Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
10/31/2019
05:05 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

32,000+ WiFi Routers Potentially Exposed to New Gafgyt Variant

Researchers detect an updated Gafgyt variant that targets flaws in small office and home wireless routers from Zyxel, Huawei, and Realtek.

A newly discovered variant of the Gafgyt Internet of Things (IoT) botnet is attempting to infect connected devices, specifically small office and home wireless routers from brands that include Zyxel, Huawei, and Realtek.

Gafgyt was first detected in 2014. Since then, it has become known for large-scale distributed denial-of-service attacks, and its many variants have grown to target a range of businesses across industries. Starting in 2016, researchers with Unit 42 (formerly Zingbox security research) noticed wireless routers are among the most common IoT devices in all organizations and prime targets for IoT botnets.

When a botnet strikes, it can degrade the production network and reputation of a company's IP addresses. Botnets gain access to connected devices by using exploits instead of attempting to log in via unsecured services. As a result, a botnet can more easily spread through IoT devices even if a business's admins have disabled unsecured services and use strong login credentials.

The new Gafgyt variant, detected in September, is a competitor of the JenX botnet. JenX also leverages remote code execution exploits to access and recruit botnets to attack gaming servers, especially those running the Valve Source engine, and launch a denial-of-service (DoS) attack. This Gafgyt variant targets vulnerabilities in three wireless router models, two of which it has in common with JenX. The two share CVE-2017-17215 (in Huawei HG532) and CVE-2014-8361 (in Realtek's RTL81XX chipset). CVE-2017-18368 (in Zyxel P660HN-T1A) is a new addition to Gafgyt.

"Gafgyt was developed off JenX botnet code, which just highlights how much interest there is when it comes to building botnets within that community," says Jen Miller-Osborn, deputy director of threat intelligence at Unit 42. This evolution of Gafgyt indicates a dedicated group of people is working to update these botnets and make them more dangerous, she notes. Most of the time when a botnet is updated, it typically means a new CVE has been added to its lineup.

"The difference with this one is the developers added a new vulnerability to it that wasn't present in the previous one," Miller-Osborn says. "That added to its potential reach." Shodan scans indicate at least 32,000 Wi-Fi routers are potentially vulnerable to these exploits.

Gafgyt uses three "scanners" in an attempt to exploit known remote code execution bugs in the aforementioned routers. These scanners replace the typical "dictionary" attacks employed by other IoT botnets, which typically aim to breach connected devices through unsecured services.

The exploits are designed to work as binary droppers, which pull a corresponding binary from a malicious server depending on the type of device it's trying to infect. The new Gafgyt variant is capable of conducting different types of DoS attacks at the same time, depending on the commands it receives from the command-and-control server, Unit 42 researchers say in a blog post on the findings.

Gafgyt Sets Sights on Gamers
One of the DoS attacks this Gafgyt variant can perform is VSE, which contains a payload to attack game servers running the Valve Source Engine. This is the engine that runs games like Half-Life, Team Fortress 2, and others. Researchers emphasize this isn't an attack on Valve, as anyone can run a server for the games on their own network. This attack targets the servers. 

With the rest of the DoS attack methods, operators are targeting other servers hosting popular games such as Fortnite, Unit 42 found. Miller-Osborn says the purpose in targeting gaming servers is mostly to be an annoyance. "They're not going to make a lot of money doing it," she adds.

While gaming servers have become popular victims, the diversity of IoT devices targeted in these attacks has grown, researchers say. These is nothing about these routers that makes them more likely to be owned by gamers; home users and small businesses are also at risk.

"Once they're compromised, they're used to do malicious activity," Miller-Osborn explains. "The routers themselves could be owned by anyone. The biggest thing, especially with all these IoT malware families, is for people to keep in mind this is probably just going to get worse."

An attack on gaming servers is one thing, she says. It's typically a DoS incident and people aren't getting hurt. However, if an attacker can effectively compromise a router, they can also move into the network and conduct more nefarious activity — for example, data theft.

These attacks highlight the fact that there are a lot of devices, especially routers, active on the Internet and vulnerable to a number of CVEs. The new Gafgyt variant, for example, targets two router vulnerabilities from 2017 and one from 2014, Miller-Osborn points out. "When it comes to routers, you don't necessarily see them getting patched," she notes. Outside the security community, few people will know when they should update their routers or if they've been hit by a botnet — unless, of course, their Internet service provider tells them.

Instagram: New Botnet Market
Cybercriminals are also finding new ways to sell botnets, researchers report. Once an activity limited to the Dark Web, the buying and selling of malware has surfaced to social networks.

In one attack analyzed, the new Gafgyt variant looks for competing botnets on the same device and tries to kill them. It does this by looking for certain keywords and binary names present in other IoT botnet variants. Researchers noticed some strings related to other IoT botnets (Mirai, Hakai, Miori, Satori) and some corresponded to Instagram usernames. The team built some fake profiles and reached out, only to find they're selling botnets in their Instagram profiles.

(Image: Unit 42)

(Image: Unit 42)

Attackers offered the researchers source code for botnets. Unit 42 has contacted Instagram to report these profiles; it also reported malicious sites being used to handle botnet subscriptions. It's "pretty common" for these sales to happen on social media, says Miller-Osborn, and a constant fight for social networks to take down malicious accounts.

"People want to market their devices and services, and one of the easiest ways to do that is on social media," she explains. While it makes things simple for attackers, removing the accounts is "a constant game of whack-a-mole" for social media companies.

Related Content:

This free, all-day online conference offers a look at the latest tools, strategies, and best practices for protecting your organization’s most sensitive data. Click for more information and, to register, here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Human Nature vs. AI: A False Dichotomy?
John McClurg, Sr. VP & CISO, BlackBerry,  11/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: -when I told you that our cyber-defense was from another age
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16200
PUBLISHED: 2019-11-20
GNU Serveez through 0.2.2 has an Information Leak. An attacker may send an HTTP POST request to the /cgi-bin/reader URI. The attacker must include a Content-length header with a large positive value that, when represented in 32 bit binary, evaluates to a negative number. The problem exists in the ht...
CVE-2019-15073
PUBLISHED: 2019-11-20
An Open Redirect vulnerability for all browsers in MAIL2000 through version 6.0 and 7.0, which will redirect to a malicious site without authentication. This vulnerability affects many mail system of governments, organizations, companies and universities.
CVE-2019-15072
PUBLISHED: 2019-11-20
The login feature in "/cgi-bin/portal" in MAIL2000 through version 6.0 and 7.0 has a cross-site scripting (XSS) vulnerability, allowing execution of arbitrary code via any parameter. This vulnerability affects many mail system of governments, organizations, companies and universities.
CVE-2019-15071
PUBLISHED: 2019-11-20
The "/cgi-bin/go" page in MAIL2000 through version 6.0 and 7.0 has a cross-site scripting (XSS) vulnerability, allowing execution of arbitrary code via ACTION parameter without authentication. The code can executed for any user accessing the page. This vulnerability affects many mail syste...
CVE-2019-6176
PUBLISHED: 2019-11-20
A potential vulnerability reported in ThinkPad USB-C Dock Firmware version 3.7.2 may allow a denial of service.