Tag Archives: vulnerability

Cisco issues new, complete fixes for critical flaw in enterprise security appliances

Cisco researchers have identified additional attack vectors and features that are affected by the “perfect 10” remote code execution and denial of service vulnerability they attempted to patch last Tuesday. This discovery also means that the fix they pushed out at the time is incomplete, and administrators now have to update the vulnerable software again. More on CVE-2018-0101 Initially, they thought that the vulnerability (CVE-2018-0101) only affected the webvpn feature of the Cisco Adaptive Security … More ?

View original post here:
Cisco issues new, complete fixes for critical flaw in enterprise security appliances

Dormant Linux kernel vulnerability finally slayed

Just, er, eight years later A recently resolved vulnerability in the Linux kernel that had the potential to allow an attacker to gain privilege escalation or cause denial of service went undiscovered for seven years.…

Originally posted here:
Dormant Linux kernel vulnerability finally slayed

New Mirai Worm Knocks 900K Germans Offline

More than 900,000 customers of German ISP  Deutsche Telekom  (DT) were knocked offline this week after their Internet routers got infected by a new variant of a computer worm known as  Mirai.  The malware wriggled inside the routers via a newly discovered vulnerability in a feature that allows ISPs to remotely upgrade the firmware on the devices. But the new Mirai malware turns that feature off once it infests a device, complicating DT’s cleanup and restoration efforts. Security experts say the multi-day outage is a sign of things to come as cyber criminals continue to aggressively scour the Internet of Things (IoT) for vulnerable and poorly-secured routers, Internet-connected cameras and digital video recorders (DVRs). Once enslaved, the IoT devices can be used and rented out for a variety of purposes — from conducting massive denial-of-service attacks capable of knocking large Web sites offline to helping cybercriminals stay anonymous online. This new variant of Mirai builds on malware source code released at the end of September. That leak came a little more a week after a botnet based on Mirai was used in a record-sized attack that caused KrebsOnSecurity to go offline for several days. Since then, dozens of new Mirai botnets have emerged, all competing for a finite pool of vulnerable IoT systems that can be infected. Until this week, all Mirai botnets scanned for the same 60+ factory default usernames and passwords used by millions of IoT devices. But the criminals behind one of the larger Mirai botnets apparently decided to add a new weapon to their arsenal, incorporating exploit code published earlier this month for a security flaw in specific routers made by Zyxel and Speedport. These companies act as original equipment manufacturers (OEMs) that specialize in building DSL modems that ISPs then ship to customers. The vulnerability exists in communications protocols supported by the devices that ISPs can use to remotely manage all of the customer-premises routers on their network. According to BadCyber.com, which first blogged about the emergence of the new Mirai variant, part of the problem is that Deutsche Telekom does not appear to have followed the best practice of blocking the rest of the world from remotely managing these devices as well. “The malware itself is really friendly as it closes the vulnerability once the router is infected,” BadCyber noted. “It performs [a] command which should make the device ‘secure,’ until next reboot. The first one closes port 7547 and the second one kills the telnet service, making it really hard for the ISP to update the device remotely.” [For the Geek Factor 5 readership out there, the flaw stems from the way these routers parse incoming traffic destined for Port 7547using communications protocols known as TR-069]. DT has been urging customers who are having trouble to briefly disconnect and then reconnect the routers, a process which wipes the malware from the device’s memory. The devices should then be able to receive a new update from DT that plugs the vulnerability. That is, unless the new Mirai strain gets to them first.  Johannes Ullrich , dean of security research at  The SANS Technology Institute , said this version of Mirai aggressively scans the Internet for new victims, and that SANS’s research has shown vulnerable devices are compromised by the new Mirai variant within five to ten minutes of being plugged into the Internet. Ullrich said the scanning activity conducted by the new Mirai variant is so aggressive that it can create hangups and crashes even for routers that are are not vulnerable to this exploit. “Some of these devices went down because of the sheer number of incoming connections” from the new Mirai variant, Ullrich said. “They were listening on Port 7547 but were not vulnerable to this exploit and were still overloaded with the number of connections to that port.” FEEDING THE CRIME MACHINE Allison Nixon , director of security research at Flashpoint, said this latest Mirai variant appears to be an attempt to feed fresh victims into one of the larger and more established Mirai botnets out there today. Nixon said she suspects this particular botnet is being rented out in discrete chunks to other cybercriminals. Her suspicions are based in part on the fact that the malware phones home to a range of some 256 Internet addresses that for months someone has purchased for the sole purpose of hosting nothing but servers used to control multiple Mirai botnets. “The malware points to some [Internet addresses] that are in ranges which were purchased for the express purpose of running Mirai,” Nixon said. “That range does nothing but run Mirai control servers on it, and they’ve been doing it for a while now. I would say this is probably part of a commercial service because purchasing this much infrastructure is not cheap. And you generally don’t see people doing this for kicks, you see them doing it for money.” Nixon said the criminals behind this new Mirai variant are busy subdividing their botnet — thought to be composed of several hundred thousand hacked IoT devices — among multiple, distinct control servers. This approach, she said, addresses two major concerns among cybercriminals who specialize in building botnets that are resold for use in huge distributed denial of service (DDoS) attacks. The first is that extended DDoS attacks which leverage firepower from more bots than are necessary to take down a target host can cause the crime machine’s overall bot count to dwindle more quickly than the botnet can replenish itself with newly infected IoT devices — greatly diminishing the crime machine’s strength and earning power. “I’ve been watching a lot of chatter in the DDoS community, and one of the topics that frequently comes up is that there are many botnets out there where the people running them don’t know each other, they’ve just purchased time on the botnet and have been assigned specific slots on it,” Nixon said. “Long attacks would end up causing the malware or infected machines to crash, and the attack and would end up killing the botnet if it was overused. Now it looks like someone has architected a response to that concern, knowing that you have to preserve bots as much as you can and not be excessive with the DDoS traffic you’re pushing.” Nixon said dividing the Mirai botnet into smaller sections which each answer to multiple control servers also makes the overall crime machine more resistant to takedown efforts by security firms and researchers. “This is an interesting development because a lot of the response to Mirai lately has been to find a Mirai controller and take it down,” Nixon said. “Right now, the amount of redundant infrastructure these Mirai actors have is pretty significant, and it suggests they’re trying to make their botnets more difficult to take down.” Nixon said she worries that the aggressive Mirai takedown efforts by the security community may soon prompt the crooks to adopt far more sophisticated and resilient methods of keeping their crime machines online. “We have to realize that the takedown option is not going to be there forever with these IoT botnets,” she said. Source: https://krebsonsecurity.com/2016/11/new-mirai-worm-knocks-900k-germans-offline/

View article:
New Mirai Worm Knocks 900K Germans Offline

Origin of the beasties: Mirai botnet missing link revealed as DVR player

CCTV cameras? You’ve been looking in the wrong place Security researchers have discovered a “missing link” in the Mirai botnet that may prompt a rethink in what makes up the zombie network.…

Continue reading here:
Origin of the beasties: Mirai botnet missing link revealed as DVR player

How the ‘Internet of unpatchable things’ leads to DDoS attacks

For at least the past year there have been repeated warning to makers of Internet-connected devices about the insecurity of their platforms. Another came today in a report from Akamai Technologies’ threat research team, which has delved into a recent burst of distributed attacks leveraging IoT devices. In this case they are SSHowDowN Proxy attacks using a 12-year old vulnerability in OpenSSH. “We’re entering a very interesting time when it comes to DDoS and other web attacks — ‘The Internet of Unpatchable Things’ so to speak,” Eric Kobrin, Akamai’s director of information security, said in a statement. “New devices are being shipped from the factory not only with this vulnerability exposed, but also without any effective way to fix it. We’ve been hearing for years that it was theoretically possible for IoT devices to attack. That, unfortunately, has now become the reality.” Akamai emphasizes this isn’t a new vulnerability or attack technique. But it does show a continued weakness in many default configurations of Internet-connected devices. These particular attacks have leveraged video surveillance cameras and digital recorders, satellite antenna equipment, networking devices (including routers, switches, Wi-Fi hotspots and modems) and Internet-connected network attached storage. They are being used to mount attacks on any Internet targets as well as internal networks that host connected devices. Unauthorized SSH tunnels were created and used, despite the fact that the IoT devices were supposedly hardened and do not allow the default web interface user to SSH into the device and execute commands, Akamai said. Then attackers used to conduct a mass-scale HTTP-based credential stuffing campaigns against Akamai customers. It offers this mitigation advice to infosec pros: –if possible configure the SSH passwords or keys on devices and change those to passwords or keys that are different from the vendor defaults; –configure the device’s SSH service on your device and either add “AllowTcpForwarding No” and “no-port-forwarding” and “no-X11-forwarding” to the ~/ssh/authorized_ keys file for all users, or disable SSH entirely via the device’s administration console; –if the device is behind a firewall, consider disabling inbound connections from outside the network to port 22 of any deployed IoT devices, or disabling outbound connections from IoT devices except to the minimal set of ports and IP addresses required for their operation. Source: http://www.itworldcanada.com/article/how-the-internet-of-unpatchable-things-leads-to-ddos-attacks/387275

Originally posted here:
How the ‘Internet of unpatchable things’ leads to DDoS attacks

Botnet-powered ballot stuffing suspected in 2nd referendum petition

‘Tiny fraction of the overall count’ however A petition for a second EU referendum in the UK has been hit by suspicions of computer automated ballot stuffing, possibly by politically motivated hackers.…

View article:
Botnet-powered ballot stuffing suspected in 2nd referendum petition

Did your UK biz just pay £1,500 to stop a DDoS? You’ve been had

Empty threats from faux hackers doing the rounds again What kind of a grifter pretends he’s going to DDoS you? The kind that easily makes off with a lot of cash, it seems. “Hackers” who have been making empty DDoS threats while posing as the Armada Collective appear to have have moved on.…

Continued here:
Did your UK biz just pay £1,500 to stop a DDoS? You’ve been had