On the 23rd of March 2018, Talos Intelligence published research about a critical malware spreading across the internet through SOHO network devices such as modems, routers and firewalls.
The study shows that at this time at least 500K devices have been infected by this malware, which exploits well-known (and different) bugs present in the firmware of the targets. Right now it is not clear who is actually carrying out this attack, even if it looks like Ukraine is one of the most infected countries.
The attack code has several overlaps with an older malware dubbed “BlackEnergy”, which also targeted Ukraine in particular.
The malware infection is carried out in 3 stages:
In the first stage the malware infects the device by loading a “BusyBox”-based executable, compiled for the various architectures targeted by the attack. This is the persistent part of the malware.
Once the device is infected, the second stage tries to get in touch with the C&C server to retrieve commands to be executed. Several commands were isolated during the analysis, some of which have potentially destructive capability on the device itself (overwriting the device's flash):
This looks like a very sophisticated attack, targeting mostly end users or small organizations. The potential of such a botnet must be kept under control in any case.
On the 24th of May, a news item was published: “FBI has seized a key web domain communicating with a massive global botnet of hundreds of thousands of infected SOHO routers and other NAS devices.”
At this time the list of known vulnerable devices is the following:
Mikrotik RouterOS Versions for Cloud Core Routers:
HOW TO PROTECT
Identifying the malware can be a bit difficult for end users, since the infected device is usually the one at the network border. For this reason it is very important for ISPs to be vigilant about suspicious traffic related to this, so that they can inform the owners of the affected devices.
Talos also released a set of Snort signatures that can be used to identify the presence of the vulnerabilities.
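As an added example (not code from the article or from Talos) of the ISP-side workflow the two paragraphs above describe: the script below parses Snort alert_fast output produced by signatures such as the ones Talos released, groups high-priority hits by the customer-side address, and orders the customers to notify so that devices already beaconing outbound (likely infected) come before devices merely being probed. The sample alert lines, the SIDs (in the 1000000+ local-rule range) and their messages are constructed placeholders and are not the real Talos signatures; the customer prefix 198.51.100.0/24 is an assumed documentation range.

```python
import ipaddress
import re

# Constructed sample of Snort alert_fast lines. SIDs and messages are
# placeholders in the local-rule range, NOT the signatures Talos published.
SAMPLE_ALERTS = """\
05/24-10:00:01.123456  [**] [1:1000001:1] LOCAL-PLACEHOLDER SOHO botnet stage2 C2 beacon [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 198.51.100.23:41522 -> 203.0.113.7:80
05/24-10:00:07.001002  [**] [1:1000002:1] LOCAL-PLACEHOLDER SOHO router exploit attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.9:55201 -> 198.51.100.44:80
05/24-10:05:01.500000  [**] [1:1000001:1] LOCAL-PLACEHOLDER SOHO botnet stage2 C2 beacon [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 198.51.100.23:41530 -> 203.0.113.7:80
05/24-10:06:12.000000  [**] [1:1000003:2] LOCAL-PLACEHOLDER ICMP info leak [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.80 -> 198.51.100.1
"""

# One alert_fast line: timestamp, [gid:sid:rev], message, optional
# classification, priority, protocol and the address pair (ports are absent
# for ICMP, so they are optional here).
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line):
    """Parse one alert_fast line into a dict; return None for non-matching lines."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        rec[key] = int(rec[key])
    return rec


def parse_alerts(text):
    """Parse a whole alert file, silently skipping lines that are not alerts."""
    return [rec for rec in map(parse_alert, text.splitlines()) if rec]


def summarize_by_customer(alerts, customer_prefix, priority_threshold=1):
    """Group alerts at or above the given Snort priority (1 = highest) by the
    customer-side address inside customer_prefix. An alert whose source is a
    customer address is 'outbound' (the device itself is talking, e.g. a C&C
    beacon); one whose destination is a customer address is 'inbound' (the
    device is being attacked). Alerts touching no customer address are ignored."""
    net = ipaddress.ip_network(customer_prefix)
    summary = {}
    for a in alerts:
        if a["prio"] > priority_threshold:
            continue
        if ipaddress.ip_address(a["src"]) in net:
            customer, direction = a["src"], "outbound"
        elif ipaddress.ip_address(a["dst"]) in net:
            customer, direction = a["dst"], "inbound"
        else:
            continue
        entry = summary.setdefault(customer, {
            "alerts": 0, "sids": set(), "directions": set(),
            "first": a["ts"], "last": a["ts"],
        })
        entry["alerts"] += 1
        entry["sids"].add(a["sid"])
        entry["directions"].add(direction)
        entry["last"] = a["ts"]
    return summary


def notification_list(summary):
    """Order customers for owner notification: devices with outbound hits first,
    then by number of alerts, then by address for a stable result."""
    def rank(item):
        ip, entry = item
        return (0 if "outbound" in entry["directions"] else 1,
                -entry["alerts"], ipaddress.ip_address(ip))
    return [ip for ip, _ in sorted(summary.items(), key=rank)]


if __name__ == "__main__":
    summary = summarize_by_customer(parse_alerts(SAMPLE_ALERTS), "198.51.100.0/24")
    for ip in notification_list(summary):
        e = summary[ip]
        print(f"{ip}: {e['alerts']} alert(s), sids={sorted(e['sids'])}, "
              f"{'/'.join(sorted(e['directions']))}, {e['first']} .. {e['last']}")
```

In practice the alert file would come from a sensor at the ISP's aggregation point, and the customer prefix from the ISP's own addressing plan; the "outbound first" ordering matters because a device already contacting a C&C server is past the exploitation stage, while an inbound exploit attempt alone only says the device was probed.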