Stratos Ally

Subscribe
Subscribe
Facebook-square Instagram Linkedin Youtube X-twitter

Four-Faith Routers under DDOS threat! 

Picture of DarkSoul

DarkSoul

Facebook-square Instagram Linkedin Youtube X-twitter
Four-Faith Routers under DDOS threat!

The Industrial Router manufacturer firm Four-Faith, which is based out of China, has seen its products getting attacked with the aim of conducting a Distributed Denial of Service attack. A Mirai botnet variant has been observed exploiting a newly disclosed security flaw impacting Four-Faith industrial routers since early November 2024.  

The botnet sustains approximately 15,000 daily active IP addresses, with the infections primarily dispersed across China, Iran, Russia, Turkey, and the United States. The malware is known to have been active since February 2024 targeting over 20 known security vulnerabilities and weak Telnet credentials for initial access. The botnet has been tagged as “gayfemboy” in reference to the offensive term present in the source code.  

The vulnerability being targeted is CVE-2024-12856 (CVSS score: 7.2), which is a command injection flaw affecting router models F3x24 and F3x36 by taking advantage of default credentials. CVE-2013-3307, CVE-2013-7471, CVE-2014-8361, CVE-2016-20016, CVE-2017-17215, CVE-2017-5259, CVE-2020-25499, CVE-2020-9054, CVE-2021-35394, CVE-2023-26801, CVE-2024-8956, and CVE-2024-8957 are among some of the other security flaws exploited by the botnet.  

The botnet has been targeting hundreds of different entities on a daily basis, with the activity scaling a new peak in October and November 2024. The attacks have a recorded duration between 10 and 30 seconds and generate traffic around 100 Gbps. The attack modes are diverse, attack paths are highly concealed, and it continuously evolves its strategies and techniques to conduct precise strikes against various industries and systems, posing a significant threat to enterprises, government organizations, and individual users.  

The disclosure comes following an alert from Juniper Networks that threat actors are targeting Session Smart Router (SSR) products with default passwords to drop the Mirai botnet malware. Akamai has also revealed Mirai malware infections that weaponize a remote code execution flaw in DigiEver DVRs. The targets known till date are :  

  • ASUS routers (via N-day exploits).  
  • Huawei routers (via CVE-2017-17215)  
  • Neterbit routers (custom exploit)  
  • LB-Link routers (via CVE-2023-26801)  
  • Four-Faith Industrial Routers (via the zero-day now tracked as CVE-2024-12856)  
  • PZT cameras (via CVE-2024-8956 and CVE-2024-8957)  
  • Kguard DVR  
  • Lilin DVR (via remote code execution exploits)  
  • Generic DVRs (using exploits like TVT editBlackAndWhiteList RCE)  
  • Vimar smart home devices (likely using an undisclosed vulnerability)  
  • Various 5G/LTE devices (likely via misconfigurations or weak credentials)  

Users can protect their devices by following the general recommendation to install the latest device updates from the vendor, disable remote access if not needed, and change the default admin account credentials.   

The Industrial Router manufacturer firm Four-Faith, which is based out of China, has seen its products getting attacked with the aim of conducting a Distributed Denial of Service attack. A Mirai botnet variant has been observed exploiting a newly disclosed security flaw impacting Four-Faith industrial routers since early November 2024.  

The botnet sustains approximately 15,000 daily active IP addresses, with the infections primarily dispersed across China, Iran, Russia, Turkey, and the United States. The malware is known to have been active since February 2024 targeting over 20 known security vulnerabilities and weak Telnet credentials for initial access. The botnet has been tagged as “gayfemboy” in reference to the offensive term present in the source code.  

The vulnerability being targeted is CVE-2024-12856 (CVSS score: 7.2), which is a command injection flaw affecting router models F3x24 and F3x36 by taking advantage of default credentials. CVE-2013-3307, CVE-2013-7471, CVE-2014-8361, CVE-2016-20016, CVE-2017-17215, CVE-2017-5259, CVE-2020-25499, CVE-2020-9054, CVE-2021-35394, CVE-2023-26801, CVE-2024-8956, and CVE-2024-8957 are among some of the other security flaws exploited by the botnet.  

The botnet has been targeting hundreds of different entities on a daily basis, with the activity scaling a new peak in October and November 2024. The attacks have a recorded duration between 10 and 30 seconds and generate traffic around 100 Gbps. The attack modes are diverse, attack paths are highly concealed, and it continuously evolves its strategies and techniques to conduct precise strikes against various industries and systems, posing a significant threat to enterprises, government organizations, and individual users.  

The disclosure comes following an alert from Juniper Networks that threat actors are targeting Session Smart Router (SSR) products with default passwords to drop the Mirai botnet malware. Akamai has also revealed Mirai malware infections that weaponize a remote code execution flaw in DigiEver DVRs. The targets known till date are :  

  • ASUS routers (via N-day exploits).  
  • Huawei routers (via CVE-2017-17215)  
  • Neterbit routers (custom exploit)  
  • LB-Link routers (via CVE-2023-26801)  
  • Four-Faith Industrial Routers (via the zero-day now tracked as CVE-2024-12856)  
  • PZT cameras (via CVE-2024-8956 and CVE-2024-8957)  
  • Kguard DVR  
  • Lilin DVR (via remote code execution exploits)  
  • Generic DVRs (using exploits like TVT editBlackAndWhiteList RCE)  
  • Vimar smart home devices (likely using an undisclosed vulnerability)  
  • Various 5G/LTE devices (likely via misconfigurations or weak credentials)  

Users can protect their devices by following the general recommendation to install the latest device updates from the vendor, disable remote access if not needed, and change the default admin account credentials. 

more Related articles

READ ALL