ESET has released a report on the vulnerability here. Their key findings are:
- Linux/Moose targets consumer routers and modems including the hardware provided by Internet Service Providers (ISPs) to consumers
- The threat is built for deep network penetration spreading past firewalls
- It can eavesdrop on communications to and from devices connected behind the infected router, including desktops, laptops and mobile phones
- Moose runs a comprehensive proxy service (SOCKS and HTTP) that can be accessed only by a specific list of IP addresses
- The operators use the infected devices to perform social network fraud on Twitter, Facebook, Instagram, Youtube and more
- Moose can be configured to reroute router DNS traffic, which enables man-in-the-middle attacks from across the Internet
- It affects Linux-based embedded devices running on the MIPS and ARM architectures
If we look at how it spreads, one statement is very important here:
Last but not least, this threat spreads only by compromising systems with weak or default credentials. No vulnerabilities are exploited by the malware. Although downplayed by system administrators, this attack vector has been effective at compromising a lot of Internet-connected systems. As FireEye recently stated: “Brute forcing credentials remains one of the top 10 most common ways an organization is first breached.”
They listed some of the devices that could be affected:
Network equipment vendors
3Com, Alcatel-Lucent, Allied Telesis, Avaya, Belkin, Brocade, Buffalo, Celerity, Cisco,
D-link, Enterasys, Hewlett-Packard, Huawei, Linksys, Mikrotik, Netgear, Meridian, Nortel,
SpeedStream, Thomson, TP-Link, Zhone, ZyXEL
Appliance vendors
APC, Brother, Konica / Minolta, Kyocera, Microplex, Ricoh, Toshiba, Xerox
Internet of Things vendors
Hik Vision, Leviton
Indicators of compromise
If the credentials can be used via Telnet to login, if Telnet is enabled by default and if a shell access can be obtained by typing sh in the device’s prompt, then these are very good indicators that a device could be infected by Linux/Moose.
Prevention
Change default passwords on network equipment even if it is not reachable from the Internet. Disable Telnet login and use SSH where possible. Make sure that your router is not accessible from the Internet on ports 22 (SSH), 23 (Telnet), 80 (HTTP) and 443 (HTTPS). If you are unsure about how to perform this test, when you are at home, use the "common ports" scan from the ShieldsUP service from GRC.com. Make sure that the above mentioned ports receive a Stealth or Closed status. Running the latest firmware available from your embedded device vendor is also recommended.
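As an added example (my own code, not part of ESET's report or of the answer above), here is a small Python port audit that mirrors what the ShieldsUP "common ports" scan reports for the four management ports the prevention advice names: each port is classified as open, closed (connection refused) or stealth (no answer at all). To actually answer "is my router reachable from the Internet?" it must be run from a host outside your own network against your public address; run from inside the LAN it only tells you about LAN-side exposure. The default target 192.0.2.1 is a documentation-range placeholder, and self_check() uses a throwaway loopback listener so the classification logic can be exercised offline.

```python
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# The ports the answer says must not be reachable from the Internet.
MANAGEMENT_PORTS = {22: "SSH", 23: "Telnet", 80: "HTTP", 443: "HTTPS"}


def probe_port(host, port, timeout=2.0):
    """Classify one TCP port the way ShieldsUP does.

    'open'    - a TCP handshake completed: a service is listening and reachable
    'closed'  - the host answered with RST (connection refused)
    'stealth' - nothing came back within the timeout (dropped by a firewall);
                unreachable-network errors are folded into 'stealth' as well,
                since from the outside they look the same: no service is exposed
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError, OSError):
        return "stealth"


def audit_host(host, ports=MANAGEMENT_PORTS, timeout=2.0):
    """Probe every port in `ports` concurrently; returns {port: state}."""
    with ThreadPoolExecutor(max_workers=len(ports)) as pool:
        results = pool.map(lambda port: (port, probe_port(host, port, timeout)), ports)
        return dict(results)


def exposed_services(report, ports=MANAGEMENT_PORTS):
    """Return the 'port/name' labels that are open, i.e. the ones that fail
    the 'Stealth or Closed' requirement from the prevention advice."""
    return [f"{port}/{ports[port]}" for port, state in sorted(report.items())
            if state == "open"]


def self_check():
    """Offline demonstration of the classifier (constructed, loopback only):
    one listening socket must read as 'open', and a port we just bound and
    released, so nothing listens on it, must read as 'closed'."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]

    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()  # released: a connect attempt now gets RST

    try:
        return probe_port("127.0.0.1", open_port), probe_port("127.0.0.1", closed_port)
    finally:
        listener.close()


if __name__ == "__main__":
    # Placeholder target from the documentation range; pass your public IP
    # as the first argument and run this from OUTSIDE your own network.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"
    print("self-check (open, closed):", self_check())
    report = audit_host(target)
    for port, state in sorted(report.items()):
        print(f"{target}:{port} ({MANAGEMENT_PORTS[port]}) -> {state}")
    exposed = exposed_services(report)
    print("exposed management services:", exposed or "none")
```

Anything reported as open here is what Linux/Moose's credential-guessing relies on: an open 23/Telnet is the exact condition the "Indicators of compromise" paragraph describes, so it should be disabled on the device rather than merely hidden behind a firewall rule.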