Beyond NBotLoader
A system is only as secure as its weakest link, and the same applies to cybersecurity. While most emphasis is commonly placed on security measures such as antivirus or endpoint technologies that protect end-user systems, router security has often not been taken as seriously. Attackers leverage this neglect, and a compromised router can be a gateway to the end user's system. Router hardening is often limited to steps such as changing the default password to a strong one. However, as we see with NBotLoader, this single measure can still fall short against an attack that leverages IoT exploits.
In our previous post, we discussed how vulnerable Netgear DGN routers (see BID 60281) could allow remote code execution. We mentioned how NewSky Security IoT Halo could stop NBotLoader from wreaking havoc. In this follow-up post we give a more holistic explanation of the issue.
Password, shmashword
Using an IoT scanning service such as Shodan, it was possible to identify potentially vulnerable routers and other IoT devices with simple search criteria.
In the above image, the IP address is masked. Using the discovered IP address, one could assess whether the router was susceptible to BID 60281. In further research, we were able to identify the access (login) passwords of vulnerable routers; even strong passwords were no match, as they could be retrieved using a specially crafted URL. In this case, the identified router was determined to be vulnerable, and the password was revealed:
Risk Assessment
We were curious to know roughly how many Netgear DGN1000 and DGN2200v1 routers were in use (not necessarily how many vulnerable routers were in use). To find out, we used the online IoT search utility Shodan. Shodan supports search queries; in this case, we searched for each model number. We learned that Italy appears to be the top consumer of these routers:
Seriousness of the Situation
The vulnerability present in these router models, combined with the dangerous capability of NBotLoader, makes this a credible and serious threat. Once the router is compromised, an attacker could capture data passing through it, and (static) antivirus or other security software on the endpoint may be inadequate to stop it. This makes the breach as serious as one created by a password stealer or a Remote Access Trojan (RAT).
Remediation
We therefore urge consumers with the following Netgear routers to take immediate steps to prevent data loss or worse:
- Netgear DGN1000 with Firmware 1.1.00.48 (and prior)
- Netgear DGN2200v1
Netgear has released a firmware update for the DGN1000; the update addresses this remote authentication bypass vulnerability.
- DGN1000 Firmware
http://www.netgear.com/search-netgear.aspx?q=dgn1000%20firmware
According to Netgear, the DGN2200v1 is no longer supported. Consumers should replace this model with the Netgear DGN2200v3 or DGN2200v4, as these routers should not be affected. In short sample-set testing, DGN2200v3 and DGN2200v4 routers gave no indication that the vulnerability was present.
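As an added example (not code from this post or from NewSky Security), here is a small inventory triage that applies the remediation list above: it compares DGN1000 firmware versions numerically against 1.1.00.48 and flags DGN2200v1 units for replacement. The sample inventory and its firmware values are constructed, and the code assumes that any DGN1000 firmware newer than 1.1.00.48 contains Netgear's fix.

```python
import re

# Last affected DGN1000 firmware named in the post; anything at or below it is affected.
LAST_AFFECTED_DGN1000 = "1.1.00.48"

def parse_version(ver: str) -> tuple:
    """Turn '1.1.00.48' (or 'V1.1.00.48') into a tuple of ints so comparison is
    numeric per component, not lexical (lexically '.5' sorts after '.48')."""
    ver = ver.strip().lstrip("Vv")
    if not re.fullmatch(r"\d+(\.\d+)*", ver):
        raise ValueError(f"unrecognised firmware version: {ver!r}")
    return tuple(int(part) for part in ver.split("."))

def triage(model: str, firmware: str = "") -> str:
    """Classify one device per the remediation section above. Assumption: any
    DGN1000 firmware newer than 1.1.00.48 carries Netgear's fix."""
    m = model.strip().upper()
    if m == "DGN1000":
        if not firmware:
            return "check: DGN1000 firmware version unknown"
        if parse_version(firmware) <= parse_version(LAST_AFFECTED_DGN1000):
            return "vulnerable: update DGN1000 firmware"
        return "ok: DGN1000 firmware newer than 1.1.00.48"
    if m == "DGN2200V1":
        return "replace: DGN2200v1 is unsupported, move to DGN2200v3/v4"
    if m in ("DGN2200V3", "DGN2200V4"):
        return "ok: not affected in sample-set testing"
    return "unknown: model not covered by this advisory"

# Constructed sample inventory, one "model,firmware" per line (firmware may be blank).
SAMPLE_INVENTORY = """\
DGN1000,1.1.00.48
DGN1000,V1.1.00.5
DGN1000,1.1.00.49
DGN1000,
DGN2200v1,1.0.0.1
DGN2200v3,1.0.0.1
OTHER-MODEL,2.0
"""

def triage_inventory(text: str) -> list:
    """Return (model, firmware, verdict) for each non-empty inventory line."""
    results = []
    for line in text.splitlines():
        if line.strip():
            model, _, fw = line.partition(",")
            results.append((model, fw, triage(model, fw)))
    return results
```

Note the second sample line: a plain string comparison would rank "1.1.00.5" above "1.1.00.48" and wrongly mark that unit as patched.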
Ankit Anubhav
Principal Researcher, NewSky Security