A new variant of the Muhstik botnet has appeared, this time with scanner technology that for the first time can brute-force web authentication to attack routers using Tomato open-source firmware, researchers have found.
Researchers at Palo Alto Networks’ Unit 42 discovered the new variant harvesting vulnerable routers and IoT devices in early December, they reported in a blog post Tuesday. Muhstik, showing a wormlike self-propagating capability that can infect Linux servers and IoT devices, has been active since March 2018.
“The new Muhstik variant scans Tomato routers on TCP port 8080 and bypasses the admin web authentication by default credentials bruteforcing,” researchers wrote in their report. The default in this case being “admin:admin” and “root:admin.”
“We captured the Tomato router web authentication brute-forcing traffic,” wrote Palo Alto researchers who co-authored the blog Cong Zheng, Yang Ji and Asher Davila.
Tomato firmware, a Linux-based non-proprietary firmware known for its stability, VPN-pass through capability, and advanced quality-of-service control, is typically used by multiple router vendors and also installed manually by end users, researchers said.
To estimate the infected volume of devices, researchers searched for fingerprints of Tomato routers in Shodan, which identified more than 4,600 Tomato routers exposed on the internet and thus vulnerable to the latest Muhstik attack.
Indeed, botnet developers increasingly compromising IoT devices installed with the open-source firmware. Attackers see these devices as easy targets because they often lack regular security updates or maintenance patches necessary to keep devices secure against such attacks, researchers noted.
Muhstik in the past already demonstrated the capability to use multiple vulnerability exploits to infect Linux services, such as Oracle WebLogic, WordPress and Drupal, as well as routers.
The new variant also once again shows the inherent lack of security in the IoT landscape, with new attacks on these type of devices seeming to come so fast security researchers can barely keep up.
Earlier this week, a hacker published a list of credentials for more than 515,000 IoT devices online, obtaining them by scanning the internet for devices with exposed Telnet ports and then using default or easy-to-guess password combinations.
Unit 42 researchers published examples of the three modules of the Muhstik variant they discovered. The first module is a scanner that identifies WordPress installed on a server by sending a GET request to port 80/TCP or 8080/TCP, which are typical HTTP ports, they wrote in their report.
The second module, also a scanner, identified Webuzo solutions installed on a server by sending a GET request to port 2004/TCP, which is Webuzo’s default port for administration. The request uses the path /install.php since it is the Webuzo installer file and by default a server running Webuzo will respond successfully to that request, researchers wrote.
The third module targets Oracle Weblogic Server, sending a deserialization vulnerability found in the server to port 7001/TCP—the server’s default—that leads to a remote code execution. “This vulnerability can be exploited remotely and without previous authentication,” researchers noted.
Researchers said they did not discover malicious activities beyond the variant’s harvesting of vulnerable Tomato routers; however, the Muhstik botnet is mainly known to launch cryptocurrency mining and DDoS attacks in IoT bots to earn profit.
Concerned about mobile security? Check out our free Threatpost webinar, Top 8 Best Practices for Mobile App Security, on Jan. 22 at 2 p.m. ET. Poorly secured apps can lead to malware, data breaches and legal/regulatory trouble. Join our experts from Secureworks and White Ops to discuss the secrets of building a secure mobile strategy, one app at a time. Click here to register.