CyberSec Researchers Reveal 2 Million Devices Vulnerable as Botnet Launch Pad

Firmware security firm Eclypsium and Synopsys Cybersecurity Research Center (CyRC) released reports last week of global hardware flaws and multiple API holes discovered in a call center software suite.

The separate reports follow news from F-Secure that 150 different HP multifunction printer (MFP) products are rife with security vulnerabilities. With HP estimated at 40% of the hardware peripherals market, many companies across the world are likely using vulnerable devices, according to F-Secure.

Latvia-based MikroTik, a provider of wireless routers and ISP devices since 1996, has more than two million devices deployed worldwide. These devices are powerful. Eclypsium research published on December 9 shows that they are also often very vulnerable.

The CyRC revealed on December 7 that the weak Application Programming Interface (API) router can be exploited remotely to read system parameters without authentication. It may also allow arbitrary code execution for any authenticated user via unrestricted file download. The affected software leaves employees and customers vulnerable to stolen passwords, phishing emails and other data stolen from the server.

The Eclypsium blog promotes the report

MikroTik devices are a favorite among threat actors who have commandeered the devices for everything from DDoS attacks, command and control (aka “C2”), traffic tunneling, and more, according to MikroTik research d ‘Eclypsium titled ‘When Bees Become Murderous Hornets’, which forms the basis of the report.

Some of the research sheds light on this problem. The report maps the vendor’s attack surface, then provides researchers and security teams with tools they can use to find vulnerable and already compromised devices.

Since such a large percentage of these devices have been in a vulnerable state for many years, researchers also decided to leverage the same tactics, techniques, and procedures (TTPs) that attackers use. This helped to find out if a given device might already be compromised and determine whether it is patched or not.

The report examines 1) why these devices are being targeted, 2) known threats and capabilities, 3) mapping attack surfaces in the wild, and 4) what enterprise security teams can do about it.

Main target MikroTik

The increase in users working from home presents attackers with a host of easily detectable vulnerable devices that can provide attackers with easy access to employee home devices and corporate resources.

“Indeed, the perimeter has as many holes as a honeycomb has hexagons,” according to the report. “Threat actors have the tools to find vulnerable MikroTik devices that many companies don’t.”

Researchers have found that MikroTik devices are prone to vulnerabilities. They often come with default credentials of admin/blank passwords. Even devices intended for enterprise environments come with no default settings for the WAN port.

MikroTik’s auto-upgrade feature is rarely enabled. Many devices are simply never updated. They have a complex configuration interface, so users can easily make risky mistakes.

Researchers have found thousands of vulnerable and easily detectable end-of-life devices on the Internet, some over a decade old. Collectively, attackers have plenty of opportunities to take full control of very powerful devices. They can target devices behind the LAN port as well as on the Internet.

How to mitigate vulnerable devices

Eclypsium customers can use its network device scanner to identify MikroTik devices. This process uses HTTP and UPnP responses from devices up to the specific version.

The platform also provides automated scanning of MikroTik devices to identify vulnerabilities and threats. This will locate devices that need upgrades or fixes.

MikroTik customers without Eclypsium can download a free MikroTik Assessment Tool. This tool will check MikroTik devices to see if a scheduler script exists or if the device contains the critical vulnerability CVE-2018-14847.

MikroTik has released information about the hardening of its devices. It includes a response to the Meris botnet, along with instructions for securing MikroTik devices and identifying and resolving any compromises.

Serious software flaw

The CyRC Vulnerability Advisory reported the discovery of several vulnerabilities in the GOautodial call center software suite.

GOautodial, which claims to have 50,000 call center users worldwide, is open source and free to download. It is also available as a paid cloud service from several providers.

Discovered vulnerabilities can be remotely exploited to read system parameters without authentication and allow arbitrary code execution for any authenticated user via unrestricted file download.

“The good news is that unless the GOautodial system is directly exposed to the internet – which seems unlikely – an attacker would have to gain access to the network first to exploit either of these vulnerabilities,” said said Scott Tolley, sales engineer for the Synopsys research team. , told TechNewsWorld.

There are confirmed incidents of damage due to MikroTik vulnerabilities, confirmed Scott Scheferman, senior cyber strategist at Eclypsium.

The power of a botnet like this is evident in this example he provided.

“Yandex Layer 7 DDOS attack recorded about 22 million RPS (requests per second). Even at a conservative level of 100 requests per second, the 287,000 vulnerable devices (vulnerable to Winbox), if used in such a DDoS attack, would result in ~28 million RPS, which is very close to the ~22 million RPS observed during the Meris Yandex DDoS attack.

Two key vulnerabilities

The first issue — CVE-2021-43 Synopsys Cybersecurity Research Center (CyRC)175: Broken Authentication — falls under category A01 Broken Access Control on the OWASP Top 10 list. With this vulnerability, any attacker with access to the internal network hosting GOautodial could steal sensitive configuration data.

The stolen data may include default GOautodial server passwords. Attackers would not need credentials such as a username or password to connect to other related systems on the network, such as phones or VoIP services.

The second issue – CVE-2021-43176: include local files with path traversal – allows any authenticated user at any level, including contact center employees, to achieve remote code execution . This would allow them to have full control over the GOautodial application on the server.

Attackers could steal the data of all co-workers and customers and even rewrite the application to introduce malicious behavior such as stealing passwords or spoofing communications. Spoofing is sending messages or emails that appear to be from someone else.

Affected Software

Versions of the GOautodial API at or before the b951651 commit on September 27 appear to be vulnerable. This includes the latest publicly available ISO installer GOautodial-4-x86_64-Final-20191010-0150.iso.

Both vulnerabilities were fixed on October 20 from commit 15a40bc.

GOautodial users can fix the vulnerabilities by upgrading to the latest version available on GitHub. This is advised by the GOaudodial team, according to Tolley.

Users must be motivated to upgrade because the implications for GOautodial server integrity are severe, Tolley warned.

“Any authenticated user, such as a regular call center employee, can take control of the entire server-side application. In addition to the insider threat, any attacker who takes control of a single regular user account could take advantage,” he said.

It’s also possible to steal default passwords and other sensitive configuration data without any valid credentials, he added.

Source link