Criminals are exploiting critical vulnerabilities to turn Internet of Things devices from two different manufacturers into botnets that perform distributed denial-of-service attacks, researchers said this week. Both Lilin DVRs and Zyxel storage devices are affected, and users should install updates as soon as possible.
Several attack groups are using the Lilin DVR vulnerability to recruit devices into DDoS botnets called FBot, Chalubo and Moobot, researchers from security firm Qihoo 360 said on Friday. The latter two botnets are spin-offs of Mirai, the botnet that has used hundreds of thousands of IoT devices to bombard websites with record-breaking junk traffic.
The DVR vulnerability is based on three bugs that together allow an attacker to remotely inject malicious commands into the device. They are: (1) hard-coded login credentials built into the device, (2) command injection, and (3) arbitrary file reading. The injectable parameters are in the device functions for the file transfer protocol (FTP), the network time protocol (NTP) and the NTP update mechanism.
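The command-injection class described above, as an added illustration that is not code from the article or from any vendor firmware: a hypothetical firmware helper pastes an NTP server setting straight into a shell command string, shown beside a hardened version that validates the value as a hostname and builds an argv array so no shell ever parses it. The function names, the `ntpdate` command and the sample inputs are assumptions for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: accept an NTP server value only if it looks like a
   hostname or IPv4 literal (letters, digits, '-' and '.'), so it can never
   carry shell metacharacters such as ';' or '$(' into a command line. */
int validate_ntp_host(const char *host) {
    size_t n = host ? strlen(host) : 0;
    if (n == 0 || n > 253) return 0;
    if (host[0] == '-' || host[0] == '.' ||
        host[n - 1] == '-' || host[n - 1] == '.') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '-' || c == '.')) return 0;
    }
    return 1;
}

/* The vulnerable pattern (demonstration only, nothing is executed): the
   user-controlled value is formatted into a single string that would be
   handed to system(). Returns 1 if the string fits the buffer. Whatever the
   value contains is passed to the shell verbatim, which is the injection. */
int unsafe_ntp_command(const char *host, char *out, size_t outlen) {
    int w = snprintf(out, outlen, "ntpdate %s", host);
    return w > 0 && (size_t)w < outlen;
}

/* Hardened pattern: validate first, then build an argv for an execv()-style
   spawn. The value becomes one argument and is never shell-parsed.
   Returns the argv entry count, or 0 if the value was rejected. */
int safe_ntp_argv(const char *host, const char *argv[3]) {
    if (!validate_ntp_host(host)) return 0;
    argv[0] = "ntpdate";
    argv[1] = host;
    argv[2] = NULL;
    return 2;
}

int main(void) {
    const char *argv[3];
    char cmd[64];
    const char *bad = "pool.example.org;reboot";   /* constructed sample */
    unsafe_ntp_command(bad, cmd, sizeof cmd);
    printf("unsafe shell string: %s\n", cmd);
    printf("safe argv entries for bad value: %d\n", safe_ntp_argv(bad, argv));
    printf("safe argv entries for good value: %d\n", safe_ntp_argv("pool.example.org", argv));
    return 0;
}
```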
Sometime in late August, Qihoo 360 researchers saw attackers use the NTP update vector to infect devices with Chalubo. In January, the researchers saw attackers use the FTP and NTP flaws to spread FBot. In the same month, Qihoo 360 reported the flaws to Lilin. Seven days later, the researchers discovered that Moobot was spreading through the FTP vulnerability. Lilin fixed the flaws in mid-February with the release of firmware 2.0b60_20200207. No CVE identifier for tracking the vulnerability is known.
The Qihoo 360 report came a day after researchers at security firm Palo Alto Networks reported that a recently fixed vulnerability in Zyxel network-attached storage devices was also being actively exploited. Attackers used the exploits to install a recently discovered Mirai variant called Mukashi. The pre-authentication command-injection flaw allowed commands to be executed on the devices. From there, the attackers could take over devices that used easy-to-guess passwords. The critical vulnerability received a severity rating of 9.8 out of a possible 10 because it is so easy to exploit.
A Zyxel advisory lists more than 27 products affected by the vulnerability, which is tracked as CVE-2020-9054. A patch released by the manufacturer fixed many of the devices, but 10 models were no longer supported. Zyxel recommended that these unsupported devices no longer be connected directly to the Internet.
Lilin or Zyxel users affected by either of these vulnerabilities should install patches where they are available for their devices. Devices that cannot be patched should be replaced. It is also wise to place these devices – and as many other IoT devices as possible – behind network firewalls to make compromise more difficult. Operators often value convenient remote access to these devices, which makes locking them down harder. The well-deserved reputation of IoT devices as buggy and insecure means that exposing them to external connections can endanger networks – and even the Internet as a whole.