Cyber security researchers raise the alarm for some flaws in some IoT devices of Lilin and Zyxel which have been actively exploited to compromise them by installing malware for the purpose of enlisting them in botnets dedicated to DDoS attacks: FBot, Chalubo, Moobot and Mukashi, these last three variants she is infamous Mirai.
As for Lilin devices – which produces video surveillance solutions, but in the past also DVR tools – Qihoo 360 researchers report the problem. Lilin's DVRs are subject to three different flaws that allow attackers to issue malicious commands remotely. The flaws affect in particular the file transfer functions and the update mechanism.
The first episodes of exploitation of the vulnerabilities date back to last August when the researchers started to find some activities aimed at infecting the devices with Chalubo, while in January the spreads of FBot and Moobot occurred. Lilin has resolved the vulnerabilities with the release of a new firmware version for the affected devices: the 2.0b60_20200207.
As far as Zyxel's devices are concerned, it is Palo Alto Networks researchers who spread the alarm. A number of the manufacturer's NAS devices – a list of 27 models – for which a patch has already been distributed have been affected by the problem. There are also some devices for which an update is not available because they are no longer supported. The manufacturer recommends, for devices that are no longer supported, not to connect them directly to the Internet.
The vulnerability, marked by code CVE-2020-9054, allows attackers the ability to remotely execute commands on devices affected by the problem, with the subsequent possibility of taking control of those devices that use weak passwords that can be easily guessed. The aim was to install another variant of Mirai known as Mukashi, which was recently discovered. The vulnerability received a classification of 9.8 out of 10 due to the extreme ease of exploitation.
Those who have Lilin or Zyxel devices affected by the vulnerabilities should obviously install the available updates as soon as possible, while the devices to which the corrective patches cannot be applied should at least be kept disconnected from the Internet or, if not possible , should be replaced with newer devices. In general good that all IoT devices on a local network are placed behind firewalls in such a way as to make the risk of compromise more difficult.
