Cryptocurrencies are currently by far the most common method that criminals use to monetise attacks from the devices they are taking over.

Even if the router is patched, they often remain vulnerable if the administrator does not change default passwords.

…against D-Link routers made by MikroTik, among others, have been observed. These routers use vulnerable administrative interfaces which allow an attacker to execute commands, or modify configurations, without having to log in.

From June 15, one of the botnets, commonly named ‘Satori’, started to add a new exploit to its arsenal. This new exploit targets a vulnerability common in D-Link routers that exposes a web-based administrative interface on port 8000. The use of this new port can easily be used to identify affected devices worldwide, or in Saudi Arabia specifically. The graph accompanying this article on the next page shows the rise of scans for port 80, 8000 and 8080 from Saudi Arabia and some of its neighbours over a period of 12 days.

The Internet Storm Center registered about 6,000 devices in Saudi Arabia that were emitting traffic consistent with such a compromise. It is likely that not all of these devices are affected. But, for example, over 300 of these devices have probed the Internet Storm Center’s sensors on port 23 alone over the last month. This indicates that Saudi Arabia and its neighbours are affected by these attacks just like any other country. The same vulnerabilities can also be exploited to gain access to corporate networks.
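The port-based measurement the article describes (counting probes on 23, 80, 8000 and 8080 per day and per source, and spotting when a new port such as 8000 starts appearing) can be reproduced on a defender's own perimeter logs. The following Python script is an added example, not code from the article or the Internet Storm Center; the log lines are constructed iptables-style samples with documentation addresses, and the June dates are chosen to mirror the article's timeline.

```python
import re
from collections import Counter, defaultdict

# Ports the article associates with router-compromise scanning: telnet (23)
# and the web-based administrative interfaces on 80, 8000 and 8080.
WATCH_PORTS = {23, 80, 8000, 8080}

# Constructed sample lines in iptables LOG format (hypothetical hosts and times).
SAMPLE_LOG = """\
Jun 14 03:12:01 gw kernel: [IN=eth0] SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=41231 DPT=23 SYN
Jun 14 03:15:44 gw kernel: [IN=eth0] SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=41232 DPT=80 SYN
Jun 14 09:20:10 gw kernel: [IN=eth0] SRC=192.0.2.33 DST=203.0.113.5 PROTO=TCP SPT=55102 DPT=443 SYN
Jun 15 01:02:03 gw kernel: [IN=eth0] SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=41300 DPT=8000 SYN
Jun 15 01:02:05 gw kernel: [IN=eth0] SRC=192.0.2.33 DST=203.0.113.5 PROTO=TCP SPT=55200 DPT=8000 SYN
Jun 15 02:10:00 gw kernel: [IN=eth0] SRC=192.0.2.34 DST=203.0.113.5 PROTO=TCP SPT=55201 DPT=8080 SYN
Jun 16 04:00:00 gw kernel: [IN=eth0] SRC=192.0.2.35 DST=203.0.113.5 PROTO=TCP SPT=55202 DPT=8000 SYN
Jun 16 04:00:01 gw kernel: [IN=eth0] SRC=192.0.2.35 DST=203.0.113.5 PROTO=TCP SPT=55203 DPT=23 SYN
Jun 16 04:00:02 gw kernel: [IN=eth0] SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=41400 DPT=8000 SYN
"""

# Month, day, source address and destination port from one syslog-style line.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) \S+ .*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_probes(text):
    """Yield (date, src, dport) for every inbound hit on a watched port."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        port = int(m.group("dpt"))
        if port in WATCH_PORTS:
            # Zero-pad the day so dates within one month sort as strings.
            yield f"{m.group('mon')} {int(m.group('day')):02d}", m.group("src"), port


def daily_port_counts(text):
    """Probes per day and port: {date: {port: count}} (the article's rising-scan graph)."""
    counts = defaultdict(Counter)
    for date, _src, port in parse_probes(text):
        counts[date][port] += 1
    return {d: dict(c) for d, c in counts.items()}


def sources_per_port(text):
    """Distinct source addresses per port, i.e. roughly how many devices probed us."""
    srcs = defaultdict(set)
    for _date, src, port in parse_probes(text):
        srcs[port].add(src)
    return {p: len(s) for p, s in srcs.items()}


def newly_active_ports(text, baseline_date):
    """Ports with no hits on baseline_date but hits on a later day (a 'new port' like 8000).

    Assumes all lines fall in the same month so the 'Mon DD' strings compare in order.
    """
    counts = daily_port_counts(text)
    baseline = counts.get(baseline_date, {})
    new = set()
    for date, per_port in counts.items():
        if date > baseline_date:
            new.update(p for p in per_port if baseline.get(p, 0) == 0)
    return sorted(new)


if __name__ == "__main__":
    for date, per_port in sorted(daily_port_counts(SAMPLE_LOG).items()):
        print(date, per_port)
    print("distinct sources per port:", sources_per_port(SAMPLE_LOG))
    print("ports first seen after Jun 14:", newly_active_ports(SAMPLE_LOG, "Jun 14"))
```

Run against real firewall logs, the per-day counts give the same view as the scan graph, and the distinct-source count per port is the figure that corresponds to the "over 300 devices probed ... on port 23" statistic; a sudden appearance of port 8000 in `newly_active_ports` is the signal the article describes for the Satori exploit.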
Attacks against devices like this often go unnoticed but can have severe consequences. Cybercriminals can use the access they have gained to these devices to then intercept traffic passing through it. More recently, a botnet known as VPNFilter was discovered with a more sinister mission.

Unlike most similar botnets, VPNFilter cannot be simply removed from the device with a reboot. Instead, the bot alters the device’s firmware and will try to re-infect the device after a reboot. VPNFilter includes various modules that can be used to sniff traffic passing
[Figure: The Satori botnet distribution by country]