Your ASUS Router Is a Botnet Now | Tech News of the Week
AI-Generated Summary
Welcome to Tech News of the Week, hosted by Chris and co., where we dive into four intriguing tech stories. First, Microsoft introduces a Windows Update framework allowing third-party apps to integrate updates seamlessly through Windows Runtime APIs, aiming to streamline app lifecycle management, but raising concerns about potential update mishaps. Second, NIST and CISA propose a new vulnerability risk assessment method called LEV (Likely Exploited Vulnerabilities), blending predictive analysis with existing CVSS scores to better prioritize threats. Third, thousands of ASUS routers have been hijacked into the iShush botnet via old vulnerabilities, emphasizing the need for regular firmware updates and secure configurations. Finally, a tool called DefendNot exploits Windows Security Center APIs to disable Microsoft Defender, highlighting vulnerabilities in Windowsโ security architecture. Stay tuned for more tech insights!
๐ Full Transcript
Welcome to Tech News of the Week
with your host, soul crushing ennui. Welcome to Tech News of the Week. This is our weekly Tech News podcast where
Chris and I get into four interesting articles that caught our attention. Chris, I’m going to go first. Now, Patch Tuesday can be
extra terrifying. One of the things I love about Android
apps is the way that they update. They do it quietly and automatically
through the Play Store and the native framework of Android, and I don’t
ever have to think about it. I assume iOS is the same way,
but I don’t use that crap. Wouldn’t it be nice if the software
on Windows did something similar? Well, now it can, at least in preview. Microsoft has introduced a Windows Update
framework that third-party apps and software packages can take advantage of. Instead of writing custom updaters or just
hoping clients download the newest version and install it, now apps will integrate
with the Windows Runtime APIs and special PowerShell commands
to handle their updates. On the back-end, the same Windows Update
software that takes into account your PC’s battery life, AC status, current usage,
and other factors will decide when and how updates are applied. It also means that update logging, admin
policies, and update histories will be available to manage the
life cycle of applications. The only downside? Well, I mean,
you’ve been a victim of a bot Windows update at least once, haven’t you?
I know I have. Now, imagine that multiplied across
all the apps on your PC today. What could possibly go wrong? Fortunately, the program is in private
preview, so you don’t have to worry about rogue updates, ruining your taco
Tuesday tostada lunch just yet. Still, you should go easy on the sour
cream for your fellow office workers’ sake. Nist and CISA researchers Developers
propose a new method of describing vulnerability risks. Exploits are funny things. Sometimes the potential severity of an
exploit, in theory, far exceeds its severity in reality. This is often due to the level of
difficulty required in pulling off the exploit, or that the fact that the
exploit, while possible, is irrelevant due to the requirements
needed to actually make it happen. See my next topic for a
great example of this. As a result, it can be tough to decide
how important an exploit actually is. If you run a vulnerability scan, for
example, and you get back several thousand results, which is not uncommon, even for
small to medium-sized companies, how do you begin to address that? An example. If a vulnerability is, say,
a year old, but has a CVSS score of 5. 5, should you prioritize it or not? 5.
5 is not super high. The highest score is a 10. But the age of the vulnerability is a
problem, as statistically, the longer the vulnerabilities are out there, the more
likely they are to be actively exploited in the wild. Security vendors have their own
proprietary ways of helping with this. There are also public lists such as known
exploited vulnerabilities or the kev list, which tells you if an exploit has
actually been observed in the wild. This is versus the more standard CVS The
SS system, common vulnerability scoring with the famous 1-10 level of severity. The new proposal would try to split
the difference between these two. It’s called Likely Exploited
Vulnerabilities or LEV. And guess what it does? It checks to see if it’s likely,
but there’s not proof. You didn’t guess, so I had to tell you. I’m sorry. It
is very much a work in progress, and NIST has announced that they are
looking industry partners to help. The more data they have, the better,
as there is an inherent truthiness to anything that is predictive
like Lev is going to try to be. Still, it’s a good start. Maths are good,
and a dynamic scoring system would really help people know what to focus on. Maybe they should focus
on their ASUS router. Do you own an ASUS router? No, you don’t. Somebody else does now. Thousands of ASUS Access routers are
currently Moonlighting in a new botnet called iShush. Your guess is as good as
mine how to pronounce that. A-y-y-s-s-h-u-s-h. God damn, what is wrong with security
people, Chris? After getting hijacked by attackers who
are disabling trend micro security features and then strolling in
through old vulnerabilities. Discovered by threat intel firm,
GreyNoize, back in March, this botnet is now going full throttle,
infecting over 8,000 routers. Initially, the attacker started with
generic brute force attacks, then escalated to exploiting older
authentication bypass bugs and CVE-2023-39780 to
sneak in and run commands. 2023 tells you how old
that particular bypass is. Once in, the botnet activates SSH,
binds it to a non-standard port, and drops in a public key, all using the official
ASUS features inside the router, which effectively creates a backdoor that
survives hardware updates, patches, and all your hopes and dreams. The culprits are disabling logging and
Trend Micro’s AI protection on the router to help avoid intrusion detection as
they dig deeper into your network. More impressive is how
quickly the attack occurs. Just three HTTP posts can
get the job done, especially on routers left with factory
default settings, which is way too many of them. Targeted models include the RT-AC-3100,
RT-AC-3200, and the still popular RT-AX-55. Asus has since patched the bugs. Remember that 2023 thing? But most folks aren’t updating
their routers on the regular. If you think you’ve been hit, a
firmware update will not do it. Factory reset that router or just buy an
actual good piece of network equipment. Don’t open SSH or HTTP to the internet
on your freaking router. What are you doing? Anyway, Microsoft Defender tricked into
shutting itself down so the mal can wear. I thought that was very clever. You’re a clever guy. More like Microsoft
Defend doesn’t, though. Am I right? Microsoft Defender, maybe not. I’ll work on it.
All right. This past week, a security researcher
posted a tool called DefendNot on GitHub with the straight to the point description
of, quote, an even funnier way to disable Windows Defender through WSC API, unquote. Basically, Windows has a
lot of power over Defender. This is not surprising, considering it is
a Microsoft product as well, and it’s basically baked into the operating system. Windows additionally has the power
to turn on and turn off Defender. It doesn’t want to do that, obviously. But if, say, you have another registered
third-party defense tool installed, it will. It’s not a good idea to have two
AV tools running at the same time. It’s just asking for trouble. And this ability is exactly
what defendNot exploits. By using friend of the show, Undocumented
API feature in the Windows Security Center, defendNot can
tell Windows that IT… I’m sorry, IT, good God. Defendnot can tell Windows that it
will be handling device protection. The security center behaves as
expected and disables defender. Hopefully, you have alerts going to a SIM
and you’ll get notifications about that, at least. Right? Right.
Eight. The way this works is still a
tad on the complicated side. You would have already had to have given
defend not administrator rights, which would allow it to manipulate
a trusted process. If an attacker has gotten that far, it’s
likely that they don’t need defender to be disabled anymore, at
least not in this fashion. But still, as the researcher points out,
it’s pretty funny that it’s actually possible. As of recording, defender is aware of
defend not, and it will quarantine it. Whatever, man, it’s still funny. All right, that’s it.
We’re done now. Go away.
Bye..
with your host, soul crushing ennui. Welcome to Tech News of the Week. This is our weekly Tech News podcast where
Chris and I get into four interesting articles that caught our attention. Chris, I’m going to go first. Now, Patch Tuesday can be
extra terrifying. One of the things I love about Android
apps is the way that they update. They do it quietly and automatically
through the Play Store and the native framework of Android, and I don’t
ever have to think about it. I assume iOS is the same way,
but I don’t use that crap. Wouldn’t it be nice if the software
on Windows did something similar? Well, now it can, at least in preview. Microsoft has introduced a Windows Update
framework that third-party apps and software packages can take advantage of. Instead of writing custom updaters or just
hoping clients download the newest version and install it, now apps will integrate
with the Windows Runtime APIs and special PowerShell commands
to handle their updates. On the back-end, the same Windows Update
software that takes into account your PC’s battery life, AC status, current usage,
and other factors will decide when and how updates are applied. It also means that update logging, admin
policies, and update histories will be available to manage the
life cycle of applications. The only downside? Well, I mean,
you’ve been a victim of a bot Windows update at least once, haven’t you?
I know I have. Now, imagine that multiplied across
all the apps on your PC today. What could possibly go wrong? Fortunately, the program is in private
preview, so you don’t have to worry about rogue updates, ruining your taco
Tuesday tostada lunch just yet. Still, you should go easy on the sour
cream for your fellow office workers’ sake. Nist and CISA researchers Developers
propose a new method of describing vulnerability risks. Exploits are funny things. Sometimes the potential severity of an
exploit, in theory, far exceeds its severity in reality. This is often due to the level of
difficulty required in pulling off the exploit, or that the fact that the
exploit, while possible, is irrelevant due to the requirements
needed to actually make it happen. See my next topic for a
great example of this. As a result, it can be tough to decide
how important an exploit actually is. If you run a vulnerability scan, for
example, and you get back several thousand results, which is not uncommon, even for
small to medium-sized companies, how do you begin to address that? An example. If a vulnerability is, say,
a year old, but has a CVSS score of 5. 5, should you prioritize it or not? 5.
5 is not super high. The highest score is a 10. But the age of the vulnerability is a
problem, as statistically, the longer the vulnerabilities are out there, the more
likely they are to be actively exploited in the wild. Security vendors have their own
proprietary ways of helping with this. There are also public lists such as known
exploited vulnerabilities or the kev list, which tells you if an exploit has
actually been observed in the wild. This is versus the more standard CVS The
SS system, common vulnerability scoring with the famous 1-10 level of severity. The new proposal would try to split
the difference between these two. It’s called Likely Exploited
Vulnerabilities or LEV. And guess what it does? It checks to see if it’s likely,
but there’s not proof. You didn’t guess, so I had to tell you. I’m sorry. It
is very much a work in progress, and NIST has announced that they are
looking industry partners to help. The more data they have, the better,
as there is an inherent truthiness to anything that is predictive
like Lev is going to try to be. Still, it’s a good start. Maths are good,
and a dynamic scoring system would really help people know what to focus on. Maybe they should focus
on their ASUS router. Do you own an ASUS router? No, you don’t. Somebody else does now. Thousands of ASUS Access routers are
currently Moonlighting in a new botnet called iShush. Your guess is as good as
mine how to pronounce that. A-y-y-s-s-h-u-s-h. God damn, what is wrong with security
people, Chris? After getting hijacked by attackers who
are disabling trend micro security features and then strolling in
through old vulnerabilities. Discovered by threat intel firm,
GreyNoize, back in March, this botnet is now going full throttle,
infecting over 8,000 routers. Initially, the attacker started with
generic brute force attacks, then escalated to exploiting older
authentication bypass bugs and CVE-2023-39780 to
sneak in and run commands. 2023 tells you how old
that particular bypass is. Once in, the botnet activates SSH,
binds it to a non-standard port, and drops in a public key, all using the official
ASUS features inside the router, which effectively creates a backdoor that
survives hardware updates, patches, and all your hopes and dreams. The culprits are disabling logging and
Trend Micro’s AI protection on the router to help avoid intrusion detection as
they dig deeper into your network. More impressive is how
quickly the attack occurs. Just three HTTP posts can
get the job done, especially on routers left with factory
default settings, which is way too many of them. Targeted models include the RT-AC-3100,
RT-AC-3200, and the still popular RT-AX-55. Asus has since patched the bugs. Remember that 2023 thing? But most folks aren’t updating
their routers on the regular. If you think you’ve been hit, a
firmware update will not do it. Factory reset that router or just buy an
actual good piece of network equipment. Don’t open SSH or HTTP to the internet
on your freaking router. What are you doing? Anyway, Microsoft Defender tricked into
shutting itself down so the mal can wear. I thought that was very clever. You’re a clever guy. More like Microsoft
Defend doesn’t, though. Am I right? Microsoft Defender, maybe not. I’ll work on it.
All right. This past week, a security researcher
posted a tool called DefendNot on GitHub with the straight to the point description
of, quote, an even funnier way to disable Windows Defender through WSC API, unquote. Basically, Windows has a
lot of power over Defender. This is not surprising, considering it is
a Microsoft product as well, and it’s basically baked into the operating system. Windows additionally has the power
to turn on and turn off Defender. It doesn’t want to do that, obviously. But if, say, you have another registered
third-party defense tool installed, it will. It’s not a good idea to have two
AV tools running at the same time. It’s just asking for trouble. And this ability is exactly
what defendNot exploits. By using friend of the show, Undocumented
API feature in the Windows Security Center, defendNot can
tell Windows that IT… I’m sorry, IT, good God. Defendnot can tell Windows that it
will be handling device protection. The security center behaves as
expected and disables defender. Hopefully, you have alerts going to a SIM
and you’ll get notifications about that, at least. Right? Right.
Eight. The way this works is still a
tad on the complicated side. You would have already had to have given
defend not administrator rights, which would allow it to manipulate
a trusted process. If an attacker has gotten that far, it’s
likely that they don’t need defender to be disabled anymore, at
least not in this fashion. But still, as the researcher points out,
it’s pretty funny that it’s actually possible. As of recording, defender is aware of
defend not, and it will quarantine it. Whatever, man, it’s still funny. All right, that’s it.
We’re done now. Go away.
Bye..
[ad_1]
[ad_2]
[ad_2]
