
Fbot malware targets HiSilicon DVR/NVR SoC devices

Fbot malware infections

Experts at 360Netlab observed the Fbot bot infecting a large number of HiSilicon DVR/NVR SoC devices.

Since February 16, 2019, security experts at 360Netlab have observed that a large number of HiSilicon DVR/NVR SoC devices were infected with an updated version of the Fbot bot.

The Fbot malware was first discovered by 360Netlab researchers. According to the experts, the root problem might be a specific OEM application running on top of the HiSilicon devices.

By scanning the Internet for IP banner information, the experts determined the models of the infected devices, which appear to belong to the HiSilicon DVR/NVR SoC device family. The experts observed only a few different camera brands, because a number of camera manufacturers OEM the HiSilicon DVR/NVR SoC device.

The experts discovered a total of 24528 infected IP addresses worldwide.

Fbot malware infections

Below is the list of the infected cameras' CPU models, with the number of infected devices per model:

   8262 bigfish
   3534 hi3520d
    383 godarm
    302 godnet
     78 hi3535
      8 Hisilicon Hi3536DV100 (Flattened Device Tree)

Fbot implements a multi-stage infection process. The experts were able to analyze Fbot samples and some payloads, but they announced the capture of the key exploit payload only while I was writing this post.

The experts pointed out that the attackers exploited the vendor's weak implementation of the DVRIP protocol. The attackers set up a telnet backdoor and install the Fbot bot on the target devices.

Fbot malware infections 2

“First, the device that is infected with Fbot scans TCP: 80, 81, 88, 8000, 8080 ports by issuing basic HTTP requests. When a target device returns the matching characteristics, Fbot will report the IP and port to its Reporter (185.61.138.13:6565).” reads the analysis published by 360Netlab.

“After that, Fbot Loader (185.61.138.13) logs in to the target device web port through the device default password “admin/empty password”. If the target device responds, Fbot Loader uses the device default password “admin/tlJwpbo6” to log in to the dvrip port (TCP: 34567).”

By performing fuzz testing, the researchers were able to obtain the Fbot Downloader sample and the Fbot download URLs:

http://185.61.138.13:8080/fbot.arm5.u
http://185.61.138.13:8080/fbot.arm7.u

The downloader sample is delivered over port 9000 through the command line (echo -ne XXXXXX > downloader); the downloader then fetches and executes the bot over HTTP.
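As an added detection example (written for this page, not taken from the 360Netlab analysis or this post), the following Python flags hosts whose flow records match the infection chain described above: HTTP probing of the DVR web ports, a report to the Reporter endpoint, a DVRIP login from the Loader, the port 9000 downloader delivery and the HTTP payload fetch. The flow line format, the 10.0.0.x/203.0.113.x sample addresses and the SCAN_THRESHOLD value are constructed assumptions; the ports and the 185.61.138.13 address come from the post.

```python
from collections import defaultdict
# Indicators taken from the post: probed HTTP ports, Reporter endpoint, DVRIP port,
# downloader delivery port and the payload host. The flow record format is constructed.
SCAN_PORTS = {80, 81, 88, 8000, 8080}
REPORTER = ("185.61.138.13", 6565)
LOADER_IP = "185.61.138.13"
DVRIP_PORT, DOWNLOADER_PORT, PAYLOAD_PORT = 34567, 9000, 8080
SCAN_THRESHOLD = 20  # distinct hosts probed before we call it scanning (assumed tuning)

def parse_flow(line):
    """Parse a constructed flow record: 'src_ip src_port dst_ip dst_port'."""
    src, sport, dst, dport = line.split()
    return src, int(sport), dst, int(dport)

def detect_fbot(lines):
    """Return {host: [findings]} for hosts whose traffic matches the Fbot chain."""
    probed = defaultdict(set)      # source -> destinations probed on DVR web ports
    findings = defaultdict(list)
    for line in lines:
        src, _, dst, dport = parse_flow(line)
        if dport in SCAN_PORTS:                       # stage 1: HTTP probing of targets
            probed[src].add(dst)
        if (dst, dport) == REPORTER:                  # stage 1: victim reported to Reporter
            findings[src].append("reported a target to the Fbot Reporter")
        if src == LOADER_IP and dport == DVRIP_PORT:  # stage 2: default-password DVRIP login
            findings[dst].append("DVRIP login from the Fbot Loader")
        if src == LOADER_IP and dport == DOWNLOADER_PORT:  # stage 3: downloader dropped
            findings[dst].append("downloader delivery on port 9000")
        if dst == LOADER_IP and dport == PAYLOAD_PORT:  # stage 3: bot fetched over HTTP
            findings[src].append("payload fetch from the Fbot download host")
    for host, dsts in probed.items():
        if len(dsts) >= SCAN_THRESHOLD:
            findings[host].append(f"HTTP probing of {len(dsts)} hosts on DVR web ports")
    return dict(findings)

# Constructed sample traffic: 10.0.0.5 is an already-infected DVR that scans and
# reports; 10.0.0.9 is a fresh victim being loaded; 10.0.0.7 is benign.
SAMPLE_FLOWS = [f"10.0.0.5 4{i:04d} 203.0.113.{i} 8080" for i in range(25)] + [
    "10.0.0.5 41000 185.61.138.13 6565",
    "185.61.138.13 51000 10.0.0.9 80",
    "185.61.138.13 51001 10.0.0.9 34567",
    "185.61.138.13 51002 10.0.0.9 9000",
    "10.0.0.9 33000 185.61.138.13 8080",
    "10.0.0.7 33001 198.51.100.4 443",
]

if __name__ == "__main__":
    for host, hits in detect_fbot(SAMPLE_FLOWS).items():
        print(host, "->", "; ".join(hits))
```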

The bot uses two different layers of encryption and decryption code to hinder analysis.

The experts explained that this Fbot variant implements five DDoS attack vectors.

Further details, including IoCs, are reported in the analysis published by 360Netlab.


Pierluigi Paganini

(SecurityAffairs – botnet, malware)
