Earlier February, experts at VoidSec where performing ordinary maintenance on their personal website when noticed something of strange in the logs. It was a “strange” recurring pattern, revealing a brute force attack against the administrative interface of the WordPress website.
The experts noticed that all IPs involved in the attack (they were thousands) came from ranges of IP addresses associated to all the principal Italian Internet Service Providers. The involved IPS are
- Albacom, now BT-Italia
- BSI Assurance UK
The experts then tracked back the source of attack discovering that all the IPs involved were users by anAethra modem/router (BG1242W, BG8542W etc.).
As usual happen in this case, thousand of SOHO devices where compromised because they were using default credentials (blank: blank).
The interface of such devices is vulnerable to various reflected XSS, for example in the field username of the login form, in the “source host ping” field, mtrace etc. etc. – CSRF and to HTML5 cross-origin resource sharing (partly mitigated).
GET /cgi-bin/AmiWeb?path=/&operation=login&username=%3Cscript%3Ealert%28%27vsec%27%29%3B%3C/script%3E&password=&transaction=vnFS4Ztv_3@ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
Accept-Encoding: gzip, deflate
Summarizing the experts discovered a botnet of thousands of devices, by using Shodan they were able to extract some additional information about the infected devices.
“There are many Aethra devices around the world (~ 12,000), of which 10,866 are in Italy; filtering by type they are approximately 8000 Aethra Telecommunications PBX devices, the device involved in this specific attack.
The Aethra devices (including 104 models ranging from SIP / 2.0 to Aethra VegaX3_Series_4 Videoconference System) involve 254 unique providers around the world in fifty different countries.” States the report published by VoidSec.
The botnet is considered very dangerous because Aethra modems are mainly exclusively sold for business contracts, this means that vulnerable devices belong to business is various industries and could be used to facilitate targeted attacks towards those specific companies.
“From our statistics we noticed that 70% of those devices are vulnerable (default credentials), therefore 8400 devices with a business contract (ADSL 1Mbps upload / optic fiber 10Mbps) bring a maximum output power raging from 8400 Mbps to 84000 Mbps, approximately 1-10 Gigabytes per second, that could be used for DDoS attacks.” continues the post.
The action of the Italian ISP Fastweb in a joint effort with Bug Hunters and Vendors allowed to identify and patch the vulnerability in just 7 business day. The operation allowed Voidsec to update their statistics revealing a more disturbing scenario.
“It appears that our initial estimates values, (made using only Shodan) were reductive and partly wrong; Fastweb has about 40,000 devices, but only 4% had default credentials, for a total output power ranging between 1.7 and 17 Gbps (based on average optic fiber coverage).”
Well done Fastweb!
Unfortunately, all BT Italia devices are still vulnerable.
Below the timeline published by VoidSec:
- February 13: recognition of brute force and subsequent investigations; one of mine resource contacts someone in BT-Italy.
- February 25: jrivett attempts to contact several times BT-Italia:
- sent email to the abuse address on record for albacom.net, but every attempt bounced, saying that the user’s mailbox was full;
- sent email to the technical contact on record for Albacom.net, but this was ignored;
- tweeted about the problem on the main BT Twitter account, but my tweets were immediately deleted
- During this period, numerous articles came out about the botnet used by LizardSquad during the famous attacks on Xbox Live and Play Station Network
Krebs on Security wrotes:
“The malicious code that converts vulnerable systems into stresser bots is a variation on a piece of rather crude malware first documented in November by Russian security firm Dr. Web, but the malware itself appears to date back to early 2014.
In addition to turning the infected host into attack zombies, the malicious code uses the infected system to scan the Internet for additional devices that also allow access via factory default credentials. In this way, each infected host is constantly trying to spread the infection to new home routers and other devices.
The botnet is not made entirely of home routers; some of the infected hosts appear to be commercial routers at universities and companies, and there are undoubtedly other devices involved.”
I think that Aethra routers may have contributed extensively to the LizardSquad botnet and its expansion.
- March 2: the attacks are continuing, and BT has been warned about what happened.
- April 15: attacks are decreasing and then resuming during the following weeks.
- May 1: my resource has never received a response from BT-Italia.
- December 11: (11 months later) According to our policy, I decided to proceed with a full disclosure, I have no reason to believe that the attacks have been stopped but rather that, they are reduced their intensity and they have changed targets.
- December 11: Fastweb is made aware of the vulnerability, we agree some days of delay for the patch
- December 22: responsible disclosure and happy ending, at least for Fastweb
Enjoy the report.