Cybersecurity researchers have identified a sophisticated malware campaign that exploits security flaws in TBK digital video recorders (DVRs) and Four-Faith routers, integrating these devices into a new botnet named RondoDox. This botnet poses significant risks to device security and overall network integrity.
Vulnerabilities Targeted
RondoDox leverages two primary vulnerabilities:
1. CVE-2024-3721: A command injection vulnerability in TBK DVR models DVR-4104 and DVR-4216. This flaw allows unauthenticated remote code execution via crafted HTTP requests to the `/device.rsp` endpoint.
2. CVE-2024-12856: An operating system command injection bug affecting Four-Faith router models F3x24 and F3x36. Authenticated attackers can exploit the `apply.cgi` interface to execute arbitrary commands when modifying system time settings.
Both vulnerabilities are publicly disclosed and are being actively exploited in the wild, so unpatched devices exposed to the internet are at immediate risk.
Infection Mechanism
The RondoDox botnet employs a multi-stage infection process:
1. Initial Exploitation: Attackers send specially crafted requests to the vulnerable endpoints of TBK DVRs and Four-Faith routers, exploiting the aforementioned vulnerabilities to gain unauthorized access.
2. Payload Deployment: Upon successful exploitation, a shell script downloader is executed on the compromised device. This script performs several actions:
– Navigates to writable directories such as `/tmp` or `/var/run`.
– Downloads the RondoDox malware binary from a remote server.
– Grants execution permissions to the downloaded binary.
– Executes the malware, initiating its integration into the botnet.
3. Persistence and Evasion: The malware establishes persistence by modifying system startup files, ensuring it remains active after device reboots. It also employs several evasion techniques:
– Anti-Analysis Checks: Scans for virtualized environments and terminates execution if such environments are detected.
– Process Termination: Identifies and terminates processes related to network utilities (e.g., `wget`, `curl`), system analysis tools (e.g., `Wireshark`, `gdb`), and competing malware to maintain control over the device.
– File Renaming: Renames key system executables to random strings, hindering system functionality and complicating incident response efforts.
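The persistence and file-renaming behaviour described above leaves artifacts a responder can look for on a suspect device. The following Python helpers are an added example (not code from the original article or from any vendor); they operate on constructed init-script text and a constructed directory listing so they run offline, and the staging directories, the expected-utility baseline and the sample file names are assumptions for the example.

```python
"""Host triage helpers for RondoDox-style persistence (added example).

Three indicators are checked, all derived from the behaviour described in
the article: startup entries that execute from a staging directory, expected
utilities that have gone missing, and binaries with random-looking names.
"""
import re
from typing import Dict, List

# Writable directories the malware is described as staging its binary in.
STAGING_DIRS = ("/tmp", "/var/run")

# Baseline of utilities expected on a small embedded Linux device (assumed
# for the example); the malware is described as killing or renaming some.
EXPECTED_UTILITIES = ("wget", "curl", "busybox", "sh")

# Names that should never be flagged as "random", even if they are alphanumeric.
KNOWN_NAMES = set(EXPECTED_UTILITIES) | {"ls", "cat", "ps", "kill", "httpd", "telnetd"}

# A path under a staging directory, stopping at whitespace or shell operators.
_STAGED_PATH_RE = re.compile(r"(?<![\w/])(/(?:tmp|var/run)/[^\s;&|<>]+)")

# Purely alphanumeric names of a suspicious length (heuristic, tune per device).
_RANDOM_NAME_RE = re.compile(r"^[A-Za-z0-9]{8,}$")


def find_staged_startup_entries(startup_text: str) -> List[Dict[str, object]]:
    """Return startup lines that launch something from /tmp or /var/run.

    startup_text is the content of a file such as /etc/rc.local or an
    /etc/init.d script. Blank lines and comments are ignored.
    """
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(startup_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for path in _STAGED_PATH_RE.findall(stripped):
            hits.append({"line": lineno, "path": path, "text": stripped})
    return hits


def find_missing_utilities(present: List[str], expected=EXPECTED_UTILITIES) -> List[str]:
    """Return expected utility names absent from a /bin or /usr/bin listing."""
    present_set = set(present)
    return [name for name in expected if name not in present_set]


def find_random_named_binaries(present: List[str]) -> List[str]:
    """Return listing entries that look like random alphanumeric strings."""
    return [name for name in present
            if name not in KNOWN_NAMES and _RANDOM_NAME_RE.match(name)]


# Constructed sample inputs for the example (not real device data).
SAMPLE_RC_LOCAL = """#!/bin/sh
# constructed /etc/rc.local used by the example
/etc/init.d/httpd start
/tmp/.x/rondo -d >/dev/null 2>&1 &
exit 0
"""
SAMPLE_BIN_LISTING = ["busybox", "sh", "ls", "k3j9Xq2mZp", "cat"]


if __name__ == "__main__":
    for hit in find_staged_startup_entries(SAMPLE_RC_LOCAL):
        print(f"startup line {hit['line']} executes {hit['path']}: {hit['text']}")
    print("missing utilities:", find_missing_utilities(SAMPLE_BIN_LISTING))
    print("random-looking binaries:", find_random_named_binaries(SAMPLE_BIN_LISTING))
```

On a real device, feed these functions the contents of each startup file and the names in `/bin` and `/usr/bin`; a staged startup entry together with a missing `wget`/`curl` and an unexplained alphanumeric binary is a strong combined signal, and a single hit on its own deserves a closer look rather than an automatic verdict.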
Botnet Capabilities
Once integrated into the RondoDox botnet, compromised devices can be utilized for various malicious activities:
– Distributed Denial-of-Service (DDoS) Attacks: The botnet can launch DDoS attacks using HTTP, UDP, and TCP protocols. It disguises its traffic to mimic legitimate services such as gaming platforms (e.g., Minecraft, Fortnite) and VPN servers, making detection and mitigation challenging.
– Proxy Services: Infected devices can serve as proxies to obfuscate command-and-control (C2) traffic, facilitating further malicious activities while evading detection.
Global Impact
Telemetry data indicates that RondoDox infections are concentrated in regions including China, India, Egypt, Ukraine, Russia, Turkey, and Brazil. Over 50,000 exposed DVR devices remain vulnerable globally, with attackers actively scanning for targets.
Mitigation Strategies
To protect against RondoDox and similar threats, device owners and network administrators should implement the following measures:
1. Firmware Updates: Regularly check for and apply firmware updates provided by device manufacturers to patch known vulnerabilities.
2. Network Segmentation: Isolate DVRs and routers from critical infrastructure to limit potential lateral movement by attackers.
3. Input Sanitization: Implement input validation to block special characters in parameters susceptible to command injection.
4. Monitoring and Logging: Continuously monitor network traffic for unusual patterns and maintain logs to detect and respond to potential intrusions promptly.
5. Factory Resets: If a device is suspected to be compromised, perform a factory reset to remove any persistent malware.
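The input-sanitization and monitoring items above can be made concrete. The Python below is an added example (not code from the original article or from either vendor): it scans web-server access-log lines for requests to the two entry points named in the article whose parameters contain shell metacharacters, and it shows the allowlist check a device's own request handler should apply before a value ever reaches a shell. The log format (combined/common), the parameter name `time_year`, and all sample lines are constructed assumptions for the example.

```python
"""Detection and validation helpers for the RondoDox entry points (added example).

flag_request() parses an access-log line and reports requests to /device.rsp or
/apply.cgi whose query parameters would not pass value_is_safe(); the same
allowlist is what a device-side handler should enforce.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Endpoints named in the article for CVE-2024-3721 and CVE-2024-12856.
VULNERABLE_ENDPOINTS = ("/device.rsp", "/apply.cgi")

# Allowlist for a parameter value: letters, digits and a few harmless
# punctuation characters, bounded in length (assumed policy for the example).
SAFE_VALUE_RE = re.compile(r"^[A-Za-z0-9_.:-]{0,64}$")

# Common/combined log format: ip ident user [time] "METHOD target PROTO" status ...
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def value_is_safe(value: str) -> bool:
    """True if the value contains only allowlisted characters, even after a
    second URL-decoding pass (catches double-encoded metacharacters)."""
    return bool(SAFE_VALUE_RE.match(value)) and bool(SAFE_VALUE_RE.match(unquote_plus(value)))


def flag_request(line: str) -> Optional[Dict[str, object]]:
    """Return a finding for a request to a vulnerable endpoint with unsafe
    parameter values, or None for anything else (including unparsable lines)."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path not in VULNERABLE_ENDPOINTS:
        return None
    # parse_qsl decodes each value once; value_is_safe decodes a second time.
    unsafe = [key for key, val in parse_qsl(parts.query, keep_blank_values=True)
              if not value_is_safe(val)]
    if not unsafe:
        return None
    return {"ip": m.group("ip"), "method": m.group("method"), "path": parts.path,
            "params": unsafe, "status": m.group("status")}


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Run flag_request over every line and keep the findings."""
    return [f for f in (flag_request(line) for line in lines) if f is not None]


# Constructed sample log lines (documentation IP ranges, fabricated requests).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jul/2025:10:01:02 +0000] "GET /device.rsp?opt=user&cmd=list HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Jul/2025:10:01:05 +0000] "GET /device.rsp?opt=user&cmd=list;id HTTP/1.1" 200 128',
    '198.51.100.4 - - [10/Jul/2025:10:02:11 +0000] "POST /apply.cgi?time_year=2025%3Bid HTTP/1.1" 401 0',
    '198.51.100.8 - - [10/Jul/2025:10:03:00 +0000] "GET /index.html?q=a;b HTTP/1.1" 200 2048',
]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['ip']} {finding['method']} {finding['path']} "
              f"unsafe params={finding['params']} status={finding['status']}")
```

Two practical notes: an access log records only the query string, so POST bodies (the more likely carrier for `apply.cgi` form fields) need the application log or a reverse proxy configured to log request bodies; and a 401 on a flagged request still matters, because the article describes CVE-2024-12856 as authenticated and a rejected attempt is evidence that the device is being scanned.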
The emergence of the RondoDox botnet underscores the critical need for timely patching of affected systems and the implementation of robust security practices to safeguard against evolving cyber threats.