A newly discovered spam botnet targeted over 100,000 home routers through a UPnP vulnerability.
According to Netlab 360 researchers Hui Wang and RootKiter, the botnet, which they’re calling “BCMUPnP_Hunter,” infected 116 different types of devices. They estimated over 100,000 IP addresses belonging to home routers with Broadcom UPnP enabled have been infected.
The botnet was able to take hold through a vulnerability in the Broadcom UPnP protocol. UPnP, or Universal Plug and Play, is a web protocol that enables devices to connect to a network and automatically discover each other and their respective configurations.
Wang and RootKiter also noted that the botnet works on a self-built proxy network that is implemented by the threat actor and communicates with popular email servers, such as Outlook, Hotmail and Yahoo Mail. They said they “highly suspect” the motivation of the threat actor behind this botnet is to send spam messages.
The infected routers were made by a wide variety of vendors, including D-Link, Linksys, ZTE, TP-Link, Zyxel and others. The researchers said they’ve scanned 3.37 million unique IP addresses that have been infected by this spam botnet, but they believe it’s limited to approximately 100,000 actual devices with changing IP addresses — still a large amount of infected devices.
Wang and RootKiter said they’ve been tracking this botnet since September and noticed it scans about 100,000 IP addresses every one to three days. The scans happen on TCP port 5431.
“The interaction between the botnet and the potential target takes multiple steps. It starts with TCP port 5431 destination scan, then moving on to check target’s UDP port 1900 and wait for the target to send the proper vulnerable URL,” they explained in a blog post. “After getting the proper URL, it takes another four packet exchanges for the attacker to figure out where the shellcode’s execution start address in memory is so a right exploit payload can be crafted and fed to the target.”
The researchers also noted that, according to Shodan, the number of potential infections may reach 400,000. Primarily, the spam botnet has infected routers in India, with 147,700 infected IPs; the United States, with 22,300 infected IPs; and China, with 19,200 infected IPs.
Another UPnP vulnerability was discovered earlier in 2018 by Akamai Technologies. The researchers found nearly 400 models of home routers across 73 different brands were susceptible to the vulnerability, and attackers were misusing it to launch Network Address Translation injections.
In other news:
- HSBC Bank disclosed that it suffered a data breach in October affecting customers in the United States. The bank sent a notice to customers alerting them of unauthorized access to accounts between Oct. 4, 2018, and Oct. 14, 2018. HSBC said it suspended online access to the accounts when it detected the breach and reached out to some affected customers. In its notice to customers, HSBC said the accessed information included “full name, mailing address, phone number, email address, date of birth, account numbers, account types, account balances, transaction history, payee account information and statement history, where available.” HSBC said it has since bolstered its authentication process. It’s unclear exactly how many customer accounts were affected, and it’s unclear if everyone who was affected was notified.
- Cisco issued 15 security updates this week, one of which was a backdoor account. This is the seventh backdoor account patched this year alone by Cisco. The first two were patched in March and affected Cisco Prime Collaboration Provisioning and the Cisco IOS XE operating system. Since then, there was one in May that affected the Cisco Digital Network Architecture, one in June that affected the Cisco Wide Area Application Services, one in July that affected the Cisco Policy Suite Cluster Manager, and one in September that affected the Cisco Video Surveillance Manager. Now, this latest patch fixes a backdoor account in the Cisco Small Business Switches. “The vulnerability exists because under specific circumstances, the affected software enables a privileged user account without notifying administrators of the system,” Cisco wrote in a security advisory. “An attacker could exploit this vulnerability by using this account to log in to an affected device and execute commands with full admin rights.”
- The Apache Foundation this week issued a warning that developers need to update to the most recent version of Apache Struts because of a new vulnerability. The warning said publicly accessible websites could be exposed to potential remote code execution attacks because of the vulnerability. Developers should ensure their websites and applications run Apache Struts versions 2.5.12 or later to defend against this vulnerability, tracked as CVE-2016-1000031. The flaw is a deserialization error that could enable code in a Java Object to run. This would give threat actors the ability take control over the server and take various types of nefarious actions. “Your project is affected if it uses the built-in file upload mechanism of Struts 2, which defaults to the use of commons-fileupload,” Apache explained. “The updated commons-fileupload library is a drop-in replacement for the vulnerable version. Deployed applications can be hardened by replacing the commons-fileupload jar file in WEB-INF/lib with the fixed jar.”