In this section, we analyze two vulnerabilities: the CVE-2016-10372 vulnerability in the Eir D1000 router and the backdoor vulnerability in Netis routers. Apart from the UPnP-related vulnerabilities described in section 4.4.3 Malicious Behaviors Targeting UPnP Vulnerabilities, the CVE-2016-10372 vulnerability was the most frequently exploited. The backdoor vulnerability in Netis routers had a severe impact when it was first disclosed.
Vulnerability in the Eir D1000 Router
Eir is an Irish company. There is only one vulnerability (CVE-2016-10372) recorded in the NVD for the Eir D1000 router. This vulnerability exists because the Eir D1000 router does not properly restrict the TR-064 protocol, which allows attackers to execute arbitrary commands via port 7547.
In this section, we analyze the threat trend related to the Eir D1000 router according to the data captured by NSFOCUS’s threat hunting system. The following subsections analyze these log messages from three aspects: attack sources, attack incidents, and sample download addresses.
Finding 4: 23% of the exploits of the CVE-2016-10372 vulnerability originated in Brazil. Attackers became active in October 2019. The global distribution of sample download addresses was consistent with that of attack sources.
- Attack Sources
After deduplicating the source IP addresses recorded in the capture logs, we found that about 900 IP addresses exploited the CVE-2016-10372 vulnerability. As shown in Figure 3-6, Brazil hosted the most source IP addresses that exploited this vulnerability (23%).
- Attack Incidents
We analyzed the attack incidents recorded in the log data for the Eir D1000 router. Here, all messages from one source IP address in one day are counted as one attack incident. Figure 3-7 shows the monthly number of attack incidents. As shown in Figure 3-7, exploits became active in October 2019.
- Sample Download Addresses
After deduplication, we obtained 860 valid sample download addresses. Figure 3-8 shows the global distribution of sample download addresses related to the vulnerability in the Eir D1000 router. As shown in the figure, Brazil and Iran hosted the most sample download addresses, which coincided with the distribution of attack source IP addresses. We infer that attackers launched attacks from these countries and used compromised devices there to spread malicious samples.
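The aggregation used above (deduplicated source IPs, one attack incident per source IP per day, monthly incident counts, country share, and deduplicated download addresses), as an added example that is not part of the original report or of NSFOCUS's threat hunting system; the log record format and every value in it are constructed assumptions:

```python
from collections import Counter
from datetime import datetime

# Constructed sample records (not real capture data): timestamp, source IP,
# geolocated country, and the sample download URL seen in the exploit payload.
SAMPLE_LOGS = """\
2019-10-03T01:12:09Z 203.0.113.7 BR http://198.51.100.4/bins/arm7
2019-10-03T05:40:51Z 203.0.113.7 BR http://198.51.100.4/bins/arm7
2019-10-04T11:02:17Z 203.0.113.7 BR http://198.51.100.4/bins/mips
2019-10-04T13:45:30Z 203.0.113.8 BR http://198.51.100.4/bins/arm7
2019-10-05T09:30:00Z 198.51.100.22 IR http://203.0.113.99/x86
2019-11-01T22:15:43Z 192.0.2.15 CN http://198.51.100.4/bins/arm7
2019-11-01T22:16:01Z 192.0.2.15 CN http://198.51.100.4/bins/arm7
"""

def parse(logs=SAMPLE_LOGS):
    """Parse one record per line into (timestamp, ip, country, url) tuples."""
    records = []
    for line in logs.splitlines():
        ts, ip, country, url = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, country, url))
    return records

def unique_sources(records):
    """Deduplicated source IPs, mapped to their geolocated country."""
    return {ip: country for _, ip, country, _ in records}

def attack_incidents(records):
    """One incident = all messages from one source IP on one calendar day."""
    return {(ip, ts.date()) for ts, ip, _, _ in records}

def incidents_per_month(records):
    """Monthly incident counts (the report's Figure 3-7)."""
    return Counter(day.strftime("%Y-%m") for _, day in attack_incidents(records))

def country_share(records):
    """Share of unique source IPs per country (the report's Figure 3-6)."""
    sources = unique_sources(records)
    return {c: n / len(sources) for c, n in Counter(sources.values()).items()}

def download_addresses(records):
    """Deduplicated sample download addresses (the report's Figure 3-8)."""
    return {url for _, _, _, url in records}
```

With the constructed records, the two Brazilian IPs give Brazil a 50% share of sources, and the three messages from 203.0.113.7 collapse into two incidents because they span two days.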
Backdoor in Netis Routers
The backdoor in Netis routers was discovered by security researchers from Trend Micro in 2014, who reported that over 2 million Netis routers were affected. Five years later, in 2019, NSFOCUS’s threat hunting system still captured related exploit attempts every day. Therefore, we deem it necessary to conduct a detailed analysis of the exposure and exploitation of the backdoor.
The backdoor in Netis routers provides a UDP service on port 53413 protected by a hard-coded password. Therefore, when a vulnerable device is exposed on the Internet, attackers can easily log in to it and execute arbitrary code.
Finding 5: Compared with the situation five years ago, the risk of backdoor exploitation facing Netis routers has decreased greatly. Fewer than 3000 Netis routers were exposed with this backdoor, but attackers have not stopped exploiting this vulnerability.
Exposed Netis Routers with the Backdoor
To determine the number of vulnerable devices around the world, we surveyed all backdoored Netis routers exposed on the Internet.
Unless otherwise indicated, all data provided in this section was obtained from a single-round global recon conducted in August 2019.
China hosted the most backdoored Netis routers (approximately 3000), far ahead of all other countries.
The survey data shows that the number had dropped greatly, from 2 million in 2014, when the backdoor was first detected, to 3000 in 2019. As shown in Figure 3-9, though 89% of vulnerable Netis routers were exposed in China, the absolute number was small. We infer that most vulnerable routers were in China because Netis is a Chinese vendor mainly oriented to the domestic market. According to the data from the Netis router scanning project, the number of vulnerable devices in China was 1028 on October 18, 2019. The deviation probably arose from different locations of the scanning IP addresses, but we did not investigate the actual cause.
We also verified that all of these routers could be logged in to successfully, but we did not verify whether commands could be executed after login.
To be continued.