New botnet malware exploits two zero-days to infect NVRs and routers

elvisimprsntr

Pulling my weight
Joined
Dec 26, 2022
Messages
84
Reaction score
155
Location
Florida
Neither the CVEs nor the articles disclose which vendor(s) are affected, although previous variants of the Mirai botnet targeted TP-Link and Trend Micro products.



An internet-wide scan revealed that the targeted devices were linked to a specific NVR manufacturer, who acknowledged the existence of a new zero-day exploit actively exploited in the wild. The botnet also targets a popular wireless LAN router, exploiting another zero-day RCE flaw, with security updates expected in December 2023.
 
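The article quoted above describes a botnet spreading through compromised NVRs and routers. Whatever the affected vendors turn out to be, the symptom a home user can look for is the same: a camera or NVR that starts opening connections to the internet on its own, especially sweeps of telnet/SSH-style ports, which is how Mirai-family bots have historically propagated. The script below is an added example of that check, my own code and not from the post, the article or any firewall vendor. The log format is a constructed, simplified one (a real pfSense filterlog record is a long CSV line), the camera VLAN, the allowed external NTP host and the sample flows are all assumptions, and parse_line() is the only part that needs adapting to a real export.

```python
"""Spot camera / NVR hosts that start reaching out to the internet on their own.
Added example, not from the thread or the article it links.  The log format is
a constructed, simplified one (a real pfSense filterlog line is a long CSV
record); adapt parse_line() to whatever your firewall exports."""
import ipaddress
import re
from collections import defaultdict

CAMERA_VLAN = ipaddress.ip_network("192.168.20.0/24")         # assumption: cameras + NVR live here
ALLOWED_DST = {ipaddress.ip_address("203.0.113.123")}         # assumption: the one external host (NTP) allowed
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Ports IoT worms probe when spreading (SSH, telnet, alt-telnet, ADB, TR-069).
SCAN_PORTS = {22, 23, 2323, 5555, 7547}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<action>pass|block) (?P<proto>tcp|udp) "
                     r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

# Constructed sample: an NVR (.10) sweeping telnet on the internet, a camera (.11)
# whose egress is blocked by policy, and an ordinary LAN client that is ignored.
SAMPLE_LOG = """\
2023-11-22T03:10:01 pass udp 192.168.20.10:123 -> 192.168.20.1:123
2023-11-22T03:10:01 pass udp 192.168.20.10:123 -> 203.0.113.123:123
2023-11-22T03:10:02 pass tcp 192.168.20.10:49152 -> 203.0.113.7:23
2023-11-22T03:10:02 pass tcp 192.168.20.10:49153 -> 203.0.113.8:23
2023-11-22T03:10:03 pass tcp 192.168.20.10:49154 -> 198.51.100.9:2323
2023-11-22T03:10:04 block tcp 192.168.20.11:49100 -> 203.0.113.50:443
2023-11-22T03:10:05 pass tcp 192.168.1.25:50000 -> 203.0.113.60:443
"""


def parse_line(line):
    """Return a dict of flow fields, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flow = m.groupdict()
    flow["src"] = ipaddress.ip_address(flow["src"])
    flow["dst"] = ipaddress.ip_address(flow["dst"])
    flow["dport"] = int(flow["dport"])
    return flow


def is_external(addr):
    # Deliberately not ipaddress.is_private / is_global: both treat the
    # documentation ranges used in this sample (203.0.113.0/24 etc.) as non-global.
    return not any(addr in net for net in RFC1918)


def analyze(log_text):
    """Per camera-VLAN source: how much internet traffic it attempted, plus a verdict."""
    stats = defaultdict(lambda: {"passed_external": 0, "blocked_external": 0, "scan_targets": set()})
    for line in log_text.splitlines():
        flow = parse_line(line)
        if flow is None or flow["src"] not in CAMERA_VLAN:
            continue
        if not is_external(flow["dst"]) or flow["dst"] in ALLOWED_DST:
            continue                                   # east-west or explicitly allowed traffic
        s = stats[str(flow["src"])]
        if flow["action"] == "pass":
            s["passed_external"] += 1
            if flow["dport"] in SCAN_PORTS:
                s["scan_targets"].add(str(flow["dst"]))
        else:
            s["blocked_external"] += 1
    report = {}
    for src, s in stats.items():
        if len(s["scan_targets"]) >= 2:
            verdict = "worm-like scanning"          # many hosts on worm ports: assume compromised
        elif s["passed_external"]:
            verdict = "unexpected egress"           # a camera should not need the internet at all
        else:
            verdict = "blocked egress"              # policy held; still worth asking why it tried
        report[src] = {"passed_external": s["passed_external"],
                       "blocked_external": s["blocked_external"],
                       "scan_targets": len(s["scan_targets"]),
                       "verdict": verdict}
    return report


if __name__ == "__main__":
    for src, r in sorted(analyze(SAMPLE_LOG).items()):
        print(f"{src}: {r['verdict']} (passed={r['passed_external']}, "
              f"blocked={r['blocked_external']}, scan_targets={r['scan_targets']})")
```

The point of the three verdicts is that on an isolated camera VLAN the baseline is zero internet traffic, so even a single passed flow is a finding, and a blocked flow is evidence the egress policy is doing its job but still tells you a device tried. Run it over a day of exported logs rather than the constructed sample and the "worm-like scanning" bucket is the one to act on first.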

CanCuba

Known around here
Joined
Dec 9, 2020
Messages
1,130
Reaction score
3,399
Location
Havana, Cuba


This is why I run OpenWRT on all my routers and switches. Nothing is 100% secure but sure better than factory firmware.
 

elvisimprsntr

Pulling my weight
Joined
Dec 26, 2022
Messages
84
Reaction score
155
Location
Florida
I ran DD-WRT, then OpenWrt (formerly LEDE), on consumer routers longer than I can remember.
I got tired of the DD-WRT perpetual beta status, then Marvell stopped updating their proprietary drivers for the Linksys WRT series.

Bottom line, OEMs have no incentive to continually update firmware for security vulnerabilities, unless they have a recurring extortion fee revenue stream after the product is sold.

In 2015, I jumped to enterprise-class open source pfSense and enterprise-class access points. pfSense basic config can be running in less than 5 minutes, but is more powerful and runs on any x86_64 hardware, including virtualized or cloud. A used Protectli Vault fanless Mini PC can be fetched for less than $100 off evilBay. Protectli: Trusted Firewall Appliances with Firmware Protection


1. NAT, DHCP, DNS, DynDNS, etc.
2. IDS/IPS
3. VPN (OpenVPN, IPSec, L2TP, Tailscale, WG)
4. NTP Stratum 0 Source (GPS, PPS)
5. All config information stored in a single XML file which automagically migrates between updates and easily restored in less than 5 minutes.
 

Mast3r0fN0n3

Getting the hang of it
Joined
Sep 16, 2022
Messages
64
Reaction score
73
Location
Texas
Thanks for this post, did a little research, just enough to be "infected" by this. Wondering if:
Your basic topology "simplified" is something like - internet > modem > device > router or internet > modem > router > device, or other of course.
Also, to be a bit more of a pest - does it affect throughput of speed and/or throughput of remote viewing.
Understand if you wish not to answer publicly, again, thank you for posting.
 

elvisimprsntr

Pulling my weight
Joined
Dec 26, 2022
Messages
84
Reaction score
155
Location
Florida
Glad to help. I am by no means an expert, but have managed to learn quite a bit over the years through trial and error, and help from others.

This might be more information than you wanted, but just to be as thorough as I can in case others may want to follow along. So here it goes....

In general, opening ports on a firewall to access cameras or other services is a recipe for disaster. The best approach is to host your own VPN service, so you can access your entire network, including embedded devices on which you cannot install a VPN client. This is different from the so-called "privacy" VPN services which claim to protect your privacy, which is not really true. All you are doing in that case is handing over all your data to a third party, potentially offshore, who may be subject to subpoenas. There certainly are use cases for privacy VPNs, e.g. if you live in a country which bans access or monitors activity. I simply ignore all the YouTube shills who promote privacy VPNs in exchange for a kickback.

Ideally you put your ISP's kit in bridge mode so pfSense gets a public IP. The only caveat is if your ISP also provides IPTV or VoIP services.
Remote VPN access can still be made to work without a public IP address using Tailscale, but it is not ideal.

Tailscale mesh VPN is a data plane on top of WireGuard VPN, which uses a coordination server to establish P2P communication. Tailscale uses wireguard-go, so there is a slight performance hit over a straight WG implementation, but nothing that I notice when remotely viewing cameras or accessing my network. The advantages of Tailscale are that it uses any number of existing identity manager mechanisms (Google, Apple, GitHub, etc.). Tailscale will traverse any level of NAT and CGNAT, thus it does not necessarily need a public IP, unlike a straight WG VPN which requires at least one node to have a public IP, and your WG VPN will be inaccessible if that node is down.

Tailscale has clients for every OS platform on the planet, has a free tier for up to 100 nodes, and allows you to select exit nodes to obfuscate your IP address when accessing content remotely. If you go the pfSense route, I recommend Christian McDonald's tutorial for Tailscale.

As far as pfSense performance, it all depends on the bandwidth you are paying for and the kit you run it on. In my case, I pay for 300 Mbps symmetric (actual results are 375 Mbps). There is really no discernible difference when I run a speed test directly from the ISP's modem vs from a wired client on my home network behind pfSense.

As mentioned, there is a slight performance hit when using Tailscale to access your home network remotely over other self hosted VPN implementations.



[Attachment: Diagram-2.jpg]


Links:
pfSense: pfSense - World's Most Trusted Open Source Firewall
Tailscale: Tailscale
Christian McDonald Tailscale config tutorial: Tailscale on pfSense Software!
How to connect a Stratum 0 GPS+PPS source to pfSense for less than $50: GitHub - elvisimprsntr/pfsense-ntp-gps: pfSense NTP GPS Server
Protectli Vault Appliances: Protectli: Trusted Firewall Appliances with Firmware Protection
 
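Two points made earlier in the thread fit together: the warning that opening firewall ports to cameras is a recipe for disaster, and the note that pfSense keeps its whole configuration in a single XML file. That file is therefore the natural place to audit for exactly the exposure being warned against. The script below is an added example, my own code and not from the post, pfSense or Netgate. Its tag layout (nat/rule with interface, protocol, destination/port, target, local-port, descr, and an empty disabled element for disabled rules) is modelled on pfSense's config.xml as I know it but is simplified and should be treated as an assumption; the sample backup and the camera port list are constructed. Check the tag names against your own backup from Diagnostics > Backup & Restore before relying on it.

```python
"""Audit a pfSense-style config.xml for WAN port forwards that expose
camera / NVR services to the internet.  Added example, not from the thread.
Tag layout is an assumption modelled on pfSense's config.xml; verify it
against your own backup before trusting the output."""
import xml.etree.ElementTree as ET

# Ports that usually mean a camera or NVR is on the other end (constructed list).
CAMERA_PORTS = {
    23: "telnet", 80: "HTTP", 443: "HTTPS", 554: "RTSP",
    8000: "Hikvision SDK", 34567: "XMeye DVR", 37777: "Dahua TCP",
}

# Constructed sample backup: two forwards to an NVR, one disabled forward,
# and one SSH forward to a server that is not a camera.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <nat>
    <rule>
      <interface>wan</interface>
      <protocol>tcp</protocol>
      <destination><any/><port>554</port></destination>
      <target>192.168.20.10</target>
      <local-port>554</local-port>
      <descr>NVR RTSP</descr>
    </rule>
    <rule>
      <interface>wan</interface>
      <protocol>tcp</protocol>
      <destination><any/><port>8080</port></destination>
      <target>192.168.20.10</target>
      <local-port>80</local-port>
      <descr>NVR web UI</descr>
    </rule>
    <rule>
      <disabled/>
      <interface>wan</interface>
      <protocol>tcp</protocol>
      <destination><any/><port>37777</port></destination>
      <target>192.168.20.11</target>
      <local-port>37777</local-port>
      <descr>old Dahua forward (disabled)</descr>
    </rule>
    <rule>
      <interface>wan</interface>
      <protocol>tcp</protocol>
      <destination><any/><port>2222</port></destination>
      <target>192.168.1.50</target>
      <local-port>22</local-port>
      <descr>SSH to server</descr>
    </rule>
  </nat>
</pfsense>
"""


def _port_set(text):
    """Expand a port field ('554' or '8000-8010') into a set of ints."""
    if not text or not text.strip():
        return set()
    lo, _, hi = text.strip().partition("-")
    return set(range(int(lo), int(hi or lo) + 1))


def audit_port_forwards(xml_text):
    """One finding per enabled WAN forward; HIGH when it lands on a camera port."""
    findings = []
    for rule in ET.fromstring(xml_text).findall("./nat/rule"):
        if rule.find("disabled") is not None:
            continue                      # assumption: disabled rules carry an empty <disabled/>
        if (rule.findtext("interface") or "").lower() != "wan":
            continue                      # only internet-facing forwards matter here
        wan_ports = _port_set(rule.findtext("destination/port"))
        # A forward with no local-port keeps the WAN port on the inside host.
        local_ports = _port_set(rule.findtext("local-port")) or wan_ports
        hits = sorted((wan_ports | local_ports) & set(CAMERA_PORTS))
        findings.append({
            "descr": rule.findtext("descr") or "",
            "target": rule.findtext("target") or "",
            "wan_ports": sorted(wan_ports),
            "local_ports": sorted(local_ports),
            "camera_services": [CAMERA_PORTS[p] for p in hits],
            "severity": "HIGH" if hits else "REVIEW",
        })
    return findings


def report(findings):
    """Plain-text summary, one line per forward."""
    return "\n".join(
        f"[{f['severity']}] {f['descr']!r}: WAN {f['wan_ports']} -> "
        f"{f['target']}:{f['local_ports']} {f['camera_services'] or ''}"
        for f in findings)


if __name__ == "__main__":
    print(report(audit_port_forwards(SAMPLE_CONFIG)))
```

Note that the second rule is caught even though the WAN side is 8080: moving a camera's web UI to a non-standard external port hides nothing from an internet-wide scan, so the audit checks the inside port as well as the outside one. Anything that comes back HIGH is a candidate for deletion once the VPN route described above is in place.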

Mast3r0fN0n3

Getting the hang of it
Joined
Sep 16, 2022
Messages
64
Reaction score
73
Location
Texas
wow wow wow, thank you so much, this is great :p. Absolutely not more info, absolutely great great great! Exactly the topology I want to do, minus the location of the switch. Thank you a hundred times over, you are the man :headbang:.
 

CanCuba

Known around here
Joined
Dec 9, 2020
Messages
1,130
Reaction score
3,399
Location
Havana, Cuba
I've been hearing about pfSense for forever and finally got around to watching some YouTube videos today. Looks like I'll be making the switch from OpenWRT in the future. Very easy to setup and a slick web interface. Not to mention how easy WAN failover and load balancing is to set up!
 

seccamusr1

n3wb
Joined
May 19, 2021
Messages
5
Reaction score
5
Location
behind you with a ________
I got tired of the DD-WRT perpetual beta status, then Marvell stopped updating their proprietary drivers for the Linksys WRT series.
I'm using a Linksys WRT32X on a fairly recent OpenWRT build as an access point. FINALLY everything works as far as 160 MHz on 5 GHz, provided one of the few compatible frequencies is selected. Getting 600-800 Mbps on devices that are 2x2 link or better (not gonna happen on 99.99% of handheld cellular devices or tablets), on a couple of laptops that have hardware that can take advantage of it. Luckily the area I need to cover is small enough that just the one router is enough, aside from my workshop, which gets its connection from Ethernet-over-powerline baluns and is on a separate subnet. It has taken me 2 years to figure out exactly what settings the Linksys likes though!
For those who wish to use either the WRT32X or WRT3200ACM on 160 MHz, you MUST select channel 52 or one of the two other supported channels, forget about using WPA3 security or roaming between multiple APs, leave the radio power on auto, and make sure to select your country code when setting up the 5 GHz.

2. IDS/IPS
4. NTP Stratum 0 Source (GPS, PPS)
Woah, that's pretty dang cool! I was toying with the idea of using GPS for date/time stuff a while back. Neat to hear someone else using that for accurate time!
I'd like to switch my Zimaboard router over to pfSense in the near future. Out of curiosity, does pfSense host a radius server or something for the IDS/IPS or is it access point agnostic?
Been thinking about setting up something like that recently so I can do a legit captive portal splash forcing those pesky phones with rolling MAC addresses to enter a human-readable name for easier identification, since no one listens when I ask them to set the MAC to static for that network.

Do I think I need that level of security? naah.... just would like to completely overkill the home wireless security. Not sure it will play well with all my devices though. Probably gonna have to retire the WRT32X for that though.
 

bigredfish

Known around here
Joined
Sep 5, 2016
Messages
17,524
Reaction score
48,761
Location
Floriduh
modem>>>Firewalla-appliance>>>>Router

I'm sure you advanced guys will frown upon it, but for $350 I'm pretty impressed with the Firewalla security appliance, and it is just about as simple to install and manage as you could ask for.
Firewalla: Cybersecurity Firewall For Your Family and Business

Of course I also kept my Netgear R8000 router which runs OpenVPN and Bitdefender and I have no ports opened.
 