Hackers planning ahead

Hackers moved one step closer to launching full-scale DDoS attacks using millions of IoT devices herded into the botnet known as Reaper or IOTroop.

Researchers at NewSky Security warn that hackers are swapping scripts on forums that can scan the internet for vulnerable IoT devices and dump default or weak credentials from them.

“This is an important next step for hackers who have taken the concept of an attack and turned it into the foundation of a real one,” said Ankit Anubhav, principal security researcher at NewSky Security.

Anubhav’s investigation led him to an underground forum where a pair of hackers demonstrated a script that exploited a vulnerability in a China-built wireless camera resold by many vendors.

“(The hackers) have scripts related to a weaponized CVE-2017-8225 exploit along with screenshots of the script in action,” Anubhav wrote in a blog post explaining his research.

NewSky Security’s research adds to Check Point’s previous IOTroop research published last week that warned the botnet (and corresponding malware) was recruiting a global army of connected devices.

In its report, Check Point warned that one million IoT devices were already infected with IOTroop malware and 60 percent of corporate networks contained a device vulnerable to one of several vulnerabilities exploitable by adversaries behind the malware. NewSky Security said attackers have moved beyond recruiting bots and are actively developing attack scripts.

The IOTroop malware targets poorly protected connected devices such as routers and wireless IP cameras manufactured by D-Link, TP-Link, Avtech, Netgear, MikroTik, Linksys, Synology and GoAhead. But because IOTroop doesn’t just exploit default credentials to compromise devices, as Mirai did, it has the potential to do more damage by exploiting nearly a dozen vulnerabilities.

Last year, a Mirai botnet attack flooded DNS provider Dyn causing several well-known websites to go dark for hours.

In his investigation, Anubhav said he reviewed two IOTroop scripts made available by hackers, including one that exploited CVE-2017-8225, a known authentication-bypass vulnerability affecting the wireless IP cameras.

“The first script uses a Shodan query to dump all IP addresses that are devices vulnerable to CVE-2017-8225 by using a known Shodan dork (query),” NewSky wrote in its report. “Now once all vulnerable IPs are collected, the second script uses CVE-2017-8225 to dump credentials for these devices.”

“This combination will help script kiddies to take control over a variety of IoT devices without worrying about two important questions: where (to find devices, which can be hacked) and how (to hack these devices),” the report said.

It was also observed that although the thread in the hacking forum started with scripts that reveal compromised IoT credentials, it soon shifted toward developing a fully functional botnet that can propagate itself. The attackers discussed their inability to run the wget command on the devices and replaced it with a working netcat to open a reverse shell. Both Check Point and NewSky researchers observed the same behavior on devices infected by IOTroop.

The one piece missing is scale. According to Anubhav, 117,055 devices are vulnerable to CVE-2017-8225. To effectively reach those devices, hackers needed access to Shodan Premium to scale the recruitment and to weaponize vulnerable IoT devices.

“We noted the exploit author asking for Shodan credentials, and claiming that if he can get access to Shodan Premium, he will set up a botnet for any purpose,” the researcher said. “Soon we observed that a fellow attacker agreed to share his Shodan credentials with the attacker if it will help him form the botnet. Here onward the thread goes silent. No questions asked, no updates.”

Anubhav said that while the CVE-2017-8225 vulnerability was already known, using the Shodan search engine to find vulnerable devices lowers the bar for an attack.

“A huge number of devices vulnerable via CVE-2017-8225 were simply visible in Shodan, just waiting to be attacked. Without any security or patch, they are now vulnerable to become part of the IoTroop botnet,” Anubhav said.

The identity of the hackers behind the scripts is unknown. According to Anubhav, the two have a number of different aliases and use accounts that trace back to several countries scattered around the globe, making it impossible to determine a country of origin.

Microsoft patches critical Windows DNS client vulnerabilities

Three critical Windows DNS client vulnerabilities were patched today by Microsoft, closing off an avenue where an attacker could relatively simply respond to DNS queries with malicious code and gain arbitrary code execution on Windows clients or Windows Server installations.

The flaws were discovered and privately disclosed to Microsoft by researcher Nick Freeman at Bishop Fox. An attacker on the local network or in a man-in-the-middle position could insert a malicious payload into a DNS response to a Windows machine’s DNS request and trigger the vulnerability.

Windows admins are advised to patch immediately; the bug affects Windows 8 and Windows 10 clients, and Windows Server 2012 and 2016. Bishop Fox said it is not aware of any public attacks using this vulnerability.

“In the majority of cases, the only requirement would be that an attacker is connected to the same network as their target,” Freeman said.

The bug, CVE-2017-11779, traces back to the introduction of DNSSEC in the Microsoft operating system starting with Windows 8 via the DNSAPI.dll library. A DNS Resource Record called NSEC3 handled by the Nsec3_RecordRead function is at the core of the bug because it unsafely parses NSEC3 resource records, Freeman said. Users are at risk regardless of their interaction with the client or server since DNS requests can be made silently by background processes looking up IP addresses, or more noisily via browsing, email applications or streaming music services, for example.

Bishop Fox reasoned in its report that the introduction of DNSSEC into Windows was done in part to reduce the risk posed by the plaintext nature of the protocol making it vulnerable to man-in-the-middle attacks. The NSEC3 vulnerability arrived with DNSSEC.

“The Windows DNS client doesn’t do enough sanity checking when it processes a DNS response that contains an NSEC3 record,” Freeman wrote in a report released today. “Malformed NSEC3 records can trigger this vulnerability and corrupt the memory of the DNS client. If this is done carefully, it can result in arbitrary code execution on the target system.”

There are slight upsides to the bug, Freeman said.

“Because the record is malformed, it doesn’t make it through the normal DNS system. Servers along the way will drop it because it doesn’t fit the standard for NSEC3 record,” he wrote. “This is a good thing, because otherwise this issue would be easier to exploit and have far more serious implications. So, for an attacker to exploit this issue, they need to be between you and the DNS server you’re using.”

However, attackers exploiting the three heap overflow bugs can elevate privileges on a Windows machine, access any sensitive data stored locally or run code on the client or server. Since the Nsec3_RecordRead function fails to parse resource records in a secure way, multiple out-of-bounds writes may result, Freeman said.
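The sanity checking Freeman describes as missing, shown as an added Python example that is not Bishop Fox’s or Microsoft’s code: a bounds-checked parser for the NSEC3 RDATA layout of RFC 5155, which rejects any record whose embedded salt, hash or bitmap length does not fit the bytes actually present, the class of malformed record the text says standards-conforming servers drop. The sample records are constructed for the example.

```python
import struct

# Constructed sample NSEC3 RDATA (RFC 5155 s3.2): alg 1, flags 0, 10 iterations,
# 4-byte salt, 20-byte next hashed owner name, type bitmap covering A (1) and NS (2).
GOOD_NSEC3 = (bytes([1, 0, 0, 10, 4]) + b"\xaa\xbb\xcc\xdd"
              + bytes([20]) + b"\x11" * 20 + bytes([0, 1, 0x60]))
# Constructed malformed sample: salt length field claims 200 bytes, only 1 follows.
OVERSIZED_SALT = bytes([1, 0, 0, 10, 200]) + b"\xaa"

class MalformedNSEC3(ValueError):
    """Raised when an NSEC3 RDATA field does not fit the RFC 5155 layout."""

def parse_nsec3(rdata: bytes) -> dict:
    """Parse NSEC3 RDATA; every embedded length is checked against the bytes present."""
    if len(rdata) < 5:
        raise MalformedNSEC3("fixed header (alg, flags, iterations, salt len) truncated")
    hash_alg, flags, iterations, salt_len = struct.unpack("!BBHB", rdata[:5])
    pos = 5
    if pos + salt_len > len(rdata):
        raise MalformedNSEC3(f"salt length {salt_len} overruns record of {len(rdata)} bytes")
    salt, pos = rdata[pos:pos + salt_len], pos + salt_len
    if pos >= len(rdata):
        raise MalformedNSEC3("hash length byte missing")
    hash_len, pos = rdata[pos], pos + 1
    if hash_len == 0 or pos + hash_len > len(rdata):
        raise MalformedNSEC3(f"hash length {hash_len} does not fit the remaining bytes")
    next_hashed, pos = rdata[pos:pos + hash_len], pos + hash_len
    # Type Bit Maps: (window, bitmap length 1..32, bitmap) blocks, ascending windows
    # (RFC 4034 s4.1.2). A bitmap length is never trusted before it is bounds-checked.
    types, last_window = [], -1
    while pos < len(rdata):
        if pos + 2 > len(rdata):
            raise MalformedNSEC3("type bitmap window header truncated")
        window, bitmap_len, pos = rdata[pos], rdata[pos + 1], pos + 2
        if not 1 <= bitmap_len <= 32 or window <= last_window:
            raise MalformedNSEC3("bad bitmap length or window order")
        if pos + bitmap_len > len(rdata):
            raise MalformedNSEC3("type bitmap runs past end of record")
        for i, octet in enumerate(rdata[pos:pos + bitmap_len]):
            types += [window * 256 + i * 8 + b for b in range(8) if octet & (0x80 >> b)]
        pos, last_window = pos + bitmap_len, window
    return {"hash_alg": hash_alg, "flags": flags, "iterations": iterations,
            "salt": salt, "next_hashed": next_hashed, "types": types}

def is_well_formed(rdata: bytes) -> bool:
    try:
        parse_nsec3(rdata)
        return True
    except MalformedNSEC3:
        return False
```

A resolver or client that gates on is_well_formed before touching any field never reads or writes past the record buffer, whatever lengths a spoofed response claims.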

“The responsible DNSAPI DLL is commonly used by the DnsCache service which runs under svchost.exe as the NT AUTHORITY\NETWORK SERVICE user, and provides the DNS caching service for the DNS client on Windows systems,” Freeman wrote. “It’s also imported by other applications for making DNS queries.”

This bug is especially risky for enterprises because of its potential impact on Windows servers!