
Tag: TELNET

Cisco kills leaked CIA 0-day that let attackers commandeer 318 switch...

Fix neutralizes attack code that was put into the wild in early March.

Cisco patches switch hijacking hole – the one exploited by the...

Telnet security flaw fix finally lands – or just use SSH, yeah?

Cisco has patched a critical security flaw in its switches that can be potentially exploited by miscreants to hijack networks – a flaw disclosed in the Vault 7 leak of CIA files.…

Rash of in-the-wild attacks permanently destroys poorly secured IoT devices

Ongoing "BrickerBot" attacks might be trying to kill devices before they can join a botnet.

A simple command allows the CIA to commandeer 318 models of...

Bug relies on telnet protocol used by hardware on internal networks.

Cisco reports bug disclosed in Wikileaks’ Vault 7 CIA dump

More than 300 Borg switches carry critical IOS Telnet vuln the CIA knew about before Cisco

It looks like Cisco won't be chasing up a partnership with Wikileaks: it's combing the "Vault7" documents itself, and has turned up an IOS / IOS XE bug in more than 300 of its switch models.…

Cisco IOS and IOS XE Software Cluster Management Protocol Remote Code...

A vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code ...

VU#614751: Hughes satellite modems contain multiple vulnerabilities

Several models of Hughes high-performance broadband satellite modems are potentially vulnerable to several issues if not appropriately configured.

Is Mirai Really as Black as It’s Being Painted?

The Mirai botnet, which is made up of IoT devices and which was involved in DDoS attacks whose scale broke all possible records, causing denial of service across an entire region, has been extensively covered by the mass media. Given that the botnet’s source code has been made publicly available and that the Internet of Things trend is on the rise, no decline in IoT botnet activity should be expected in the near future. To put this in perspective, recall the year 2012, when the source code of the Zeus banker Trojan was made publicly available. A huge number of modifications of the Trojan appeared as a result of this, many of which are still active and rank among the most widespread financial malware. Similarly, the recent leak is likely to result in the emergence of Mirai modifications, created by cybercriminals and based on the source code that was made public. The botnet remains active. We carried out an analysis of its activity to find out how Mirai operates, what objectives its owners are pursuing and, most importantly, what needs to be done to avoid becoming part of the botnet in the future. 
How Mirai Works

Based on the botnet’s source code that was published on a user forum, Mirai consists of the following components:

- a command-and-control center (C&C) that contains a MySQL database of all infected IoT devices (bots) and sends commands to intermediate command distribution servers;
- a Scan Receiver component that collects the results of each bot’s operation and forwards them to the component that downloads the bot onto vulnerable devices (the Distributor);
- a downloader component, which delivers the bot’s binary file to a vulnerable device (using the wget and tftp utilities – but if they are not present in the system, it uses its own proprietary downloader);
- a bot, which, after being launched on an infected device, connects to the command-and-control center, scans an IP range (SYN scanning) for vulnerable IoT devices and sends the scan results to the Scan Receiver component in order for further malicious code to be subsequently downloaded to the device.

An important feature of the way the Mirai botnet scans devices is that the bot uses a login and password dictionary when trying to connect to a device. The author of the original Mirai included a relatively small list of logins and passwords for connecting to different devices. However, we have seen a significant expansion of the login and password list since then, achieved by including default logins and passwords for a variety of IoT devices, which means that multiple modifications of the bot now exist.

[Figure: List of logins and passwords used by the original Mirai in its search for vulnerable IoT devices]

However, this is by no means all the Mirai botnet can tell us about itself.

Analysis of the Botnet’s Activity

All you need to do to evaluate the Mirai botnet’s current activity is to deploy a server with an open telnet port somewhere on the Internet and analyze connection attempts made by different bots.

For example, we detected the first attempts to connect to our telnet port, by several different hosts, within three minutes of putting our experimental server online. Two facts indicate that these connections are made by bots of the original Mirai or its modifications (i.e., by infected devices):

- the accounts used by the bots in their attempts to establish a connection are found on the original botnet’s brute force word list;
- an analysis of connection sources has shown that infected hosts that perform scanning are in most cases IoT devices (cameras and routers of different manufacturers).

[Figure: Connection attempts by infected Mirai workstations in search of IoT devices using default passwords]

Here is a list of the “login:password” combinations most often used by Mirai bots in connection attempts:

1. admin : admin
2. root : xc3511
3. root : vizxv
4. root : juantech
5. root : default
6. admin : admin1234
7. root : password
8. root : root
9. root : xmhdipc
10. admin : smcadmin

If you ignore trivial combinations like “root:root” or “admin:admin”, you can get a good idea of which equipment the botnet is looking for. For example, the pairs “root:xc3511” and “root:vizxv” are default accounts for IP cameras made by rather large Chinese manufacturers.

[Figure: Admin panel for managing an IP camera that is part of the botnet]

As for the activity of the botnet itself, you can analyze the number of login attempts over 24 hours and see for yourself. On December 13, 2016 we recorded 5,553 attempts by Mirai bots to connect to our server, while 10 days before that, on December 3, 2016, we recorded 8,689 connection attempts. Does this mean that the botnet is losing power? Reduced activity related to searching for new potential bots might certainly be an indication that the rate at which Mirai is infecting new devices is falling, but it is too early to draw any conclusions.

How to Avoid Becoming Part of the Mirai Botnet

We recommend the following measures to prevent your devices from being included in the Mirai botnet:

- Change the default account parameters on each of your devices. Account passwords should be at least 8 characters long and include digits, upper-case letters and special characters.
- On each device, install the latest updates provided by the manufacturer.
- It is a good idea to block all potential entry points to the operating system on your devices (telnet/SSH/web panel, etc.) from being accessed over the Internet.

More details about the Mirai botnet are available to Kaspersky Intelligence Services reports’ subscribers. For more information, email intelreports@kaspersky.com
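The honeypot analysis above (matching telnet login attempts against the Mirai word list, counting hits per day, and setting the trivial root:root / admin:admin pairs aside) and the default-credential advice that follows it, as an added example that is not Kaspersky's code. The honeypot log format and the sample log lines are constructed for this example; the dictionary is the ten pairs the article lists, which a real deployment would extend with the full published list.

```python
"""Classify telnet login attempts recorded by a honeypot against the
Mirai default-credential list (added example; log format is constructed)."""
from collections import Counter, defaultdict
from datetime import datetime
import re

# The ten "login:password" pairs the article reports as most used by Mirai bots.
MIRAI_DICTIONARY = {
    ("admin", "admin"), ("root", "xc3511"), ("root", "vizxv"),
    ("root", "juantech"), ("root", "default"), ("admin", "admin1234"),
    ("root", "password"), ("root", "root"), ("root", "xmhdipc"),
    ("admin", "smcadmin"),
}
# Pairs the article calls trivial: they say little about which hardware the
# bot is hunting, so they count as hits but are kept out of the "top pairs".
TRIVIAL = {("admin", "admin"), ("root", "root")}

# Hypothetical honeypot log line: <ISO timestamp> <source ip> LOGIN user=<u> pass=<p>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) LOGIN user=(?P<user>\S*) pass=(?P<pw>\S*)$"
)

def parse_line(line):
    """Return an event dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
            "cred": (m["user"], m["pw"])}

def classify(events):
    """Per-day count of dictionary hits, the non-trivial pairs seen most often,
    and the scanning hosts per day (the infected devices worth reporting)."""
    per_day, top_pairs, sources = Counter(), Counter(), defaultdict(set)
    for ev in events:
        if ev["cred"] not in MIRAI_DICTIONARY:
            continue                      # ordinary noise, not a Mirai-style probe
        day = ev["ts"].date().isoformat()
        per_day[day] += 1
        sources[day].add(ev["src"])
        if ev["cred"] not in TRIVIAL:
            top_pairs[ev["cred"]] += 1
    return per_day, top_pairs, {d: sorted(s) for d, s in sources.items()}

def uses_mirai_default(user, password):
    """Owner-side check before exposing a device: is this a credential Mirai tries?"""
    return (user, password) in MIRAI_DICTIONARY

# Constructed sample log (documentation-range IPs); one malformed line on purpose.
SAMPLE_LOG = """\
2016-12-13T03:01:10 198.51.100.7 LOGIN user=root pass=xc3511
2016-12-13T03:01:12 198.51.100.7 LOGIN user=root pass=vizxv
2016-12-13T03:02:40 203.0.113.9 LOGIN user=admin pass=admin
2016-12-13T04:10:01 203.0.113.9 LOGIN user=root pass=xc3511
2016-12-13T05:00:00 192.0.2.44 LOGIN user=operator pass=letmein
2016-12-14T01:30:00 198.51.100.7 LOGIN user=root pass=xmhdipc
garbage line that should be skipped
"""

def analyse(text=SAMPLE_LOG):
    events = [e for e in map(parse_line, text.splitlines()) if e]
    return classify(events)

if __name__ == "__main__":
    per_day, top_pairs, sources = analyse()
    for day, n in sorted(per_day.items()):
        print(f"{day}: {n} dictionary hits from {len(sources[day])} hosts")
    for (u, p), n in top_pairs.most_common():
        print(f"  {u}:{p} x{n}")
```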

Nmap security scanner gets new scripts, performance boosts

The Nmap Project just released the Holiday Edition of its open source cross-platform security scanner and network mapper, with several important improvements and bug fixes. New features in Nmap 7.40 include Npcap 0.78r5, for adding driver signing updates to work with Windows 10 Anniversary Update; faster brute-force authentication cracking; and new scripts for the Nmap Scripting Engine, the project’s maintainer Fyodor wrote on the Nmap mailing list.

The de facto standard network mapping and port scanning tool, Nmap (Network Mapper) Security Scanner is widely used by IT and security administrators for network mapping, port-scanning, and network vulnerability testing. Administrators can run Nmap against the network to find open ports, determine what hosts are available on the network, identify what services those hosts are offering, and detect any network information leaked, such as the type of packet filters and firewalls in use. With a network map, administrators can spot unauthorized devices, ports that shouldn’t be open, or users running unauthorized services.

The Nmap Scripting Engine (NSE) built into Nmap runs scripts to scan for well-known vulnerabilities in the network infrastructure. Nmap 7.40 includes 12 new NSE scripts, bringing the total to 552 scripts, and makes several changes to existing scripts and libraries. The ssl-google-cert-catalog script has been removed from NSE, since Google is no longer supporting the service. Known Diffie-Hellman parameters for haproxy, postfix, and IronPort have been added to the ssl-dh-params script in NSE. A bug in mysql.lua that caused authentication failures in mysql-brute and other scripts (affecting Nmap 7.52Beta2 and later) has been fixed, along with a crash issue in smb.lua when using smb-ls. The http.lua script now allows processing HTTP responses with malformed header names.

The script http-default-accounts, which tests default credentials used by a variety of web applications and devices against a target, adds 21 new fingerprints and changes the way output is displayed. The script http-form-brute adds the content management system Drupal to the set of web applications it can brute force. The brute.lua script has been improved to use resources more efficiently. New scripts added to NSE include fingerprint-strings, to print the ASCII strings found in service fingerprints for unidentified services; ssl-cert-intaddr, to search for private addresses in TLS certificate fields and extensions; tso-enum, to enumerate usernames for TN3270 Telnet emulators; and tso-brute, which brute-forces passwords for TN3270 Telnet services.

Nmap 7.40 adds 149 IPv4 operating system fingerprints, bringing the current total to 5,336 OS fingerprints. These fingerprints let Nmap identify the operating system installed on the machine being scanned, and the list includes a wide range of hardware from various vendors. The latest additions are Linux 4.6, macOS 10.12 Sierra, and NetBSD 7.0. The Amazon Fire OS was removed from the list of OS fingerprints because “it was basically indistinguishable from Android.” Nmap also maintains a list of service fingerprints so that it can easily detect different types of services running on the machine. Nmap now detects 1,161 protocols, including airserv-ng, domaintime, rhpp, and usher. The fingerprints help speed up overall scan times. Nmap 7.40 also adds a service probe and UDP payload for Quick UDP Internet Connection (QUIC), a secure transport developed by Google that is used with HTTP/2.

A common issue when running a network scan is the time it takes to complete when some of the ports are unresponsive. A new option, --defeat-icmp-ratelimit, will label unresponsive ports as “closed|filtered” in order to reduce overall UDP scan times. Those unresponsive ports may be open, but by marking the port this way, administrators know those ports require additional investigation.

Source code and binary packages for Linux, Windows, and macOS are available from the Nmap Project page.

Sony kills off secret backdoor in 80 internet-connected CCTV models

Magic 'secret key' HTTP request opens up admin control

Sony has killed off what, charitably, looks like a debug backdoor in 80 of its web-connected surveillance cameras that can be exploited to hijack the devices. The hardcoded logins can be potentially used by malware, such as variants of the Mirai bot and its ilk, to automatically and silently commandeer swathes of Sony-built CCTV cams on the internet – and use the gadgets to launch attacks on other systems or spy on their owners.

The vulnerable gizmos are branded Sony Professional Ipela Engine IP cameras. The backdoor was discovered by Stefan Viehböck of Austrian infosec outfit SEC Consult in October; we're told an advisory will be published here today.

Firmware updates to kill off the vulnerability are already available from sony.co.uk. "We are grateful to SEC Consult for their assistance in enhancing network security for our network cameras," Sony said. The firmware contains two hardcoded, permanently enabled accounts in the builtin web-based admin console: debug with the password popeyeConnection, and primana with the password primana.

The latter, coupled with magic strings in the URL, unlocks telnet access, potentially granting administrative access to the camera via a command line. Later models can open an SSH server, too. For example, the following URLs, once sent to a vulnerable web-facing device, will enable telnet access:

http://primana:primana@HOST/command/prima-factory.cgi?foo=bar&Telnet=zKw2hEr9
http://primana:primana@HOST/command/prima-factory.cgi?foo=bar&Telnet=cPoq2fi4cFk

This triggers the prima-factory.cgi program in Sony's fifth-generation Ipela Engine cameras to open the backdoor by starting inetd, which is configured to run a telnet daemon on port 23. Sixth-generation cams use the magic string "himitunokagi", which is Japanese for "secret key". Once the telnet or SSH service is active, you can login as root and get command-line-level access to the operating system if you can crack these password hashes:

$1$$mhF8LHkOmSgbD88/WrM790 (gen-5 models)
iMaxAEXStYyd6 (gen-6 models)

SEC Consult reckons it'll only be a matter of time before the hashes are cracked, revealing the hardcoded root login password, so it's recommended firmware updates are applied to at-risk cameras before they are infected by miscreants. "We have not invested much time into cracking the root password, but this is only a matter of time and computing power, so eventually it will be cracked by someone," Johannes Greil, head of SEC Consult's Vulnerability Lab, told The Register. "We want vendors to get their act together and make more secure products out of the box and not actually harm their users with insecure IoT products. Publishing the root account password and making the devices an instant Mirai-botnet target is of no good to anyone." The devices also have a default username and password combo of admin:admin for the web-based admin console.

The primana account in the builtin web server gets you access to device testing and calibration features, and the debug account opens up other features SEC Consult has yet to explore. The affected models use firmware version 1.82.01 or earlier if they are fifth generation, or 2.7.0 or earlier if they are sixth generation.

Firmware versions 1.86.00 and 2.7.2 contain the fixes, we're told.
Specifically, if you have any of the following models, you should check if you have the latest firmware installed: SNC-CX600, SNC-CX600W, SNC-EB600, SNC-EB600B, SNC-EB602R, SNC-EB630, SNC-EB630B, SNC-EB632R, SNC-EM600, SNC-EM601, SNC-EM602R, SNC-EM602RC, SNC-EM630, SNC-EM631, SNC-EM632R, SNC-EM632RC, SNC-VB600, SNC-VB600B, SNC-VB600B5, SNC-VB630, SNC-VB6305, SNC-VB6307, SNC-VB632D, SNC-VB635, SNC-VM600, SNC-VM600B, SNC-VM600B5, SNC-VM601, SNC-VM601B, SNC-VM602R, SNC-VM630, SNC-VM6305, SNC-VM6307, SNC-VM631, SNC-VM632R, SNC-WR600, SNC-WR602, SNC-WR602C, SNC-WR630, SNC-WR632, SNC-WR632C, SNC-XM631, SNC-XM632, SNC-XM636, SNC-XM637, SNC-VB600L, SNC-VM600L, SNC-XM631L, SNC-WR602CL, SNC-CH115, SNC-CH120, SNC-CH160, SNC-CH220, SNC-CH260, SNC-DH120, SNC-DH120T, SNC-DH160, SNC-DH220, SNC-DH220T, SNC-DH260, SNC-EB520, SNC-EM520, SNC-EM521, SNC-ZB550, SNC-ZM550, SNC-ZM551, SNC-EP550, SNC-EP580, SNC-ER550, SNC-ER550C, SNC-ER580, SNC-ER585, SNC-ER585H, SNC-ZP550, SNC-ZR550, SNC-EP520, SNC-EP521, SNC-ER520, SNC-ER521, and SNC-ER521C.

"SEC Consult recommends you not to use these products until a thorough security review has been performed by security professionals," the infosec biz warns.

Printer security is so bad HP Inc will sell you services...

Finally, FINALLY, someone is turning off Telnet and FTP

Printer security is so awful HP Inc is willing to shut off shiny features and throw its own dedicated bodies at the perennial problem. The tech giant is offering the professional security services under its new and far-harder-than-before "Secure Managed Print Services" offering unveiled today. Security types will also provide ongoing risk assessments and audit passing for the horridly hackable hardware, and handle firmware updates and password resets.

The HP printers are shipped in a hardened state with shiny but dangerous features and ports closed by default in a move that reduces the attack surface available to external hackers. The obvious hacker-bait Telnet and FTP facilities inexplicably included in printers are on the hardening chopping block, as are other unspecified geriatric features. More interfaces will be decommissioned in the future as HP successfully wrangles popular software providers to move to more secure networking options. Thankfully remote capabilities remain to allow Shodan users – sorry, external HP experts – to log in and monitor the security health of device fleets.

The tech company is continuing its hardening approach, decommissioning old cipher suites and protocols, and upping administration and encryption settings for new and old HP printers. “Networked printers can no longer be overlooked in the wake of weakening firewalls to the growing sophistication and volume of cyberattacks,” HP South Pacific printer boss Ben Vivoda says.

Sh… IoT just got real: Mirai botnet attacks targeting multiple ISPs

Now ZyXEL and D-Link routers from Post Office and TalkTalk under siege

Analysis The Mirai botnet has struck again, with hundreds of thousands of TalkTalk and Post Office broadband customers affected.

The two ISPs join a growing casualty list from a wave of assaults that have also affected customers at Deutsche Telekom, KCOM and Irish telco Eir over the last two weeks or so. Problems at the Post Office and TalkTalk both began on Sunday and collectively affected hundreds of thousands of surfers.
Similar attacks against thousands of KCOM broadband users around Hull that started about the same time targeted users of telco-supplied routers.

Thousands of punters at the smaller ISP were left without a reliable internet connection as a result of the assault, which targeted routers from Taiwanese manufacturer ZyXEL. KCOM told El Reg that Mirai was behind the assault on its broadband customers, adding that: "ZyXEL has developed a software update for the affected routers that will address the vulnerability." The timing and nature of this patch remains unclear.

ZyXEL told El Reg that the problem stemmed from malicious exploitation of the maintenance interface (port 7547) on its kit, which it was in the process of locking down:

"With malicious practice in place, unauthorised users could access or alter the device's LAN configuration from the WAN-side using TR-064 protocol. ZyXEL is aware of the issue and assures customers that we are handling the issue with top priority. We have conducted a thorough investigation and found that the root cause of this issue lies with one of our chipset providers, Econet, with chipsets RT63365 and MT7505 with SDK version #7.3.37.6 and #7.3.119.1 v002 respectively."

Last week a widespread attack on the maintenance interfaces of broadband routers affected the telephony, television, and internet service of about 900,000 Deutsche Telekom customers in Germany.
Vulnerable kit from ZyXEL also cropped up in the Deutsche Telekom case. Other victims include customers of Irish ISP Eir where (once again) ZyXEL-supplied kit was the target. The Post Office confirmed that around "100,000 of our customers" have been affected and that the attack had hit "customers with a ZyXEL router". ZyXEL routers are not a factor in the TalkTalk case, where routers made by D-Link are under the hammer.

TalkTalk confirmed that the Mirai botnet was behind the attack against its customers, adding in the same statement that a fix was being rolled out:

"Along with other ISPs in the UK and abroad, we are taking steps to review the potential impacts of the Mirai worm. A small number of customer routers have been affected, and we have deployed additional network-level controls to further protect our customers. We do believe this has been caused by the Mirai worm – we can confirm that a fix is now in place, and all affected customers can reconnect to the internet. Only a small number of our customers have the router (a D-Link router) that was at risk of this vulnerability, and only a small number of those experienced connection issues."

The Post Office is similarly promising its customers that a fix is in the works:

"Post Office can confirm that on 27 November a third party disrupted the services of its broadband customers, which impacted certain types of routers. Although this did result in service problems we would like to reassure customers that no personal data or devices have been compromised. We have identified the source of the problem and implemented a resolution which is currently being rolled out to all customers."

It's unclear who is responsible for the growing string of attacks on ISP customers across Europe or their motives.

The mechanism of the attack is, however, all too clear. Hackers are using the infamous Mirai malware or one of its derivatives to wreak havoc.

The IoT malware scans for telnet before attempting to hack into vulnerable devices, using a brute-force attack featuring 61 different user/password combinations, the various default settings of kit from various manufacturers. Up to 5m devices are up for grabs thanks to wide open management ports, according to some estimates. Jean-Philippe Taggart, senior security researcher at Malwarebytes, said: "The leaked Mirai code, poorly secured remote administration on IoT devices, coupled with the recent availability of a Metasploit module to automate such attacks make for an ideal botnet recruitment campaign. "So far, it seems the infection does not survive a reboot, but the malicious actors tend to disable access to the remote administration as part of the infection.

This prevents the ISP from applying an update that would solve these issues.

The botnet gains a longer life as users seldom reboot their routers unless they're experiencing a problem." Other experts imply further attacks along the same lines are inevitable because the state of router security is poor and unlikely to improve any time soon. Daniel Miessler, director of advisory services at IOActive, commented: "Recent attacks to Deutsche Telekom, TalkTalk and the UK Post Office will be felt by hundreds of thousands of broadband customers in Europe, but while the lights stay on and no one is in any real physical or financial danger, sadly nothing will change.
IoT will remain fundamentally insecure. "The current state of IoT security is in bad shape, and will get a whole lot worse before it gets any better.

The Mirai botnet, which is powered by 100,000 IoT devices that are insecure by default, is just the most obvious and topical example."