Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2018-05-21 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Something Wicked this way comes

Published: 2018-05-21
Last Updated: 2018-05-21 15:03:29 UTC
by Rick Wanner (Version: 1)
0 comment(s)

The latest Mirai-based botnet is Wicked.  Unlike previous Mirai variants and sibilings, which compromised IoT devices with default credentials or brute forcing credentials, Wicked is targetting vulnerabilities contained in certain IoT devices.  

Wicked scans ports 8080, 8443, 80, and 81. Specifically it is targetting the following devices/vulnerabilities:

  • 80: Invoker Shell in compromised Web Servers 
  • 81 - CCTV-DVR 
  • 8443 - Netgear R7000 and R6400 (CVE-2016-6277)
  • 8080 - Netgear DGN1000 and DGN2200

The Invoker Shell is interesting in that it does not exploit the device, but rather takes advantage of previously compromised web servers.

After successful exploitation, it downloads what appears to be Omni Bot, the same code delivered by the attacks on the DASAN GPON home routers, providing at least some anecdotal evidence that the two are related. 

Fortinet has an excellent analysis of their research into this attempted exploitation.

Threatpost provides some more detail into the Wicked behaviour.

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

Keywords:
0 comment(s)
ISC Stormcast For Monday, May 21st 2018 https://isc.sans.edu/podcastdetail.html?id=6005
Diary Archives