{"id":42412,"date":"2021-08-19T18:00:46","date_gmt":"2021-08-19T18:00:46","guid":{"rendered":"https:\/\/www.microsoft.com\/security\/blog\/?p=95751"},"modified":"2021-08-19T18:00:46","modified_gmt":"2021-08-19T18:00:46","slug":"how-to-proactively-defend-against-mozi-iot-botnet","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/how-to-proactively-defend-against-mozi-iot-botnet\/","title":{"rendered":"How to proactively defend against Mozi IoT botnet"},"content":{"rendered":"

Mozi is a peer-to-peer (P2P) botnet that uses a BitTorrent-like network to infect IoT devices such as network gateways and digital video records (DVRs). It works by exploiting weak telnet passwords1<\/sup> and nearly a dozen unpatched IoT vulnerabilities2<\/sup> and it\u2019s been used to conduct distributed denial-of-service (DDoS) attacks, data exfiltration, and command or payload execution3<\/sup>.<\/p>\n

While the botnet itself is not new, Microsoft\u2019s IoT security researchers recently discovered that Mozi has evolved to achieve persistence on network gateways manufactured by Netgear, Huawei, and ZTE. It does this using clever persistence techniques that are specifically adapted to each gateway\u2019s particular architecture.<\/p>\n

Network gateways are a particularly juicy target for adversaries because they are ideal as initial access points to corporate networks. Adversaries can search the internet for vulnerable devices via scanning tools like Shodan, infect them, perform reconnaissance, and then move laterally to compromise higher value targets\u2014including information systems and critical industrial control system (ICS) devices in the operational technology (OT) networks.<\/p>\n

By infecting routers, they can perform man-in-the-middle (MITM) attacks\u2014via HTTP hijacking and DNS spoofing\u2014to compromise endpoints and deploy ransomware or cause safety incidents in OT facilities. In the diagram below we show just one example of how the vulnerabilities and newly discovered persistence techniques could be used together. Of course, there are many more possibilities.<\/p>\n

\"Attack<\/p>\n

Figure 1: Attack flow for Mozi botnet.<\/em><\/p>\n

Guidance: Proactive defense<\/h2>\n

Businesses and individuals that are using impacted network gateways (Netgear, Huawei, and ZTE) should take the following steps immediately to ensure they are resistant to the attacks described in this blog:<\/p>\n

    \n
  1. Ensure all passwords used on the device are created using strong password best practices<\/a>.<\/li>\n
  2. Ensure devices are patched and up-to-date.<\/li>\n<\/ol>\n

    Doing so will reduce the attack surfaces leveraged by the botnet and prevent attackers from getting into a position where they can use the newly discovered persistence and other exploit techniques described in more detail below.<\/p>\n

    The intelligence of our security cloud and all of our Microsoft Defender products, including Microsoft 365<\/a> Defender<\/a> (XDR), Azure Sentinel<\/a> (cloud-native SIEM\/SOAR), as well as Azure Defender for IoT<\/a> also provide protection from this malware and are continuously updated with the latest threat intelligence as the threat landscape continues to evolve. The recent acquisition of ReFirm Labs<\/a> will further enhance Azure Defender for IoT\u2019s ability to protect customers with its upcoming deep firmware scanning, analysis capabilities which will be integrated with Device Update for Azure IoT Hub\u2019s<\/a> patching capabilities.<\/p>\n

    Technical description of new persistence capabilities<\/h2>\n

    Apart from its known extensive P2P and DDoS abilities, we have recently observed several new and unique capabilities of the Mozi botnet.<\/p>\n

    Targeting Netgear, Huawei, and ZTE gateways, the malware now takes specific actions to increase its chances of survival upon reboot or any other attempt by other malware or responders to interfere with its operation. Here are some examples:<\/p>\n

    Achieving privileged persistence<\/h3>\n

    A specific check is conducted for the existence of the \/overlay<\/strong> folder, and whether the malware does not have write permissions to the folder \/etc<\/strong>. In this case, it will try to exploit CVE-2015-1328<\/a><\/strong>.<\/p>\n

    Successful exploitation of the vulnerability will grant the malware access to the following folders:<\/p>\n