D-Link Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Wed, 13 Sep 2023 04:30:52 +0000

MooBot Botnet Attacks D-Link Routers
https://gridinsoft.com/blogs/moobot-attacks-d-link-routers/
Fri, 09 Sep 2022 08:47:57 +0000

The post MooBot Botnet Attacks D-Link Routers appeared first on Gridinsoft Blog.

Experts have discovered that the MooBot botnet, built on the Mirai IoT malware, attacks vulnerable D-Link routers using a combination of old and new exploits against them.

Let me remind you that we also talked about ZuoRAT Trojan Hacks Asus, Cisco, DrayTek and NETGEAR Routers, and also that Information security specialists disclosed details of five vulnerabilities in D-Link routers.

Information security specialists have not written about MooBot activity for a long time: the last study was dated last December, when MooBot took advantage of the CVE-2021-36260 vulnerability in Hikvision cameras, infecting these devices and using them for DDoS attacks.

As it has now turned out, MooBot recently changed its “field of activity”, which is typical for botnets, which are constantly looking for new pools of vulnerable devices to take over. According to a recent report by Palo Alto Networks, the malware is currently targeting the following critical vulnerabilities in D-Link devices:

  1. CVE-2015-2051: D-Link HNAP SOAPAction command execution issue;
  2. CVE-2018-6530: RCE in the D-Link SOAP interface;
  3. CVE-2022-26258: remote command execution on D-Link devices;
  4. CVE-2022-28958: remote command execution on D-Link devices.


It is worth noting that the manufacturer released patches for these problems long ago: two of the vulnerabilities were fixed back in 2015 and 2018. However, not all users have applied these patches yet, especially the patches for the last two vulnerabilities, which were released in March and May of this year.

The malware operators exploit these vulnerabilities to achieve remote code execution on vulnerable devices and then use arbitrary commands to download and launch the malicious binary.


The captured routers are then used to carry out DDoS attacks against various targets, depending on what the MooBot operators want to achieve. As a rule, attackers rent out the power of their botnet to other criminals, so a variety of sites and services suffer from MooBot attacks.

Interestingly, the C&C addresses given in the Palo Alto Networks report differ from those in Fortinet’s December report, indicating that the hackers have upgraded their infrastructure.

Experts write that users of compromised D-Link devices may notice a drop in Internet speed, freezes, router overheating, or changes in DNS configuration. The best way to protect against MooBot is to apply all available firmware updates.

(Image in the original post: IoC Mirai Botnet)


Information security specialists disclosed details of five vulnerabilities in D-Link routers
https://gridinsoft.com/blogs/information-security-specialists-disclosed-details-of-five-vulnerabilities-in-d-link-routers/
Tue, 28 Jul 2020 16:02:52 +0000


Loginsoft experts have reported five serious vulnerabilities found in some models of D-Link routers. Even worse, support for some of the vulnerable devices has already been discontinued, which means they will not receive patches, while PoC exploits for these problems have already been made public.

The problems discovered by the researchers include reflected XSS, a buffer overflow that can be used to obtain the administrator’s credentials, an authentication bypass, and arbitrary code execution. Essentially, anyone with access to the device’s admin page can perform the listed attacks without even knowing the credentials.

“Fortunately, in most cases, to gain access to the admin interface, an attacker must be on the same network as the router (for example, it could be a connection to a public access point or a single internal network)”, say Loginsoft experts.

The situation is seriously complicated when the router can be reached remotely: then an attacker only needs to send a request to the router’s IP address, bypass authentication, and take control of the device and the network. According to the Shodan search engine, more than 55,000 D-Link devices can currently be accessed remotely.


D-Link specialists have already published a list of all devices vulnerable to the five new problems. Some of these bugs were reported back in February 2020, while Loginsoft’s research, according to the company, was conducted in March.

At the same time, the company does not say what will happen to the DAP-1522 and DIR-816L devices, for which support and the release of updates have already been discontinued. These routers, running firmware 1.42 (and later) and 12.06.B09 (and later), remain vulnerable and there is no way to patch them.

However, for another old model, DAP-1520, D-Link made an exception and released a beta version of the patch (1.10b04Beta02).

All this recalls the curious story of vulnerabilities in D-Link products, when for eight years the Cereals IoT botnet used one of the vulnerabilities in D-Link NAS and NVR devices to… download anime.

List of disclosed vulnerabilities:

  • CVE-2020-15892: DAP-1520: buffer overflow in the `ssi` binary, leading to arbitrary command execution;
  • CVE-2020-15893: DIR-816L: command injection in UPnP via a crafted M-SEARCH packet;
  • CVE-2020-15894: DIR-816L: exposed administration function, allowing unauthorized access to some sensitive information;
  • CVE-2020-15895: DIR-816L: reflected XSS due to an unescaped value in the device configuration;
  • CVE-2020-15896: DAP-1522: exposed administration function, allowing unauthorized access to some sensitive information.


For eight years, the Cereals botnet existed for only one purpose: it downloaded anime
https://gridinsoft.com/blogs/for-eight-years-the-cereals-botnet-existed-for-only-one-purpose-it-downloaded-anime/
Fri, 08 May 2020 16:08:11 +0000


The Cereals IoT botnet appeared in 2012, and reached its peak in 2015, when there were about 10,000 infected devices. All these eight years, the Cereals botnet only downloaded anime for its creator.

All this time, Cereals exploited only one vulnerability and attacked D-Link’s NAS and NVR, combining them into a botnet.

For many years, the botnet eluded the attention of information security professionals, and now it has almost ceased to exist.

“The fact is that the vulnerable D-Link devices on which Cereals parasitized began to become obsolete and out of order, that is, they are becoming fewer and fewer. In addition, the ransomware Cr1ptT0r accelerated the decay of the botnet, which destroyed the competing malware on infected devices and removed the Cereals malware from many D-Link devices in the winter of 2019”, say Forcepoint researchers.

Now that the botnet and the vulnerable devices it exploited are disappearing, Forcepoint experts decided to publish a report on the malware’s activities, since they no longer need to fear that the study will draw the attention of other criminals to the vulnerable devices and provoke the emergence of new botnets.


Experts write that Cereals can be called a unique phenomenon, since the botnet used only one vulnerability throughout all eight years of its “life”.

This vulnerability was related to the SMS notification feature that was present in the D-Link NAS and NVR firmware. The bug allowed the creator of Cereals to send malicious HTTP requests to the embedded servers of vulnerable devices and execute commands with root privileges. In this way, the botnet operator infected the devices with its malware.

“The botnet was very advanced in its functionality. Therefore, if the attack succeeded, Cereals supported up to four active backdoors on the devices, tried to patch the attacked devices so that other attackers could not attack them, and distributed bots on 12 small subnets”, say the researchers.

However, all these efforts were in fact a waste of time. Forcepoint analysts believe that Cereals was someone’s hobby or a project created as a joke (it is assumed that the author of the malware is called Stefan and lives in Germany).

The fact is that the botnet did not carry out DDoS attacks, did not try to attack any devices other than those mentioned above, and did not try to access user data stored on the infected devices. Instead, all these years Cereals just methodically downloaded anime.

However, this is the cutest botnet I have talked about on this blog; the others are mostly not like that. For example, read the article about the Hoaxcalls botnet that attacks Grandstream devices.

