Written by Jan Otte, Tuesday 17 April 2018
Some time ago there has been questions about impact of IoTroop/Reaper Malware on our devices. A week ago there has been another inquiry. As it seems to be an (unexpected) pattern, this short information announcement is given to public.
If you are really short of time, the basic information is:
Now we can talk about the IoTroop/Reaper a little bit more.
First, please note there are multiple variants of the malware. In fact, there are even a multiple (different) malware samples with similar names.
The story is as usuall with successfull malware. Somebody writes a malware that is able to infect a lot of devices, bind these to the control server and use it to whatever purpose. After some time, the botnet is discovered, control servers killed and the author (or somebody else because now the technique is known) writes another malware. Usually, the latter, the better.
It is business these days. Botnets are for sale or for hire. Do you want a botnet to DDOS your competition? Do you want it to bring a site down? Do you want it for political reasons? The purpose is not important, what is important is that you can buy it. That is the reason why so many people write malware these days. Money. And fun (to them). But you know, money comes first.
On the other side, you do not want to be the attacking party, right? These days, some countries are starting to take DDOS and other attacks seriously and you probably do not want to answer why 10,000 of your devices were taking part in a cyber-attack attributed to a foreign country because the purpose was to hack military server. At present, showing your devices were hacked is sufficient (though still sounding very incompetent). In future, not securing the devices can mean penalties.
Now, in Czech Republic we say let's pour a pure wine and the meaning is we are going to talk truth not marketing. No system is inhackable.It is valid for any system, even for the network-disconnected ones (that is a very specific topic we are not going to discuss today).
That said, looking at the public security disclosures for our routers (e.g. CVE, link below), you find none.
Why? Because there are too few routers out there? We produce 30 to 50 thousand new routers a year so... no. Because our products are hacker-proof? No, there is no such thing. It is simply because we usually find a lot of stuff ourselves during testing. Because we are very fast with fixing security problems, not caring it they come from the wild or from the academic world. Because we are in control of the operating system of our routers and we can fix what we need to. Because we are monitoring possible sources.
I am not writing this so that you can lie down comfortably. I am only saying we are doing our part. We are getting the devices ready for your part.
If you don't do your part, you throw away all our hard work and expose the devices to the threats out there.
What threats? I here you asking. I am in private APN. No threats there.
Threats are anywhere. One infected laptop connected to LAN side of the router with one simple malware does very trivial act - tries to login via ssh/https to a default gateway (router) with a few default passwords combinations. Even if you managed to change the default password to something else, don't forget the next thing to try is brute-force password attack. If your password is not strong enough, it will be found sooner or later. And your router would be compromised.
Well, I hope I scared you enough to change your password to something save. What is something save? Something that has a chance to avoid being guessed for a long time. Use multiple characters (8 is minimum). Don't use dictionary words and dates. Mix lower and upper case. Add some numbers into the mix.
There are a lot of good password practices. You can for example remember a sentence or a few of them and use first letters of the words while mixing lower/upper and adding numbers. You can allow connection via ssh key only (and secure that key!) and disable web login. You can do a lot of stuff.
And one more thing: never allow ssh access for somebody else. One very important part to remember is that we are building routers and we secure them as routers. Our products are not multi-user servers secured on a per-user level. You are fine to add additional acounts as long as you don't give out ssh access. Once you give ssh access to the third party, you break the security model and even if basic security is naturally there, a capable attacker will find her way...
And now something about the threats :-)
In August 2016 a malware caller Mirai was found (link to Wikipedia below). It was capable of infecting some Linux-based devices and used a pre-defined set of username+passwords to log into the devices.
The Mirai was good with hacking into lot of sensor-based devices, like IP cameras etc. Because you usually don't even know these devices has something like username+password, and because you usually don't update the firmware of these devices, a lot of them are vulnerable even today.
Mirai was very successfull and you can read about multiple attacks performed by its botnets. Because of the nature of the infection mechanism (the devices stays vulnerable because of no firmware update), the usual practice to get these botnets down is to find and shutdown control centers.
Mirai was a source of inspiration for other malwares.
One of these malwares is the IoTroop malware. There is a good reading on IoTroop done by Checkpoint linked below this article.
The IoTroop (or at least some of its variants) was able to infect some devices from various vendors like Avtech, JAWS, NetGear, VACRON, WIFICAM, DLINK, Linksys.
At start, the IoTroop/Reaper malware has been focused on a few security vulnerabilities of specific devices (vendors listed above, details in the analysis articles linked below). Later on, further advanced abilities of the malware were found, differing across various variants, integrating techniques from another malwares.
Because of the multiple variants, it is not clear how many devices from which vendors are affected. While some of the malware samples analysis reveals infection techniques that are clear, there are apparently other vedor's devices vulnerable.
I was asked why we have done no information bulletin. The reason for not publishing is because at the moment, there is no known mechanism how the main variant of IoTroop/Reaper can infect our device running actual version of our OS. Given there are IoTroop/Reaper variants that may integrate Mirai's password guessing, it is possible that if you have not changed the default password (which is a security flaw during device installation!), it may be able to login into the device. Even so, the known (the well-described) infection mechanisms of the IoTroop malware should not work on our custom OS even if login to the device is successfull (log in yes, infect no). But note that there can be another variants we do not know about and we really do not build uninfectable OS - today it is just a coincidence and a matter of time.
To sum up, if you adhere to some reasonable password policy on your devices, routers running actual version of Conel OS should not be vulnerable to the IoTroop/Reaper malware.