Hacker free-for-all fights for control of home and office routers everywhere

https://arstechnica.com/security/2024/05/hacker-free-for-all-fights-for-control-of-home-and-office-routers-everywhere/

The post went on to report that while the January operation by the FBI put a dent in the infrastructure Pawn Storm depended on, legal constraints prevented the operation from blocking reinfection. What’s more, the botnet also comprised virtual private servers (VPS) and Raspberry Pi devices that weren't affected by the FBI action.

“This means that despite the efforts of law enforcement, Pawn Storm still has access to many other compromised assets, including EdgeServers,” the Trend Micro report said. “For example, IP address 32[.]143[.]50[.]222 was used as an SMB reflector around February 8, 2024. The same IP address was used as a proxy in a credential phishing attack on February 6, 2024 against various government officials around the world.”

Still going strong 8 years on

The botnet dates back to at least 2016 and has undergone multiple revisions over the years that have assembled a wide variety of hacking and proxy tools. The researchers wrote:

The malicious code consists of a collection of bash scripts, Python scripts, and a few malicious Linux binaries like SSHDoor. Functions in the bash scripts include the ability to retrieve specific information on the compromised hosts, including folders, system users, computing power, installed software, cryptocurrency wallets, passwords, and internet speed—valuable information to attacker groups. The collection of scripts also contains a script to install a SOCKS5 proxy with and without authentication, and a function to connect to the C&C server to upload information and download additional components. On compromised VPS hosts or routers with sufficient computing power, additional components for mining the Monero cryptocurrency might also be present.

A key element in the suite of scripts and malicious binaries is SSHDoor, a backdoored SSH daemon that allows attackers to steal legitimate credentials while users log in. It also makes persistent access possible, either through an SSH public key pair or via extra credentials that may be used by the malicious actor to log in. It is likely that the latter function was used by Pawn Storm to gain access to the botnet’s nodes since its operator poorly protected their stolen assets. According to our research, the botnet operator used SSHDoor binaries that are available on public repositories while only minimally modifying the default credentials, making brute forcing the extra credentials in the backdoored SSH server an easy task for an adversary like Pawn Storm.

Though the FBI advisory mainly talks about Ubiquiti EdgeRouters being part of the botnet, Trend Micro’s telemetry and our research found that more Linux-based devices are part of the botnet. In fact, any Linux-based internet-facing router could be affected, especially those that were shipped with default credentials. In particular, Raspberry Pi devices and VPS servers in datacenters that form an XMRig mining pool for Monero cryptocurrency are part of the same botnet.

Statistics on Monero mining by a pool of VPS servers that are part of the botnet that was partially taken down by the FBI in January 2024. We have evidence that the botnet operator controls more Monero mining pools aside from this one.

Credit: Trend Micro


A large number of the bots also have an open SOCKS5 server, which we later identified to be MicroSocks (https://github.com/rofl0r/microsocks), an open source SOCKS5 server software. Note that connections to these SOCKS5 servers may originate from anywhere. The port on which the SOCKS5 server is running is usually reported back to a C&C server of the botnet that the FBI disrupted. In some cases, the actor used a slightly different adapted version of MicroSocks with both the listening address (all interfaces) and port (56981/tcp) predefined.

The MicroSocks binary is commonly located at /root/.tmp/local. In late February 2024, the threat actors added authentication with a username and password in MicroSocks, recompiled it, and then reuploaded it to the bots.
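The two MicroSocks indicators in the quoted paragraphs (a listener bound to all interfaces on 56981/tcp, and a binary at /root/.tmp/local) can be checked on a Linux router or VPS host from the defender's side. The script below is an added example, not code from the article or from Trend Micro: it parses `ss -H -tlnp` output, maps each listening pid to its executable, and reports matches. The sample `ss` lines and pid-to-path table are constructed; on a live host they would come from running `ss` and reading `/proc/<pid>/exe`.

```python
"""Check a Linux host for the MicroSocks indicators described in the report."""
import re

MICROSOCKS_PORT = 56981                # port predefined in the adapted MicroSocks build
MICROSOCKS_PATH = "/root/.tmp/local"   # where the report says the binary usually sits
WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]", "::"}

# One `ss -H -tlnp` line: LISTEN recvq sendq local:port peer:port users:(("name",pid=N,fd=M))
LINE_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s*(?P<users>.*)$')
PID_RE = re.compile(r'pid=(\d+)')

def parse_listeners(ss_output):
    """Return [(addr, port, pid)] for every TCP listener in ss output."""
    out = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pid = PID_RE.search(m.group("users"))
            out.append((m.group("addr"), int(m.group("port")), int(pid.group(1)) if pid else None))
    return out

def find_indicators(listeners, exe_by_pid):
    """exe_by_pid maps pid -> resolved executable path (os.readlink('/proc/PID/exe') on a live host)."""
    hits = []
    for addr, port, pid in listeners:
        exe = exe_by_pid.get(pid, "")
        if port == MICROSOCKS_PORT and addr in WILDCARD_ADDRS:
            hits.append(f"pid {pid}: listener on all interfaces, tcp/{MICROSOCKS_PORT} (MicroSocks variant port)")
        if exe == MICROSOCKS_PATH:
            hits.append(f"pid {pid}: executable at {MICROSOCKS_PATH} (reported MicroSocks drop path)")
        elif "/.tmp/" in exe:
            hits.append(f"pid {pid}: listener served from hidden temp directory {exe}")
    return hits

# Constructed sample: sshd on 22, a MicroSocks-style listener on 56981 run from /root/.tmp/local
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22   0.0.0.0:* users:(("sshd",pid=612,fd=3))
LISTEN 0 128 0.0.0.0:56981 0.0.0.0:* users:(("local",pid=2187,fd=4))
LISTEN 0 4096 127.0.0.1:53 0.0.0.0:* users:(("dnsmasq",pid=480,fd=5))
"""
SAMPLE_EXE = {612: "/usr/sbin/sshd", 2187: "/root/.tmp/local", 480: "/usr/sbin/dnsmasq"}

if __name__ == "__main__":
    for hit in find_indicators(parse_listeners(SAMPLE_SS), SAMPLE_EXE):
        print("[!]", hit)
```

A port number alone is weak evidence, so the executable path is checked independently; a hit on either should be followed by verifying the sshd binary against the distribution package, since the report pairs MicroSocks with the SSHDoor backdoor.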

The Trend Micro post was published on the same day that researchers from security firm Fortinet reported (https://www.fortinet.com/blog/threat-research/new-goldoon-botnet-targeting-d-link-devices) the discovery of a new botnet that targets a 9-year-old vulnerability in D-Link routers.

Dan Goodin, Ars Technica. Published May 2, 2024.