Security News

An unpatched Domain Name System bug in a popular standard C library can allow attackers to mount DNS poisoning attacks against millions of IoT devices and routers to potentially take control of them, researchers have found. "The flaw is caused by the predictability of transaction IDs included in the DNS requests generated by the library, which may allow attackers to perform DNS poisoning attacks against the target device," Nozomi's Giannis Tsaraias and Andrea Palanca wrote in the post.

Taiwanese hardware vendor QNAP urged customers on Monday to disable Universal Plug and Play port forwarding on their routers to prevent exposing their network-attached storage devices to attacks from the Internet. UPnP Port Forwarding allows network devices to communicate seamlessly and create groups for easier data sharing.

A new Mirai-based botnet malware named Enemybot has been observed growing its army of infected devices through vulnerabilities in modems, routers, and IoT devices, with the threat actor operating it known as Keksec. The particular threat group specializes in crypto-mining and DDoS; both supported by botnet malware that can nest in IoT devices and hijack their computational resources.

A variant of the Mirai botnet called Beastmode has been observed adopting newly disclosed vulnerabilities in TOTOLINK routers between February and March 2022 to infect unpatched devices and expand its reach potentially. "The Beastmode Mirai-based DDoS campaign has aggressively updated its arsenal of exploits," Fortinet's FortiGuard Labs Research team said.

A Mirai-based distributed denial-of-service botnet tracked as Beastmode has updated its list of exploits to include several new ones, three of them targeting various models of Totolink routers. The authors of DDoS botnets did not waste any time and added these flaws to their arsenal to take advantage of the opportunity window before Totolink router owners applied the security updates.

A newly discovered data wiper malware that wipes routers and modems has been loosely linked to the cyberattack that targeted the KA-SAT satellite broadband service on February 24, affecting thousands in Ukraine and tens of thousands across Europe. To destroy data on compromised devices, the wiper overwrites file contents with up to 0x40000 bytes of data or uses MEMGETINFO, MEMUNLOCK, MEMERASE, and MEMWRITEOOB input/output control system calls.

"The C2 server serves as a botnet-as-a-service controlling nearly 230,000 vulnerable MikroTik routers," Avast's senior malware researcher, Martin Hron, said in a write-up, potentially linking it to what's now called the M?ris botnet. The botnet is known to exploit a known vulnerability in the Winbox component of MikroTik routers, enabling the attackers to gain unauthenticated, remote administrative access to any affected device.

Microsoft on Wednesday detailed a previously undiscovered technique put to use by the TrickBot malware that involves using compromised Internet of Things devices as a go-between for establishing communications with the command-and-control servers. "By using MikroTik routers as proxy servers for its C2 servers and redirecting the traffic through non-standard ports, TrickBot adds another persistence layer that helps malicious IPs evade detection by standard security systems," Microsoft's Defender for IoT Research Team and Threat Intelligence Center said.

ASUS routers have emerged as the target of a nascent botnet called Cyclops Blink, almost a month after it was revealed the malware abused WatchGuard firewall appliances as a stepping stone to gain remote access to breached networks. Intelligence agencies from the U.K. and the U.S. have characterized Cyclops Blink as a replacement framework for VPNFilter, another malware that has exploited network devices, primarily small office/home office routers, and network-attached storage devices.

Cyclops Blink malware has infected ASUS routers in what Trend Micro threat researchers say looks like an attempt to turn infected devices into command-and-control servers for future attacks. ASUS says it's working on a remediation for Cyclops Blink and will post software updates as they become available.