- TBK DVRs and Four-Faith routers are carrying known, old security flaws
- The flaws were used to build Mirai botnet in the past, and are now used to build RondoDox, too
- Users are advised to patch, firewall, or replace vulnerable endpoints
A new malicious botnet, called RondoDox, is being built at this very moment, potentially targeting thousands of products around the world e xperts have warned.
Cybersecurity researchers from Fortinet FortiGuard Labs, who said they saw multiple vulnerabilities in different digital video recorders (DVR) and routers being exploited to create the botnet.
The vulnerabilities in question are tracked as CVE-2024-3721, and CVE-2024-12856. These two were found in TBK digital video recorders, models DVR-4104 and DVR-4216, as well as in Four-Faith routers, models F3x24 and F3x36.
Defending your endpoints
According to BleepingComputer, the flaws were exploited before by threat actors building the infamous Mirai botnet. They are popular among cybercriminals because these devices are often used in retail stores, warehouses, small offices, and similar places, where they “often go unmonitored for years”.
As such, they’re prime targets – easy to compromise, and active for years without patches or updates.
Cybercriminals love building botnets. A network of compromised devices, from routers, to smart home devices, can be used for all sorts of nefarious activities, from distributed denial of service (DDoS) attacks, to residential proxy services that can be rented out.
In fact, RondoDox seems to be used for stealth proxies, hiding command-and-control (C2) traffic for even more malicious activities. It is also used to run layered scams, or to amplify DDoS-for-hire campaigns.
It is also rather good at staying hidden, the researchers claim, trying to spoof gaming traffic.
“To evade detection, it disguises malicious traffic by emulating popular games and platforms such as Valve, Minecraft, Dark and Darker, Roblox, DayZ, Fortnite, GTA, as well as tools like Discord, OpenVPN, WireGuard, and RakNet,” Fortinet explained.
“Beyond gaming and chat protocols, RondoDox can also mimic custom traffic from tunneling and real-time communication services, including WireGuard, OpenVPN variants (e.g., openvpnauth, openvpncrypt, openvpntcp), STUN, DTLS, and RTC.”
As usual, to defend against these threats, users should make sure their routers and DVRs have updated firmware, and strong, custom passwords. If they are no longer supported by their vendors, they should be replaced by newer models. Furthermore, if possible, the devices should be disconnected from the public internet, or placed behind a firewall.
Via The Hacker News
