Advisory

Security Advisory

FBI Warns  End-of-Life Routers Exploited in Active Botnet and Proxy Campaigns 

Summary 

The FBI issued an alert warning of ongoing exploitation of 13 EOL Linksys/Cisco routers by cybercriminal groups operating the 5Socks and Anyproxy services.

The threat actors are using known vulnerabilities in outdated firmware to install malware, hijack routers, and leverage them as part of a botnet or proxy service used to mask malicious activities. 

The malware establishes persistent access via regular communication with a command & control (C2) server, and affected devices are being rented out to other criminals.

The FBI strongly recommends replacing EOL devices with with newer and actively supported model or at least disabling remote management features immediately. 

Technical Details 

Attack Overview 

  • Entry Point: Remote administration services exposed to the Internet. 
  • Authentication Bypass: Attackers bypass password protection to gain shell/root access. 
  • Malware Capabilities
  • Maintains persistent presence through C2 check-ins every 60 seconds to 5 minutes. 
  • Opens ports to act as proxy relays. 
  • Enables the sale of infected routers as “proxy-as-a-service” infrastructure. 

Confirmed Vulnerable Devices 

The FBI has identified the following end-of-life (EOL) routers from Cisco and Linksys as actively targeted in these campaigns: 

  • E1200 
  • E2500 
  • E1000 
  • E4200 
  • E1500 
  • E300 
  • E3200 
  • WRT320N 
  • E1550 
  • WRT610N 
  • E100 
  • M10 
  • WRT310N 

Indicators of Compromise (IOCs) 

Since the malware is router-based, it is difficult for an end user to know if their device is compromised due to the inability of antivirus tools to scan these devices.

Below is a list of files associated with the malware’s router exploitation campaign: 

Name Hash 
0_forumdisplay-php_sh_gn-37-sh 661880986a026eb74397c334596a2762 
1_banana.gif_to_elf_t 62204e3d5de02e40e9f2c51eb991f4e8 
2_multiquote_off.gif_to_elf_gn-p_forward- 
hw-data-to-exploit-server 		9f0f0632b8c37746e739fe61f373f795 
3_collapse_tcat_gif_sh_s3-sh 22f1f4c46ac53366582e8c023dab4771 
4_message_gif_to_elf_k cffe06b0adcc58e730e74ddf7d0b4bb8 
5_viewpost_gif_to_elf_s 084802b4b893c482c94d20b55bfea47d 
6_vk_gif_to_elf_b e9eba0b62506645ebfd64becdd4f16fc 
7_slack_gif_DATA 41e8ece38086156959804becaaee8985 
8_share_gif_DATA 1f7b16992651632750e7e04edd00a45e 
banana.gif-upx 2667a50869c816fa61d432781c731ed2 
message.gif-upx 0bc534365fa55ac055365d3c31843de7 

Recommended Mitigations

  • Replace Vulnerable Devices: Immediately replace EOL routers with models still supported by vendors and receiving firmware/security updates. 
  • Disable Remote Administration: Turn off any form of remote management via web, SSH, or Telnet. 
  • Reboot Compromised Devices: This can temporarily disrupt malware persistence, though not permanently remove it. 
  • Network Segmentation: Isolate critical devices from consumer routers or IoT networks. 
  • Implement Monitoring Tools: Use firewalls or network sensors that detect unusual traffic or device behavior. 

“End of life routers were breached by cyber actors using variants of TheMoon malware botnet,” reads the FBI bulletin.

“Recently, some routers at end of life, with remote administration turned on, were identified as compromised by a new variant of TheMoon malware. This malware allows cyber actors to install proxies on unsuspecting victim routers and conduct cyber crimes anonymously.”

References


Security Advisory

Important Security Alert: SonicWall Issues Patch for SSL-VPN Vulnerabilities 

SonicWall has released an Critical advisory urging administrators to address a critical vulnerability in its SSL-VPN product.

The flaw, identified as CVE-2024-53704, poses a significant security risk, allowing attackers to exploit the system remotely. Administrators are strongly encouraged to update their systems immediately to mitigate potential threats. SonicWall has released an Critical advisory urging administrators to address a critical vulnerability in its SSL-VPN product.

Key Details:

  • The vulnerability allows unauthenticated remote attackers to execute arbitrary code on affected systems.
  • It impacts SonicWall’s SSL-VPN products, widely used for secure remote access.
  • Exploitation of this bug could lead to severe consequences, including unauthorized access to sensitive data, network infiltration, and system compromise.

Summary 

OEM SonicWall 
Severity High 
CVSS 8.2 
CVEs CVE-2024-53704 
Exploited in Wild No 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

The security flaw, tracked as CVE-2024-53704, presents a serious risk, enabling remote exploitation by attackers. Administrators are highly advised to apply the necessary patches without delay to protect against potential threats.  

Vulnerability Name CVE ID Product Affected Severity Affected Version 
Improper Authentication CVE-2024-53704 SonicWall  High 7.1.x (7.1.1-7058 and older), 7.1.2-7019 
8.0.0-8035 
A privilege escalation vulnerability CVE-2024-53706 SonicWall High  7.1.x (7.1.1-7058 and older), 7.1.2-7019 
A weakness in the SSLVPN authentication token generator CVE-2024-40762 SonicWall High  7.1.x (7.1.1-7058 and older), 7.1.2-7019 
A server-side request forgery (SSRF) vulnerability CVE-2024-53705 SonicWall Medium 6.5.4.15-117n and older 
7.0.x (7.0.1-5161 and older) 

Technical Summary 

CVE ID System Affected Vulnerability Details Impact 
 CVE-2024-53704  Gen7 Firewalls, Gen7 NSv, TZ80 An Improper Authentication vulnerability in the SSLVPN authentication mechanism allows a remote attacker to bypass authentication.  Bypass authentication 
 CVE-2024-53706  Gen7 Cloud Platform NSv A vulnerability in the Gen7 SonicOS Cloud platform NSv (AWS and Azure editions only), allows a remote authenticated local low-privileged attacker to elevate privileges to `root` and potentially lead to code execution.  Allow attackers to gain root privileges and potentially execute code. 
  CVE-2024-40762  Gen7 Firewalls, Gen7 NSv, TZ80 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in the SonicOS SSLVPN authentication token generator that, in certain cases, can be predicted by an attacker potentially resulting in authentication bypass. Weak PRNG in authentication tokens can lead to authentication bypass in SSLVPN. 
 CVE-2024-53705  Gen6 Hardware Firewalls, Gen7 Firewalls, Gen7 NSv A Server-Side Request Forgery vulnerability in the SonicOS SSH management interface allows a remote attacker to establish a TCP connection to an IP address on any port when the user is logged in to the firewall. Allow attackers to establish TCP connections to arbitrary IP addresses and ports 

Remediation

  • Update: Impacted users are recommended to upgrade to the following versions to address the security risk: 
 Firewalls Versions Fixes and Releases 
Gen 6 / 6.5 hardware firewalls SonicOS 6.5.5.1-6n or newer 
Gen 6 / 6.5 NSv firewalls SonicOS 6.5.4.v-21s-RC2457 or newer 
Gen 7 firewalls SonicOS 7.0.1-5165 or newer; 7.1.3-7015 and higher 
TZ80: SonicOS SonicOS 8.0.0-8037 or newer 

Recommendations: 

  • Patch Without Delay: Install the latest firmware update from SonicWall to resolve this vulnerability. Detailed instructions are available in SonicWall’s official advisory. 
  • Monitor Network Activity: Regularly monitor network traffic for signs of suspicious or unauthorized access. 
  • Limit Access: Restrict VPN access to trusted users and enforce Multi-Factor Authentication (MFA) for all accounts. 
  • Stay Updated: Subscribe to SonicWall’s security alerts and updates to stay informed about upcoming vulnerabilities. 

References: 

Security Advisory

Advisory on MUT-8694: Threat Actors Exploiting Developer Trust in Open-Source Libraries

MUT-8694: Threat Actors Exploiting Developer Trust in Open-Source Libraries

Overview

In November 2024, a supply chain attack designated as MUT-8694 was identified, targeting developers relying on npm and PyPI package repositories. This campaign exploits trust in open-source ecosystems, utilizing typosquatting to distribute malicious packages. The malware predominantly affects Windows users, delivering advanced infostealer payloads.

MUT-8694 Campaign Details

The threat actors behind MUT-8694 use malicious packages that mimic legitimate libraries to infiltrate developer environments. The campaign employs techniques such as:

  • Typosquatting: Using package names that closely resemble popular or legitimate libraries.
  • Payload Delivery: Embedded scripts download malware such as Blank Grabber and Skuld Stealer hosted on GitHub and repl.it.
  • Targeted Ecosystems: npm and PyPI, critical platforms for developers.

             Source: Datadog

Key Findings

One identified package, larpexodus (version 0.1), executed a PowerShell command to download and run a Windows PE32 binary from github[.]com/holdthaw/main/CBLines.exe. Analysis revealed the binary was an infostealer malware, Blank Grabber, compiled from an open-source project hosted on GitHub. Further inspection of the repository exposed another stealer, Skuld Stealer, indicating the involvement of multiple commodity malware samples.

Capabilities of Malware

The deployed malware variants include advanced features that allow:

  • Credential Harvesting: Exfiltrating usernames, passwords, and sensitive data.
  • Cryptocurrency Wallet Theft: Targeting and compromising crypto assets.
  • Application Data Exfiltration: Stealing configuration files from popular applications

Affected Packages

Some known malicious packages include:

  • larpexodus (PyPI): Executes a PowerShell script to download malware.
  • Impersonations of npm libraries: Host binaries leading to infostealer deployment.

Remediation:

To mitigate the risks associated with this attack, users should:

  • Audit Installed Packages: Use tools like npm audit or pip audit to identify vulnerabilities.
  • Validate Package Sources: Verify package publishers and cross-check names carefully before installation.
  • Monitor Network Activity: Look for unusual connections to GitHub or repl.it domains.
  • Use Security Tools: Implement solutions that detect malicious dependencies.

General Recommendations:

  • Avoid downloading software from unofficial or unverified sources.
  • Regularly update packages and dependencies to the latest versions.
  • Conduct periodic security awareness training for developers and IT teams.

References:

Scroll to top