Australia's Leading Computer Emergency Response Team
Carna botnet scanning of all IPv4 addresses

Date: 25 March 2013



Background

In 2012, a "researcher" compromised about 420,000 devices, forming what is now called the Carna botnet, and used it to conduct a distributed scan of all public IPv4 addresses. Information about this research, also referred to as the Internet Census 2012, including the botnet, the results of the scan and 9TB of scan data, was released last week and is publicly available.

Impact

The data from this research has the potential to affect your organisation in the following ways:

- The results of a scan of your organisation's public IPv4 addresses are now public and may identify exploitable open ports or services, facilitate further reconnaissance, or help identify exploitable vulnerabilities on your organisation's network; and/or

- Your organisation may host one of the compromised devices that make up the Carna botnet, which may be identified and used by other attackers to conduct further, more serious attacks on your internal network or against other parties.

Note that the logs contain no more information than someone (including yourself) could derive simply by scanning your organisation's public IPv4 addresses using nmap or a similar tool. In fact, any party interested in conducting a targeted attack on your network would arguably find it easier and more useful to do its own scan and reconnaissance than to rely on the now dated results of the research. Note that the data available for download is 568GB compressed and 9TB when decompressed.

However, for indiscriminate attackers who do not care which organisations or systems they compromise, there is an increased risk that your organisation may be selected for further attacks if an attacker assesses, from this publicly available information, that your organisation has exploitable vulnerabilities.

Recommended action

- Identify your level of exposure and what information may now be available to an external attacker as a result of this research. Perform a scan of your organisation's public IPv4 addresses and determine whether there are any exploitable weaknesses.

- Specifically, identify any devices that may have been used in the Carna botnet, or which exhibit similar weaknesses and could easily be compromised and used to facilitate further attacks on your network.

- Assess whether each identified device/host or service needs to be publicly visible/reachable. If not, block access to the device/host or service port with appropriate firewall rules. If so, do not allow login via default or weak credentials, and restrict access via a VPN.

- Check that operating system software on publicly reachable devices/hosts is up to date to prevent attempts to run exploits against possible vulnerabilities in this software.

- If a compromised device containing the Carna binary is detected, reboot it to remove the binary (it is not stored persistently on the device), then secure it as described above; a reboot alone leaves the device as vulnerable as before.

- Create an organisational policy to perform external vulnerability assessment of your public IP addresses on a regular basis. Due to the changing nature of most organisations' networks, devices and services, such a policy will help keep your organisation's publicly visible infrastructure more secure.

- As an AusCERT member, check that your organisation's IP network address ranges and domain names have been provided to AusCERT and are still correct and complete. IP address ranges must be provided in CIDR notation. This helps AusCERT provide proactive incident response services to you and detect attacks that may have already occurred on your network and systems.

What devices are affected?

Some of the devices that were compromised by this botnet include (but are not limited to):

- web cameras
- security cameras
- printers
- IPSec routers
- BGP routers
- x86 equipment with crypto accelerator cards
- industrial control systems
- physical door security systems
- Cisco/Juniper equipment.

Look for devices which have the following characteristics:

- The device has a public IPv4 address and is reachable from the Internet
- The device may or may not be an embedded device
- It has telnet (port 23/tcp) open
- It allows login using default or weak username/password combinations, such as root:root or admin:admin, or accounts with no password at all
- Many are based on Linux and present a standard BusyBox shell on login
- If it was compromised and used as part of the Carna botnet, it will also have a "readme" file containing an explanation of the project and a contact email address
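The checks in the two lists above (try the default and empty credentials over telnet, look for a BusyBox shell, look for the leftover "readme") can be scripted. The following Python is an added example written for this page; it is not AusCERT's code nor anything from the Internet Census project. It drives a telnet login over a raw socket and refuses telnet option negotiation so that it works against simple embedded stacks. To run offline it also contains a constructed fake device that accepts root:root and lists a readme. Assumptions not taken from the advisory: the credential order, the `ls -a / /tmp` command used to look for the readme (the advisory does not say where the file was placed), and the fake device's banner and prompt strings.

```python
"""Added example (not AusCERT's or the Carna author's code): check a host for telnet reachable,
default or empty password accepted, BusyBox shell and a leftover "readme".  Runs offline."""
import socket
import socketserver
import threading
from typing import Optional

IAC, DONT, DO, WONT, WILL = 255, 254, 253, 252, 251    # telnet negotiation bytes (RFC 854)
DEFAULT_CREDS = [("admin", "admin"), ("root", "root"), ("root", ""), ("admin", "")]

def _strip_options(raw: bytes, sock: Optional[socket.socket]) -> tuple:
    """Drop IAC option sequences.  With a socket, refuse what the peer proposes (WONT to DO,
    DONT to WILL) so the device falls back to plain text; refusals (DONT/WONT) get no reply,
    which avoids negotiation loops.  Returns (text, incomplete tail for the next chunk)."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] != IAC:
            out.append(raw[i])
            i += 1
        elif i + 2 >= len(raw):                        # sequence cut by the chunk boundary
            return bytes(out), raw[i:]
        else:
            cmd, opt = raw[i + 1], raw[i + 2]
            if sock is not None and cmd in (DO, WILL):
                sock.sendall(bytes([IAC, WONT if cmd == DO else DONT, opt]))
            i += 3                                     # SB...SE subnegotiation not handled
    return bytes(out), b""

def _read_until(sock: socket.socket, markers: tuple, timeout: float) -> bytes:
    """Read cleaned text until a marker appears (case-insensitive), EOF or timeout."""
    sock.settimeout(timeout)
    buf, tail = b"", b""
    while not any(m in buf.lower() for m in markers):
        try:
            chunk = sock.recv(4096)
        except socket.timeout:
            chunk = b""
        if not chunk:
            break
        text, tail = _strip_options(tail + chunk, sock)
        buf += text
    return buf

def try_default_logins(host: str, port: int = 23, creds=DEFAULT_CREDS,
                       timeout: float = 3.0) -> Optional[dict]:
    """One fresh connection per credential pair; report the first that yields a shell prompt.
    Listing / and /tmp for the readme is an assumption: the advisory names no location."""
    for user, pw in creds:
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                if b"login:" not in _read_until(s, (b"login:",), timeout).lower():
                    return None                        # no telnet login prompt at all
                s.sendall(user.encode() + b"\r\n")
                _read_until(s, (b"password:",), timeout)
                s.sendall(pw.encode() + b"\r\n")
                resp = _read_until(s, (b"# ", b"$ ", b"login:"), timeout)
                if not resp.rstrip().endswith((b"#", b"$")):
                    continue                           # "Login incorrect": try the next pair
                s.sendall(b"ls -a / /tmp\r\n")
                listing = _read_until(s, (b"# ", b"$ "), timeout)
                return {"host": host, "port": port, "credentials": (user, pw),
                        "busybox": b"busybox" in resp.lower(),
                        "readme": b"readme" in listing.lower()}
        except OSError:
            return None
    return None

class FakeBusyBoxDevice(socketserver.StreamRequestHandler):
    """Constructed stand-in for a vulnerable device: accepts root:root and carries a readme."""
    def _line(self) -> str:                            # drops the scanner's WONT/DONT replies
        return _strip_options(self.rfile.readline(), None)[0].strip(b"\r\n").decode("ascii", "replace")

    def handle(self):
        try:
            self.request.sendall(bytes([IAC, DO, 1, IAC, WILL, 3]))   # DO ECHO, WILL SGA
            while True:
                self.request.sendall(b"\r\nlogin: ")
                user = self._line()
                if not user:                           # EOF: the scanner hung up
                    return
                self.request.sendall(b"Password: ")
                if (user, self._line()) == ("root", "root"):
                    break
                self.request.sendall(b"\r\nLogin incorrect\r\n")
            self.request.sendall(b"\r\nBusyBox v1.20.2 (2013-01-05 10:12:44 UTC) built-in shell (ash)\r\n\r\n# ")
            if self._line().startswith("ls"):
                self.request.sendall(b"bin  etc  readme  sbin  tmp  usr\r\n# ")
        except OSError:
            pass

def demo() -> Optional[dict]:
    """Run the check against the fake device listening on an ephemeral local port."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeBusyBoxDevice)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return try_default_logins("127.0.0.1", srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()
```

To use it on your own ranges, first find candidate hosts with something like `nmap -p 23 -oG telnet.gnmap <your CIDR ranges>` and call `try_default_logins` for each host listed as 23/open; `demo()` runs the same code path against the built-in fake device. Only probe address space you own or are authorised to test, and keep the credential list short: the embedded equipment the advisory lists can lock up or reboot under repeated login attempts, and every attempt is a real login on a production device.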

Background information about the research

The "researcher" who compromised about 420,000 devices and created the Carna botnet claims that:

- he had no intention of interfering with the default device operations and did not change passwords
- the uploaded binary was coded to run at the lowest possible system priority, with a watchdog, and stopped itself after a few days
- the binaries were not stored on the devices and would be lost on a reboot
- he left a small readme file on each compromised device which explained the project and included a contact email address
- he only scanned public IPv4 ranges even when he managed to infiltrate routers that would have allowed him to perform scans of internal networks (private reserved IPv4 ranges) or even allowed listening in on the traffic passing through the device.

Furthermore, while the researcher compromised only about 420,000 devices as part of the botnet, he identified around 1.2 million devices which were assessed to be insecure, i.e. had port 23/tcp open with default credentials for login.