Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
New Linux Worm Attacks IoT Devices
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
RyanSepe
RyanSepe,
User Rank: Ninja
6/30/2019 | 9:02:42 AM
Re: Defaults
That's depressing.
tdsan
tdsan,
User Rank: Ninja
6/29/2019 | 8:34:21 PM
Re: Defaults
RyanSepe
RyanSepe,
User Rank: Ninja
6/29/2019 | 8:16:53 PM
Re: Defaults
Definitely concur here. But obviously there are still those out there who are foolish enough for this to still be effective. :( Its quite sad.
tdsan
tdsan,
User Rank: Ninja
6/28/2019 | 8:46:28 PM
Re: For fun
"the software is purely destructive; it captures no data and asks for no ransom. Researcher Ankit Anubhav traced the malware back to its origins and found the developer, who uses the online name "Light Leafon." " Obviously this was for fun. Distraction is huge.

I am not so sure it was all for fun, I think it was also being used to test its capability for another purpose. Think about this, if the actor could access systems with default passwords, then what about writing a hash algorithm to run a for loop to check for possible password combinations.
  1. Check to see if they can get to the device and apply a default username and password
  2. Create a payload or add a function statement that goes through a list of passwords

I think this is a logical step in their next attempt but again we are theorizing, only time will tell.
import getpass
import sys
import telnetlib
import time

#Getting the user information
user=input("Enter User name: ")
password=getpass.getpass()

#open file
iplist=open("ipfile.txt")

#Loop through IP address and execute commands
for line in  iplist:

 Host=line.strip("\n")    
 print ("Configuring Switch",Host)
 tn = telnetlib.Telnet(Host)    
 tn.read_until(b"Username: ")   
 tn.write(user.encode('ascii') + b"\n")
 tn.read_until(b"Password: ")
 tn.write(password.encode('ascii')+b"\n")
 time.sleep(2)     
 tn.write(b"enable\n")  
 time.sleep(2)
 tn.write(b"admin\n")  
 time.sleep(2)
 tn.write(b"config t\n")
 time.sleep(2)
 tn.write(b"snmp-server community Secured ro\n") 
 print ("Switch ",Host,"Configured")
 line=tn.read_some()
 tn.close()                           
 print (line)                      

#closing file 
ipfile.close()

 Todd
tdsan
tdsan,
User Rank: Ninja
6/28/2019 | 7:40:48 PM
Re: Linux Worm Exploits and Defenses
Yes, I agree, that is why I had mentioned in my excert that the vendor should disable telnet altogether or block it.

In addition, companies like Cisco and Juniper ask the user to change the default password. If the user does not change the password then the system should be halted until they change it based on recommended security guidelines (listed below).

NIST password guidelines - "NIST guidance recommends the following for passwords: An eight character minimum and 64 character maximum length. The ability to use all special characters but no special requirement to use them."
  • An eight character minimum and 64 character maximum length
  • The ability to use all special characters but no special requirement to use them
  • Restrict sequential and repetitive characters (e.g. 12345 or aaaaaa)
  • Restrict context specific passwords (e.g. the name of the site, etc.)
  • Restrict commonly used passwords (e.g. [email protected], etc.)
  • Restrict passwords obtained from previous breach corpuses
NIST Security Password Guidelines

Todd

 
Dr.T
Dr.T,
User Rank: Ninja
6/28/2019 | 6:47:51 PM
Defaults
It could attack any Linux system deployed on the Internet with open telnet ports and default admin credentials. So it is not supposed to be an attack at all. Who would leave defaults as they are today?
Dr.T
Dr.T,
User Rank: Ninja
6/28/2019 | 6:46:12 PM
Re: Linux Worm Exploits and Defenses
The IoT devices related to the internet. That is why they become vulnerable too.
Dr.T
Dr.T,
User Rank: Ninja
6/28/2019 | 6:44:13 PM
Re: Linux Worm Exploits and Defenses
A number of companies are doing this but after reading the report, it seems this practice is not performed across the board. Most SME would not pay enough attention to it so they mostly miss it.
Dr.T
Dr.T,
User Rank: Ninja
6/28/2019 | 6:42:14 PM
Re: Linux Worm Exploits and Defenses
I do agree the responsibility should rest with the consumer where the system asks or provides insight on how to change the admin password Anting left to consumers will be at high risk. Better to avoid expecting anything from consumers.
Dr.T
Dr.T,
User Rank: Ninja
6/28/2019 | 6:40:46 PM
For fun
the software is purely destructive; it captures no data and asks for no ransom. Researcher Ankit Anubhav traced the malware back to its origins and found the developer, who uses the online name "Light Leafon." Obviously this was for fun. Distraction is huge.
Page 1 / 2   >   >>


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Developing and Testing an Effective Breach Response Plan
Whether or not a data breach is a disaster for the organization depends on the security team's response and that is based on how the team developed a breach response plan beforehand and if it was thoroughly tested. Inside this report, experts share how to: -understand the technical environment, -determine what types of incidents would trigger the plan, -know which stakeholders need to be notified and how to do so, -develop steps to contain the breach, collect evidence, and initiate recovery.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-4278
PUBLISHED: 2022-12-03
A vulnerability was found in SourceCodester Book Store Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /hrm/employeeadd.php. The manipulation of the argument empid leads to sql injection. The attack may be initiated remotely. The exploit h...
CVE-2022-4279
PUBLISHED: 2022-12-03
A vulnerability classified as problematic has been found in SourceCodester Human Resource Management System 1.0. Affected is an unknown function of the file /hrm/employeeview.php. The manipulation of the argument search leads to cross site scripting. It is possible to launch the attack remotely. The...
CVE-2022-4280
PUBLISHED: 2022-12-03
A vulnerability, which was classified as problematic, has been found in Dot Tech Smart Campus System. Affected by this issue is some unknown functionality of the file /services/Card/findUser. The manipulation leads to information disclosure. The attack may be launched remotely. The exploit has been ...
CVE-2022-4277
PUBLISHED: 2022-12-03
A vulnerability was found in Shaoxing Background Management System. It has been declared as critical. This vulnerability affects unknown code of the file /Default/Bd. The manipulation of the argument id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to t...
CVE-2022-4275
PUBLISHED: 2022-12-03
A vulnerability has been found in House Rental System and classified as critical. Affected by this vulnerability is an unknown functionality of the file search-property.php of the component POST Request Handler. The manipulation of the argument search_property leads to sql injection. The attack can ...