What do an old log file, WordPress, “some” routers and some Italian ISP have in common?
Apparently nothing, but let me explain from the beginning and you will see how interesting elements can be discovered starting from an insignificant event.
Friday, February 13, 2015: I was performing ordinary maintenance on my personal website and, while I was analyzing the statistics and logs, I noticed a “strange” recurring pattern:
Anyone who has ever run a WordPress site can recognize, in this log extract, the classic behavior of a botnet performing a brute force attack against the administrative interface. In this case, the botnet was trying password combinations for the ‘admin’ username.
Generally I would have resolved the problem by blocking those IP addresses, placing them in the blacklist of the WAF (Web Application Firewall).
In this case, however, a detail caught my attention: all IPs involved in the attack (they were thousands) came from similar ranges.
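As an added example (not code from the original post), this is how the pattern above can be extracted from an ordinary combined-format access log: count failed POSTs to wp-login.php per source IP and then group the offenders by /24 prefix, which makes the “similar ranges” observation visible at a glance. The sample log lines are constructed, use documentation IP ranges, and the threshold is an assumption to tune to your own traffic.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Combined log format: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')

# Constructed sample lines (documentation IP ranges), not the author's real log.
SAMPLE_LOG = """\
203.0.113.10 - - [13/Feb/2015:03:14:01 +0100] "POST /wp-login.php HTTP/1.1" 200 3817
203.0.113.10 - - [13/Feb/2015:03:14:02 +0100] "POST /wp-login.php HTTP/1.1" 200 3817
203.0.113.10 - - [13/Feb/2015:03:14:03 +0100] "POST /wp-login.php HTTP/1.1" 200 3817
203.0.113.44 - - [13/Feb/2015:03:14:05 +0100] "POST /wp-login.php HTTP/1.1" 200 3817
203.0.113.44 - - [13/Feb/2015:03:14:06 +0100] "POST /wp-login.php HTTP/1.1" 200 3817
203.0.113.44 - - [13/Feb/2015:03:14:07 +0100] "POST /wp-login.php HTTP/1.1" 200 3817
198.51.100.7 - - [13/Feb/2015:03:16:00 +0100] "GET /wp-login.php HTTP/1.1" 200 2201
198.51.100.7 - - [13/Feb/2015:03:16:04 +0100] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.9 - - [13/Feb/2015:03:17:00 +0100] "GET /index.php HTTP/1.1" 200 9120
"""

def parse_line(line):
    """Fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def login_failures(log_text):
    """Failed wp-login.php POSTs per source IP. WordPress re-renders the form
    with status 200 on a failed login and redirects (302) on success."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec and rec["method"] == "POST" and rec["status"] == "200"
                and rec["path"].split("?")[0] == "/wp-login.php"):
            counts[rec["ip"]] += 1
    return counts

def brute_force_sources(log_text, threshold=3):
    """IPs with at least `threshold` failed logins (assumed value; tune it)."""
    return {ip: n for ip, n in login_failures(log_text).items() if n >= threshold}

def cluster_by_prefix(ips, prefix_len=24):
    """Group offending IPs by /prefix_len so 'similar ranges' stand out."""
    clusters = defaultdict(set)
    for ip in ips:
        net = ip_network(f"{ip_address(ip)}/{prefix_len}", strict=False)
        clusters[str(net)].add(ip)
    return clusters
```

Feed your own access log text to `brute_force_sources` and pass the result to `cluster_by_prefix`; a handful of prefixes holding most of the offenders is the signal that a single network (here, an ISP's customer ranges) is involved rather than scattered hosts.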
After resolving the IPs I made another discovery: all ISPs involved were Italian (with two exceptions), and more specifically they were:
- Albacom, now BT-Italia
- BSI Assurance UK
Following the “white rabbit”, I found a detail binding all the IPs involved: every device was an Aethra modem/router (BG1242W, BG8542W etc.).
All devices involved in the attack used (and they are still using) default credentials (blank: blank).
I cannot easily determine whether the attacks come directly from the devices or from PCs connected to them, but it is safe to assume that the routers are the main actors.
Overall, it is possible to retrieve directly from the web interface the list of all connected devices, all IPs for which the device is NATting, and various configuration settings.
The interface is vulnerable to various reflected XSS – for example in the username field of the login form, in the “source host ping” field, mtrace etc. – as well as CSRF and HTML5 cross-origin resource sharing issues (partly mitigated). An example request for the login username field:

GET /cgi-bin/AmiWeb?path=/&operation=login&username=%3Cscript%3Ealert%28%27vsec%27%29%3B%3C/script%3E&password=&transaction=vnFS4Ztv_3@ HTTP/1.1
Host: 93.61.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
X-Requested-With: XMLHttpRequest
Connection: keep-alive
At this point I decided to gauge the size of the botnet; using Shodan I was able to extract some additional information:
There are many Aethra devices around the world (~12,000), of which 10,866 are in Italy; filtering by type, approximately 8,000 are Aethra Telecommunications PBX devices, the device type involved in this specific attack.
The Aethra devices (including 104 models ranging from SIP / 2.0 to Aethra VegaX3_Series_4 Videoconference System) involve 254 unique providers around the world in fifty different countries.
Here is the most relevant information:
Aethra modems are sold almost exclusively for business contracts, so thanks to WHOIS research I was able to associate the vulnerable devices with various organizations. This could facilitate targeted attacks towards those specific companies.
From our statistics we noticed that 70% of those devices are vulnerable (default credentials); therefore 8400 devices with a business contract (ADSL 1Mbps upload / optic fiber 10Mbps) provide a maximum output power ranging from 8400 Mbps to 84000 Mbps, approximately 1-10 Gigabytes per second, that could be used for DDoS attacks.
All this was before December 11, when Fastweb was made aware of the problem. We then established a good relationship between Bug Hunter and Vendor that allowed the ISP to patch and fix the vulnerability in just 7 business days, and allowed us to update our statistical data regarding the exposure and the total number of devices.
It appears that our initial estimates (made using only Shodan) were too simplistic and partly wrong; Fastweb has about 40,000 devices, but only 4% had default credentials, for a total output power ranging between 1.7 and 17 Gbps (based on average optic fiber coverage).
Well done Fastweb!
The problem remains, however, because all the BT Italia devices that made up our initial statistics apparently remain unchanged and still vulnerable.
I would like to pre-empt a question: “Why are you talking about this only now?”
Since the beginning of VoidSec, we have been promoting responsible disclosure as the default method for vulnerability disclosure. Responsible disclosure minimizes the real risk for end users, giving dedicated departments time to mitigate the vulnerabilities. I do not favor full disclosure and, where possible, I prefer to act responsibly, according to our policy.
This is the timeline:
- February 13: recognition of the brute force attack and subsequent investigations; a contact of mine reaches out to someone at BT-Italy.
- February 25: jrivett attempts several times to contact BT-Italia:
- sent email to the abuse address on record for albacom.net, but every attempt bounced, saying that the user’s mailbox was full;
- sent email to the technical contact on record for Albacom.net, but this was ignored;
- tweeted about the problem on the main BT Twitter account, but my tweets were immediately deleted.
- During this period, numerous articles came out about the botnet used by LizardSquad during the famous attacks on Xbox Live and PlayStation Network.
Krebs on Security wrote:
“The malicious code that converts vulnerable systems into stresser bots is a variation on a piece of rather crude malware first documented in November by Russian security firm Dr. Web, but the malware itself appears to date back to early 2014.
In addition to turning the infected host into attack zombies, the malicious code uses the infected system to scan the Internet for additional devices that also allow access via factory default credentials. In this way, each infected host is constantly trying to spread the infection to new home routers and other devices.
The botnet is not made entirely of home routers; some of the infected hosts appear to be commercial routers at universities and companies, and there are undoubtedly other devices involved.”
I think that Aethra routers may have contributed extensively to the LizardSquad botnet and its expansion.
- March 2: the attacks continue, and BT has been warned about what happened.
- April 15: the attacks decrease, then resume during the following weeks.
- May 1: my contact has still not received a response from BT-Italia.
- December 11 (11 months later): according to our policy, I decided to proceed with full disclosure. I have no reason to believe that the attacks have stopped; rather, they have reduced their intensity and changed targets.
- December 11: Fastweb is made aware of the vulnerability; we agree on a few days of delay for the patch.
- December 22: responsible disclosure and a happy ending, at least for Fastweb.
- January 27, 2016: following a constructive dialogue, Aethra Telecommunications released this press report.
Among subsequent developments:
- Firmware retrieval in order to research other vulnerabilities and develop specific exploits.
In the past we have already encountered BT Italia, and it did not go any better: McDonald’s Wi-fi Login System