Security Bulletin #130 – 19 June 2017
New IoT Botnet Targets IP Cameras
Researchers from Trend Micro have detected a new Internet of Things (IoT) botnet called ‘Persirai’ targeting 1000 Internet Protocol (IP) cameras. Via Shodan, Trend Micro had identified 120,000 IP cameras that are vulnerable to ELF_PERSIRAI.A. Many of the owners of these vulnerable devices are unaware that their IP cameras are exposed to the internet, which makes it significantly easier for the perpetrators behind the malware to gain access to the IP camera web interface via TCP port 81, Trend Micro added.

Once commands from the C&C server have been received, the infected IP camera exploits a zero-day vulnerability to automatically attack other IP cameras, allowing attackers to retrieve the password file from the device and giving them the means to carry out command injections regardless of password length. What’s more, Trend Micro explained that the affected IP camera receives a command from the C&C server instructing it to perform a DDoS attack on other computers via User Datagram Protocol (UDP) floods. Notably, Persirai can perform a UDP DDoS attack with SSDP packets without spoofing the source IP address. Trend Micro found that the C&C servers were using the IR country code, managed by an Iranian research institute which restricts registration to Iranians only, and that the malware author used some special Persian characters.

IP camera owners should also implement other steps to ensure that their devices are protected from external attacks. In addition to using a strong password, users should disable UPnP on their routers to prevent devices within the network from opening ports to the external internet without any warning.
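The SSDP flood behaviour described above gives defenders a simple network-side signal: legitimate SSDP discovery is multicast on the local segment, so a camera unicasting large volumes of UDP/1900 to hosts outside the LAN stands out. The following detector is an added example, not code from Trend Micro or from the bulletin; the flow-record format, the 192.168.1.0/24 camera subnet and the packet threshold are assumptions, and the flow lines are constructed sample data.

```python
"""Flag LAN hosts behaving like Persirai's SSDP (UDP/1900) flood bots.

Normal SSDP discovery is sent to the multicast group 239.255.255.250 on the
local segment. A camera unicasting a high rate of UDP/1900 datagrams to hosts
outside the LAN is anomalous. Flow lines are constructed sample data in an
assumed simplified "<epoch> <src> <dst> <proto> <dport> <pkts>" form."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")   # assumed local camera subnet
SSDP_PORT = 1900
WINDOW = 60                          # seconds per counting bucket
THRESHOLD = 100                      # packets per source per window (assumed)

# Constructed sample flows: two multicast M-SEARCH-style flows (benign),
# three high-volume unicast SSDP flows leaving the LAN from one camera.
SAMPLE_FLOWS = """\
1497859200 192.168.1.20 239.255.255.250 udp 1900 3
1497859201 192.168.1.21 239.255.255.250 udp 1900 2
1497859202 192.168.1.21 203.0.113.5 udp 1900 600
1497859205 192.168.1.21 203.0.113.6 udp 1900 450
1497859210 192.168.1.22 198.51.100.9 tcp 443 12
1497859215 192.168.1.21 203.0.113.7 udp 1900 700
"""

def parse_flow(line):
    ts, src, dst, proto, dport, pkts = line.split()
    return {"ts": int(ts), "src": ip_address(src), "dst": ip_address(dst),
            "proto": proto, "dport": int(dport), "pkts": int(pkts)}

def is_outbound_unicast_ssdp(flow):
    """SSDP that is neither multicast nor LAN-local is not legitimate discovery."""
    return (flow["proto"] == "udp" and flow["dport"] == SSDP_PORT
            and not flow["dst"].is_multicast and flow["dst"] not in LAN)

def find_ssdp_flooders(text, threshold=THRESHOLD, window=WINDOW):
    """Return {src: peak_packets} for sources exceeding threshold in any window."""
    buckets = defaultdict(int)
    for line in text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if is_outbound_unicast_ssdp(flow):
            buckets[(flow["src"], flow["ts"] // window)] += flow["pkts"]
    peaks = defaultdict(int)
    for (src, _), pkts in buckets.items():
        peaks[str(src)] = max(peaks[str(src)], pkts)
    return {src: n for src, n in peaks.items() if n >= threshold}

if __name__ == "__main__":
    print(find_ssdp_flooders(SAMPLE_FLOWS))  # {'192.168.1.21': 1750}
```

Feeding real NetFlow or firewall logs through `parse_flow` only requires adapting the field order; the per-window threshold should be tuned against the baseline SSDP volume of the monitored segment.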
Vaping, e-Cigarettes Can Be Used to Hack Computers
Security researcher Ross Bevington gave a presentation at BSides London, reported by Sky News, that revealed how an e-cigarette could be used to intercept network traffic or to control a computer by making it think the e-cig is a keyboard. Many e-cigarettes can be charged over USB, and Bevington said that it takes just a few simple tweaks to the vaporizer to turn it into a weapon that can download malicious payloads from the web. Many enterprises today block the use of USB ports, which would prevent an attack like this; some do not, however, so users should beware. A saving grace is that e-cigs don’t have much memory, so complex code is a no-go, which limits how elaborate a real attack could be. The health risks to the body from vaping may not be fully known; the risks to your information and cybersecurity, however, could be disastrous.
A PHP rootkit that can take over a server by hiding in PHP server modules
The Dutch developer Luke Paris has created a rootkit that hides in PHP server modules and could be used by attackers to take over web servers. While classic rootkits work at the lowest levels of the operating system, intercepting kernel operations to perform malicious actions, Paris successfully created a rootkit that interacts with the PHP interpreter instead of the far more complex OS kernel. Paris’ PHP rootkit allows attackers to gain persistence on a hacked server without being detected. According to Paris, using PHP modules to hide rootkits is very effective for four reasons: 1) accessibility, 2) stability, 3) detectability and 4) portability. The PoC code hooks into the PHP interpreter’s “hash” and “sha1” functions; the rootkit is composed of only 80 lines of code, and it is quite easy for a hacker to hide it in legitimate modules. To prevent attackers from using his code, Paris has omitted some parts of it, making compilation harder for non-expert PHP developers.
CERTFR-2017-AVI-184: Multiple vulnerabilities in ISC BIND (16 June 2017)
CERTFR-2017-AVI-183: Multiple vulnerabilities in Google Chrome (16 June 2017)