“is in line with the age demographic we’ve seen creating iot botnets (/content/f5-labs-v2/en/labs/articles/threat-intelligence/the-hunt-for-iot--so-easy-to-compromise--children-are-doing-it.html). - the dropzone server ip is located …”
T1584.005 Botnet
90%
“gafgyt targeting huawei and asus routers and killing off rival iot botnets gafgyt (also known as bashlite) is one of the most common types of malware infecting iot devices, and has been active since 2014. a new variant of this notorious malware continues to target small office …”
T1584.005 Botnet
81%
“for service are also common and easy to buy. they are advertised on a variety of platforms, including instagram, and we recently wrote about the ease of compromising iot devices, even for children (/content/f5-labs-v2/en/labs/articles/threat-intelligence/the-…”
T1498 Network Denial of Service
75%
“- x86 target services, servers and bot process: - apache2 - bash - cron - ftp - irc - ntpd - openssh - pftp - sh - sshd - telnet - telnetd - tftp - wget - httpflood - lolnogtfo - stdflood - tcpflood - udpflood stage 3: dos attack once gafgyt infects a targeted iot device, the m…”
T1190 Exploit Public-Facing Application
64%
“port 37215 to launch attacks. cve-2018-15887 (asus): an rce vulnerability that allows an authenticated remote attacker to execute arbitrary os commands via service parameters. following the exploitation of the vulnerabilities, gafgyt: downloads the payload using “wget” …”
T1498.001 Direct Network Flood
60%
“- x86 target services, servers and bot process: - apache2 - bash - cron - ftp - irc - ntpd - openssh - pftp - sh - sshd - telnet - telnetd - tftp - wget - httpflood - lolnogtfo - stdflood - tcpflood - udpflood stage 3: dos attack once gafgyt infects a targeted iot device, the m…”
T1584.005 Botnet
42%
“used by this iteration of gafgyt. the focus on vseattacks, which specifically target popular game servers, is particularly notable. some of the games running on valve source engine include counter strike, team fortress and half-life 2. 3 the reason why game servers are a popula…”
T1583.005 Botnet
42%
“used by this iteration of gafgyt. the focus on vseattacks, which specifically target popular game servers, is particularly notable. some of the games running on valve source engine include counter strike, team fortress and half-life 2. 3 the reason why game servers are a popula…”
T1499 Endpoint Denial of Service
37%
“- x86 target services, servers and bot process: - apache2 - bash - cron - ftp - irc - ntpd - openssh - pftp - sh - sshd - telnet - telnetd - tftp - wget - httpflood - lolnogtfo - stdflood - tcpflood - udpflood stage 3: dos attack once gafgyt infects a targeted iot device, the m…”
Summary
IoT botnet Gafgyt targets popular routers through RCE vulnerabilities, and even removes competing malware.