Noticias y Eventos

Auth Bypass Bug Exploited, Affecting Millions of Routers

09/08/2021

2A mere three days after disclosure, cyberattackers are hijacking home routers from 20 vendors & ISPs to add them to a Mirai-variant botnet used for carrying out DDoS attacks. An authentication-bypass vulnerability affecting multiple routers and internet-of-things (IoT) devices is being actively exploited in the wild, according to researchers.

The security flaw, tracked as CVE-2021-20090, was disclosed last week by researchers at Tenable. It affects devices from 20 different vendors and ISPs (ADB, Arcadyan, ASMAX, ASUS, Beeline, British Telecom, Buffalo, Deutsche Telekom, HughesNet, KPN, O2, Orange, Skinny, SparkNZ, Telecom [Argentina], TelMex, Telstra, Telus, Verizon and Vodafone), all of which use the same firmware from Arcadyan. In all, millions of devices worldwide could be vulnerable.

Tenable demonstrated in a proof of concept (PoC) that it’s possible to modify a device’s configuration to enable Telnet on a vulnerable router and gain root level shell access to the device.

“The vulnerability exists due to a list of folders which fall under a ‘bypass list’ for authentication,” according to Tenable’s advisory on August 3. “For most of the devices listed, that means that the vulnerability can be triggered by multiple paths. For a device in which http://<ip>/index.htm requires authentication, an attacker could access index.htm using the following paths:

http://<ip>/images/..%2findex.htm

http://<ip>/js/..%2findex.htm

http://<ip>/css/..%2findex.htm

“To have the pages load properly, one will need to use proxy match/replace settings to ensure any resources loaded which require authentication also leverage the path traversal,” the advisory continued.

eCh0raix Ransomware Variant Targets QNAP, Synology NAS Devices

Some bad actors are honing tools to go after small fry: This variant was refined to target not one, but two vendors’ devices that are common in SOHO setups.

Operators of the nearly-year-old eCh0raix ransomware strain that’s been used to target QNAP and Synology network-attached storage (NAS) devices in past, separate campaigns have, gotten more efficient. According to researchers, both have put out a new variant that can target either vendors’ devices in a single campaign.

In a report published Tuesday, Palo Alto Network Unit 42 researchers said the new variant of eCh0raix exploits a critical bug, CVE-2021-28799 – an improper authorization vulnerability that gives attackers access to hard-coded credentials so as to plant a backdoor account – in the Hybrid Backup Sync (HBS 3) software on QNAP’s NAS devices.

HBS is used for backup, restoration and synchronization between local, remote and cloud storage spaces. On April 21, users of devices marketed by the Taiwanese vendor – Quality Network Appliance Provider (QNAP) – began to report attacks that, it turned out, abused this same flaw. Hundreds of users were extorted, as BleepingComputer reported at the time.

On June 21, Unit 42 spotted an attack targeting QNAP HBS3 with an exploit of CVE-2021-28799. It’s not the first time this bug was exploited to deliver Qlocker, researchers said, but it’s the first time it’s been pried open to deliver eCh0raix, aka QNAPCrypt ransomware: an unusual Linux ransomware that was used to target QNAP NAS servers in 2019.

Researchers shared an image of the payload – shown below – which was still live at the time the report was published on Tuesday. “The attack tried to utilize a hard-coded session ID ‘jisoosocoolhbsmgnt’ to bypass authentication and execute a command on the device, aiming to fetch malware from the remote server 64[.]42[.]152[.]46 and run it on the victim device,” Unit 42 said.

Exploited to Spread Mirai Variant
Just three days after disclosure, on Friday, cybersecurity researchers from Juniper Networks said they had discovered active exploitation of the bug.

“We have identified some attack patterns that attempt to exploit this vulnerability in the wild coming from an IP address located in Wuhan, Hubei province, China,” they wrote in a post. “The attacker seems to be attempting to deploy a Mirai variant on the affected routers.”

Cleaving close to Tenable’s PoC, the attackers are modifying the configuration of the attacked device to enable Telnet using “ARC_SYS_TelnetdEnable=1” to take control, according to Juniper. Then, they proceed to download the Mirai variant from a command-and-control (C2) server and execute it.

Mirai is a long-running botnet that infects connected devices and can be used to mount distributed denial-of-service (DDoS) attacks. It burst on the scene in 2016, when it overwhelmed servers at the Dyn web hosting company, taking down more than 1,200 websites, including Netflix and Twitter. Its source code was leaked later that year, after which multiple Mirai variants began to crop up, in a barrage that continues to this day.

Some of the scripts in the current set of attacks bear resemblance to previously observed activity picked up in February and March, according to Juniper.

“The similarity could indicate that the same threat actor is behind this new attack and attempting to upgrade their infiltration arsenal with yet another freshly disclosed vulnerability,” researchers wrote. “Given that most people may not even be aware of the security risk and won’t be upgrading their device anytime soon, this attack tactic can be very successful, cheap and easy to carry out.”

In addition to the router bug, Juniper researchers observed the following known vulnerabilities being exploited to gain initial access to target devices:

CVE-2020-29557 (DLink routers)
CVE-2021-1497 and CVE-2021-1498 (Cisco HyperFlex)
CVE-2021-31755 (Tenda AC11)
CVE-2021-22502 (MicroFocus OBR)
CVE-2021-22506 (MicroFocus AM)
In fact, the attackers have been continuously adding new exploits to its arsenal, according to the posting, and CVE-2021-20090 is unlikely to be the last.

“It is clear that threat actors keep an eye on all disclosed vulnerabilities,” researchers concluded. “Whenever an exploit PoC is published, it often takes them very little time to integrate it into their platform and launch attacks.”

To avoid compromise, users should update their firmware on the router.

“In the case of IoT devices or home gateways, the situation is much worse as most users are not tech-savvy and even those who are do not get informed about potential vulnerabilities and patches to apply,” according to Juniper. “The only sure way to remedy this issue is to require vendors to offer zero-down-time automatic updates.”

AUTHOR: TARA SEALS

The eCh0raix operators have branched out: Payload analysis shows that they’ve gone beyond their typical targeting of QNAP devices to also target Synology NAS devices, thereby enabling the ransomware to ensnare both vendors’ devices, Unit 42 researchers found.

Timeline
As far as unit 42 can determine, there’s been no analysis yet of malware samples that would show eCh0raix ransomware targeting Synology devices before this. “Instances of Synology devices infected by eCh0raix have been reported from as far back as 2019, but the only previous research connecting the Synology attacks to eCh0raix actors is based on decryptors that were found,” they elaborated.

The first time that Unit 42 researchers saw this dual-vendor variant was September 2020. Maybe the combined variant was authored at that time and the attackers had separate code bases to target the vendors’ devices in separate campaigns before that, they suggested: a hypothesis that’s confirmed by the new variant’s project name, as revealed in compilation paths in GoLang binaries: “rct_cryptor_universal” (/home/dev/GoglandProjects/src/rct_cryptor_universal).

“Prior samples of eCh0raix use the project name qnap_crypt_worker,” researchers pointed out. Between June and September 2020, they did see other eCh0raix samples using that rct_cryptor_universal project name, but September 2020 was when they first saw a full-blown sample with two separate code flows.

Nearly a Quarter-Million Vulnerable NAS Devices
It looks like eCh0raix is virulent: Victims have been posting their tales on forums, claiming to have paid ransoms of bitcoin valued at about $500 at the time, as recently as June 16, 2021.

Unit 42 researchers estimated that there are about 240,000 internet-connected QNAP NAS devices and only about 3,500 Synology NAS devices, meaning that adding Synology to its hit list didn’t significantly boost the ransomware’s attack surface. Still, a quarter-million potential targets is nothing to sneeze at.

Why Nickel-and-Dime SOHO users?

They’re going after small fry because small office/home office (SOHO) NAS devices can be used “as a stepping stone in supply chain attacks on large enterprises that can generate huge ransoms,” Unit 42 suggested.

“We’re releasing our findings about this new variant of eCh0raix to raise awareness of the ongoing threats to the SOHO and small business sectors,” the researchers explained. “Coverage of the ransomware crisis tends to focus on threats to large enterprises and government agencies, which are facing increasingly aggressive and disruptive ransomware attacks. However, the SOHO and small business sectors can contain a large attack surface for threat actors.”

Speech Technology Сenter has developed a voice robot that will remind you of your doctor’s appointment and inform you on how to prepare for your procedure

23.06.2021

Speech Technology Center, a Sber ecosystem company, has created a voice recognition robot that optimizes the work of medical institutions.

This virtual assistant can remind you of your doctor’s appointment, saving time from missed appointments for other patients and increasing the throughput of medical institutions, which is especially important today. Additionally, as part of an appointment reminder call, the robot can advise you on how to prepare for or reschedule your appointment. Premiered at the Sber booth during CIPR 2021, this development has the key goals of streamlining doctors’ workload and increasing the availability of medical care in polyclinics. The solution should improve doctors’ efficiency and reduce the number of patients who are unprepared for their procedures.

The technologies and products used to create this voice robot were drawn up in Speech Technology Center’s R&D division: these products employ proprietary NLU technology for speech recognition and synthesis.

Speech synthesis allows the robot to actually “speak”. The robot’s voice was developed from scratch using synthesis, which made it possible to achieve the virtual assistant’s uniquely smooth speech patterns, with correct intonation and semantic accents. We tried to make the timbre and manner of speech as natural and smooth as possible, bringing them as close to the normal human speech as possible. Speech recognition technology is being used to understand what the patient is saying. What makes this technology special is its ability to recognize spontaneous speech that is not always intelligible, like if a patient calls in from a noisy environment or interrupts the robot.

Another thing that makes SOHO users tempting targets is that they don’t have the heavy-duty watchdogs that protect enterprises, Unit 42 continued: “SOHO users typically do not employ dedicated IT or security professionals, which makes them less prepared to block ransomware attacks than larger organizations.”

Alec Alvarado, Threat Intelligence Team Lead at digital risk protection provider Digital Shadows, told Threatpost on Tuesday that large organizations getting hit with ransomware gets most of the big headlines, but that “threats of ransomware at the individual and small business levels are still widely prevalent.”

Cybercriminals are “looking for the low-hanging fruit to cast as wide of a net as possible and increase their potential return on investment,”  he commented. “NAS devices provide ample opportunity for attacks at the individual level and could be used for extortion or lateral movement into larger networks. The increase in work-from-home models has created a BYOD nightmare for defenders, and NAS devices are included in that. Threat actors, much like water, are trying to find the path of least resistance, and NAS devices could prove a good option for a foot in the door.”

Cover Your NAS
Unit 42 passed along these best practices for protecting home offices from ransomware attacks:

Update device firmware to keep attacks of this nature at bay. Details about updating QNAP NAS devices against CVE-2021-28799 can be found on the QNAP website.
Create complex login passwords to make brute-forcing more difficult for attackers.
Limit connections to SOHO connected devices from only a hard-coded list of recognized IPs to prevent network attacks that are used to deliver ransomware to devices.
About Those Hard-Coded Credentials
The big “if only”: If only there weren’t any hard-coded credential to begin with. Alvarado noted that the new variant’s exploit of a hard-coded credential is just the latest example of why hard-coding device credentials is widely seen as an unsafe practice that’s resulted in compromise on multiple occasions.

“Once these devices are distributed, it is only a matter of time for threat actors to discover the hard-coded credentials and use the information maliciously,” he said via email. “Then it is even more challenging to patch these devices, as the hard-coded credentials are integral for the device to operate. Furthermore, users of these devices aren’t likely to have the ability to disable the function or change the password, let alone they are likely unaware the hard-coded credentials are in use.”


AUTHOR: LISA VAAS

LINK: eCh0raix Ransomware Variant Targets QNAP, Synology NAS Devices | Threatpost

WhatsApp