Internet routers running the Tomato alternative firmware are under active attack by a self-propagating exploit that searches for devices using default credentials. When credentials are found, the exploit then makes the routers part of a botnet that's used in a host of online attacks, researchers said on Tuesday.
The Muhstik botnet came to light about two years ago when it started unleashing a string of exploits that attacked Linux servers and Internet-of-things devices. It opportunistically exploited a host of vulnerabilities, including the so-called critical Drupalgeddon2 vulnerability disclosed in early 2018 in the Drupal content management system. Muhstik has also been caught using vulnerabilities in routers that use Gigabit Passive Optical Network (GPON) or DD-WRT software. The botnet has also exploited previously patched vulnerabilities in other server applications, including WebDAV, WebLogic, Webuzo, and WordPress.
On Tuesday, researchers from Palo Alto Networks said they recently detected Muhstik targeting Internet routers running Tomato, an open-source package that serves as an alternative to the firmware that ships by default with routers built on Broadcom chips. Its ability to work with virtual private networks and provide advanced quality-of-service control makes Tomato popular with end users and, in some cases, router sellers.
The exploits use already infected devices to scan the Internet for Tomato routers and, when found, to check if they use the default username and password of “admin:admin” or “root:admin” for remote administration. Here's what the scanning activity looks like:
The exploit causes Tomato routers that haven't been locked down with a strong password to join an IRC server that's used to control the botnet. The infection also causes the routers to scan the Internet for servers or devices running vulnerable WordPress, Webuzo, or WebLogic packages. The image below shows the execution flow of the new variant as it combines various modules that scan the Internet for vulnerable servers:
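As an added illustration, not code from the article or from Palo Alto Networks' report: a small detector that decodes HTTP Basic Authorization headers from web-server log lines and flags login attempts that present the two default pairs named above, grouped by source address. The log format, the admin path and every IP address are constructed for the example.

```python
"""Flag remote-administration login attempts using the default credential
pairs that Muhstik is reported to try against Tomato routers.

The log format is constructed for this example:
<src_ip> <method> <path> <status> <Authorization header or "-">
"""
import base64
import binascii
from collections import defaultdict

# Default pairs named in the report; a router still using one of these for
# remote administration is exactly what the scanner is probing for.
DEFAULT_PAIRS = {("admin", "admin"), ("root", "admin")}

# Constructed sample log lines (the admin path and IPs are placeholders).
SAMPLE_LOG = """\
203.0.113.7 GET /admin-login 401 Basic YWRtaW46YWRtaW4=
203.0.113.7 GET /admin-login 401 Basic cm9vdDphZG1pbg==
198.51.100.22 GET /status 200 Basic b3BlcmF0b3I6czNjcjN0LXBhc3N3MHJk
203.0.113.9 GET /admin-login 401 Basic !!notbase64!!
192.0.2.5 GET / 200 -
"""

def decode_basic(header: str):
    """Return (user, password) from a 'Basic <b64>' header, or None if absent/invalid."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None

def default_cred_attempts(log_text: str) -> dict:
    """Map each source IP to the number of requests presenting a default pair."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split(" ", 4)
        if len(parts) < 5:
            continue  # malformed or truncated line
        src, auth = parts[0], parts[4]
        if decode_basic(auth) in DEFAULT_PAIRS:
            hits[src] += 1
    return dict(hits)

if __name__ == "__main__":
    for ip, n in default_cred_attempts(SAMPLE_LOG).items():
        print(f"{ip}: {n} default-credential attempt(s)")
```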
Attackers use the botnet to infect targets with multiple malicious payloads, including cryptocurrency miners and software for performing distributed denial-of-service attacks on other domains. Muhstik relies on multiple command-and-control domains and IP addresses, presumably for redundancy in the event one gets taken down. The Muhstik name comes from a keyword that pops up in the exploit code.
“The new Muhstik botnet variant demonstrates that IoT botnet keeps expanding the botnet size by adding new scanners and exploits to harvest new IoT devices,”