Tag Archives: Telnet

Internet of Things malware destroys devices

In early April embedded devices powered by Google Android, Linux and FreeBSD (specifically the BusyBox distribution) mainly used as media players and routers came under attack from a previously unseen form of malware.

How does this malware affect compromised devices?
Once compromised, the device will cease functioning within seconds; this attack is being called a PDoS (Permanent Denial of Service). This occurs because the malware corrupts the device's internal storage and reduces the number of kernel (defined) threads (sequences of independent in-progress tasks) from several thousand to just one, causing the device's in-progress tasks/workload to halt. Security firm Radware demonstrated this result with a webcam.

How does this malware initially compromise a device?
Since early April four unique versions of this malware (dubbed BrickerBot) have emerged. The first version attempted to compromise Radware's test device almost 2,000 times within four days, with the attacks originating from all over the world. The second and more advanced version uses Tor (The Onion Router) to enable attacks to take place from the Dark web (a portion of the internet only accessible using the Tor network). This makes tracing the source of the attacks almost impossible.

Version 3 targets further devices, while version 4 was active only very briefly and ceased its activity after 90 attempted attacks. Radware provide more details in their analysis.

The malware's authors seek to gain control of vulnerable devices by attempting to access them over the internet via the Telnet protocol (defined; it uses TCP and UDP port 23), entering commonly used usernames and passwords until one succeeds. If your network contains routers or music/media devices using the BusyBox distribution, they are potentially vulnerable to this malware. Attackers can use tools such as Shodan (defined) to locate vulnerable devices over the internet and begin an attack.

How can I protect my devices from this malware?
Radware provide five steps you can take to better secure your internet of things (IoT, defined) devices from this malware. They also suggest the use of an IPS (defined) in this related blog post. The above recommendations are especially important since, unlike other malware where you can re-format a hard disk and re-install the operating system (defined), this malware permanently damages the device, which will then require replacement.

Thank you.

Linux Routers Potentially Vulnerable To Telnet Worm

In late March ESET security published a blog post detailing how an updated version of an existing malware infection can exploit many consumer broadband routers and wireless access points.

Why Should This Infection Be Considered Important?
If your router becomes infected with this malware it can communicate back to its creator via a command and control (C2) server (defined). Under their control your router can be used for purposes such as a distributed denial of service (DDoS) attack (defined), or any other action the attackers may choose. An example of a DDoS attack occurring in the past using routers is the subject of this article and this article.

Given that the malware comes to reside on a router by attempting to connect to random IP addresses (defined) that have port 23 open it may only be a matter of time before your router is tested for this open port.

By convention port 23 is used by the now deprecated Telnet (defined) protocol. If your router's firewall (defined) does not block access to this port from external sources, the attackers have a favourable opportunity to infect your router, since the malware can download various versions customized to the individual CPU architecture used within the router, e.g. MIPS, ARM, etc. The malware attempts to gain access to your router using a stored list of usernames and passwords that are commonly used or are used by default by consumer routers. Once access is obtained the malware is downloaded and installed.

How Can I Protect Myself from This Malware?
As discussed in a previous blog post, please follow the recommendations provided by the US-CERT to secure your router. This will involve (among other changes) changing the default username and password of the router (making it much harder for the malware to guess the correct credentials).

Blocking commonly used protocols from being used to access your router (which in this case is the Telnet protocol) using your firewall is explained here. Using a tool (e.g. Steve Gibson's ShieldsUP!) to test the effectiveness of your router's firewall, which will also provide additional protection against this threat and other threats that may attempt to access your router, is discussed here. A guide for using ShieldsUP! to do this is here, with a video demo here. Scanning your router using Nmap (a more advanced tool) is discussed in this article.
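As an added example (not from the original post or from ESET), the check below does in Python what the paragraph describes doing with ShieldsUP! or Nmap: it connects to port 23 on a router you own and classifies the result. A correctly firewalled router shows "filtered" (no answer) or "closed"; a reply containing Telnet option negotiation (IAC DO/WILL bytes, RFC 854) means a Telnet daemon is reachable. The fake server at the end is a constructed stand-in so the script runs offline.

```python
import socket
import threading

# Telnet command bytes (RFC 854): IAC followed by WILL/WONT/DO/DONT and an option
IAC, DONT, DO, WONT, WILL = 255, 254, 253, 252, 251


def parse_telnet_negotiation(data):
    """Return (command, option) pairs from a server's opening bytes.
    A real Telnet daemon usually starts with negotiation such as
    IAC DO TERMINAL-TYPE or IAC WILL ECHO; SSH or HTTP never send these."""
    pairs = []
    i = 0
    while i + 2 < len(data):
        if data[i] == IAC and data[i + 1] in (DO, DONT, WILL, WONT):
            pairs.append((data[i + 1], data[i + 2]))
            i += 3
        else:
            i += 1
    return pairs


def probe_telnet(host, port=23, timeout=3.0):
    """Classify port 23 on a host you own: 'closed' (connection refused),
    'filtered' (no answer within the timeout, the expected result behind a
    firewall), 'telnet' (Telnet negotiation seen) or 'open-other'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(64)
            except socket.timeout:
                banner = b""
            return "telnet" if parse_telnet_negotiation(banner) else "open-other"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, OSError):
        return "filtered"


def start_fake_telnet_server(banner=b"\xff\xfd\x18\xff\xfb\x01login: "):
    """Constructed localhost stand-in for a Telnet daemon (offline demo only).
    Sends IAC DO TERMINAL-TYPE, IAC WILL ECHO, then a login prompt."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    print(probe_telnet("127.0.0.1", start_fake_telnet_server()))  # telnet
```

Replace the loopback address and port with your router's public IP address and port 23, run the check from outside your network, and anything other than "closed" or "filtered" means Telnet is reachable from the internet.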

Since many Internet Service Providers (ISPs) block/prevent end-users/consumers from making many changes to their routers, please contact your ISP for advice on how to block port 23 from being accessed externally to protect against the threat discussed in ESET’s blog post.

Thank you.

Juniper Issues Emergency Security Updates For VPN Devices

On the 17th of December Juniper Networks released a security advisory which detailed 2 critical security issues (these have been assigned 2 CVE numbers (defined)) within their NetScreen devices, which offer VPN (Virtual Private Network) (defined) access. Juniper have released emergency security updates to address these issues.

Why Should These Issues Be Considered Important?
The first issue, assigned CVE-2015-7755, could allow an attacker to remotely access your Juniper VPN device using SSH or telnet. Having connected using either of these protocols, they will receive a logon prompt; however, due to this issue they can enter any username and, since the password has been publicly disclosed, they would then obtain access to your device with the highest privileges available. This is an extremely serious backdoor (defined) that an attacker can easily exploit.

The second vulnerability, designated CVE-2015-7756, could allow an attacker who can capture your VPN network traffic to decrypt that encrypted traffic and read all of its contents. In addition, there is no means of detecting if this second vulnerability has been exploited.

Juniper NetScreen devices using the operating system versions mentioned below have been confirmed to have been affected by these issues:

=======================
The first issue mentioned above (the administrative access issue) affects the following versions of ScreenOS (the operating system that powers these Juniper devices):

ScreenOS 6.3.0r17 through 6.3.0r20
=======================

=======================
The VPN decryption issue affects ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20
=======================

Finally, there are theories with compelling evidence of how this backdoor code came to be present within Juniper's products in the first instance. The definitive answer does not appear to be completely clear at this time. If you wish to read more on this aspect of these security issues, please find further references below:

Juniper Finds Backdoor That Decrypts VPN Traffic by Michael Mimoso (Kaspersky ThreatPost)
Juniper Backdoor Password Goes Public by Michael Mimoso (Kaspersky ThreatPost)
Juniper Backdoor Picture Getting Clearer by Michael Mimoso (Kaspersky ThreatPost)
On the Juniper backdoor by Matthew Green (Johns Hopkins University)
Who were the attackers and how did they get in? by Jeremy Kirk (IDG News Service)
CVE-2015-7755: Juniper ScreenOS Authentication Backdoor by H. D. Moore (Rapid7)
“Unauthorised code” on Juniper firewalls gives attackers admin access, decrypts VPN traffic by Graham Cluley (writing on behalf of BitDefender)

How Can I Protect Myself From These Issues?
As directed within Juniper's security advisory, if you are using the affected Juniper devices within your corporation or small business, please apply the necessary updates as soon as possible since these issues are very serious. Download links for these updates are provided within the above mentioned security advisory. Juniper also supplies additional best practice advice within that advisory.

SNORT IDS/IPS (defined) and Sagan (an open source log analysis engine) rules to detect the first issue (administrative access) being exploited are provided in Rapid7’s blog post. That blog post also contains advice if you are having an issue installing the updates to address these issues.

Thank you.

=======================
Note: I am currently working on more upcoming content for this blog. Since this will be my final post before the 25th of December I wanted to wish you and yours a safe and very Merry Christmas / Happy Holidays. I will return later this week with more blog posts.

Thanks again.