Zyxel NAS, firewalls and LILIN DVRs and IP cameras conscripted into IoT botnets

A wide variety of Zyxel and LILIN IoT devices are being conscripted into several botnets, researchers have warned.

Users are advised to implement the provided firmware updates to plug the security holes exploited by the botmasters or, if they can’t, to stop using the devices altogether or to put them behind network firewalls.

OPIS

Zyxel devices affected

According to Palo Alto Networks’ Unit 42, botmasters using a new Mirai strain dubbed Mukashi are exploiting CVE-2020-9054, a pre-authentication command injection flaw, to compromise and “zombify” network-attached storage devices, firewalls, business VPN firewalls and unified security gateways.

CVE-2020-9054 is considered to be a critical vulnerability as it can be exploited by a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device.

The vulnerability was fixed in late February and Zyxel has provided firmware updates for the following affected devices that are still supported:

  • Network-attached storage devices (NAS326, NAS520, NAS540, NAS542)
  • Firewalls, business VPN firewalls and unified security gateways (ATP100, ATP200, ATP500, ATP800, USG20-VPN, USG20W-VPN, USG40, USG40W, USG60, USG60W, USG110, USG210, USG310, USG1100, USG1900, USG2200, VPN50, VPN100, VPN300, VPN1000, ZyWALL110, ZyWALL310, ZyWALL1100)

“Owners of NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2 as well as some other ZyXEL devices may not be able to install firmware updates, as these devices are no longer supported,” CERT/CC warned.

“Be cautious when updating firmware on affected devices, as the ZyXEL firmware upgrade process both uses an insecure channel (FTP) for retrieving updates, and the firmware files are only verified by checksum rather than cryptographic signature. For these reasons, any attacker that has control of DNS or IP routing may be able to cause a malicious firmware to be installed on a ZyXEL device.”

Workarounds available for those who can’t update the firmware include:

  • Blocking access to the web interface (80/tcp and 443/tcp) of any vulnerable ZyXEL device
  • Restricting access to vulnerable devices (i.e., not exposing them on the internet).

“Note however, that it is still possible for attackers to exploit devices that are not directly connected to the internet. For example, by way of viewing a web page,” CERT/CC added.

LILIN devices affected

LILIN digital video recorders (DVRs) and IP cameras have been under attack for months, by botmasters of the Chalubo, FBot and Moobot botnets, say researchers from Qihoo 360’s Netlab team.

They are exploiting a number of security flaws, including hard-coded login credentials, command injection (via NTP and FTP) and arbitrary file reading vulnerabilities.

According to the researchers, firmware running on a dozen LILIN devices is affected:

  • DVRs (LILIN DHD516A, LILIN DHD508A, LILIN DHD504A, LILIN DHD316A, LILIN DHD308A, LILIN DHD304A)
  • IP cameras (LILIN DHD204, LILIN DHD204A, LILIN DHD208, LILIN DHD208A, LILIN DHD216, LILIN DHD216A)

The manufacturer has released firmware that fixes the flaws (2.0b60_20200207) back in February.

Users of all the affected devices, both Zyxel’s and LILIN’s, are advised to update their device firmware or implement available workarounds.

Don't miss