
Remember this blog circa 2014?
http://blog.trendmicro.com/trendlabs-security-intelligence/netis-routers-leave-wide-open-backdoor/
The article highlights a backdoor coded into the Netis Router family that has been heavily abused. Here is an update on the continued use of the backdoor and one of the TippingPoint Digital Vaccine (DV) filters you may have seen firing in large numbers as of late.
DV filter 32391, which detects attempts to scan for this backdoor, still fires in very large numbers. It has essentially no false positive potential, and according to our ThreatLinQ reporting dashboard it has fired approximately 2.9 million times since the filter was released in August 2016. Because those statistics are based on approximately 5% of customer filter hits, the number extrapolates to more than 57 million events across our customer base.
We’ve analyzed a number of the pcaps captured by TippingPoint devices, and all have been true positives to date, as expected. The following is a lookup on the domain associated with one of the highest-frequency malicious scanning IPs observed in our Lighthouse deployment:
Next follows a screenshot from one of the scan attempts as viewed in Wireshark:
Of interest is the fact that of the nearly 50,000 events we saw on a single IPS in the last week, the large majority (roughly 40,000 hits) originated from the UK, with China and North Korea making up most of the remainder. This data can be retrieved directly from the SMS dashboard.
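The two numbers above come from the same kind of work: aggregating filter hits by source, then scaling a sampled count up to the full customer base. The following Python is an added example, not TippingPoint or Trend Micro code, and it does not use a real SMS or ThreatLinQ export format; the comma-separated "filter,src_ip,country" lines are a constructed stand-in for whatever event export you actually have. It keeps only hits for DV filter 32391, counts them per country and per source IP, and applies the 5% sampling ratio described in the post to get the extrapolated total.

```python
from collections import Counter

# Constructed sample of IPS event lines in an assumed "filter,src_ip,country"
# export shape. This is NOT real SMS/ThreatLinQ output; adapt parse_events()
# to your own export. Addresses are documentation ranges (RFC 5737).
SAMPLE_EVENTS = """\
32391,203.0.113.10,GB
32391,203.0.113.10,GB
32391,198.51.100.7,CN
1234,192.0.2.5,US
32391,203.0.113.44,GB
32391,198.51.100.9,KP
32391,198.51.100.7,CN
32391,203.0.113.10,GB
"""

NETIS_BACKDOOR_FILTER = "32391"   # DV filter id from the post
SAMPLE_FRACTION = 0.05            # ThreatLinQ sees ~5% of customer hits (from the post)


def parse_events(text):
    """Parse the assumed export format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(",")
        if len(parts) != 3:
            continue
        events.append({"filter": parts[0], "src": parts[1], "country": parts[2]})
    return events


def backdoor_hits(events, filter_id=NETIS_BACKDOOR_FILTER):
    """Keep only events for the Netis backdoor filter."""
    return [e for e in events if e["filter"] == filter_id]


def hits_by_country(events, filter_id=NETIS_BACKDOOR_FILTER):
    """Per-country hit counts, the breakdown the post reads off the SMS dashboard."""
    return Counter(e["country"] for e in backdoor_hits(events, filter_id))


def top_sources(events, n=3, filter_id=NETIS_BACKDOOR_FILTER):
    """Highest-frequency scanning source IPs, candidates for a domain/WHOIS lookup."""
    return Counter(e["src"] for e in backdoor_hits(events, filter_id)).most_common(n)


def extrapolate(sampled_hits, sample_fraction=SAMPLE_FRACTION):
    """Scale a sampled hit count to the estimated total across all customers."""
    if not 0 < sample_fraction <= 1:
        raise ValueError("sample_fraction must be in (0, 1]")
    return int(sampled_hits / sample_fraction)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("hits for filter 32391:", len(backdoor_hits(evs)))
    print("by country:", hits_by_country(evs).most_common())
    print("top sources:", top_sources(evs))
    # The post's 2.9 million sampled hits at 5% coverage:
    print("extrapolated total:", extrapolate(2_900_000))
```

The extrapolation is only as good as the sampling assumption; if the 5% figure drifts, or if a few heavy hitters are over-represented in the reporting population, the scaled number should be treated as an order-of-magnitude estimate rather than a count.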
After digging a bit on the Internet, we found a number of public exploit or scanning tools which leverage this backdoor functionality. One such example is shown here:
What this highlights is an active campaign of worldwide scanning across the IPv4 space, looking for Internet-accessible routers that respond to the backdoor probe. Given the length of this campaign and the sheer volume, not to mention the ease of exploitation, it’s very likely that a large number of these routers are being compromised and used for nefarious purposes such as man-in-the-middle attacks. While Netis did issue a patch some time back, there are still flaws in the implementation, and the backdoor code itself has not been removed.
Regardless of whether the device itself has been patched, TippingPoint users are protected against the backdoor communication attempts by DV filter 32391, which is enabled by default in a block/notify setting. We will continue to monitor the frequency and origin of these scans going forward.