The Death botnet grows targeting AVTech devices with a 2-years old exploit
25.7.2018 securityaffairs BotNet
A new botnet, tracked as Death botnet has appeared in the threat landscape and is gathering unpatched AVTech devices with an old exploit.
A new botnet, tracked as ‘Death botnet,’ has appeared in the threat landscape, its author that goes online with the moniker EliteLands is gathering unpatched AVTech devices in the malicious infrastructure.
AVTech is one of the world’s leading CCTV manufacturers, it is the largest public-listed company in the Taiwan surveillance industry.
EliteLands is using a 2-years old exploit that could be used to trigger tens of well-known vulnerabilities in the AVTech firmware. Many products of the vendor currently run the vulnerable firmware, including DVRs, NVRs, and IP cameras.
The security expert Ankit Anubhav who discovered the Death botnet revealed that outdated firmware versions expose the passwords of the AVTech device in cleartext. The flaw could be exploited by an unauthenticated attacker to add users to existing devices.
Ankit Anubhav told Bleeping Computer that EliteLands is exploiting the issues to add new users to AVTech devices.
The expert explained that older firmware is vulnerable to a command injection vulnerability for the password field, this means that the attacker can provide a shell command in this field to get it executed and take over the devices.
“So, if I put reboot as password, the AVTech system gets rebooted,” Anubhav explained. “Of course, the Death botnet is doing much more than just rebooting.”
AVTech rolled out security updates for the flaw at the beginning of 2017, but evidently many devices are still running old firmware. Recently, another botnet, the Hide ‘N Seek (HNS) botnet, started leveraging the same issue ((new) AVTECH RCE) to target IoT devices.
At the end of June, AVTech published a security alert regarding the attacks exploiting the above flaw.
Anubhav confirmed that EliteLands gathering devices for his Death botnet by targeting exposed devices with different payloads for the password field.
The latest version of payload used by EliteLands is adding accounts with a lifespan of five minutes that execute his payload and then is deleted from the device.
“This is like a burner account,” Anubhav told Bleeping Computer. “Usually people don’t make new user accounts with access of only 5 minutes.”
Anubhav has already identified over 1,200 AVTech devices that are potentially at risk.
Anubhav contacted the EliteLands who confirmed that he plans to use the Death botnet in massive attacks.
“The Death botnet has not attacked anything major yet but I know it will,” EliteLands said. “The Death botnet purpose was orginally just to ddos but I have a greater plan on it soon. I dont really use it for attacks only to get customers aware of the power it has.”