Ttint is a new form of IoT botnet that also includes remote access tools-like (RAT) features

guest · Oct 4, 2020

New Ttint IoT botnet caught exploiting two zero-days in Tenda routers
...tools-like (RAT) features, rarely seen in these types of botnets before
October 4, 2020
https://www.zdnet.com/article/new-ttint-iot-botnet-caught-exploiting-two-zero-days-in-tenda-routers/

For almost a year, a threat actor has been using zero-day vulnerabilities to install malware on Tenda routers and build a so-called IoT (Internet of Things) botnet.

Named Ttint, this botnet was first detailed in a report published on Friday by Netlab, the network security division of Chinese tech giant Qihoo 360.
But unlike the myriad of IoT botnets of its kind spotted in the past, Netlab researchers said Ttint was different on several levels.
Click to expand...

It didn't just infect devices to perform DDoS attacks, but also implemented 12 different remote access methods to the infected routers, used the routers as proxies to relay traffic, tampered with the router's firewall and DNS settings, and even gave attackers the ability to execute remote commands on the infected devices.

"Two zero-days, 12 remote access functions for the router, encrypted traffic protocol, and infrastructure [...] that that moves around. This botnet does not seem to be a very typical player," Netlab said on Friday.
Click to expand...

TWO ZERO-DAYS, NEITHER PATCHED
The botnet continued to exploit this zero-day (tracked as CVE-2020-10987) until July 2020, when Sanjana Sarda, a Junior Security Analyst at Independent Security Evaluators, published a detailed report about the vulnerability and four others.

Netlab said that any Tenda router running a firmware version between AC9 to AC18 are to be considered vulnerable
Click to expand...

Under the hood, Ttint was built on Mirai, an IoT malware family that was leaked online in 2016.
Each botnet operator tried to innovate and add something different, but Ttint appears to have borrowed something from each to build a Mirai version more complex than anything before.

"Ttint could mark the beginning of the maturing of general IoT malware and broader leverage in more sophisticated campaigns," the Radware security evangelist told ZDNet.
Click to expand...

Qihoo 360 Netlab: Ttint: An IoT Remote Access Trojan spread through 2 0-day vulnerabilities

The conventional Mirai variants normally focus on DDoS, but this variant is different. In addition to DDoS attacks, it implements 12 remote access functions such as Socket5 proxy for router devices, tampering with router DNS, setting iptables, executing custom system commands.

Two zero days, 12 remote access functions for the router, encrypted traffic protocol, and infrastructure IP that that moves around. This botnet does not seem to be a very typical player.
Click to expand...

Log in or Sign up

Ttint is a new form of IoT botnet that also includes remote access tools-like (RAT) features

guest Guest

Log in or Sign up

Ttint is a new form of IoT botnet that also includes remote access tools-like (RAT) features

guest Guest

Useful Searches