Researchers at Netscout's ASERT Team have been tracking the growth of botnets originating in Egypt and targeting routers in South Africa. The payload is a variant of the Hakai DDoS bot.
Richard Hummel is threat intelligence manager at Netscout, and he joins us to share their findings.
The original research is here:
Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday, presented by Juniper Networks. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Dave Bittner: [00:00:26] And now a word about our sponsor, Juniper Networks. Organizations are constantly evolving and increasingly turning to multicloud to transform IT. Juniper's connected security gives organizations the ability to safeguard users, applications, and infrastructure by extending security to all points of connection across the network. Helping defend you against advanced threats, Juniper's connected security is also open, so you can build on the security solutions and infrastructure you already have. Secure your entire business, from your endpoints to your edge, and every cloud in between, with Juniper's connected security. Connect with Juniper on Twitter or Facebook. And we thank Juniper for making it possible to bring you Research Saturday.
Dave Bittner: [00:01:09] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data, all without ever decrypting anything - all without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at enveil.com.
Richard Hummel: [00:01:53] One of the things that we track here is a lot of the IoT activity, as well as exploits to various devices.
Dave Bittner: [00:01:59] That's Richard Hummel. He's the threat intelligence manager at NETSCOUT. The research we're discussing today is titled, "Realtek SDK Exploits on the Rise from Egypt."
Richard Hummel: [00:02:10] The way we do that is through our IoT honeypot. We have deployments all over the world - dozens and dozens of these, if not close to the hundreds mark - and we sit in probably two dozen or more countries. And basically what they do - there's a couple of things that we do here. One is a passive device, and this is where we got the bulk of this research. And with these passive devices, we load up signatures to identify various exploits. So, often these are going to be exploits which have been publicly disclosed, or maybe a security researcher publishes a PoC. We can take that and we can replicate what it's going to look like across the network, and then we can build those signatures into our tracking, so that anytime an attacker or a bot attempts to exploit that vulnerability, we'll be able to log it. And so we'll see that across all of our honeypots around the world. The second factor is we monitor for reflection amplification DDoS-related stuff. So those are our two aspects of the honeypot.
Richard Hummel: [00:03:08] In this particular case, specifically, we're looking at the exploit attempts. We're tracking a lot of different exploits. I'm not going to get into actual numbers there, but for this particular one we've been tracking it for a long time. We basically just saw it kind of flatline. We'd see the occasional attempt to exploit this, and then all of a sudden, starting in April, we saw this massive spike targeting this particular vulnerability, in which case this is CVE-2014-8361.
Dave Bittner: [00:03:35] Okay.
Richard Hummel: [00:03:35] And it was very significant, in that it basically had been flatlined before. So we started looking, well, why is an attacker using a multiple-year-old vulnerability and targeting this specifically in this particular region? And on top of that, from Egypt specifically. So we started looking around motivations. We started trying to figure out where the attackers are coming from. Is there a known botnet? Is there an increased campaign? And there's still some unanswered questions here, where we're not entirely certain the motivation behind this.
Dave Bittner: [00:04:04] Hmm.
Richard Hummel: [00:04:03] However, this type of activity is pretty common for attackers that are basically adding to their botnet. Basically, what we call recruiting. So they're going out there, they're looking for vulnerable devices. And it might be that maybe they were sitting on, like, Shodan, for instance, and they noticed that there was a bunch of different routers in South Africa that are vulnerable to this CVE. So they took advantage of the opportunity. A lot of times with crime, it is opportunistic, in which case they realized there's something that they can exploit. It's fairly easy for them to just pull this off the shelf and say, well, I'm going to go after this because I know there's thousands of these devices in South Africa, so let me just go ahead and compromise those, and I can increase my botnet size.
Dave Bittner: [00:04:44] Help me understand how it works - with the explosion of what you saw here, the sudden popularity of it, is that a result of the nature of botnets itself, that when someone discovers a vulnerability, then it sort of feeds off of itself as they go looking for more devices that are vulnerable to this?
Richard Hummel: [00:05:02] Absolutely. A lot of the IoT bots out there, they do this type of compromise or this scanning and exploitation attempts programmatically. Mirai is a good example - this is kind of the first of its kind, where it will automatically go out and try to find other devices that are vulnerable, whether that's from brute forcing attempts or various other exploits. And the same is the case for any of the IoT malware that has kind of followed after it. Hakai, actually - the DDoS botnet that's being distributed here - has been around since September. So even that is something that's older that the attackers are using. So a lot of these things, a lot of the exploits that you're going to see, a lot of the distribution capabilities, the propagation - it's all going to be time-proven tactics that work for attackers.
Richard Hummel: [00:05:43] So yeah, a new vulnerability becomes available, and next thing you know it's being slaved by a bunch of other attackers. And the same is true with various protocols that become known for DDoS or reflection amplification. Some of these protocols - Memcached is a really good one, right? There was a proof-of-concept, and then next thing you know we have the largest DDoS attack on record that occurred, and then a month later we see another one. So attackers are going to take these and they're going to weaponize those really fast.
Richard Hummel: [00:06:07] In the case of Memcached, within five days of that protocol being available, basically disclosed, it was included in what we call "booters" and "stressers," which is basically a paid-for service where you can launch DDoS at whoever you want, and it's relatively cheap to do. The same is true with a lot of the IoT bots that we see. Mirai is open source at this point, because it's been leaked. Satori - same, some of the code there, as well. So, attackers can easily take these things, they can change them to suit their needs, and then they can start loading up a lot of these different exploit attempts as they become available, or they can pull from a repertoire of past vulnerabilities like this one back in 2014.
Dave Bittner: [00:06:43] So, in terms of the flatline that you saw before this took off, so does that flatline not necessarily reflect that people had been patching or anything like that - it might just represent that no one was particularly interested in this vulnerability at the time?
Richard Hummel: [00:06:59] Could very well mean that, yes. Considering it's a 2014 vulnerability, I mean, you have five years to patch, right? So, if devices out there are not being patched and they're still vulnerable to this CVE, that's not necessarily on the manufacturer, that's necessarily on various end users. That could be, like, if it's an enterprise network, or maybe it's a bunch of these routers deployed in some type of ISP - maybe it's like a third-party ISP and they're just deploying old school routers, or maybe they don't know. Or maybe there's an end user at home, they don't realize, hey, I need to patch my devices, I need to change my default usernames and password. It's pretty common.
Richard Hummel: [00:07:32] So yeah, it could very well be that this particular CVE just wasn't being weaponized at the time. And then somebody sees that, hey, I'm going to scan this block of IP addresses in South Africa, and I have a whole list of maybe routers that came up. Shodan is really good for this, because you can just log in and see, okay, what kind of devices are available by the Internet in a particular region, in a particular country. Or maybe I'm looking for a specific brand of router, in which case they would be able to see that these are there and know that, hey, this device was previously vulnerable to this CVE, and then they can just grab it off the shelf and start launching attacks and see if it works.
Dave Bittner: [00:08:08] So, tell me about this router itself. Is this a consumer device? What are we talking about here?
Richard Hummel: [00:08:13] It is. Yep. So these are consumer-based devices, and so, often these aren't going to be updated. I would say that I'm even guilty of not updating my own routers often enough, which, I mean, it's fairly common, right? And I'm a cyber security professional, so I have no excuse.
Dave Bittner: [00:08:28] (Laughs)
Richard Hummel: [00:08:29] The average layperson knows it's difficult, right? Can I even log in?
Dave Bittner: [00:08:33] Right, there's an out of sight, out of mind, and I guess also combined with, if it ain't broke, don't fix it.
Richard Hummel: [00:08:38] Exactly. It's working, the Internet's working, according to anybody else using a device. And if you don't know about security, and you don't know that you can log in via your IP address to your router and change settings, well, to me, I just plug it in, it provides Internet access, and that's all I really care about. Well, I mean, you're gonna be vulnerable, because you're never gonna patch. So maybe some devices have an auto update or auto patch type thing, but often it requires manually pushing a button, and some folks just don't do that. And so, like I said, I'm guilty of that myself, on occasion. And it provides all these devices that are sitting out there on the Internet vulnerable to these age-old vulnerabilities and CVEs that attackers can use to enslave and create bigger botnets.
Dave Bittner: [00:09:21] And to be clear here, with this vulnerability, when someone enlists one of these devices to become part of their botnet, where the device is still functioning normally as far as the user's concerned, they wouldn't necessarily notice anything going wrong?
Richard Hummel: [00:09:37] Not necessarily. At first, I don't think they would notice anything. If there was a particular DDoS attack going, and maybe it was saturating the network with traffic, they might notice some latency. But as far as to their eyes, they're not actually gonna see anything malicious when they're browsing the internet. The most that they might notice is a little bit of downtime or a little latency as they're trying to connect. In which case, what's the solution for that? Restart the router, which is the typical thing to do. And so, that might, you know, fix the latency issues at first, and then maybe they'll come back.
Richard Hummel: [00:10:04] And so, that's kind of the reality of these things. It's like, a lot of times users just don't realize that their device is part of a botnet. We published some statistics earlier in the year, that within five minutes, IoT devices are being brute-forced by telnet attacks. Within 24 hours, they're getting exploitation attempts such as this one. At one point, for some of the IoT devices that we brought online, within sixty seconds, they were getting brute-forced by telnet attempts.
Dave Bittner: [00:10:31] Let's dig into some of the technical stuff that's actually going on here. So, the bad guys are doing their scanning, they find a device that's a good possibility for infection. What exactly is happening behind the scenes?
Richard Hummel: [00:10:45] So, once they've identified a device that is potentially vulnerable to this, they'll attempt to exploit it using this known vulnerability, and that might be just a weaponized piece of code that says, hey, I'm going to exploit this, or maybe there's a buffer overflow I'm going to get past. Once they've successfully executed that exploit, the device is essentially compromised. And at that point, they can then deploy their code or payloads onto that compromised device.
Richard Hummel: [00:11:09] In this instance, we saw them distributing the Hakai DDoS bot. But it doesn't have to be Hakai. It can be really anything, because at that point the attackers have control over that device, that router, which is then a zombie to them, and they can issue any command that they want, really, to deploy whatever type of malware they choose. And they can also deploy different architectures, right? So if the router is running ARM or if it's running MIPS, they can deploy different types of payloads to complement those architectures and allow the bots to run in a disparate environment that has a lot of these different types of devices in it.
Dave Bittner: [00:11:44] So, in terms of what you were tracking with this, does it seem as though they are still in that bot building stage? Are they - they're gathering up the bots and haven't done anything yet? What's your sense with that?
Richard Hummel: [00:11:57] As far as we can tell, this is very much - at the time that we reported this - very much in the recruitment phase. We haven't seen any significant DDoS attacks come out of South Africa where this bot is supposedly being constructed. However, that's not to say that there isn't. We may not necessarily have visibility on every aspect of the Internet there. Our honeypots are deployed worldwide, but that doesn't necessarily mean we see a hundred percent of the Internet. And given our other statistics in what we call "Atlas," we also have visibility in approximately a third of the Internet traffic around the world. So, we do see a lot of the traffic, but there are still gaps. And it could be that attacks launched from this particular botnet - maybe they're not significant enough to really put a spike in the grander scale of the world's DDoS traffic. So, we may or may not necessarily see DDoS attacks come from this botnet, if it has been matured and finalized as far as its reach and extent. But yeah, for this particular activity that we observed, we very much believe it's in the recruitment phase.
Dave Bittner: [00:12:59] Do you have any sense for why they might be targeting South Africa?
Richard Hummel: [00:13:04] Again, we started looking into motivations or possible motivations - are there any events in South Africa? Are there political events? Is there geopolitical upheaval? Are there cross-border tensions? And the reality is we didn't find anything significant that could tie it to this. Which leads me to the conclusion that this is very much opportunistic, as I said before. They identified a bunch of routers, and they figured this is an opportunity for me to expand, let's go ahead and do it. And maybe South Africa just happened to be that conduit for them.
Dave Bittner: [00:13:33] How much of this lies with, for example, the ISP? I mean, if this is a router that's being distributed by an ISP, do they have any responsibility for pushing out updates or informing their customers that this is available?
Richard Hummel: [00:13:46] I think a lot of ISPs do this already, and most ISPs have some type of DDoS mitigation in place. I know that NETSCOUT is in pretty much all of the world's first tier ISPs and many of the second tier. And so, by the upstream-downstream nature of these devices being deployed by consumers, they're often protected by DDoS, because they have upstream protection and mitigation via either NETSCOUT or some other competitor that does DDoS mitigation. So, even though we might be establishing this botnet, and maybe the devices are being successfully compromised, that doesn't necessarily mean that they're going to be successful in their DDoS attempts. But it does mean that the devices are still compromised.
Richard Hummel: [00:14:25] And I don't know that that is an ISP directive, to let their customers know that they need to fix their stuff. Maybe there is some education that can happen via various venues. I know that's why security companies like us exist, right? Is to inform consumers and to inform the world that this is happening and that, hey, even if you are a layperson, and maybe you're not in the security business, or maybe you have no idea how to login to your router, we really want to get this information to everybody, right? That's why we do these calls, these podcasts, because we want to inform the world that, hey, this is happening. And it doesn't matter who you are, where you are, or what your skill level is - there is some level of responsibility for each person to make sure that they're securing their own devices and networks in their own homes against attacks like this.
Dave Bittner: [00:15:09] So, what is your sense of the sophistication of the group we're dealing with here? Are they custom developing their own stuff, or is this off-the-shelf components?
Richard Hummel: [00:15:18] I think by and large this is going to be mostly off-the-shelf components. The Hakai DDoS bot has been around for a while. Really anybody can take it and use it. This vulnerability has been around for five years. The fact that they maybe found routers via some type of service like Shodan that's been around for ages. I don't see anything novel, new, or sophisticated in this particular campaign. It just looks like your run-of-the-mill IoT bot attempting to broaden its reach.
Dave Bittner: [00:15:44] Now, in terms of the rest of us who are, you know, around the world looking to defend against these sorts of things, I mean, anything we need to look out for? Any ways to protect ourselves for the potential inevitable botnet that might spawn from this?
Richard Hummel: [00:15:57] (Laughs) Sure. The biggest thing I can tell you right now, especially with a lot of these use-after-free vulnerabilities, is patch. Most often, when people use responsible disclosure for various CVEs, they work with the manufacturers and the vendors of particular devices, or maybe Microsoft or some other company, and the companies will try to get patches available before they disclose the PoC, or working PoC of the vulnerability. In which case, organizations paying attention to those can get their equipment patched, can get the routers patched, so that when the PoCs become available, and inevitably attackers start to get those PoCs and reverse engineer them to figure out how to weaponize them, devices are then already patched.
Richard Hummel: [00:16:36] The sad part of this is that there's a lot of people that have a very rigorous process of approving patches. So even if a patch becomes available, it might be six months before some organizations ever get that patch implemented, because they have to go through testing, they have to go through staging, they have to make sure no systems are going to fall over, and there's a level of acceptable risk that some organizations take in regard to this. But the reality is that patching is probably your best bet for a lot of these things.
Dave Bittner: [00:17:04] Our thanks to Richard Hummel from NETSCOUT for joining us. The research is titled "Realtek SDK Exploits on the Rise from Egypt." We'll have a link in the show notes.
Dave Bittner: [00:17:14] Thanks to Juniper Networks for sponsoring our show. You can learn more at juniper.net/security, or connect with them on Twitter or Facebook.
Dave Bittner: [00:17:24] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at enveil.com.
Dave Bittner: [00:17:32] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. The coordinating producer is Jennifer Eiben. Our CyberWire editor is John Petrik. Technical Editor, Chris Russell. Our staff writer is Tim Nodar. Executive Editor, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.
Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.