Activity Summary - Week Ending on 20 January 2023:
- Red Sky Alliance identified 23,585 connections from new IP’s checking in with our Sinkholes
- Achtung - ovh[.]com in Germany hit 197x
- Analysts identified 472 new IP addresses participating in various Botnets
- Red Sky Sinkhole Data Collection – last 90 Days
- IoT Botnet Threats 2023
- Electricity and Physical/Cyber Threats
- DNV still has Issues
IP |
Contacts |
135.125.237.141 |
88 |
2.57.122.60 |
82 |
209.141.60.62 |
79 |
90.156.168.255 |
58 |
172.177.202.205 |
55 |
135.125.237.141. was found in our database. This IP was reported 197 times. Confidence of Abuse is 100% ISP: OVH SAS; Usage Type: Data Center/Web Hosting/Transit; Hostname(s): vps-87137a11.vps.ovh.net; Domain Name: ovh.com; Country: Germany, City: Limburg an der Lahn, Hessen |
Red Sky Alliance Compromised (C2) IP’s
On 18 January 2023, Red Sky Alliance identified 23,585 connections from new unique IP addresses, which are checking in with one of the many Red Sky Alliance sinkholed domains.
Top 5 Malware Variant and number of contacts. Sality and Corkow has consistently remain the top variants. |
Red Sky Alliance Malware Activity
Malware Variant |
Times Seen |
sality |
20746 |
corkow |
1319 |
shiz |
431 |
betabot |
410 |
sykipot |
349 |
For a full black list – contact analysts: info@wapacklabs.com
Red Sky Alliance Botnet Tracker
On 18 January 2023, analysts identified 472 new IP addresses participating in various botnets (call for full .csv Blacklists, below are only a small sampling of botnet trackers).
First_ Seen |
Botnet Attribution |
Infected Host’s IPv4 Address |
2023-01-13T18:29:45 |
HTTP proxy|port:999 |
8.242.176.197 |
2023-01-13T13:10:18 |
HTTP proxy|port:999 |
38.10.247.234 |
2023-01-17T11:10:49 |
HTTP proxy|port:999 |
38.49.140.254 |
2023-01-17T19:00:51 |
HTTP proxy|port:8080 |
41.57.16.3 |
2023-01-14T21:20:20 |
HTTP proxy|port:1981 |
41.65.168.55 |
Red Sky Alliance Sink Hole Data Collection
Red Sky run a sinkhole which collects many indicators from known, former malicious domains. This data is proprietary and not available from any other source.
Last 90 Days
Our analysts observed 725,222 hits in the last 90 days. We then further researched the IP origination to ascertain where the malicious activity emanated. The below pie chart shows the various nations where this activity derived.
Countries:
India – 47%
US – 17%
Malaysia – 17%
MALICIOUS CYBER TRENDS:
IoT Botnet Threats - Our friends at FortiGuard Labs have been closely monitoring the IoT botnet threat landscape for new and emerging campaigns. Researchers do this with the assistance of Fortinet honeypots they have deployed to capture active attacks. Below provides analysis into the data collected from our monitoring system over the past year.[1]
- Affected Platforms: Linux
- Impacted Users: Any organization
- Impact: Remote attackers gain control of the vulnerable systems
- Severity Level: Critical
Attack Origins: FortiGuard distributed honeypot systems allow them to capture and monitor campaigns that are actively targeting IoT devices for infection. In most cases, these devices are turned into bots used to perform Distributed Denial of Service (DDoS) attacks. These malware campaigns primarily brute force Telnet and SSH credentials to gain access to IoT devices and then execute their bot binaries. In 2022, a total of over 20 million successful brute force attacks were recorded by our system. Figure 1. shows the number of successful brute force attacks against our honeypots by month.
Screenshot of Figure 1: Attack volume by month
Based on 121,799 unique attacker IPs observed in 2022, see a breakdown of where IPs were hosted by country (Figure 2).
Figure 2: Attacker IPs by country
In terms of attack volume, see a breakdown of where the majority originate from based on where servers are hosted (Figure 3).
Figure 3: Attack volume by country
Top Vulnerabilities: Aside from brute forcing credentials to infect devices, IoT malware also takes advantage of vulnerabilities to spread, such as in the Beastmode Mirai campaign we discussed in April. Monitoring system identifies possible exploitation requests being used by malware samples. From over a hundred vulnerabilities targeted by IoT malware samples that were captured last year, we primarily observed attempts to exploit CVE-2017-17215, an old Remote Code Execution (RCE) vulnerability targeting Huawei HG532 routers. In fact, over 30% of the malware samples containing embedded exploits target this vulnerability (Figure 4).
Figure 4: Top vulnerabilities targeted
In terms of the actual volume of attacks in the wild, based on 30-day Fortinet IPS telemetry, we can see that the IPS signature Huawei.HG532.Remote.Code.Execution detected efforts to exploit CVE-2017-17215. We captured an average of 80,000 daily detections, peaking at 160,000.
Figure 5: Huawei.HG532.Remote.Code.Execution (CVE-2017-17215) 30-day Daily Detection Count
Researchers also found the following CVEs from 2022 being targeted:
- CVE-2022-26186 (TOTOLINK Routers RCE)
- CVE-2022-26210 (TOTOLINK Routers RCE)
- CVE-2022-25075/25076/25077/25078/25079/25080/25081/25082/25083/25084 (TOTOLINK Routers RCE)
- CVE-2022-22947 (Spring Cloud Gateway RCE)
- CVE-2022- 29013 (Razer Sila Gaming Router RCE)
- CVE-2022-1388 (F5 BIG-IP iControl RCE)
- CVE-2022-22954 (VMware Workspace ONE Access RCE)
- CVE-2022-23377 (Archeevo LFI)
- WordPress cab-fare-calculator plugin 1.0.3 (LFI)
- WordPress video-synchro-pdf plugin 1.7.4 (LFI)
It is important to note that although there were attempts to target Local File Inclusion (LFI) vulnerabilities, they were not properly implemented to successfully exploit them. The most actively exploited vulnerability from the list above is the CVE-2022-22954. It targeted VMware Workspace ONE Access. The VMware.Workspace.ONE.Access.Catalog.Remote.Code.Execution IPS signature recorded an average of 80,000 daily detections based on a 30-day Fortinet IPS telemetry. A previous post from October noted that this vulnerability is also a hot target for other non-IoT malware campaigns.
Figure 6: VMware.Workspace.ONE.Access.Catalog.Remote.Code.Execution (CVE-2022-22954) 30-day Daily Detection Count
We also observed that the F5 BIG-IP iControl CVE-2022-1388 (F5.BIG-IP.iControl.REST.Authentication.Bypass) was another popular vulnerability, experiencing a daily average of 25,000 hits, peaking at 50,000.
Figure 7: F5.BIG-IP.iControl.REST.Authentication.Bypass (CVE-2022-1388) 30-day Daily Detection Count
Top Architecture
Based on FortiGuard research, the majority of IoT malware is built to run on an ARM 32-bit architecture— comprising almost three-quarters of all samples captured (Figure 8). The “script file” label is for plaintext Bash scripts with the purpose of downloading and installing the payload binary after brute forcing or exploitation.
Top Malware Families: Figure 9. shows the most common malware families detected by our systems, grouped by month. Mirai and Gafgyt variants are predominant, with Kyton, a Gafgyt/Mirai hybrid, being one of the most heavily distributed families in terms of volume. Being a Gafgyt/Mirai hybrid, Kyton reuses code from other Mirai variants to exploit CVE-2017-17215 (Huawei Router HG532), JAWS Webserver RCE, or CVE-2014-8361 (Realtek SDK). Samples tagged as _unknown on the graph (Figure 9.) are malware yet to be linked to any known malware campaigns. They could be fresh botnets infecting our honeypots.
Figure 9: Top IoT malware families by month
Noteworthy Families: As shown in the Figure 9. statistics, while most of the active IoT botnets last year were based on Mirai and Gafgyt, there were several campaigns that stood out from the crowd. In mid-March, for example, we encountered Enemybot, which at the time was the latest botnet campaign from the threat group Keksec. It was a hybrid of Gafgyt and Mirai and was using the TOR network to mask its real Command and Control (C2) servers. RapperBot is a DDoS botnet that we encountered in mid-June. This malware is interesting because it was using an embedded SSH client to spread and because we observed unusual changes to its variants that made us question its primary motivation. In October 2022, we observed a new campaign from potentially the same threat actors targeting servers for popular games.
Finally, Zerobot is a DDoS botnet written in the Go programming language (also known as Golang) that FortiGuard Labs first encountered in November 2022. It utilizes both old and recent vulnerabilities to spread, and uses WebSockets to communicate with its C2 servers.
The Rise of Golang IoT malware: Another trend that we saw with IoT botnets was the rise of samples written in Golang despite its compiled binaries having relatively much larger file sizes. A Golang ELF binary executable can easily be above 4MB in size, whereas normal Mirai and Gafgyt binaries fall below 300KB. For this reason, some campaigns use the UPX packer to help reduce the file size. Up through October 2022, one of the C2 servers (176[.]65[.]137[.]5) listed in our Zerobot report historically distributed the Mirai-based SORA variant. It then switched to distributing Zerobot the month after. For example, hxxp://176[.]65[.]137[.]5/bins/zero[.]x86 served a UPX-packed SORA binary in October 2022 (Figure 10.), but similar URLs with the zero.{arch} filename were later seen distributing Zerobot instead. The switch from distributing SORA to Zerobot, but using the same campaign filename is interesting as these families do not share a common C2 protocol. The intent behind the switch remains unclear.
Figure 10: file zero.x86 downloaded from ZeroBot C2 vis-à-vis SORA sample
Apart from Zerobot, we are also highlighting several additional Golang botnets caught by our honeypots. In early November 2022, researchers collected samples of a DDoS botnet that supports only TCP-based DDoS attacks. This botnet is named Rose, based on the source code previously hosted on GitHub. The bot configures ZTE and Huawei devices to prevent their exploitation, similar to the Mozi botnet reported by Microsoft. FortiGuard also came across a simple DDoS bot that calls itself “nyancat” (Figure 11.), as seen in the path of the source files used to compile the binary. The path also suggests that the bot was compiled in a Windows environment. This bot extends publicly available botnet code on GitHub to perform HTTP-based Denial of Service (DoS) types of attacks on top of existing TCP, UDP, and Valve Source Engine (VSE) attacks.
Figure 11: nyancat source file name
Researchers also found another DDoS botnet also compiled in Windows from the same source file base path (Figure 12.), C:/Users/Admin/Music.
Figure 12: Another Windows compiled DDoS bot
This botnet also looks like an adaptation of another source code on GitHub that supports HTTP GET, HULK, GoldenEye, TLS and basic TCP and UDP types of DoS attacks (Figure 13.).
Figure 13: Function comparison between the two DDoS bots
It is possible that these two samples were compiled by the same threat actor, given that the binaries were built from source code located in similar directories on Windows machines and that some of the functions share similar names and code.
Figure 14: Panchan botnet strings
Another malware FortiGuard captured is Panchan (Figure 14.), a Golang-based XMRig miner that was documented by Akamai around June 2022 but with earlier samples found as early as March.
Conclusions: IoT malware is very much alive and continues to exploit both old and new vulnerabilities to infect devices and propagate themselves. While most of them target router vulnerabilities, there are notable exceptions, like the popular F5 BIG-IP iControl CVE-2022-1388 and VMware Workspace ONE Access CVE-2022-22954 vulnerabilities. Data from our telemetry also verifies that even old vulnerabilities from 2014 are still being actively exploited. Mirai and Gafgyt-based malware still dominate the IoT threat landscape in terms of the sheer volume of samples. There is also a growing variety of malware written in the Go programming language, possibly fueled by the increasing availability of malware source code in public repositories like GitHub, which makes it easy for unsophisticated threat actors to build and operate their own botnets. With this increased interest in using Golang for malware development, we expect to see even more Golang IoT botnets this year.
Known threats:
- ELF/Mirai!tr
- ELF/Zerobot!tr
- ELF/Generic!tr
- Linux/DDoS_Agent!tr
- Riskware/CoinMiner
Known vulnerabilities:
- CVE-2022-29013 - Razer.Sila.Gaming.Router.Command.Injection
- CVE-2022-26186/CVE-2022-26210 - Totolink.Router.Cstecgi.Command.Injection
- CVE-2022-25075 to CVE-2022-25084 - Totolink.Router.Main.Function.Query_String.Command.Injection
- CVE-2022-22954 - VMware.Workspace.ONE.Access.Catalog.Remote.Code.Execution
- CVE-2022-22947 - Spring.Cloud.Gateway.Actuator.Endpoint.Remote.Code.Execution
- CVE-2022-1388 - F5.BIG-IP.iControl.REST.Authentication.Bypass
- CVE-2018-20062 - ThinkPHP.Controller.Parameter.Remote.Code.Execution
- CVE-2018-10561 - Dasan.GPON.Remote.Code.Execution
- CVE-2017-18368 - TrueOnline.ZyXEL.P660HN.V1.Unauthenticated.Command.Injection
- CVE-2017-17215 - Huawei.HG532.Remote.Code.Execution
- CVE-2015-2051 - D-Link.Devices.HNAP.SOAPAction-Header.Command.Execution
- CVE-2014-8361 - D-Link.Realtek.SDK.Miniigd.UPnP.SOAP.Command.Execution
- D1000.Modem.CWMP.Command.Injection
- DVR.CCTV.Shell.Unauthenticated.Command.Execution
- Eseries.Router.Remote.Command.Execution
IOCs: Files:
- 8332871673d8e9d90c95a463e1bdc73b1fae1a59b46767cab1c0c9257de4e7f5
- ebe891df3802d21c34d1821c5c772d77de4c6e71eb84690ec19aecb923a95aca
- fd47e446e72d7eb6e75f4990c192559c349b92f60fa6f57508fde646cf8317aa
- 51f45d81f00e65a29b02231e5eba7ac850094fa00172668daf439d28d544717e
- 038271675df68c56ce147852093fcb795cbde55198d33f4be52d6d102689764d
- 56ab2c3f334f73b986c64180d5c82d4050a583ff06da0873ff4750be4a02bbaf
- 8dceacda8288e61769a9ccf6900dff45d500679440b006138d4746ebf15cc664
- e2c2a0cccefc4314c110f3c0b887e5008073e607c61e1adde5000efb8e630d50
- 1c1817e9c32dcf70871505a39d235d0f424f985d13998706ed0ed6aaffc20da6
- b4cd314c832f046143d200285dd1fb96f1f7443bc0e3d321614225bf77783160
- 5f73c66e72118cb2d18ff839e9f94d1d0e1da44a5c76a0972c537652eacf708b
Download URLs
- hxxp://176[.]65[.]137[.]5/bins/zero[.]x86
C2:
- 176[.]65[.]137[.]5
- 194[.]87[.]84[.]154
GLOBAL TRENDS:
Electricity and Physical/Cyber Threats – Physical and cyber threats are often directly connected. The recent physical attacks on the US electric grid, if it continues, will affect cyber operations and security. Amid a growing cyber threat to the US electric grid, 2022 ended with a spate of physical attacks that could portend new security rules for some energy infrastructure, say experts. “The physical substation attacks toward the end of last year raised the alarm bell,” Dragos, said in an email.[2]
Multiple substations in Washington were recently damaged last month which resulted in more than 14,000 outages on the Tacoma Power and Puget Sound Energy systems. And the North Carolina firearms attack earlier in the month knocked power out to about 45,000 Duke Energy customers. “Unfortunately, with 55,000 substations nationally, there are obvious risk-based limitations on addressing physical threats that need to be managed,” Dragos said. “The industry should expect further regulatory inquiries and potential actions from the federal government in response.”
The North American Electric Reliability Corp. (FERC) oversees a set of critical infrastructure protection standards, known as CIP, governing rules for Bulk Electric System power equipment. “I am hearing rumors that [the Federal Energy Regulatory Commission] may require NERC and the industry to revisit CIP-014, which is the physical security standard for critical BES transmission substations,” said the former director of critical infrastructure protection at Southwest Power Poo. FERC could consider stricter rules for more substations that operate between 200 kV and 499 kV, said Perry. But he added, “I don’t see FERC mandating costly physical security protections for those substations that engineering studies determine do not have a significant reliability impact if damaged or destroyed.”
Cost is a major barrier to improving physical security, experts agreed, particularly because grid equipment is often in remote areas and the electric system is designed with redundancies in place. Loss of a single substation, for instance, should not cause an outage. “What are you gonna do wrap everything in Kevlar? That would be a very poor use of regulation, in my opinion,” said the CEO and co-founder of NetRise.
While physical attacks may have grabbed headlines, the cyber threat is growing and hackers in Russia, China, Iran and North Korea all have sophisticated hacking abilities, say experts. And the rise of distributed energy resources creates a larger attack surface. The Federal Energy Regulatory Commission is considering developing new cybersecurity rules for DERs on the bulk electric system, and the US Department of Energy is funding “next-generation” cybersecurity research, development and demonstration projects. The NetRise CEO formerly worked with DOE, where he focused on industrial control systems security and said he expects more focus on software security in the coming year. That could include the potential for a software bill of materials, or SBOM, to be required for some vendors of some energy or grid-related services. The requirements would likely be “very prescriptive,” he said.
Modern software is constructed of many components, making vulnerabilities difficult to track, say experts. The federal government and the electric power sector are collaborating on an initiative to more readily disclose what components go into grid software. “I predict that the biggest cyber threat to the power industry in 2023 won’t be direct hacks like those depicted in the movies, but supply chain attacks, especially those that come through software,” said an independent security consultant. “These are currently the least understood of cyber-attacks, and aren’t directly covered by the NERC CIP standards.” Electric utilities “should be prepared for the increasing sophistication of supply chain compromise threats,” Roya Gordon, a security expert at Nozomi Networks, said in an email.
DNV Maritime Attack – Last week (01 09 2023), we reported on the cyber attack of the Norway based ship app (TR-23-090-001). DNV then admitted it is confirming that a recent ransomware cyber-attack on its fleet management software has impacted around 1,000 ships. The cyber-attack was discovered on the evening of Saturday, 7 January 20237, on its ShipManager fleet management and operations platform, forcing the class society to shut down the software’s IT servers. DNV now confirms that 70 customers and a total of 1,000 vessels are affected by what it says was a ransomware attack.[3] There are no indications that any other software or data by DNV is affected and the server outage does not impact any other DNV services. All users can still use the onboard, offline functionalities of the ShipManager software.
[1] https://www.fortinet.com/blog/threat-research/2022-iot-threat-review?lctg=141970831
[2] https://www.utilitydive.com/news/substation-attacks-may-lead-to-new-energy-security-rules-in-2023-experts-s/640138/
[3] https://gcaptain.com/dnv-confirms-ransomware-attack-impacting-1000-ships/