ESET ha rilasciato un rapporto sulla vulnerabilità qui . I loro risultati principali sono:
- Linux/Moose targets consumer routers and modems including the hardware provided by Internet Service Providers (ISPs) to consumers
- The threat is built for deep network penetration spreading past firewalls
- It can eavesdrop on communications to and from devices connected behind the infected router, including desktops, laptops and mobile phones
- Moose runs a comprehensive proxy service (SOCKS and HTTP) that can be accessed only by a specific list of IP addresses
- The operators use the infected devices to perform social network fraud on Twitter, Facebook, Instagram, Youtube and more
- Moose can be configured to reroute router DNS traffic, which enables man-in-the-middle attacks from across the Internet
- It affects Linux-based embedded devices running on the MIPS and ARM architectures
Se osserviamo come si diffonde, una dichiarazione è molto importante qui:
Last but not least, this threat spreads only by compromising systems with weak or default credentials. No vulnerabilities are exploited by the malware. Although downplayed by system administrators, this attack vector has been effective at compromising a lot of Internet-connected systems. As FireEye recently stated: “Brute forcing credentials remains one of the top 10 most common ways an organization is first breached.
Hanno elencato alcuni dei dispositivi che potrebbero essere interessati:
Fornitori di apparecchiature di rete
3Com, Alcatel-Lucent, Allied Telesis, Avaya, Belkin, Brocade, Buffalo, Celerity, Cisco, D-link, Enterasys, Hewlett-Packard, Huawei, Linksys, Mikrotik, Netgear, Meridian, Nortel, SpeedStream, Thomson, TP-Link, Zhone, ZyXEL
Fornitori di apparecchiature
APC, Brother, Konica / Minolta, Kyocera, Microplex, Ricoh, Toshiba, Xerox
venditori di Internet of Things
Hik Vision, Leviton
Indicatori di compromesso
If the credentials can be used via Telnet to login, if Telnet is enabled by default and if a shell access can be obtained by typing sh in the device’s prompt, then these are very good indicators that a device could be infected by Linux/Moose.
Prevenzione
Change default passwords on network equipment even if it is not reachable from the Internet. Disable Telnet login and use SSH where possible. Make sure that your router is not accessible from the Internet on ports 22 (SSH), 23 (Telnet), 80 (HTTP) and 443 (HTTPS). If you are unsure about how to perform this test, when you are at home, use the "common ports" scan from the ShieldsUP service from GRC.com. Make sure that the above mentioned ports receive a Stealth or Closed status. Running the latest firmware available from your embedded device vendor is also recommended.
Leggi altre domande sui tag router vulnerability exploit zero-day