Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
New Linux Worm Attacks IoT Devices
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
Webtoolsoffers
Webtoolsoffers,
User Rank: Apprentice
6/28/2019 | 4:31:00 AM
Re: Linux Worm Exploits and Defenses
The IoT devices related to the internet. Now-a-day IoT devices is most useful because we can get information through mobile interenet
tdsan
tdsan,
User Rank: Ninja
6/27/2019 | 2:52:55 PM
Linux Worm Exploits and Defenses
The new software, dubbed "Silex," is running across the Internet looking for Linux systems deployed with default admin credentials. Once it finds such a system, it overwrites all of the system's storage with random data, drops its firewall rules, removes its network configuration, and then restarts the system — effectively rendering the device useless.

I do agree the responsibility should rest with the consumer where the system asks or provides insight on how to change the admin password but this should be a mandatory function (to change the password and remove telnet or disable it) when the user logs in. A number of companies are doing this but after reading the report, it seems this practice is not performed across the board.

 
It could attack any Linux system deployed on the Internet with open telnet ports and default admin credentials.

Ways to thwart the linux attack:
  • iptables -I INPUT 1 -m multiport --dport 23 -s 0.0.0.0/0 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j DROP (the code can be updated to include more ports (-m option), conntrack tracks the attempts and the --ctstate looks for NEW, ESTABLISHED and Relates sessions, the -J is used to drop the connection)
  • ufw deny in -proto tcp from 0.0.0.0/0 to 0.0.0.0/0 port 23 "comment Deny telnet access" or a shorter method is ufw deny in telnet.
  • Firewall - disable telnet from the IOT device or only allow internal access when needed if telnet is essential to diagnostic issues
  • Another option would be to stop the service all together
service stop telnet-server or systemctl stop telnet-server

 

Shodan provides a complete list of devices that still have default passwords enabled.

 Todd

 
<<   <   Page 2 / 2


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Creating an Effective Incident Response Plan
Security teams are realizing their organizations will experience a cyber incident at some point. An effective incident response plan that takes into account their specific requirements and has been tested is critical. This issue of Tech Insights also includes: -a look at the newly signed cyber-incident law, -how organizations can apply behavioral psychology to incident response, -and an overview of the Open Cybersecurity Schema Framework.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-45045
PUBLISHED: 2022-12-01
Multiple Xiongmai NVR devices, including MBD6304T V4.02.R11.00000117.10001.131900.00000 and NBD6808T-PL V4.02.R11.C7431119.12001.130000.00000, allow authenticated users to execute arbitrary commands as root, as exploited in the wild starting in approximately 2019. A remote and authenticated attacker...
CVE-2022-45640
PUBLISHED: 2022-12-01
Tenda Tenda AC6V1.0 V15.03.05.19 is affected by buffer overflow. Causes a denial of service (local).
CVE-2022-40489
PUBLISHED: 2022-12-01
ThinkCMF version 6.0.7 is affected by a Cross Site Request Forgery (CSRF) vulnerability that allows a Super Administrator user to be injected into administrative users.
CVE-2022-40849
PUBLISHED: 2022-12-01
ThinkCMF version 6.0.7 is affected by Stored Cross-Site Scripting (XSS). An attacker who successfully exploited this vulnerability could inject a Persistent XSS payload in the Slideshow Management section that execute arbitrary JavaScript code on the client side, e.g., to steal the administrator's P...
CVE-2022-44262
PUBLISHED: 2022-12-01
ff4j 1.8.1 is vulnerable to Remote Code Execution (RCE).