Mirai Spawn Echobot Found Using Over 50 Different Exploits (CSB19-05)

SUMMARY

Echobot is one of the many botnets that were based on the Mirai botnet. Echobot is nearly identical to the Mirai malware. As part of the Mirai Botnet attack, Linux will be installed on the infected device, as well as various applications such as a Web proxy and software used to carry out DDoS attacks. Echobot carries out attacks on a wider variety of targets and has software designed to exploit a large number of vulnerabilities. Once the victim's device has been compromised, it becomes integrated into the Echobot botnet, an enormous group of infected devices that can be used in coordination to carry out many attacks.

• Targeting IoT devices and enterprise apps;
• It can target vulnerabilities in commonly used enterprise software;
• Designed to exploit at least 26 different vulnerabilities to carry out its attack;
• Attempts to target vulnerabilities in software used in enterprise devices such as VMware NSX SD-WAN and Oracle WebLogic Server, apart from using common exploits in the Windows operating system and commonly used platforms;
• Designed to target businesses and higher-profile targets. However, home systems also are vulnerable;
• Echobot added new exploits for older vulnerabilities that remained unpatched by the vendor.

Once a device has been compromised, it establishes a connection to the Echobot Command and Control server that sends an updated version of Echobot that is specific to the targeted system's operating environment.

These botnets can be used for devastating attacks, leveraging the large number of infected devices. Some examples include DDoS (Distributed Denial of Service) attacks, sending out massive quantities of spam email and money laundering operations.

Computer users are advised to use strong security software, update all firmware and software, and use strong passwords, particularly on devices like routers that are commonly left relatively unprotected.

ITMS ISSD Computer Security Incident Response Team
2nd Floor ITMS Bldg Camp Crame, Quezon City
723-0401 loc [email protected]

HOW IT WORKS

1. The malware selects a random server as a proxy.
2. It establishes a connection to the Echobot Command & Control server, which sends an updated version of Echobot.
3. It scans random IP addresses for exposed IP cameras and DVRs to gain remote access, and repeats the process with another proxy server.

SECURITY RISKS

• Stealing of sensitive personal information and credentials;
• Can issue system commands, write, delete or read files or connect to databases.

MITIGATIONS

• Regularly updating devices, firmware, software and changing access credentials;
• Configuring the router's settings to deter potential intrusions;
• Disabling outdated and unused device components;
• Enabling the auto-update feature if the device allows it;
• Encrypting the connections that the devices use;
• Incorporating security tools that provide additional protection to home networks and devices connected to them; and
• Using only legitimate applications from trusted sources and stores.

REFERENCE

LIST OF EXPLOITS USED BY MIRAI ECHOBOT:

• Asustor ADM 3.1.2RHG1: Remote Code Execution
• Ubiquiti Nanostation5 (Air OS): 0day Remote Command Execution
• Alcatel-Lucent OmniPCX Enterprise 7.1: Remote Command Execution
• ASMAX AR 804 gu Web Management Console: Arbitrary Command Execution
• ASUS DSL-N12E C1 345: Remote Command Execution
• Asus RT56U: Command Injection
• AWStats Totals 1.14: multisort - Remote Command Execution
• AWStats 6.0: 'configdir' Remote Command Execution
• AWStats 6.0: 'migrate' Remote Command Execution
• Beckhoff CX9020 CPU Module: Remote Code Execution
• Belkin Wemo UPnP: Remote Code Execution
• BEWARD N100 H.264 VGA IP Camera M2.1.6: Remote Code Execution
• Crestron AM/Barco wePresent WiPG/Extron ShareLink/Teq AV IT/SHARP PN-L703WA/Optoma WPS-Pro/Blackbox HD WPS/InFocus: Remote Command Injection
• Citrix SD-WAN Appliance 10.2.2: Authentication Bypass / Remote Command Execution
• EnGenius EnShare IoT Gigabit Cloud Service 1.4.11: Remote Code Execution
• Dogfood CRM: 'spell.php' Remote Command Execution
• CTEK SkyRouter 4200/4300: Command Execution
• NETGEAR R7000 / R6400: 'cgi-bin' Command Injection

• Dell KACE Systems Management Appliance (K1000) 6.4.120756: Unauthenticated Remote Code Execution
• D-Link: OS-Command Injection via UPnP Interface
• OpenDreamBox 2.0.0 Plugin WebAdmin: Remote Code Execution
• FreePBX 2.10.0 / Elastix 2.2.0: Remote Code Execution
• Fritz!Box Webcm: Command Injection
• Geutebruck 5.02024 G-Cam/EFD-2250: 'testaction.cgi' Remote Command Execution
• Gitorious: Remote Command Execution
• HomeMatic Zentrale CCU2: Remote Code Execution
• Hootoo HT-05: Remote Code Execution
• Iris ID IrisAccess ICU 7000-2: Remote Root Command Execution
• Linksys WAG54G2: Web Management Console Arbitrary Command Execution
• Mitel AWC: Command Execution
• Nagios 3.0.6: 'statuswml.cgi' Arbitrary Shell Command Injection
• NUUO NVRmini: 'upgrade_handle.php' Remote Command Execution
• NETGEAR ReadyNAS Surveillance 1.4.3-16: Remote Command Execution
• EyeLock nano NXT 3.5: Remote Code Execution
• OP5 5.3.5/5.4.0/5.4.2/5.5.0/5.5.1: 'welcome' Remote Command Execution
• op5 7.1.9: Remote Command Execution
• HP OpenView Network Node Manager 7.50: Remote Command Execution
• Oracle Weblogic / Code Execution

• PHPMoAdmin: Unauthorized Remote Code Execution
• Plone and Zope: Remote Command Execution
• QuickTime Streaming Server: 'parse_xml.cgi' Remote Execution
• Realtek SDK: Miniigd UPnP SOAP Command Execution
• Redmine SCM Repository 0.9.x/1.0.x: Arbitrary Command Execution
• Rocket Servergraph Admin Center: fileRequestor Remote Code Execution
• SAPIDO RB-1732: Remote Command Execution
• Seowonintech Devices: Remote Command Execution
• Spreecommerce 0.60.1: Arbitrary Command Execution
• LG SuperSign EZ CMS 2.5: Remote Code Execution
• FLIR Thermal Camera FC-S/PT: Command Injection
• Schneider Electric U.Motion Builder 1.3.4: 'track_import_export.php object_id' Unauthenticated Command Injection
• MiCasaVerde VeraLite: Remote Code Execution
• VMware NSX SD-WAN Edge: Command Injection
• WePresent WiPG-1000: Command Injection
• Wireless IP Camera (P2P) WIFICAM: Remote Code Execution
• Xfinity Gateway: Remote Code Execution
• Yealink VoIP Phone SIP-T38G: Remote Command Execution
• ZeroShell 1.0beta11: Remote Code Execution
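Several entries in the list above name the CGI or PHP script that the exploit reaches, which gives defenders something concrete to search for in web server access logs. The following is an added example, not part of the original bulletin: it reports requests to those scripts and flags parameter values that carry shell metacharacters. The Common Log Format layout, the sample log lines and the parameter names in them are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Script names taken from the exploit list on this page.
LISTED_SCRIPTS = {"spell.php", "testaction.cgi", "statuswml.cgi",
                  "upgrade_handle.php", "parse_xml.cgi",
                  "track_import_export.php"}
# Characters that chain or substitute shell commands inside a parameter value.
SHELL_META = re.compile(r"[;|&`\n]|\$\(")
# Assumption: Common/Combined Log Format (client first, request line quoted).
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

SAMPLE_LOG = [  # constructed lines, not captured traffic
    '203.0.113.7 - - [01/Jul/2019:10:00:01 +0000] '
    '"GET /nagios/cgi-bin/statuswml.cgi?a=1%3Becho HTTP/1.1" 200 512',
    '198.51.100.9 - - [01/Jul/2019:10:00:05 +0000] '
    '"POST /track_import_export.php HTTP/1.1" 404 0',
    '192.0.2.20 - - [01/Jul/2019:10:00:09 +0000] '
    '"GET /index.html?q=a%3Bb HTTP/1.1" 200 99',
    '203.0.113.7 - - [01/Jul/2019:10:00:12 +0000] '
    '"GET /testaction.cgi?x=ok&y=%2524%2528id%2529 HTTP/1.1" 200 0',
]


def classify(line):
    """Return (client, script, verdict) for a listed script, else None."""
    m = REQUEST.match(line)
    if not m:
        return None
    client, target = m.groups()
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1].lower()
    if script not in LISTED_SCRIPTS:
        return None
    verdict = "probe"  # POST bodies are not logged, so a hit alone matters
    for pair in parts.query.split("&"):  # a raw "&" only separates parameters
        value = pair.partition("=")[2]
        # Decode twice so double-encoded metacharacters (%253B) are still seen.
        if SHELL_META.search(unquote_plus(unquote_plus(value))):
            verdict = "injection-pattern"
    return client, script, verdict


def scan(lines):
    """Classify every line and keep only requests to listed scripts."""
    return [hit for hit in map(classify, lines) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

A "probe" verdict on a device that does not run the listed product is still worth recording, since it shows the address is being scanned for these scripts.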
