{"id":5700,"date":"2023-11-25T22:54:51","date_gmt":"2023-11-25T21:54:51","guid":{"rendered":"https:\/\/sajberinfo.com\/?p=5700"},"modified":"2023-11-25T22:54:51","modified_gmt":"2023-11-25T21:54:51","slug":"infectedslurs-botnet-napada-rutere-i-nvr-uredjaje","status":"publish","type":"post","link":"https:\/\/sajberinfo.com\/en\/2023\/11\/25\/infectedslurs-botnet-napada-rutere-i-nvr-uredjaje\/","title":{"rendered":"InfectedSlurs botnet attacks routers and NVR devices"},"content":{"rendered":"<p><span style=\"font-size: 14pt;\">The <em>InfectedSlurs<\/em> <em>botnet<\/em> is attacking routers and <em>NVR<\/em> devices in an active campaign, exploiting two <a href=\"https:\/\/sajberinfo.com\/en\/2023\/04\/11\/zero-day\/\" target=\"_blank\" rel=\"nofollow noopener\">zero-day vulnerabilities<\/a> that give <a href=\"https:\/\/sajberinfo.com\/en\/2022\/03\/19\/hakeri-crni-sesiri-epizoda-3\/\" target=\"_blank\" rel=\"nofollow noopener\">attackers<\/a> <em>remote code execution (RCE)<\/em>, which it uses to enroll these devices into a <em>botnet<\/em> based on <em>Mirai<\/em> code that is used for <a href=\"https:\/\/sajberinfo.com\/en\/2022\/04\/25\/ddos\/\" target=\"_blank\" rel=\"nofollow noopener\"><em>DDoS<\/em> attacks<\/a>.<\/span><\/p>\n<div id=\"attachment_5706\" style=\"width: 1034px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-5706\" class=\"size-full wp-image-5706\" src=\"https:\/\/sajberinfo.com\/wp-content\/uploads\/2023\/11\/InfectedSlurs-botnet-.jpg\" alt=\"InfectedSlurs\" width=\"1024\" height=\"1024\" srcset=\"https:\/\/sajberinfo.com\/wp-content\/uploads\/2023\/11\/InfectedSlurs-botnet-.jpg 1024w, https:\/\/sajberinfo.com\/wp-content\/uploads\/2023\/11\/InfectedSlurs-botnet--300x300.jpg 300w, https:\/\/sajberinfo.com\/wp-content\/uploads\/2023\/11\/InfectedSlurs-botnet--150x150.jpg 150w, https:\/\/sajberinfo.com\/wp-content\/uploads\/2023\/11\/InfectedSlurs-botnet--768x768.jpg 768w, https:\/\/sajberinfo.com\/wp-content\/uploads\/2023\/11\/InfectedSlurs-botnet--12x12.jpg 12w, https:\/\/sajberinfo.com\/wp-content\/uploads\/2023\/11\/InfectedSlurs-botnet--80x80.jpg 80w, https:\/\/sajberinfo.com\/wp-content\/uploads\/2023\/11\/InfectedSlurs-botnet--320x320.jpg 320w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><p id=\"caption-attachment-5706\" class=\"wp-caption-text\"><em>The InfectedSlurs botnet attacks routers and NVR devices; Source: Bing Image Creator<\/em><\/p><\/div>\n
<p><span style=\"font-size: 14pt;\">Security researchers at <em>Akamai<\/em> first <a href=\"https:\/\/www.akamai.com\/blog\/security-research\/new-rce-botnet-spreads-mirai-via-zero-days\" target=\"_blank\" rel=\"noopener\">discovered this <em>botnet<\/em><\/a> at the end of October 2023; however, the first indications of this <a href=\"https:\/\/sajberinfo.com\/en\/2022\/04\/24\/botnet\/\" target=\"_blank\" rel=\"nofollow noopener\"><em>botnet<\/em><\/a> network's activity were identified at the end of 2022. According to the available information, the affected device manufacturers have not yet released updates for these vulnerabilities, so the vulnerability details are available only to the manufacturers.<\/span><\/p>\n<h2><span class=\"ez-toc-section\" id=\"OTKRIVANJE_INFECTEDSLURS\"><\/span><span style=\"font-size: 14pt;\"><strong>DISCOVERY OF <em>INFECTEDSLURS<\/em><\/strong><\/span><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span style=\"font-size: 14pt;\">The <em>Akamai<\/em> security team (<em>Akamai Security Intelligence Response Team \u2013 SIRT<\/em>) first noticed the <em>botnet<\/em> in October 2023 as unusual activity on a\u00a0<a href=\"https:\/\/sajberinfo.com\/en\/2023\/03\/24\/povrsina-napada-uvod-epizoda-1\/\" target=\"_blank\" rel=\"nofollow noopener\">rarely used <em>TCP<\/em> port<\/a> targeting their <em>honeypot<\/em>. The activity consisted of authentication attempts via <em>POST<\/em> requests followed by command injection attempts.<\/span><\/p>\n<p><span style=\"font-size: 14pt;\">Based on the collected data, the security researchers scanned devices reachable from the Internet and identified that the devices targeted by this attack are associated with an <em>NVR<\/em> manufacturer whose name has not been disclosed for security reasons.<\/span><\/p>\n<blockquote><p><span style=\"font-size: 14pt;\"><em>\u201cSIRT did a quick check for CVEs known to affect this vendor's NVR devices and was surprised to find that we were looking at a new zero-day vulnerability being actively exploited in the wild. Through the responsible disclosure process, the manufacturer told us that it is working on a fix that will likely be available in December 2023.\u201d<\/em><\/span><\/p>\n<p style=\"text-align: right;\"><span style=\"font-size: 14pt;\"><em>&#8211; Akamai report &#8211;<\/em><\/span><\/p>\n<\/blockquote>\n<p><span style=\"font-size: 14pt;\">A more detailed analysis of this attack showed that the <a href=\"https:\/\/sajberinfo.com\/en\/2021\/09\/26\/malware\/\" target=\"_blank\" rel=\"nofollow noopener\">malware<\/a> used in this attack logs in to the devices with the factory default credentials documented in the manufacturer's manuals for several <em>NVR<\/em> devices in order to install the <em>bot<\/em> client and carry out other malicious actions.<\/span><\/p>\n<p><span style=\"font-size: 14pt;\">In addition, the more detailed analysis showed that this attack also targets wireless <em>LAN<\/em> routers popular with home users and hotels, which are affected by the second zero-day vulnerability. In this case too, the device manufacturer has not been named, so that it can issue adequate updates for this vulnerability; these should be available at the end of December 2023.<\/span><\/p>\n
<h2><span class=\"ez-toc-section\" id=\"INFECTEDSLURS_FUNKCIONISANJE\"><\/span><span style=\"font-size: 14pt;\"><strong>HOW <em>INFECTEDSLURS<\/em> WORKS<\/strong><\/span><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span style=\"font-size: 14pt;\"><em>InfectedSlurs<\/em> got its name from the offensive language used in its command-and-control (<em>C2<\/em>) servers and hard-coded strings. This <em>botnet<\/em> is in fact a variant of the <em>Mirai<\/em> <em>botnet<\/em> of infected devices that uses the older <em>JenX<\/em> <em>Mirai<\/em> malware variant. There are many <em>C2<\/em> domains and <em>IP<\/em> addresses associated with this attack that support this claim.<\/span><\/p>\n<p><span style=\"font-size: 14pt;\">Security researchers found that very few changes were made relative to the original <em>Mirai<\/em> <em>botnet<\/em>, so <em>InfectedSlurs<\/em> is a self-propagating DDoS tool that supports attacks using <em>SYN<\/em>, <em>UDP<\/em> and <em>HTTP<\/em> <em>GET<\/em> request flooding.<\/span><\/p>\n<p><span style=\"font-size: 14pt;\">It has been observed that <em>InfectedSlurs<\/em>, like the <em>Mirai<\/em> <em>botnet<\/em>, contains no mechanism for maintaining persistence on infected devices. Given that no updates are currently available for these zero-day vulnerabilities, rebooting the routers and <em>NVR<\/em> devices can temporarily disrupt the infection.<\/span><\/p>\n<h2><span class=\"ez-toc-section\" id=\"ZAKLJUCAK\"><\/span><span style=\"font-size: 14pt;\"><strong>CONCLUSION<\/strong><\/span><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span style=\"font-size: 14pt;\">This example shows the value of honeypots, which are specifically designed to lure and expose malicious actors, as an important strategic tool in cyber security that provides invaluable insight into the mindset of attackers and their tactics, techniques and procedures. Using honeypots as a defensive tool enables early detection and continuous improvement of defensive measures in a constantly evolving digital security environment.<\/span><\/p>\n<p><span style=\"font-size: 14pt;\">Since honeypots mimic vulnerable real-world environments, the knowledge they can give defenders is probably the most valuable knowledge to acquire. Defensive practices grounded in reality &#8211; rather than in fear, uncertainty and doubt &#8211; provide a far more proactive strategy that allows security measures to be fine-tuned and increases overall resilience to cyber attacks.<\/span><\/p>\n
<h2><span class=\"ez-toc-section\" id=\"ZASTITA\"><\/span><span style=\"font-size: 14pt;\"><strong>PROTECTION<\/strong><\/span><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span style=\"font-size: 14pt;\">As with any threat for which no update is available, mitigating the risk is paramount. Users can follow the advice below to protect themselves:<\/span><\/p>\n<h3><span class=\"ez-toc-section\" id=\"InfectedSlurs_infekcija\"><\/span><span style=\"font-size: 14pt;\"><strong>InfectedSlurs infection<\/strong><\/span><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<ul>\n<li><span style=\"font-size: 14pt;\">Check whether any devices in use still have factory default passwords. If so, change them without exception.<\/span><\/li>\n<li><span style=\"font-size: 14pt;\">If users have vulnerable devices in their environment, it is recommended to isolate them and monitor them for potential infection.<\/span><\/li>\n<\/ul>\n<h3><span class=\"ez-toc-section\" id=\"DDoS_napadi\"><\/span><span style=\"font-size: 14pt;\"><strong>DDoS attacks<\/strong><\/span><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<ul>\n<li><span style=\"font-size: 14pt;\">To protect against <em>DDoS<\/em> attacks, users are advised to follow the <a href=\"https:\/\/www.cisa.gov\/news-events\/alerts\/2023\/09\/06\/cisa-releases-capacity-enhancement-guide-strengthen-agency-resilience-ddos-attack\" target=\"_blank\" rel=\"noopener\"><em>CISA<\/em> recommendations<\/a>.<\/span><\/li>\n<li><span style=\"font-size: 14pt;\">Review critical network segments and <em>IP<\/em> addresses so that mitigation measures can be applied effectively.<\/span><\/li>\n<li><span style=\"font-size: 14pt;\">Set up proactive controls via a cloud <em>firewall<\/em>. This external <em>firewall<\/em> serves as a powerful, easily deployed and user-friendly tool for efficiently blocking unwanted traffic at a global and central level, protecting user networks and specific targets within the organization.<\/span><\/li>\n<\/ul>","protected":false},"excerpt":{"rendered":"<p>The InfectedSlurs botnet is attacking routers and NVR devices in an active campaign, exploiting two zero-day vulnerabilities that give attackers remote code execution (RCE), which it uses to enroll these devices into a botnet&#46;&#46;&#46;<\/p>","protected":false},"author":1,"featured_media":5706,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[113,114,582,583,584,161],"class_list":["post-5700","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hronike","tag-botnet","tag-ddos","tag-infectedslurs","tag-mirai","tag-nvr","tag-router"],"_links":{"self":[{"href":"https:\/\/sajberinfo.com\/en\/wp-json\/wp\/v2\/posts\/5700","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sajberinfo.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sajberinfo.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sajberinfo.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/sajberinfo.com\/en\/wp-json\/wp\/v2\/comments?post=5700"}],"version-history":[{"count":0,"href":"https:\/\/sajberinfo.com\/en\/wp-json\/wp\/v2\/posts\/5700\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sajberinfo.com\/en\/wp-json\/wp\/v2\/media\/5706"}],"wp:attachment":[{"href":"https:\/\/sajberinfo.com\/en\/wp-json\/wp\/v2\/media?parent=5700"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sajberinfo.com\/en\/wp-json\/wp\/v2\/categories?post=5700"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sajberinfo.com\/en\/wp-json\/wp\/v2\/tags?post=5700"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}