fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

New Botnet Targets Network Security Devices With Critical Exploits

New Botnet Targets Network Security Devices With Critical Exploits

Authors of a new botnet are targeting connected devices affected by critical-level vulnerabilities, some of them impacting network security devices.

The attacks are still active and use publicly available exploits, sometimes only a few hours after being published. Exploit code for at least ten vulnerabilities has been leveraged so far, the latest being added over the weekend.

Exploiting old and recent bugs

Successfully compromised devices end up with a variant of the Mirai botnet malware specific to the architecture of the device.

In mid-February, security researchers at Palo Alto Networks’ Unit 42 discovered attacks from this botnet and started to track its activity.

It took about a month for the botnet operator to integrate exploits for ten vulnerabilities, many of them critical, for various targets.

Among them is VisualDoor, the exploit for a remote command injection vulnerability in SonicWall SSL-VPN devices that the maker says they fixed years ago.

There are more recent exploits leveraged in these attacks, like CVE-2021-22502, a remote code execution bug in the Micro Focus Operation Bridge Reporter (OBR) product from Vertica.

OBR uses big data technology to create performance reports based on data from other enterprise software.

Two other critical-severity vulnerabilities exploited in attacks from the operator of this Mirai-based botnet are CVE-2021-27561 and CVE-2021-27562 affecting Yealink Device Management.

Also Read: What Does A Data Protection Officer Do? 5 Main Things

The flaws were reported through the SSD Secure Disclosure program by independent security researchers Pierre Kim and Alexandre Torres. Technical analysis is available here.

They stem from user-provided data not being properly filtered and allow an unauthenticated attacker to run arbitrary commands on the server with root permission.

Unit 42 researchers say that three of the vulnerabilities the attackers exploit have yet to be identified as the targets remain unknown. Below is a list of the flaws leveraged in these attacks:

IDVulnerabilityDescriptionSeverity
1VisualDoorSonicWall SSL-VPN Remote Command Injection Vulnerabilitycritical severity
2CVE-2020-25506D-Link DNS-320 Firewall Remote Command Execution Vulnerabilitycritical severity, 9.8/10
3CVE-2021-27561 and CVE-2021-27562Yealink Device Management Pre-Auth ‘root’ Level Remote Code Execution Vulnerabilitycritical severity
4CVE-2021-22502Remote Code Execution Vulnerability in Micro Focus Operation Bridge Reporter (OBR), affecting version 10.40critical severity, 9.8/10
5CVE-2019-19356Resembles the Netis WF2419 Wireless Router Remote Code Execution Vulnerabilityhigh severity, 7.5/10
6CVE-2020-26919Netgear ProSAFE Plus Unauthenticated Remote Code Execution Vulnerabilitycritical severity, 9.8/10
7UnidentifiedRemote Command Execution Vulnerability Against an Unknown TargetUnknown
8UnidentifiedRemote Command Execution Vulnerability Against an Unknown TargetUnknown
9Unknown VulnerabilityVulnerability Used by Moobot in the Past, Although the Exact Target is Still UnknownUnknown

Also Read: The DNC Registry Singapore: 5 Things You Must Know

After successfully comprising a device, the attacker dropped various binaries that let them schedule jobs, create filter rules, run brute-force attacks, or propagate the botnet malware:

  • lolol.sh: downloads and runs architecture-specific “dark” binaries; it also schedules a job to rerun the script and creates traffic rules that blocks incoming connections over common ports for SSH, HTTP, telnet
  • install.sh: installs the ‘zmap’ network-scanner, downloads GoLang and the files for running brute-force attacks on IPs discovered by ‘zmap’
  • nbrute.[arch]: binary for brute-force attacks
  • combo.txt: a text file with credentials to be used in brute-force attacks
  • dark.[arch]: Mirai-based binary used for propagation via exploits or brute-forcing

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us