(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 


Last week, Ars introduced readers to Hajime, the vigilante botnet that infects IoT devices before blackhats can hijack them. A technical analysis published Wednesday reveals for the first time just how much technical acumen went into designing and building the renegade network, which just may be the Internet's most advanced IoT botnet.

As previously reported, Hajime uses the same list of user name and password combinations used by Mirai, the IoT botnet that spawned several record-setting denial-of-service attacks last year. Once Hajime infects an Internet-connected camera, DVR, or other Internet-of-things device, the malware blocks access to four ports known to be the most widely used vectors for infecting IoT devices. It also displays a cryptographically signed message on infected device terminals that describes its creator as "just a white hat, securing some systems."

Not your father's IoT botnet

But unlike the bare-bones functionality found in Mirai, Hajime is a full-featured package that gives the botnet reliability, stealth, and resilience that are largely unparalleled in the IoT landscape. Wednesday's technical analysis, written by Pascal Geenens, a researcher at security firm Radware, makes clear that the unknown person or people behind Hajime invested plenty of time and talent.


 
BlackBerry Broadcom Wi-Fi Driver CVE-2016-2433 Arbitrary Code Execution Vulnerability
 
Sierra Wireless AirLink Raven ICSA-17-115-02 Multiple Security Vulnerabilities
 
OpenText Documentum Content Server CVE-2017-7221 Incomplete Fix Remote Code Execution Vulnerability
 
Lenovo System Update CVE-2015-8110 Local Privilege Escalation Vulnerability
 
Oracle Sun ZFS Storage Appliance Kit (AK) CVE-2017-3585 Remote Security Vulnerability
 
Oracle FLEXCUBE Enterprise Limits and Collateral Management Remote Security Vulnerability
 
Oracle E-Business Suite CVE-2017-3556 Remote Security Vulnerability
 

Sen. Ron Wyden of Oregon has pointed out a particular problem with Senate IT security: Senate staffers' ID cards are essentially fake smartcards, useless for two-factor authentication. (credit: Getty Images/Justin Sullivan)

When Congress held hearings following the breach of the systems of the Office of Personnel Management (OPM) in 2015, one of the issues that caused great consternation among lawmakers was that the OPM had failed to implement two-factor authentication for employees, particularly when using virtual private networks. Federal information security standards in place at the time called for strong user authentication for any federal information system, but the OPM hadn't figured out how to implement two-factor authentication principles—something users know (a password), plus something they have (which, in government, is typically a "smartcard" ID with digital authentication keys programmed onto a chip).

The OPM wasn't alone. While the Department of Defense began issuing Common Access Cards in 2008 to be used for two-factor authentication on DOD systems and to control physical access to DOD facilities, most of the civilian agencies of the US federal government still hadn't implemented their own smartcard (Personal Identity Verification, or PIV) systems at the time of the OPM breach.

What a real smartcard ID looks like: the DOD's Common Access Card. (credit: Department of Defense)

The Government Accountability Office repeatedly warned of gaps in federal information security, including the lack of two-factor authentication on critical federal systems like those at OPM. And during President Barack Obama's "cyber-sprint," many more agencies did roll out smartcards for authentication.


 
Hyundai Motor America Blue Link ICSA-17-115-03 Multiple Security Vulnerabilities
 
Joomla! CVE-2017-8057 Multiple Full Path Information Disclosure Vulnerabilities
 
OpenStack Keystone CVE-2017-2673 Security Bypass Vulnerability
 
Joomla! Core CVE-2017-7989 Arbitrary File Upload Vulnerability
 
cURL CVE-2016-8619 Remote Security Vulnerability
 

Setting up a Microsoft SQL Server with a stupidly simple password like "sa" for the sa user is hard. First of all, Microsoft implemented a default password policy that you need to disable. And then, when you finally Googled your way through how to disable it

A little bit odd is the distribution of TTLs. I am still trying to see if this is just an artifact of how I collected the data. Since MSSQL typically runs on Windows, I would expect the scans to originate from Windows systems that got compromised by this bot/worm. But instead, the majority of TTLs are just short of 255. So not even the Unix standard

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute

 
Google Nexus Qualcomm Sound Driver CVE-2017-0586 Information Disclosure Vulnerability
 
Google Pixel Qualcomm Sound Codec Driver CVE-2016-10231 Privilege Escalation Vulnerability
 
Apache Hadoop CVE-2017-3161 Cross Site Scripting Vulnerability
 
IBM Domino CVE-2017-1274 Stack Buffer Overflow Vulnerability
 
Joomla! CVE-2017-7984 Cross Site Scripting Vulnerability
 
Joomla! CVE-2017-7983 Information Disclosure Vulnerability
 
QEMU CVE-2017-8112 Denial of Service Vulnerability
 
OpenSSL CVE-2017-3733 Denial of Service Vulnerability
 
HP OpenCall Media Platform Multiple Cross Site Scripting and Remote File Include Vulnerabilities
 
Linux Kernel CVE-2017-7477 Heap Buffer Overflow Vulnerability
 
QEMU CVE-2017-8086 Denial of Service Vulnerability
 
QuickHeal CVE-2015-8285 Denial of Service Vulnerability
 
CVE-2017-3162: Apache Hadoop DataNode web UI vulnerability
 
April 2017 - Confluence - Security Advisory
 
[SECURITY] [DSA 3834-1] mysql-5.5 security update
 
RETIRED: Oracle Primavera Products CVE-2017-3508 Remote Security Vulnerability
 
Oracle MySQL Connectors CVE-2017-3523 Remote Security Vulnerability
 