Original Issue Date:-November 18, 2021
Virus Type:-Backdoor/Malware botnet
It has been reported that a newly surfaced malware written in Google’s open-source programming language Golang, is targeting Linux-embedded routers and Internet of Things (IoT) devices through botnets. The malware is utilizing 33 different exploits to compromise routers and IoT devices. It works by creating a backdoor to the device and then waits to either receive a target to attack from a remote operator through port 19412 or from another related module running on the same machine.Infection Mechanism:
The new Golang-based malware botnet incorporates more than 30 exploits for a variety of routers, modems, and Network-attached Storage (NAS) devices. As listed by Alien Labs, the vulnerabilities with CVE numbers, which can be exploited by new BotenaGo malware are listed below. In addition, some of the vulnerabilities have also been disclosed without CVE.
|CVE-2020-8515||DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 22.214.171.124_Beta, and 1.4.4_Beta devices|
|CVE-2015-2051||D-Link DIR-645 Wired/Wireless Router Rev. Ax with firmware 1.04b12 and earlier|
|CVE-2016-1555||Netgear WN604 before 3.3.3 and WN802Tv2, WNAP210v2, WNAP320, WNDAP350, WNDAP360, and WNDAP660 before 126.96.36.199|
|CVE-2017-6077||NETGEAR DGN2200 devices with firmware through 10.0.0.50|
|CVE-2016-6277||NETGEAR R6250 before 188.8.131.52.Beta, R6400 before 184.108.40.206.Beta, R6700 before 220.127.116.11.Beta, R6900, R7000 before 18.104.22.168.Beta, R7100LG before 22.214.171.124.Beta, R7300DST before 126.96.36.199.Beta, R7900 before 188.8.131.52.Beta, R8000 before 184.108.40.206.Beta, D6220, D6400, D7000|
|CVE-2018-10561, CVE-2018-10562||GPON home routers|
|CVE-2013-3307||Linksys X3000 1.0.03 build 001|
|CVE-2016-11021||D-Link DCS-930L devices before 2.12|
|CVE-2018-10088||XiongMai uc-httpd 1.0.0|
|CVE-2020-10173||Comtrend VR-3033 DE11-416SSG-C01_R02.A2pvI042j1.d26m|
|CVE-2013-5223||D-Link DSL-2760U Gateway|
|CVE-2020-8958||Guangzhou 1GE ONU V2801RW 1.9.1-181203 through 2.9.0-181024 and V2804RGW 1.9.1-181203 through 2.9.0-181024|
|CVE-2019-19824||TOTOLINK Realtek SDK based routers, this affects A3002RU through 2.0.0, A702R through 2.1.3, N301RT through 2.1.6, N302R through 3.4.0, N300RT through 3.4.0, N200RE through 4.0.0, N150RT through 3.4.0, and N100RE through 3.4.0.|
|CVE-2020-10987||Tenda AC15 AC1900 version 15.03.05.19|
|CVE-2020-9054||Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.2, Affected products include: NAS326 before firmware V5.21(AAZF.7)C0 NAS520 before firmware V5.21(AASZ.3)C0 NAS540 before firmware V5.21(AATB.4)C0 NAS542 before firmware V5.21(ABAG.4)C0 ZyXEL has made firmware updates available for NAS326, NAS520, NAS540, and NAS542 devices. Affected models that are end-of-support: NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2|
|CVE-2017-18368||ZyXEL P660HN-T1A v1 TCLinux Fw $220.127.116.11 v001 / 3.40(ULM.0)b31 router distributed by TrueOnline|
|CVE-2014-2321||ZTE F460 and F660 cable modems|
|CVE-2017-6334||NETGEAR DGN2200 devices with firmware through 10.0.0.50|
The malware botnet deploys a backdoor on the compromised device, and then waits for commands – either from a remote operator or a malicious module on the device – to initiate an attack. As part of a typical BotenaGo attack, the malware first maps potential targets to attack functions, then queries the target with a GET request, after which it searches the returned data, and only then it attempts to exploit the vulnerable target.
On a compromised device, the malware creates two backdoor ports: 31412 and 19412, and starts listening on port 19412 to receive the victim’s IP. Then, it loops through mapped exploit functions to execute them with the supplied IP. Once BotenaGo gains access, it will execute remote shell commands to recruit the device into the botnet. Depending on which device is targeted, the malware uses different links to fetch a matching payload.
Indicators of Compromise
- SHA256- 0c395715bfeb8f89959be721cd2f614d2edb260614d5a21e90cc4c142f5d83ad
Best practices and remedial measures:
- It is recommended to keep the software up to date with latest security updates.
- Install the latest firmware and use a properly configured firewall.
- Ensure minimal exposure to the Internet on Linux servers and IoT devices.
- Monitor network traffic, outbound port scans, and unreasonable bandwidth usage.
- It is advised to carry out timely patching of internet-connected devices to avoid becoming a victim of BotenaGo or any other IoT botnets.
Additional measures for securing IOT devices:
- Restrict Web Management Interface access of IoT devices to authorized users only and change default username/passwords
- Always change Default login credentials before deployment in production.
- Change default credentials at device startup and ensure that passwords meet the minimum complexity.
- Disable Universal Plug and Play (UPnP) on IoT devices unless absolutely required.
- Users should be aware of the installed devices and their capabilities. If a device comes with a default password or an open Wi-Fi connection, users should change the password and only allow it to operate on a home network with a secured Wi-Fi router.
- Control access to the devices with Access List
- Configure devices to "lock" or log out and require a user to re-authenticate if left unattended
- Identify systems with default passwords and implement abovementioned measures. Some the systems that need to examined are Routers, switches, web applications and administrative web interfaces, ICS systems, Telnet and SSH interfaces
- Implement account lockout policies to reduce the risk of brute forcing attacks.
- Telnet and SSH should be disabled on device if there is no requirement of remote management
- Configure VPN and SSH to access device if remote access is required.
- Configure certificate based authentication for telnet client for remote management of devices
- Implement Egress and Ingress filtering at router level.
- Report suspicious entries in Routers to your Internet Service Provider
- Keep up to date Antivirus on the computer system
- Keep up-to-date on patches and fixes on the IoT devices, operating system and applications.
- Unnecessary port and services should be stopped and closed.
- Logging must be enabled on the device to log all the activities.
- Enable and monitor perimeter device logs to detect scan attempts towards critical devices/systems.
References for CVE: