet, the device is still functioning normally. As far as the user's
concerned, they wouldn't necessarily notice anything going wrong.
Not necessarily. At first, I don't think they would notice anything if there was a particular
DDoS attack going and maybe it was saturating the network with traffic.
They might notice some latency. But as far as to their eyes, they're not actually going to see anything malicious when they're browsing the Internet.
The most that they might notice is a little bit of downtime or a little latency as they're trying to connect.
In which case, what's the solution for that? Restart the router, which is the typical thing to do.
And so that might, you know, fix the latency issues at first, and then maybe they'll come
back.
And so that's kind of the reality of these things is like a lot of times users just don't
realize that their device is part of a botnet.
We published some statistics earlier in the year that within five minutes, IoT devices
are being brute forced via telnet attacks.
Within 24 hours, they're getting
exploitation attempts such as this one. At one point, for some of the IoT devices that we brought
online, within 60 seconds, they were getting brute forced by telnet attempts.
Let's dig into some of the technical stuff that's actually going on here. So the bad guys are doing their scanning. They find a device that's a good possibility for infection. What exactly is happening behind the scenes?
So once they've identified a device that is potentially vulnerable to this, they'll attempt to exploit it using this known vulnerability.
And that might be just a weaponized piece of code that says, hey, I'm going to exploit this,
or maybe there's a buffer overflow I'm going to get past. Once they've successfully executed that exploit, the device is essentially compromised. And at that point, they can then deploy their code or
payloads onto that compromised device. In this instance, we saw them distributing the Hakai DDoS
bot. But it doesn't have to be Hakai. It can be really anything because at that point, the
attackers have control over that device, that router, which is then a zombie to them.
And they can issue any command that they want, really, to deploy whatever type of malware they
choose. And they can also deploy different architectures, right? So if the router is
running ARM or if it's running MIPS, they can deploy different types of payloads to complement
those architectures and allow the bots to run in a disparate environment that has a lot of
these different types of devices in it.
So in terms of what you're tracking with this, does it seem as though they are still in that bot building stage? Are they gathering up the bots and haven't yet done anything yet? Or what's your sense with that?
As far as we can tell, this is very much at the time that we reported this is very much
in the recruitment phase. We hadn't seen any significant DDoS attacks come out of South
Africa where this bot is supposedly being constructed. However, that's not to say that
there isn't. We may not necessarily have visibility on every aspect of the internet there. Our honey
pots are deployed worldwide, but that doesn't necessarily mean we see 100% of the internet.
And given our other statistics in what we call Atlas, we also have visibility in approximately a third of the internet traffic around the world. So we do see a lot of the traffic,
but there are still gaps. And it could be that attacks launched from this particular botnet,
maybe they're not significant enough to really put a spike in the grander scale of
the world's DDoS traffic. So we may or may not necessarily see DDoS attacks come from this
botnet if it has been matured and finalized as far as its reach and extent. But yeah,
for this particular activity that we observed, we very much believe it's in the recruitment phase.
Do you have any sense for why they might be targeting South Africa?
Again, we started looking into motivations or possible motivations. Are
there any events in South Africa? Is there political events? Is there geopolitical upheaval?
Are there cross-border tensions? And the reality is we didn't find anything significant that could
tie it to this, which leads me to the conclusion that this is
very much opportunistic. As I said before, they identified a bunch of routers and they figured
this is an opportunity for me to expand. Let's go ahead and do it. And maybe South Africa just
happened to be that conduit for them.
How much of this lies with, for example, the ISP? I mean, if this is a router that's being distributed by an ISP, do they have any responsibility for pushing out updates or informing their customers that this is available?
I think a lot of ISPs do this already,
and most ISPs have some type of DDoS mitigation in place. I know that Netscout is in pretty much
all of the world's first tier ISPs, many of the second tier. And so by the upstream downstream
nature of these devices being deployed by consumers, they're often protected by DDoS
because they have upstream protection and mitigation by either Netscout or some other
competitor that does DDoS mitigation. So even though we might be establishing this botnet,
and maybe the devices are being successfully compromised, that doesn't necessarily mean that
they're going to be successful in their DDoS attempts. But it does mean that the devices
are still compromised. And I don't know that that is an ISP directive to let their customers know
that they need to fix their stuff. Maybe there's some education that can happen via various venues.
I know that's why security companies like us exist, right? Is to inform consumers and to inform
the world that this is happening and that, hey, even if you are a lay person and maybe you're not in a security
business, or maybe you have no idea how to log into your router, we really want to get this
information to everybody, right? That's why we do these calls, these podcasts, because we want to
inform the world that, hey, this is happening. And it doesn't matter who you are, where you are,
or what your skill level is. There is some level of responsibility for each person to make sure that they're securing
their own devices and networks in their own homes against attacks like this.
So what is your sense of the sophistication of the group we're dealing with here?
Are they custom developing their own stuff or is this off-the-shelf components?
I think by and large, this is going to be mostly off-the-shelf components.
The Hakai DDoS bot has been around for a while. Really, anybody can take it and use it. This
vulnerability has been around for five years. The fact that they maybe found routers via some type
of service like Shodan, that's been around for ages. I don't see anything novel, new,
or sophisticated in this particular campaign. It just looks like your run-of-the-mill
IoT bot attempting to broaden its reach.
Now, in terms of the rest of us who are, you know, around the world looking to defend against these sorts of things, I mean, anything we need to look out for? Any ways to protect ourselves for the potential inevitable botnet that might spawn from this?
Sure. The biggest thing I could tell you right now, especially with a lot of these after free vulnerabilities, is patch. Most often, when people use responsible disclosure for various CVEs, they work with the manufacturers and the vendors of particular devices, or maybe Microsoft or some other company, so that the companies will try to get patches available before they disclose the POC or working POC of the vulnerability, in which case organizations paying attention to those
can get their equipment patched, can get their routers patched, so that when the POCs become
available and inevitably attackers start to get those POCs and reverse engineer them to figure
out how to weaponize them, devices are then already patched. The sad part of this is that
there's a lot of people that have a very rigorous process of approving patches.
So even if a patch becomes available, it might be six months before some organizations ever get that patch implemented because they have to go through testing, they have to go through staging,
they have to make sure no systems are going to fall over. And there's a level of acceptable
risk that some organizations take in regards to this. But the reality is,
is that patching is probably your best bet for a lot of these things.
Our thanks to Richard Hummel from NetScout for joining us.
The research is titled Realtek SDK Exploits on the Rise from Egypt.
We'll have a link in the show notes.
The Cyber Wire Research Saturday is proudly produced in Maryland
out of the startup studios of Data Tribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is
Elliot Peltzman,
Puru Prakash,
Stefan Vaziri,
Kelsey Bond,
Tim Nodar,
Joe Kerrigan,
Carol Terrio,
Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick.
And I'm Dave Bittner.
Thanks for listening.