In 2019, Palo Alto NetWorks threatened intelligence group UNIT42 found that malware Mirai has a new attack type, which is mainly based on various embedded and Internet of Things devices, with a distributed blocking service attack ( DDoS) and its self-replication is mainly, from 2016, successfully invading several targets worth noting. These locked Internet of Things include wireless projection systems, set top boxes, SD-WANs and even smart home remote controls. Mirai is a malware that enables execution of Linux computing systems into a zombie network that is remotely controlled to achieve a large-scale network attack through a botnet. Mirai’s main infection object is a consumer-grade electronic device that can access networks, such as network monitoring recorders and home routers.
Recently, Palo Altonetworks are actively trying to protect their customers from possible attacks, using its next-generation firewall as peripheral sensors to detect malicious payloads and attack methods, so Unit42 researchers can find out the threats in the network, whether they are be found.
The Unit42 researchers conducted a careful study of four Mirai variants in two attack activities using the command injection vulnerability, discovered a familiar IoT attack mode. As mentioned above, UNIT42 has found eight new iterations in 2019.
Although this general method allows researchers to observe the entire attack activity chain, even from the attack, it has obtained a malware binary file from the attack, but this post-expoitation attack does leave its attack marks: traffic fingerprint recognition. Similar services produce similar flow mode because similar codebooks and basic implementations (if not the same). Since a service can exist in multiple devices with different configurations, and a specific device has multiple brands, it is very difficult to identify sensitive devices in real time.
This paper briefly analyzes the two Internet access vulnerabilities observed in the wild and the four Mirai variants provided during the attack, and the next generation of firewall customers in Palo Altonetworks can protect them from these attacks.
Using the payload including Mirai variants
Unit42 recently found a total of four Mirai variants, which use two new vulnerabilities as an attack medium to spread Mirai. After successful use, the WGET utility downloads the shell script from the malware infrastructure. The shell script then downloads multiple Mirai binaries compiled with different architecture and performs these downloaded binaries.
As shown in Figure 1, the first vulnerability utilizes a command injecting vulnerability in a web service having an NTP server setting function. This service cannot clear the value of the HTTP parameter NTP_SERVER, causing any command to execute.
Command injection vulnerability
According to the clues obtained from the attack traffic, we narrow the range to some IOT devices that can pass through the HTTP synchronization time, and find a few vulnerable NTP server processing routines in some IoT devices. Worrying, because some suppliers do not support the product of the above firmware. Figure 2 shows a function found in the library module, although our firmware has this unsafe function, but fortunately, due to the target unified resource identifier in these firmware (URI) They are therefore unaffected by this particular attack. When we continue to analyze other IoT devices that may be synchronized by HTTP, the affected product is still identified.
Volatile code snippet in firmware
The initial attack event of the first vulnerability occurred on July 23, 2020 UTC at 05:55:06. This attack (shown in Figure 1) lasted for a few weeks, the last report was 23 points 21 points 21, 21, 2020, (UTC). At the time of writing this article, there are 42 unique alerts.
The second utilization in the wild capture is less than the context provided by the first utilization, the URL and HTTP request heads do not generate any useful information. Obviously, the parameters cleaning in the HTTP parameter PID, which leads to the command injection vulnerability, as shown in Figure 3. We speculate target services is a type of remote process management tool because there is a similar parameter mode in the attack traffic, and it may be experimental, so the usage is very low.
Command injection using the network
In just 12 seconds, a total of 48 unique attack events occurred. The attack began on August 16, 2020 at 09:04:39 (UTC), ending on August 16, 2020 at 09:04:51 (UTC), which indicates that this attack is fast and short.
We put Mirai variants to groups: 1, 2, 3, and 4. The SHA256 of each Mirai variant can be found in the “Attack Indicators” section below. Table 1 lists the attack methods of each variant and an embedded decryption key.
Communication method and solution key
Although these variants do not have exactly the same source and configuration, they have the functions required to initiate DDoS attacks. Variant 4 also has the ability to infectious infection, which makes it a more dangerous threat. Table 2 below summarizes this particular Mirai variant for infection with other susceptible to attack hosts. As in the previous sample, this variant inherits the vulnerability utilization program used in previous variants.
Variant 4 infection function
The security of the Internet of Things equipment is still worrying, and a major challenge for Internet security is that the no longer supported Internet of Things devices are still deployed and used. Unfortunately, the vulnerability in the firmware will not only disappear with the disappearance of firmware products.
This article is translated from: https://unit42.paloaltonetworks.com/iot-vulnerabilities-mirai-payloads/ If reproduced, please indicate the original address.