Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

BotenaGo Botnet Targets Millions of IoT Devices with 33 Exploits

BotenaGo Botnet Targets Millions of IoT Devices with 33 Exploits

The new BotenaGo malware botnet has been discovered using over thirty exploits to attack millions of routers and IoT devices.

BotenaGo was written in Golang (Go), which has been exploding in popularity in recent years, with malware authors loving it for making payloads that are harder to detect and reverse engineer.

In the case of BotenaGo, only six out of 62 AV engines on VirusTotal flag the sample as malicious, and some identify it as Mirai.

Also Read: How PII Data Works In Businesses And Its Advantages

BotenaGo goes primarily unnoticed by AV scanners
BotenaGo goes primarily unnoticed by AV scanners
Source: AT&T

Targeting millions of devices

BotenaGo incorporates 33 exploits for a variety of routers, modems, and NAS devices, with some notable examples given below:

  • CVE-2015-2051, CVE-2020-9377, CVE-2016-11021: D-Link routers
  • CVE-2016-1555, CVE-2017-6077, CVE-2016-6277, CVE-2017-6334: Netgear devices
  • CVE-2019-19824: Realtek SDK based routers
  • CVE-2017-18368, CVE-2020-9054: Zyxel routers and NAS devices
  • CVE-2020-10987: Tenda products
  • CVE-2014-2321: ZTE modems
  • CVE-2020-8958: Guangzhou 1GE ONU

Researchers at AT&T who analyzed the new botnet found that it targets millions of devices with functions that exploit the above flaws.

An example given is the search string for Boa, which is a discontinued open-source web server used in embedded applications and one that still returns nearly two million internet-facing devices on Shodan.

Also Read: How To Check Data Breach And How Can We Prevent It

Shodan search returned 2 million results on Boa
Shodan search returned 2 million results on Boa
Source: AT&T

Another notable example is the targeting of CVE-2020-10173, a command-injection flaw in Comtrend VR-3033 gateway devices, of which 250,000 are still exploitable.

When installed, the malware will listen on two ports (31412 and 19412), where it waits for an IP address to be sent to it. Once one is received, the bot will exploit each vulnerability on that IP address to gain access.

BotenaGo mapping attack functions.
BotenaGo mapping attack functions.
Source: AT&T

Once BotenaGo gains access, it will execute remote shell commands to recruit the device into the botnet.

Depending on which device is targeted, the malware uses different links to fetch a matching payload.

At the time of the analysis, though, there were no payloads on the hosting server, so none could be retrieved for analysis.

Furthermore, the researchers didn’t find an active C2 communication between BotenaGo and an actor-controlled server, so they give three potential explanations on how it operates:

  1. BotenaGo is only one part (module) of a multi-stage modular malware attack, and it’s not the one responsible for handling communications.
  2. BotenaGo is a new tool used by Mirai operators on certain machines, a scenario that is backed by common payload dropping links.
  3. The malware isn’t ready to operate yet, and a sample from its early development phase leaked in the wild accidentally.

In conclusion, the appearance of BotenaGo in the wild is unusual given its incomplete operational status, but its underlying capabilities are leaving no doubt about the intention of its authors.

Fortunately, the new botnet has been spotted early, and the indicators of compromise are already available. Still, as long as there’s a wealth of vulnerable online devices to exploit, the incentive is there for the threat actors to continue the development of BotenaGo.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us