Nov 12, 2021

Millions of Routers, IoT Devices at Risk from New Open-Source Malware

BotenaGo, written in Google’s Golang programming language, can exploit more than 30 different vulnerabilities.
Newly surfaced malware that is difficult to detect and written in Go, Google's open-source programming language, has the potential to exploit millions of routers and IoT devices, researchers have found.
Discovered by researchers at AT&T Alien Labs, BotenaGo can exploit more than 30 different vulnerabilities to attack a target, Ofer Caspi, a security researcher at Alien Labs, wrote in a blog post published Thursday.
The malware, which is written in Golang (a language whose design Google began in 2007 and which it released publicly in 2009), works by opening a backdoor on the device. It then waits to receive a target to attack, either from a remote operator through port 19412 or from another related module running on the same machine, he wrote.
Golang, also known as Go, is aimed at simplifying how software is built by making it easy for developers to cross-compile the same code for different operating systems and CPU architectures. This feature may be the reason it has caught on with malware developers in the last few years, since it also makes it easier for attackers to spread malware across multiple platforms, Caspi wrote.
Indeed, research from Intezer, which offers a platform for analyzing malware, suggests there has been a 2,000 percent increase in malware written in Go found in the wild, he wrote.
Researchers said at this time they don’t know which threat actor or actors developed BotenaGo, nor the full scale of devices that are vulnerable to the malware. So far, antivirus protections also don’t seem to recognize the malware, sometimes misidentifying it as a variant of Mirai malware, Caspi wrote.
BotenaGo commences its work with some exploratory moves to see whether a device is vulnerable to attack, Caspi wrote. It starts by initializing global infection counters that are printed to the screen, informing the attacker of the total number of successful infections. The malware then looks for the 'dlrs' folder from which to load shell script files. If this folder is missing, BotenaGo stops the infection process.
In its last step before fully engaging, BotenaGo calls the function ‘scannerInitExploits’, “which initiates the malware attack surface by mapping all offensive functions with its relevant string that represent the targeted system,” Caspi wrote.
BotenaGo identifies a vulnerable target by first querying it with a simple HTTP "GET" request. It then searches the returned data from the "GET" request for each system signature that was mapped to an attack function.
Researchers detail several possible attacks that can be carried out using this query. In one, the malware maps the string "Server: Boa/0.93.15" to the function "main_infectFunctionGponFiber," which attempts to exploit a vulnerable target, Caspi wrote.
This allows the attacker to execute an OS command via a specific web request using a vulnerability tracked as CVE-2020-8958. A SHODAN search turned up nearly 2 million internet-exposed devices that are potentially vulnerable to this attack alone, he wrote.
“In total, the malware initiates 33 exploit functions that are ready to infect potential victims,” Caspi wrote. A full list of the vulnerabilities that BotenaGo can exploit is included in the post.
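The banner-to-function dispatch described above (a response string mapped to a handler) is easy to turn around for defensive triage. The following Go program is an added example written for this page, not code from the AlienLabs analysis or from BotenaGo: it issues one GET, rebuilds the "Server: ..." line from the response and dispatches on an ordered signature table whose handlers produce a triage note instead of an exploit. Only the "Server: Boa/0.93.15" to CVE-2020-8958 pairing comes from the article; the generic "Server: Boa/" entry, the device stand-in built with net/http/httptest, and all names are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Finding is what a signature handler returns for a device whose banner matched.
// In the malware the handler would fire an exploit; here it only classifies.
type Finding struct {
	Signature string // the table entry that matched
	Banner    string // the reconstructed "Server: ..." line from the response
	Note      string // triage guidance
}

// signatureEntry pairs a substring searched for in the HTTP response with a
// handler, the same string-to-function mapping the article attributes to
// scannerInitExploits.
type signatureEntry struct {
	match   string
	handler func(banner string) Finding
}

// signatureTable is an ordered slice so dispatch is deterministic (most specific
// banner first). The first entry is the one named in the write-up; the generic
// Boa entry is an assumption added for this example.
var signatureTable = []signatureEntry{
	{
		match: "Server: Boa/0.93.15",
		handler: func(b string) Finding {
			return Finding{Signature: "Server: Boa/0.93.15", Banner: b,
				Note: "banner matches the BotenaGo target class tied to CVE-2020-8958; isolate and patch"}
		},
	},
	{
		match: "Server: Boa/",
		handler: func(b string) Finding {
			return Finding{Signature: "Server: Boa/", Banner: b,
				Note: "embedded Boa web server of another version; verify firmware level"}
		},
	},
}

// fingerprint issues one GET, rebuilds the "Server: ..." header line the way the
// malware searches the raw response, and dispatches on the first matching entry.
func fingerprint(client *http.Client, url string) (Finding, bool) {
	resp, err := client.Get(url)
	if err != nil {
		return Finding{}, false
	}
	defer resp.Body.Close()
	banner := "Server: " + resp.Header.Get("Server")
	for _, e := range signatureTable {
		if strings.Contains(banner, e.match) {
			return e.handler(banner), true
		}
	}
	return Finding{}, false
}

// newFakeDevice stands in for a LAN device. It is constructed for this example
// and only sets the Server header (Go's http server adds none by itself).
func newFakeDevice(serverHeader string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Server", serverHeader)
		fmt.Fprintln(w, "<html>login</html>")
	}))
}

func main() {
	for _, hdr := range []string{"Boa/0.93.15", "Boa/0.94.14rc21", "nginx/1.18.0"} {
		srv := newFakeDevice(hdr)
		f, ok := fingerprint(srv.Client(), srv.URL)
		srv.Close()
		fmt.Printf("%-18s matched=%v %s\n", hdr, ok, f.Note)
	}
}
```

Two caveats apply in practice: a Server header is trivially spoofable, so a match is a triage signal rather than proof of exploitability, and devices whose web interface is not on port 80 or that answer only on a specific path will not present the banner to a bare GET.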
There are two different ways the malware can receive commands to target victims, researchers found. One is to open backdoor ports, 31421 and 19412, that are used in an attack scenario, Caspi wrote.
“On port 19412 it will listen to receive the victim IP,” he wrote. “Once a connection with information to that port is received, it will loop through mapped exploit functions and execute them with the given IP.”
The second way BotenaGo can receive a target command is by setting a listener on system I/O (terminal) user input, getting the command to the device that way, Caspi explained.
“For example, if the malware is running locally on a virtual machine, a command can be sent through telnet,” he wrote.
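Because the malware listens on fixed ports for its victim-IP feed and backdoor, a host-side check for those listeners is a cheap triage step on a Linux router or IoT device. The program below is an added example for this page, not code from the researchers or the malware: it parses /proc/net/tcp-formatted rows (hex little-endian IPv4 address and hex port, state 0A meaning LISTEN) and reports LISTEN sockets bound to 19412 or 31421. The two port numbers come from the article; the sample rows are constructed, only IPv4 (/proc/net/tcp, not tcp6) is handled, and the function names are assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// botenaGoPorts are the two listener ports named in the AlienLabs analysis.
var botenaGoPorts = map[int]string{
	19412: "victim-IP listener",
	31421: "backdoor",
}

// Listener is one LISTEN socket recovered from a /proc/net/tcp row.
type Listener struct {
	Addr string
	Port int
	Why  string
}

// parseHexAddr turns "0100007F:4BD4" into ("127.0.0.1", 19412). /proc/net/tcp
// stores the IPv4 address as a little-endian 32-bit hex word and the port as
// big-endian hex.
func parseHexAddr(s string) (string, int, error) {
	parts := strings.Split(s, ":")
	if len(parts) != 2 || len(parts[0]) != 8 {
		return "", 0, fmt.Errorf("bad address %q", s)
	}
	ip, err := strconv.ParseUint(parts[0], 16, 32)
	if err != nil {
		return "", 0, err
	}
	port, err := strconv.ParseUint(parts[1], 16, 16)
	if err != nil {
		return "", 0, err
	}
	addr := fmt.Sprintf("%d.%d.%d.%d", byte(ip), byte(ip>>8), byte(ip>>16), byte(ip>>24))
	return addr, int(port), nil
}

// findSuspiciousListeners scans /proc/net/tcp-formatted text and returns LISTEN
// sockets (st == 0A) bound to the ports BotenaGo uses. Established connections
// on those ports are deliberately ignored; only a bound listener is reported.
func findSuspiciousListeners(procNetTCP string) []Listener {
	var out []Listener
	sc := bufio.NewScanner(strings.NewReader(procNetTCP))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		// columns: sl local_address rem_address st ...
		if len(f) < 4 || f[0] == "sl" {
			continue
		}
		if f[3] != "0A" { // 0A = TCP_LISTEN
			continue
		}
		addr, port, err := parseHexAddr(f[1])
		if err != nil {
			continue
		}
		if why, ok := botenaGoPorts[port]; ok {
			out = append(out, Listener{Addr: addr, Port: port, Why: why})
		}
	}
	return out
}

// sampleProcNetTCP is constructed for this example, not captured from an
// infected device: sshd on 22, a wildcard listener on 19412 (0x4BD4), a
// loopback listener on 31421 (0x7ABD), and one established flow on 19412.
const sampleProcNetTCP = `  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 00000000:4BD4 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5678 1 0000000000000000 100 0 0 10 0
   2: 0100007F:7ABD 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5679 1 0000000000000000 100 0 0 10 0
   3: 0100007F:4BD4 0200000A:C350 01 00000000:00000000 00:00000000 00000000     0        0 5680 1 0000000000000000 100 0 0 10 0`

func main() {
	for _, l := range findSuspiciousListeners(sampleProcNetTCP) {
		fmt.Printf("LISTEN %s:%d  (%s)\n", l.Addr, l.Port, l.Why)
	}
}
```

A port number alone is a weak indicator, since any service may bind 19412 or 31421; on a live system, resolve the row's inode column to the owning process via /proc/<pid>/fd before acting on a hit.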
Given its ability to exploit internet-exposed devices, BotenaGo can be dangerous to corporate networks by gaining access through the vulnerable devices that front them, said one security professional.
“Bad actors, such as those at work here, love to exploit these devices to gain access to the internal networks behind them, or just to use it as a platform from which to launch other attacks,” observed Erich Kron, security awareness advocate at security firm KnowBe4, in an email to Threatpost.
Attacks that can be launched once an attacker takes over a device and piggybacks on the network it sits on include DDoS attacks, which can lead to extortion of money from victims, he said. Attackers also can host and spread malware using a victim's internet connection, Kron observed.
Given the number of vulnerabilities it can take advantage of, BotenaGo also shows the importance of keeping IoT devices and routers updated with the latest firmware and patches, so they are not left exposed to exploitation, he added.