<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	>
<channel>
	<title>Comments on: Mirai DDoS Trojan Is the Next Big Threat to IoT Devices and Linux Servers</title>
	<atom:link href="http://www.epanorama.net/blog/2016/09/06/mirai-ddos-trojan-is-the-next-big-threat-to-iot-devices-and-linux-servers/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.epanorama.net/blog/2016/09/06/mirai-ddos-trojan-is-the-next-big-threat-to-iot-devices-and-linux-servers/</link>
	<description>All about electronics and circuit design</description>
	<lastBuildDate>Thu, 16 Apr 2026 09:52:49 +0000</lastBuildDate>
		<sy:updatePeriod>hourly</sy:updatePeriod>
		<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.9.14</generator>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2016/09/06/mirai-ddos-trojan-is-the-next-big-threat-to-iot-devices-and-linux-servers/comment-page-1/#comment-1593401</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 06 Jun 2018 13:33:38 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=46721#comment-1593401</guid>
		<description><![CDATA[Mirai Variants Continue to Spawn in Vulnerable IoT Ecosystem
https://www.securityweek.com/mirai-variants-continue-spawn-vulnerable-iot-ecosystem]]></description>
		<content:encoded><![CDATA[<p>Mirai Variants Continue to Spawn in Vulnerable IoT Ecosystem<br />
<a href="https://www.securityweek.com/mirai-variants-continue-spawn-vulnerable-iot-ecosystem" rel="nofollow">https://www.securityweek.com/mirai-variants-continue-spawn-vulnerable-iot-ecosystem</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2016/09/06/mirai-ddos-trojan-is-the-next-big-threat-to-iot-devices-and-linux-servers/comment-page-1/#comment-1559685</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Mon, 21 Aug 2017 09:04:17 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=46721#comment-1559685</guid>
		<description><![CDATA[Russell Brandom / The Verge:
Researchers: October&#039;s Mirai botnet attack on Dyn DNS service was incidental; original target was PlayStation Network name servers used by Dyn


Angry gamers may have been behind last year’s web-breaking DDoS attack
Targets included Brazilian Minecraft servers and the PlayStation Network
https://www.theverge.com/2017/8/18/16170536/mirai-ddos-playstation-network-dyn-internet-angry-gamers

Last October, a flood of traffic from the Mirai botnet brought down major portions of the internet, blocking access to Amazon, Netflix, and other services for most of the northeastern US. It was a painful reminder of the fragility of the internet and the danger of insecure Internet of Things devices — but despite the broad scale of the damage, new research presented today at the Usenix conference suggests the attackers may have just been trying to kick people off PlayStation.

The new report comes from a team of researchers at Google, Cloudflare, Merit Networks, Akamai, and a range of university partners, drawing on data from some of the largest infrastructure networks on the web. Looking at the October attack on DNS provider Dyn, researchers noticed something unusual. All the IP addresses targeted by the attack were nameservers for the PlayStation Network, used by Dyn to connect visitors to the correct IP address. Because of the networked nature of Dyn’s domain registration system, attacking those servers meant attacking the whole system — and when it went down, it brought down access to dozens of other services with it.

During the same period, the same attackers also went after a handful of gaming services. The researchers also detected attacks on Xbox Live, Nuclear Fallout and Valve Steam servers during the same period, suggesting the group was going after a wide range of gaming systems.

“This pattern of behavior suggests that the Dyn attack on October 21, 2016 was not solely aimed at Dyn,” the researchers conclude. “The attacker was likely targeting gaming infrastructure that incidentally disrupted service to Dyn’s broader customer base.”]]></description>
		<content:encoded><![CDATA[<p>Russell Brandom / The Verge:<br />
Researchers: October&#8217;s Mirai botnet attack on Dyn DNS service was incidental; original target was PlayStation Network name servers used by Dyn</p>
<p>Angry gamers may have been behind last year’s web-breaking DDoS attack<br />
Targets included Brazilian Minecraft servers and the PlayStation Network<br />
<a href="https://www.theverge.com/2017/8/18/16170536/mirai-ddos-playstation-network-dyn-internet-angry-gamers" rel="nofollow">https://www.theverge.com/2017/8/18/16170536/mirai-ddos-playstation-network-dyn-internet-angry-gamers</a></p>
<p>Last October, a flood of traffic from the Mirai botnet brought down major portions of the internet, blocking access to Amazon, Netflix, and other services for most of the northeastern US. It was a painful reminder of the fragility of the internet and the danger of insecure Internet of Things devices — but despite the broad scale of the damage, new research presented today at the Usenix conference suggests the attackers may have just been trying to kick people off PlayStation.</p>
<p>The new report comes from a team of researchers at Google, Cloudflare, Merit Networks, Akamai, and a range of university partners, drawing on data from some of the largest infrastructure networks on the web. Looking at the October attack on DNS provider Dyn, researchers noticed something unusual. All the IP addresses targeted by the attack were nameservers for the PlayStation Network, used by Dyn to connect visitors to the correct IP address. Because of the networked nature of Dyn’s domain registration system, attacking those servers meant attacking the whole system — and when it went down, it brought down access to dozens of other services with it.</p>
<p>During the same period, the same attackers also went after a handful of gaming services. The researchers also detected attacks on Xbox Live, Nuclear Fallout and Valve Steam servers during the same period, suggesting the group was going after a wide range of gaming systems.</p>
<p>“This pattern of behavior suggests that the Dyn attack on October 21, 2016 was not solely aimed at Dyn,” the researchers conclude. “The attacker was likely targeting gaming infrastructure that incidentally disrupted service to Dyn’s broader customer base.”</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2016/09/06/mirai-ddos-trojan-is-the-next-big-threat-to-iot-devices-and-linux-servers/comment-page-1/#comment-1540267</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Fri, 10 Mar 2017 11:05:27 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=46721#comment-1540267</guid>
		<description><![CDATA[Multiple vulnerabilities found in Wireless IP Camera (P2P) WIFICAM cameras and vulnerabilities in custom http server
https://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html

Vulnerabilities Summary

The Wireless IP Camera (P2) WIFICAM is an overall badly designed camera with a lot of vulnerabilities. This camera is very similar to a lot of other Chinese cameras.

It seems that a generic camera is being sold by a Chinese company in bulk (OEM) and the buyer companies resell them with custom software development and specific branding. Wireless IP Camera (P2) WIFICAM is one of the branded cameras.

So, cameras are sold under different names, brands and functions. The HTTP interface is different for each vendor but shares the same vulnerabilities. The OEM vendors used a custom version of GoAhead and added vulnerable code inside.

Because of code reuse, the vulnerabilities are present in a huge list of cameras (especially the InfoLeak and the RCE), which allow executing root commands against 1250+ camera models with a pre-auth vulnerability.

These cameras are likely affected by a pre-auth RCE as root.]]></description>
		<content:encoded><![CDATA[<p>Multiple vulnerabilities found in Wireless IP Camera (P2P) WIFICAM cameras and vulnerabilities in custom http server<br />
<a href="https://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html" rel="nofollow">https://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html</a></p>
<p>Vulnerabilities Summary</p>
<p>The Wireless IP Camera (P2) WIFICAM is an overall badly designed camera with a lot of vulnerabilities. This camera is very similar to a lot of other Chinese cameras.</p>
<p>It seems that a generic camera is being sold by a Chinese company in bulk (OEM) and the buyer companies resell them with custom software development and specific branding. Wireless IP Camera (P2) WIFICAM is one of the branded cameras.</p>
<p>So, cameras are sold under different names, brands and functions. The HTTP interface is different for each vendor but shares the same vulnerabilities. The OEM vendors used a custom version of GoAhead and added vulnerable code inside.</p>
<p>Because of code reuse, the vulnerabilities are present in a huge list of cameras (especially the InfoLeak and the RCE), which allow executing root commands against 1250+ camera models with a pre-auth vulnerability.</p>
<p>These cameras are likely affected by a pre-auth RCE as root.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2016/09/06/mirai-ddos-trojan-is-the-next-big-threat-to-iot-devices-and-linux-servers/comment-page-1/#comment-1540266</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Fri, 10 Mar 2017 11:04:27 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=46721#comment-1540266</guid>
		<description><![CDATA[Nearly 200,000 Wi-Fi Cameras Are Open To Hacking
https://it.slashdot.org/story/17/03/09/2212227/nearly-200000-wi-fi-cameras-are-open-to-hacking

What started as an analysis of a simple security flaw in a random wireless IP camera turned into seven vulnerabilities that affect over 1,250 camera models and expose nearly 200,000 cameras to hacking. The flaws affect a generically named product called Wireless IP Camera (P2P) WIFICAM, manufactured by a (currently unnamed) Chinese company, who sells it as a white-label product to several other camera vendors.

Nearly 200,000 WiFi Cameras Open to Hacking Right Now
https://www.bleepingcomputer.com/news/security/nearly-200-000-wifi-cameras-open-to-hacking-right-now/

What started as an analysis of a simple security flaw in a random wireless IP camera turned into seven vulnerabilities that affect over 1,250 camera models and expose nearly 200,000 cameras to hacking.

The flaws affect a generically named product called Wireless IP Camera (P2P) WIFICAM, manufactured by a (currently unnamed) Chinese company, who sells it as a white-label product to several other camera vendors.

Security researcher Pierre Kim says the firmware produced by this Chinese vendor comes with several flaws, which have all made their way down the line into the products of other companies that bought the white-label (unbranded) camera. In total, nearly 1,250 camera models based on the original camera are affected.

According to Kim, the cameras are affected by a total of seven security flaws. The biggest ones are listed below.

Backdoor account - Telnet runs by default, and everyone can log in with the following credentials

Pre-auth info and credentials leak - An attacker can bypass device authentication procedures by providing empty &quot;loginuse&quot; and &quot;loginpas&quot; parameters when accessing server configuration files

Pre-auth RCE as root - An attacker can bypass the authentication procedure and execute code on the camera under the root user just by accessing a URL with special parameters.

Streaming without authentication - An attacker can access the camera&#039;s built-in RTSP server on port 10554 and watch a live video stream without having to authenticate

Cloud - The camera provides a &quot;Cloud&quot; feature that lets customers manage the device via the Internet. This feature uses a clear-text UDP tunnel to bypass NATs and firewalls. An attacker can abuse this feature to launch brute-force attacks and guess the device&#039;s credentials. 

Nearly 200,000 vulnerable cameras available online right now

Yesterday, Kim said that around 185,000 vulnerable cameras could be easily identified via Shodan. Today, the same query yields 198,500 vulnerable cameras.

&quot;I advise to IMMEDIATELY DISCONNECT cameras [from] the Internet,&quot; Kim said in a blog post. &quot;Hundreds of thousands [of] cameras are affected by the 0day Info-Leak. Millions of them are using the insecure Cloud network.&quot;]]></description>
		<content:encoded><![CDATA[<p>Nearly 200,000 Wi-Fi Cameras Are Open To Hacking<br />
<a href="https://it.slashdot.org/story/17/03/09/2212227/nearly-200000-wi-fi-cameras-are-open-to-hacking" rel="nofollow">https://it.slashdot.org/story/17/03/09/2212227/nearly-200000-wi-fi-cameras-are-open-to-hacking</a></p>
<p>What started as an analysis of a simple security flaw in a random wireless IP camera turned into seven vulnerabilities that affect over 1,250 camera models and expose nearly 200,000 cameras to hacking. The flaws affect a generically named product called Wireless IP Camera (P2P) WIFICAM, manufactured by a (currently unnamed) Chinese company, who sells it as a white-label product to several other camera vendors.</p>
<p>Nearly 200,000 WiFi Cameras Open to Hacking Right Now<br />
<a href="https://www.bleepingcomputer.com/news/security/nearly-200-000-wifi-cameras-open-to-hacking-right-now/" rel="nofollow">https://www.bleepingcomputer.com/news/security/nearly-200-000-wifi-cameras-open-to-hacking-right-now/</a></p>
<p>What started as an analysis of a simple security flaw in a random wireless IP camera turned into seven vulnerabilities that affect over 1,250 camera models and expose nearly 200,000 cameras to hacking.</p>
<p>The flaws affect a generically named product called Wireless IP Camera (P2P) WIFICAM, manufactured by a (currently unnamed) Chinese company, who sells it as a white-label product to several other camera vendors.</p>
<p>Security researcher Pierre Kim says the firmware produced by this Chinese vendor comes with several flaws, which have all made their way down the line into the products of other companies that bought the white-label (unbranded) camera. In total, nearly 1,250 camera models based on the original camera are affected.</p>
<p>According to Kim, the cameras are affected by a total of seven security flaws. The biggest ones are listed below.</p>
<p>Backdoor account &#8211; Telnet runs by default, and everyone can log in with the following credentials</p>
<p>Pre-auth info and credentials leak &#8211; An attacker can bypass device authentication procedures by providing empty &#8220;loginuse&#8221; and &#8220;loginpas&#8221; parameters when accessing server configuration files</p>
<p>Pre-auth RCE as root &#8211; An attacker can bypass the authentication procedure and execute code on the camera under the root user just by accessing a URL with special parameters.</p>
<p>Streaming without authentication &#8211; An attacker can access the camera&#8217;s built-in RTSP server on port 10554 and watch a live video stream without having to authenticate</p>
<p>Cloud &#8211; The camera provides a &#8220;Cloud&#8221; feature that lets customers manage the device via the Internet. This feature uses a clear-text UDP tunnel to bypass NATs and firewalls. An attacker can abuse this feature to launch brute-force attacks and guess the device&#8217;s credentials. </p>
<p>Nearly 200,000 vulnerable cameras available online right now</p>
<p>Yesterday, Kim said that around 185,000 vulnerable cameras could be easily identified via Shodan. Today, the same query yields 198,500 vulnerable cameras.</p>
<p>&#8220;I advise to IMMEDIATELY DISCONNECT cameras [from] the Internet,&#8221; Kim said in a blog post. &#8220;Hundreds of thousands [of] cameras are affected by the 0day Info-Leak. Millions of them are using the insecure Cloud network.&#8221;</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2016/09/06/mirai-ddos-trojan-is-the-next-big-threat-to-iot-devices-and-linux-servers/comment-page-1/#comment-1526632</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 30 Nov 2016 08:48:36 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=46721#comment-1526632</guid>
<description><![CDATA[Worldwide, an estimated millions of devices have been captured as members of the Mirai botnet. Among them are more than ten thousand Finnish devices.

Effects on users

Detecting a malware infection is difficult for the user. The malware can slow down the operation of the device or prevent its normal use altogether. Contaminated equipment is likely to be involved, without the user&#039;s knowledge, in for example denial of service attacks, and to use up the connection capacity.

A home router service that is open to the Internet enables remote exploitation of the device so that it becomes contaminated. After contamination, the device tends to infect other similar devices and becomes part of a botnet. Botnets formed from hijacked devices are used, for example, for denial of service attacks. The remote management of devices commonly uses TCP port 7547.

FICORA considers that the conditions for traffic filtering in this case, as defined in the Act, have been met and has recommended that telecom operators filter traffic on port TCP/7547 in order to prevent the exploit. Several telecommunications companies have begun traffic filtering.

Currently, the following Zyxel-manufactured ADSL modems are known to be vulnerable. The list below will be updated as new information on vulnerable devices is obtained:

    Zyxel AMG1302-T11C
    Zyxel AMG1312-T10B
    Zyxel AMG1202-T10B (no longer marketed)

    Zyxel P-660HN-T1A (No longer available)
    Zyxel P660HN-T1Av2 (No longer available)

It is very likely that the vulnerability applies to other devices.

The malware is removed by rebooting the device; the telecommunications operator&#039;s traffic filtering also helps with the release.

Sources:
http://www.tivi.fi/Kaikki_uutiset/yli-10-000-suomalaista-modeemia-kaapattu-nain-estat-mirai-haittaohjelman-toiminnan-6603349
https://www.viestintavirasto.fi/kyberturvallisuus/varoitukset/2016/varoitus-2016-04.html]]></description>
<content:encoded><![CDATA[<p>Worldwide, an estimated millions of devices have been captured as members of the Mirai botnet. Among them are more than ten thousand Finnish devices.</p>
<p>Effects on users</p>
<p>Detecting a malware infection is difficult for the user. The malware can slow down the operation of the device or prevent its normal use altogether. Contaminated equipment is likely to be involved, without the user&#8217;s knowledge, in for example denial of service attacks, and to use up the connection capacity.</p>
<p>A home router service that is open to the Internet enables remote exploitation of the device so that it becomes contaminated. After contamination, the device tends to infect other similar devices and becomes part of a botnet. Botnets formed from hijacked devices are used, for example, for denial of service attacks. The remote management of devices commonly uses TCP port 7547.</p>
<p>FICORA considers that the conditions for traffic filtering in this case, as defined in the Act, have been met and has recommended that telecom operators filter traffic on port TCP/7547 in order to prevent the exploit. Several telecommunications companies have begun traffic filtering.</p>
<p>Currently, the following Zyxel-manufactured ADSL modems are known to be vulnerable. The list below will be updated as new information on vulnerable devices is obtained:</p>
<p>    Zyxel AMG1302-T11C<br />
    Zyxel AMG1312-T10B<br />
    Zyxel AMG1202-T10B (no longer marketed)</p>
<p>    Zyxel P-660HN-T1A (No longer available)<br />
    Zyxel P660HN-T1Av2 (No longer available)</p>
<p>It is very likely that the vulnerability applies to other devices.</p>
<p>The malware is removed by rebooting the device; the telecommunications operator&#8217;s traffic filtering also helps with the release.</p>
<p>Sources:<br />
<a href="http://www.tivi.fi/Kaikki_uutiset/yli-10-000-suomalaista-modeemia-kaapattu-nain-estat-mirai-haittaohjelman-toiminnan-6603349" rel="nofollow">http://www.tivi.fi/Kaikki_uutiset/yli-10-000-suomalaista-modeemia-kaapattu-nain-estat-mirai-haittaohjelman-toiminnan-6603349</a><br />
<a href="https://www.viestintavirasto.fi/kyberturvallisuus/varoitukset/2016/varoitus-2016-04.html" rel="nofollow">https://www.viestintavirasto.fi/kyberturvallisuus/varoitukset/2016/varoitus-2016-04.html</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2016/09/06/mirai-ddos-trojan-is-the-next-big-threat-to-iot-devices-and-linux-servers/comment-page-1/#comment-1526628</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 30 Nov 2016 08:41:05 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=46721#comment-1526628</guid>
<description><![CDATA[@danimo @hanno @esizkur It’s not just Zyxel. I’ve found T-Com, MitraStar, D-Link, Aztech, Digicom, Comtrend, ZTE…

Currently listing 48 devices vulnerable to the main TR-064/TR-069 issue. Scans will reveal more. Not scanning for the cmd inject though.

Source: https://twitter.com/info_dox/status/803244427300978688]]></description>
<content:encoded><![CDATA[<p>@danimo @hanno @esizkur It’s not just Zyxel. I’ve found T-Com, MitraStar, D-Link, Aztech, Digicom, Comtrend, ZTE…</p>
<p>Currently listing 48 devices vulnerable to the main TR-064/TR-069 issue. Scans will reveal more. Not scanning for the cmd inject though.</p>
<p>Source: <a href="https://twitter.com/info_dox/status/803244427300978688" rel="nofollow">https://twitter.com/info_dox/status/803244427300978688</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2016/09/06/mirai-ddos-trojan-is-the-next-big-threat-to-iot-devices-and-linux-servers/comment-page-1/#comment-1526625</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 30 Nov 2016 08:38:04 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=46721#comment-1526625</guid>
		<description><![CDATA[German ISP Confirms Malware Attacks Caused Disruptions
http://www.securityweek.com/german-isp-confirms-malware-attacks-caused-disruptions

German telecommunications giant Deutsche Telekom has confirmed that more than 900,000 of its 20 million fixed-line network customers experienced Internet disruptions due to malware attacks on their routers.

In a press statement released on Monday, Deutsche Telekom said malicious actors had been trying to infect routers with malware, but the attempts failed, which led to 4-5 percent of devices crashing and preventing owners from going online.

Information on current problems
https://www.telekom.com/en/media/media-information/archive/information-on-current-problems-444862]]></description>
		<content:encoded><![CDATA[<p>German ISP Confirms Malware Attacks Caused Disruptions<br />
<a href="http://www.securityweek.com/german-isp-confirms-malware-attacks-caused-disruptions" rel="nofollow">http://www.securityweek.com/german-isp-confirms-malware-attacks-caused-disruptions</a></p>
<p>German telecommunications giant Deutsche Telekom has confirmed that more than 900,000 of its 20 million fixed-line network customers experienced Internet disruptions due to malware attacks on their routers.</p>
<p>In a press statement released on Monday, Deutsche Telekom said malicious actors had been trying to infect routers with malware, but the attempts failed, which led to 4-5 percent of devices crashing and preventing owners from going online.</p>
<p>Information on current problems<br />
<a href="https://www.telekom.com/en/media/media-information/archive/information-on-current-problems-444862" rel="nofollow">https://www.telekom.com/en/media/media-information/archive/information-on-current-problems-444862</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2016/09/06/mirai-ddos-trojan-is-the-next-big-threat-to-iot-devices-and-linux-servers/comment-page-1/#comment-1526624</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 30 Nov 2016 08:37:06 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=46721#comment-1526624</guid>
		<description><![CDATA[Mirai-Based Worm Targets Devices via New Attack Vector
http://www.securityweek.com/mirai-based-worm-targets-devices-new-attack-vector

A Mirai-based worm leverages a recently disclosed attack vector to hijack routers and modems. Researchers determined that a large number of devices around the world could be vulnerable to attacks.

Numerous devices have been infected by Mirai and many others could easily get compromised. The malware is responsible for some of the largest distributed denial-of-service (DDoS) attacks in history and it has been increasingly used by malicious actors after its source code was leaked.

Researchers at BadCyber were recently contacted by an individual in Poland who discovered that his Zyxel AMG1202-T10B gateway had been rebooting every 15-20 minutes. An analysis revealed that hackers managed to remotely execute malicious commands on the device by injecting them into the network time protocol (NTP) server name field. The value of the NTP server name is parsed as a command without being validated, leading to an RCE vulnerability.

The malicious code was inserted into the NTP server name field via the TR-064 protocol, which allows ISPs to manage devices on their networks. The problem is that some devices are configured to accept TR-064 commands from the Internet, allowing attackers to abuse the feature for malicious activities.

Researchers warned earlier this month that TR-064 commands can be sent to D1000 modems provided by Ireland-based ISP Eir. 

A Shodan search showed that tens of thousands of D1000 modems are affected. BadCyber conducted its own search and found more than 5 million devices exposing the TR-064 service, with a majority located in Brazil, India, the UK and various other European countries.

The SANS Institute’s Internet Storm Center has also observed attack attempts on port 7547, the port used by TR-064. The organization identified roughly 41 million devices with the 7547 port open and its honeypots receive a request every 5-10 minutes.]]></description>
		<content:encoded><![CDATA[<p>Mirai-Based Worm Targets Devices via New Attack Vector<br />
<a href="http://www.securityweek.com/mirai-based-worm-targets-devices-new-attack-vector" rel="nofollow">http://www.securityweek.com/mirai-based-worm-targets-devices-new-attack-vector</a></p>
<p>A Mirai-based worm leverages a recently disclosed attack vector to hijack routers and modems. Researchers determined that a large number of devices around the world could be vulnerable to attacks.</p>
<p>Numerous devices have been infected by Mirai and many others could easily get compromised. The malware is responsible for some of the largest distributed denial-of-service (DDoS) attacks in history and it has been increasingly used by malicious actors after its source code was leaked.</p>
<p>Researchers at BadCyber were recently contacted by an individual in Poland who discovered that his Zyxel AMG1202-T10B gateway had been rebooting every 15-20 minutes. An analysis revealed that hackers managed to remotely execute malicious commands on the device by injecting them into the network time protocol (NTP) server name field. The value of the NTP server name is parsed as a command without being validated, leading to an RCE vulnerability.</p>
<p>The malicious code was inserted into the NTP server name field via the TR-064 protocol, which allows ISPs to manage devices on their networks. The problem is that some devices are configured to accept TR-064 commands from the Internet, allowing attackers to abuse the feature for malicious activities.</p>
<p>Researchers warned earlier this month that TR-064 commands can be sent to D1000 modems provided by Ireland-based ISP Eir. </p>
<p>A Shodan search showed that tens of thousands of D1000 modems are affected. BadCyber conducted its own search and found more than 5 million devices exposing the TR-064 service, with a majority located in Brazil, India, the UK and various other European countries.</p>
<p>The SANS Institute’s Internet Storm Center has also observed attack attempts on port 7547, the port used by TR-064. The organization identified roughly 41 million devices with the 7547 port open and its honeypots receive a request every 5-10 minutes.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2016/09/06/mirai-ddos-trojan-is-the-next-big-threat-to-iot-devices-and-linux-servers/comment-page-1/#comment-1526615</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 30 Nov 2016 08:26:02 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=46721#comment-1526615</guid>
		<description><![CDATA[German ISP Confirms Malware Attacks Caused Disruptions
http://www.securityweek.com/german-isp-confirms-malware-attacks-caused-disruptions

German telecommunications giant Deutsche Telekom has confirmed that more than 900,000 of its 20 million fixed-line network customers experienced Internet disruptions due to malware attacks on their routers.

In a press statement released on Monday, Deutsche Telekom said malicious actors had been trying to infect routers with malware, but the attempts failed, which led to 4-5 percent of devices crashing and preventing owners from going online.

Since the malware only resides in the router’s memory, customers have been advised to reboot their devices in order to clean the infection. Deutsche Telekom has also released a firmware update that should prevent infections on its Speedport routers.

Germany’s Federal Office for Information Security (BSI) reported that some government networks protected by the organization were also targeted in attacks. These attacks were mitigated by the existing protection mechanisms, the BSI said.

Attacks have been observed in several countries. Researchers determined that a piece of malware based on Mirai, whose source code was leaked recently, has been using port 7547 to hijack routers and modems.]]></description>
		<content:encoded><![CDATA[<p>German ISP Confirms Malware Attacks Caused Disruptions<br />
<a href="http://www.securityweek.com/german-isp-confirms-malware-attacks-caused-disruptions" rel="nofollow">http://www.securityweek.com/german-isp-confirms-malware-attacks-caused-disruptions</a></p>
<p>German telecommunications giant Deutsche Telekom has confirmed that more than 900,000 of its 20 million fixed-line network customers experienced Internet disruptions due to malware attacks on their routers.</p>
<p>In a press statement released on Monday, Deutsche Telekom said malicious actors had been trying to infect routers with malware, but the attempts failed, which led to 4-5 percent of devices crashing and preventing owners from going online.</p>
<p>Since the malware only resides in the router’s memory, customers have been advised to reboot their devices in order to clean the infection. Deutsche Telekom has also released a firmware update that should prevent infections on its Speedport routers.</p>
<p>Germany’s Federal Office for Information Security (BSI) reported that some government networks protected by the organization were also targeted in attacks. These attacks were mitigated by the existing protection mechanisms, the BSI said.</p>
<p>Attacks have been observed in several countries. Researchers determined that a piece of malware based on Mirai, whose source code was leaked recently, has been using port 7547 to hijack routers and modems.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2016/09/06/mirai-ddos-trojan-is-the-next-big-threat-to-iot-devices-and-linux-servers/comment-page-1/#comment-1521794</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 02 Nov 2016 03:30:44 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=46721#comment-1521794</guid>
		<description><![CDATA[Guerilla researcher created epic botnet to scan billions of IP addresses
With 9TB of data, survey is one of the most exhaustive—and illicit—ever done.
http://arstechnica.com/security/2013/03/guerilla-researcher-created-epic-botnet-to-scan-billions-of-ip-addresses/

In one of the more audacious and ethically questionable research projects in recent memory, an anonymous hacker built a botnet of more than 420,000 Internet-connected devices and used it to perform one of the most comprehensive surveys ever to measure the insecurity of the global network.

In all, the nine-month scanning project found 420 million IPv4 addresses that responded to probes and 36 million more addresses that had one or more ports open. A large percentage of the unsecured devices bore the hallmarks of broadband modems, network routers, and other devices with embedded operating systems that typically aren&#039;t intended to be exposed to the outside world. The researcher found a total of 1.3 billion addresses in use, including 141 million that were behind a firewall and 729 million that returned reverse domain name system records. There were no signs of life from the remaining 2.3 billion IPv4 addresses.

Continually scanning almost 4 billion addresses for nine months is a big job. In true guerilla research fashion, the unknown hacker developed a small scanning program that scoured the Internet for devices that could be logged into using no account credentials at all or the usernames and passwords of either &quot;root&quot; or &quot;admin.&quot; When the program encountered unsecured devices, it installed itself on them and used them to conduct additional scans. The viral growth of the botnet allowed it to infect about 100,000 devices within a day of the program&#039;s release. The critical mass allowed the hacker to scan the Internet quickly and cheaply. With about 4,000 clients, it could scan one port on all 3.6 billion addresses in a single day. Because the project ran 1,000 unique probes on 742 separate ports, and possibly because the binary was uninstalled each time an infected device was restarted, the hacker commandeered a total of 420,000 devices to perform the survey.]]></description>
		<content:encoded><![CDATA[<p>Guerilla researcher created epic botnet to scan billions of IP addresses<br />
With 9TB of data, survey is one of the most exhaustive—and illicit—ever done.<br />
<a href="http://arstechnica.com/security/2013/03/guerilla-researcher-created-epic-botnet-to-scan-billions-of-ip-addresses/" rel="nofollow">http://arstechnica.com/security/2013/03/guerilla-researcher-created-epic-botnet-to-scan-billions-of-ip-addresses/</a></p>
<p>In one of the more audacious and ethically questionable research projects in recent memory, an anonymous hacker built a botnet of more than 420,000 Internet-connected devices and used it to perform one of the most comprehensive surveys ever to measure the insecurity of the global network.</p>
<p>In all, the nine-month scanning project found 420 million IPv4 addresses that responded to probes and 36 million more addresses that had one or more ports open. A large percentage of the unsecured devices bore the hallmarks of broadband modems, network routers, and other devices with embedded operating systems that typically aren&#8217;t intended to be exposed to the outside world. The researcher found a total of 1.3 billion addresses in use, including 141 million that were behind a firewall and 729 million that returned reverse domain name system records. There were no signs of life from the remaining 2.3 billion IPv4 addresses.</p>
<p>Continually scanning almost 4 billion addresses for nine months is a big job. In true guerilla research fashion, the unknown hacker developed a small scanning program that scoured the Internet for devices that could be logged into using no account credentials at all or the usernames and passwords of either &#8220;root&#8221; or &#8220;admin.&#8221; When the program encountered unsecured devices, it installed itself on them and used them to conduct additional scans. The viral growth of the botnet allowed it to infect about 100,000 devices within a day of the program&#8217;s release. The critical mass allowed the hacker to scan the Internet quickly and cheaply. With about 4,000 clients, it could scan one port on all 3.6 billion addresses in a single day. Because the project ran 1,000 unique probes on 742 separate ports, and possibly because the binary was uninstalled each time an infected device was restarted, the hacker commandeered a total of 420,000 devices to perform the survey.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
