New Botnet Exploits Zero-Days Found in Tenda Routers

NJCCIC Alert

Original Release Date: 10/8/2020

Summary

Ttint, a newly discovered IoT botnet, has been observed exploiting two critical zero-day vulnerabilities, CVE-2018-14558 and CVE-2020-10987, in an attempt to compromise Tenda routers. The Mirai-based botnet has a wide array of capabilities, including 12 remote access functions and support for a total of 22 commands, many of which are used to launch distributed denial-of-service (DDoS) attacks. Additionally, Ttint uses WebSocket over TLS (WSS) to evade detection by encrypting its communication with the command and control (C2) server. According to researchers, Tenda routers using firmware versions AC9 through AC18 are considered vulnerable.

Recommendations

The NJCCIC recommends that users of Tenda routers verify their firmware version and update as necessary. Additionally, users are urged to monitor for and block the indicators of compromise (IOCs) provided in the 360 NetLab blog post.

New Jersey Cybersecurity & Communications Integration Cell

2 Schwarzkopf Dr, Ewing Township, NJ 08628

njccic@cyber.nj.gov

OUR COMMITMENT

The NJCCIC is a component organization within the New Jersey Office of Homeland Security and Preparedness. We are the State's one-stop-shop for cyber threat analysis, incident reporting, and information sharing and are committed to making New Jersey more resilient to cyber threats by spreading awareness and promoting the adoption of best practices.
