
When Vulnerabilities Travel Downstream


CVEs Assigned to Upstream Devices Exploited by Mirai IoT Botnet


Key Findings

  • While investigating the recent large-scale distributed denial-of-service (DDoS) attacks, Flashpoint identified the primary manufacturer of the devices that utilize the default username and password combination known as root and xc3511.
  • Default credentials pose little threat when a device is not accessible from the Internet. However, when combined with other defaults, such as web interfaces or remote login services like Telnet or SSH, default credentials may pose a great risk to a device.
  • In this case, default credentials can be used to “Telnet” to vulnerable devices, turning them into “bots” in a botnet.


Manufacturer of Upstream Devices Identified

While investigating the recent large-scale DDoS attacks against targets including Krebs On Security and OVH, Flashpoint identified the primary manufacturer of the devices that utilize the default username and password combination known as root and xc3511, respectively. These types of credentials exist all across the Internet and are commonly used via Telnet to access numerous types of DVRs. In fact, countless DVR manufacturers buy parts preloaded with Linux and rudimentary management software from a company called XiongMai Technologies, located in Hangzhou, China. This company sells white-labeled DVR, NVR and IP Camera boards and software to downstream vendors who then use it in their own products. Altogether, over five hundred thousand devices on public IPs around the world appear susceptible to this vulnerability.


Image 1: The default login page of Xiongmai Technologies “Netsurveillance” and “CMS” software. The download link for the older CMS binary is in the config.js file.

Why are default credentials such a bad thing?

Default credentials pose little threat when a device is not accessible from the Internet. However, when combined with other defaults, such as web interfaces or remote login services like Telnet or SSH, default credentials may pose a great risk to a device. In this case, the default credentials can be used to “Telnet” to the device. This tactic turns vulnerable devices into “bots” in a botnet. These credentials have been targeted for quite some time, but on a significantly smaller scale than that of the Mirai Botnet. In fact, the majority of media coverage surrounding Mirai has outed Dahua products as a primary source of compromised devices. However, Flashpoint’s analysis of the attack data shows that while Dahua devices are indeed being compromised, a very large percentage of the IPs involved in the DDoS attacks were hosting XiongMai Technologies-based products. The Dahua devices were identified early because of their distinctive interface and recent use in other botnets. Utilizing the “Low Impact Identification Tool” or LIFT, Flashpoint was able to identify a large number of these devices in the attack data provided.

The issue with these particular devices is that a user cannot feasibly change this password. The password is hardcoded into the firmware, and the tools necessary to disable it are not present. Even worse, the web interface is not aware that these credentials even exist. Further exacerbating the issue, the Telnet service is also hardcoded into /etc/init.d/rcS (the primary service startup script), which is not easy to edit. The combination of the default service and hard-coded credentials has led to the assignment of CVE-2016-1000245 by the Distributed Weakness Filing Project.

Web Authentication Vulnerabilities Uncovered

During the investigation, Flashpoint identified an additional vulnerability. There is a trivial web authentication bypass present on all devices running XiongMai Technologies “CMS” or “NetSurveillance” software. The login URL for the device, http://<IP_address_of_device>/Login.htm, prompts for a username and password. Once the user logs in, the URL does not change but instead loads a second page: DVR.htm. While researching CVE-2016-1000245, Flashpoint found that the web authentication can be bypassed by navigating to DVR.htm prior to login. This vulnerability has been assigned CVE-2016-1000246. It should be noted that both vulnerabilities appear in the same devices. Any DVR, NVR or Camera running the web server software “uc-httpd”, especially version 1.0.0, is potentially vulnerable. Out of those, any that return an “Expires: 0” field in their HTTP response headers are vulnerable to both.

Utilizing Shodan, a search engine for online devices, the number of affected devices becomes apparent. As of September 23, the height of the attacks, there were over 560,000 devices running uc-httpd web server software. However, according to a September 28 search with the addition of “Expires: 0”, nearly 470,000 devices have been confirmed vulnerable to both CVEs. Therefore, out of all uc-httpd 1.0.0 devices in the world as of October 6, over 515,000 are vulnerable.
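As an added example (not code from the Flashpoint advisory or from XiongMai), the header fingerprint described in the two paragraphs above, applied to constructed HTTP response headers such as an internal inventory scan would record for each device; the IP addresses and responses are made-up samples, and the CVE mapping follows the post's own rule (uc-httpd alone is "potentially vulnerable", uc-httpd plus "Expires: 0" is exposed to both CVEs).

```python
import re
from collections import Counter

# Constructed sample responses keyed by device address (not real captures).
SAMPLE_RESPONSES = {
    "192.0.2.10": "HTTP/1.1 200 OK\r\nServer: uc-httpd 1.0.0\r\nExpires: 0\r\nContent-Type: text/html\r\n\r\n",
    "192.0.2.11": "HTTP/1.1 200 OK\r\nServer: uc-httpd 1.0.0\r\nContent-Type: text/html\r\n\r\n",
    "192.0.2.12": "HTTP/1.1 200 OK\r\nServer: nginx/1.10.1\r\nExpires: 0\r\n\r\n",
    "192.0.2.13": "HTTP/1.1 401 Unauthorized\r\nserver: UC-HTTPD 1.0.0\r\nexpires: 0\r\n\r\n",
}


def parse_headers(raw):
    """Map lower-cased header names to values; the first occurrence wins."""
    headers = {}
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), value.strip())
    return headers


def classify(raw):
    """Apply the post's fingerprint to one raw HTTP response."""
    h = parse_headers(raw)
    m = re.match(r"uc-httpd(?:\s+([\d.]+))?", h.get("server", ""), re.IGNORECASE)
    if not m:
        return {"uc_httpd": False, "version": None,
                "potentially_vulnerable": False, "confirmed_cves": []}
    confirmed = []
    if h.get("expires") == "0":  # Expires: 0 marks devices exposed to both CVEs
        confirmed = ["CVE-2016-1000245", "CVE-2016-1000246"]
    return {"uc_httpd": True, "version": m.group(1),
            "potentially_vulnerable": True, "confirmed_cves": confirmed}


def summarize(responses):
    """Tally an inventory the way the post tallies Shodan results."""
    tally = Counter()
    for raw in responses.values():
        r = classify(raw)
        if r["uc_httpd"]:
            tally["uc-httpd"] += 1
            if r["version"] == "1.0.0":
                tally["uc-httpd 1.0.0"] += 1
            if r["confirmed_cves"]:
                tally["both CVEs (Expires: 0)"] += 1
    return tally
```

Feeding the same function a scanner's real response log replaces the Shodan query with an inventory of your own address space, which is where a remediation list should start.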

Final Notes

Large-scale DDoS attacks can potentially cause widespread negative effects for both IoT manufacturers and retailers. As such, IoT manufacturers are encouraged to consider security in the early stages of product development to help proactively reduce their risk. Since default passwords with default services contributed to device vulnerabilities during recent attacks, manufacturers may want to adjust these specifications in future product designs. Regarding IoT retailers, the primary concern is the potential damage to brand reputation following an attack. In order to help mitigate this risk, retailers are encouraged to work closely with manufacturers to establish and uphold security standards for IoT devices. Flashpoint’s observations following these recent attacks underscore the importance of IoT vulnerability risk awareness for both retailers and manufacturers.

The complete technical advisory is available here: http://www.flashpoint-intel.com/wp-content/uploads/2016/10/Technical-Advisory.pdf


About the author: Zach Wikholm


Zach Wikholm is a Research Developer at Flashpoint, where he specializes in information security and Internet of Things (IoT) risk analysis. Driven by lifelong interests in cyber threat research, emergent malware, and all things open-source (especially Linux), Zach has built a career around designing custom systems to help organizations achieve the optimal balance between security and usability. Prior to Flashpoint, Zach’s extensive experience in security engineering and IT consulting led to his role managing all internal security and network infrastructure operations as the Director of Security at CARI.net.