Old IoT Botnet has been Revived
Eniko Toth


The "Hello, Peppa!" botnet and the /ept/out.php vulnerability were new attacks discovered by our Attack Vector Miner. Now it has recognized the reactivation of a forgotten IoT botnet, one that exploits the remote command execution vulnerability in the D-Link DSL-2750B router.

What does the attack look like?

The discovered pattern is a request to /login.cgi?cli=, as you can see below:

On the D-Link DSL-2750B router with firmware 1.01 to 1.03, remote command execution is possible without authentication. But how? Here is the explanation from SecLists.org:
"Arguments of the "cli" parameter are passed directly to a binary that will execute that particular given command; the complete list of commands available is inside the "/etc/ayecli/ayecli.cli" file (among them there's a creepy "system halt" that will shut down the router no matter what).
Arguments are passed in a way that ayecli -c 'command-here' so the way to escape is to close, add a command and close again to neutralize "$" substitution with ': ayecli -c 'command'; injection'"
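The request pattern described above can be spotted in ordinary web server access logs. The following Python is an added example, not code from the original post or from BitNinja's ruleset: it flags /login.cgi requests whose cli parameter carries a character that would close the single-quoted ayecli argument, and counts hits per source address. The log lines, IP addresses and timestamps are constructed samples.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample lines in Apache "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [21/Jul/2018:21:03:11 +0200] "GET /login.cgi?cli=aa%20aa%27;echo%20probe%27$ HTTP/1.1" 404 162 "-" "curl/7.58.0"
203.0.113.10 - - [21/Jul/2018:21:03:12 +0200] "GET /login.cgi?cli=show%20version HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.77 - - [21/Jul/2018:21:04:00 +0200] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Characters that break out of the single-quoted "ayecli -c '...'" argument the
# advisory describes: a quote closes the argument, ';' chains a command,
# '$' and backticks re-enter shell substitution.
INJECTION_RE = re.compile(r"['\";$`|&]")

def cli_argument(target):
    """Return the decoded 'cli' query value of a /login.cgi request, else None."""
    parts = urlsplit(target)
    if parts.path != "/login.cgi":
        return None
    for pair in parts.query.split("&"):          # split manually so ';' stays in the value
        name, _, value = pair.partition("=")
        if name == "cli":
            return unquote(value)                # %27 -> ', %20 -> space
    return None

def classify(line):
    """'injection' for a breakout attempt, 'probe' for a plain /login.cgi?cli= hit, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    cli = cli_argument(m.group("target"))
    if cli is None:
        return None
    return "injection" if INJECTION_RE.search(cli) else "probe"

def scan(log_text):
    """Count verdicts per source IP, e.g. {('203.0.113.10', 'injection'): 1, ...}."""
    counts = {}
    for line in log_text.splitlines():
        verdict = classify(line)
        if verdict:
            ip = LOG_RE.match(line).group("ip")
            counts[(ip, verdict)] = counts.get((ip, verdict), 0) + 1
    return counts
```

Running `scan(SAMPLE_LOG)` on the constructed lines reports one injection attempt and one plain probe from 203.0.113.10; the unrelated /index.php request is ignored.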

Old IoT botnet is waking up from its long sleep

This D-Link router vulnerability was discovered in 2016, but now, two years later, it has started spreading. The number of incidents increased significantly on July 21st at 9 PM (UTC+02:00). Since then, the botnet has been active, as you can see in the graph:

Within seven days (July 18th through July 25th) there were almost 135.000 attacks from this IoT botnet. And this raises an important question:

Where are these attacks coming from?

We analyzed the data and found that 75% of these IoT botnet attacks are coming from Egypt.

Besides Egypt, we can see three other big players: France, Italy, and Japan.

If you don't have website visitors or users from these countries, you can use the Country Block option on the Dashboard to block all connections coming from them.

IoT devices are being targeted

It looks like people should put more focus on securing their IoT (Internet of Things) devices. Why do we say that? Do you remember when an IoT botnet increased the number of daily incidents by 200% and completely reordered the ranking of attacking countries last year? The importance of IoT device security was a significant topic at the Cloudfest exhibition, too.

The number of detected attacks (135.000 within a week) shows how effectively BitNinja protects its users, so if you are using BitNinja Pro, you can lean back and relax. ;)

Not using BitNinja Pro? What are you waiting for? Don't let attacks destroy your server!

After the “Hello, Peppa!”  zero-day botnet, our Attack Vector Miner detected another zero-day vulnerability.  Some vulnerable websites contain an /ept/out.php file, which can work as an open proxy. That’s why the attacker scans the /ept/out.php file. Let’s see an example:  The number of these attacks started to increase on July 11th, and as we can see in the diagram below, the botnet’s activity is slowing down now.  During the peak time, we experienced 15.000 attacks per day and most of them tar...