Free Republic

Chinese firm admits its hacked DVRs, cameras were behind Friday's massive DDOS attack
PC World ^ | 10/23/2016 | Michael Kan

Posted on 10/24/2016 12:26:19 PM PDT by MarchonDC09122009

Botnets created from the Mirai malware were involved in Friday's cyber attack.

Michael Kan - IDG News Oct 23, 2016

A Chinese electronics component manufacturer says its products inadvertently played a role in a massive cyberattack that disrupted major internet sites in the U.S. on Friday.

Hangzhou Xiongmai Technology, a vendor behind DVRs and internet-connected cameras, said on Sunday that security vulnerabilities involving weak default passwords in its products were partly to blame.

According to security researchers, malware known as Mirai has been taking advantage of these vulnerabilities by infecting the devices and using them to launch huge distributed denial-of-service attacks, including Friday’s outage.

“Mirai is a huge disaster for the Internet of Things,” Xiongmai said in an email to IDG News Service.

“(We) have to admit that our products also suffered from hacker's break-in and illegal use.”

Mirai works by enslaving IoT devices to form a massive connected network.

The devices are then used to deluge websites with requests, overloading the sites and effectively taking them offline.

Because these devices have weak default passwords and are easy to infect, Mirai has been found spreading to at least 500,000 devices, according to internet backbone provider Level 3 Communications.

Xiongmai says it patched the flaws with its products in September 2015 and its devices now ask the customer to change the default password when used for the first time.

But products running older versions of the firmware are still vulnerable.

To stop the Mirai malware, Xiongmai is advising that customers update their product’s firmware and change the default username and passwords on them.

Customers can also disconnect the products from the internet.

Botnets created from the Mirai malware were at least partly responsible for Friday's massive internet disruption...

(Excerpt) Read more at pcworld.com ...


TOPICS: Business/Economy; Foreign Affairs; News/Current Events
KEYWORDS: backdoor; china; ddos; electronics; infosec; internet; internetattack; iot; military; security
Reliance on Chinese manufacturing dominance presents an ever growing threat to our national security. See related posts on this developing story.
1 posted on 10/24/2016 12:26:19 PM PDT by MarchonDC09122009

To: MarchonDC09122009

Notice how the big push to give us all smart meters has gone REEEEEEEAL quiet??


2 posted on 10/24/2016 12:28:02 PM PDT by Buckeye McFrog

To: MarchonDC09122009

whaaaaaat?

Chinese internet products causing security issues?
Say it’s not so!!!!


3 posted on 10/24/2016 12:28:34 PM PDT by DannyTN

To: MarchonDC09122009

Why are we not bombing this gang off the face of the earth?


4 posted on 10/24/2016 12:29:15 PM PDT by WENDLE (Hillary provided Weapons to ISIS!! There is no doubt.)

To: MarchonDC09122009

Chinese IoT Device Maker Vows Product Recall, Legal Action Against Western Accusers — Krebs on Security

https://krebsonsecurity.com/2016/10/iot-device-maker-vows-product-recall-legal-action-against-western-accusers/

Brian Krebs
Oct 16
IoT Device Maker Vows Product Recall, Legal Action Against Western Accusers

A Chinese electronics firm pegged by experts as responsible for making many of the components leveraged in last week’s massive attack that disrupted Twitter and dozens of popular Web sites has vowed to recall some of its vulnerable products, even as it threatened legal action against this publication and others for allegedly tarnishing the company’s brand.

Last week’s attack on online infrastructure provider Dyn was launched at least in part by Mirai, a now open-source malware strain that scans the Internet for routers, cameras, digital video recorders and other Internet of Things “IoT” devices protected only by the factory-default passwords. Once infected with Mirai, the IoT systems can be used to flood a target with so much junk Web traffic that the target site can no longer accommodate legitimate users or visitors.

In an interim report on the attack, Dyn said: “We can confirm, with the help of analysis from Flashpoint and Akamai, that one source of the traffic for the attacks were devices infected by the Mirai botnet. We observed 10s of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack.”

As a result of that attack, one of the most-read stories on KrebsOnSecurity so far this year is “Who Makes the IoT Things Under Attack?”, in which I tried to match default passwords sought out by the Mirai malware with IoT hardware devices for sale on the commercial market today.

In a follow-up to that story, I interviewed researchers at Flashpoint who discovered that one of the default passwords sought by machines infected with Mirai — username: root and password: xc3511 — is embedded in a broad array of white-labeled DVR and IP camera electronics boards made by a Chinese company called XiongMai Technologies. These components are sold downstream to vendors who then use it in their own products.

The scary part about IoT products that include XiongMai’s various electronics components, Flashpoint found, was that while users could change the default credentials in the devices’ Web-based administration panel, the password is hardcoded into the device firmware and the tools needed to disable it aren’t present.

In a statement issued on social media Monday, XiongMai (referring to itself as “XM”) said it would be issuing a recall on millions of devices — mainly network cameras.

“Mirai is a huge disaster for the Internet of Things,” the company said in a separate statement emailed to journalists. “XM have to admit that our products also suffered from hacker’s break-in and illegal use.”

At the same time, the Chinese electronics firm said that in September 2015 it issued a firmware fix for vulnerable devices, and that XiongMai hardware shipped after that date should not by default be vulnerable.

“Since then, XM has set the device default Telnet off to avoid the hackers to connect,” the company said. “In other words, this problem is absent at the moment for our devices after Sep 2015, as Hacker cannot use the Telnet to access our devices.”

Regarding the default user name/password that ships with XM, “our devices are asking customers to change the default password when they first time to login,” the electronics maker wrote. “When customer power on the devices, the first step, is change the default password.”

I’m working with some researchers who are testing XM’s claims, and will post an update here if and when that research is available. In the meantime, the Chinese Ministry of Justice is threatening legal action against media outlets that it says are issuing “false statements” against the company.

Google’s translation of their statement reads, in part: “Organizations or individuals false statements, defame our goodwill behavior … through legal channels to pursue full legal responsibility for all violations of people, to pursue our legal rights are reserved.”

Xiongmail’s electrical components that are white-labeled and embedded in countless IoT products sold under different brand names.

The statement by the Chinese Ministry of Justice doesn’t name KrebsOnSecurity per se, but instead links to a Chinese media story referencing this site under the heading, “untrue reports link.”

Brian Karas, a business analyst with IPVM — a subscription-based news, testing and training site for the video surveillance industry — said the Chinese government has an ownership stake in Xiongmai and related IoT device makers including Dahua and Hikvision, and that over the past five years China’s market share in the video surveillance industry has surged.

Karas said the recent Mirai botnet attacks have created “extreme concerns about the impact of Chinese video surveillance products.” Nevertheless, the threats against those the company accuses of issuing false statements are more about saving face.

“We believe Xiongmai has issued this announcement as a PR effort within China, to help counter criticisms they are facing,” Karas wrote. “We do not believe that Xiongmai or the Ministry of Justice is seriously going to sue any Western companies as this is a typical tactic to save face.”


5 posted on 10/24/2016 12:32:00 PM PDT by MarchonDC09122009 (When is our next march on DC? When have we had enough?)

To: MarchonDC09122009; All

Related -

Confidential report lists U.S. weapons system designs compromised by Chinese cyberspies - The Washington Post

https://www.washingtonpost.com/world/national-security/confidential-report-lists-us-weapons-system-designs-compromised-by-chinese-cyberspies/2013/05/27/a42c3e1c-c2dd-11e2-8c3b-0b5e9247e8ca_story.html

In January, the advisory panel warned in the public version of its report that the Pentagon is unprepared to counter a full-scale cyber-conflict. The list of compromised weapons designs is contained in a confidential version, and it was provided to The Washington Post.

Some of the weapons form the backbone of the Pentagon’s regional missile defense for Asia, Europe and the Persian Gulf. The designs included those for the advanced Patriot missile system, known as PAC-3; an Army system for shooting down ballistic missiles, known as the Terminal High Altitude Area Defense, or THAAD; and the Navy’s Aegis ballistic-missile defense system.

Also identified in the report are vital combat aircraft and ships, including the F/A-18 fighter jet, the V-22 Osprey, the Black Hawk helicopter and the Navy’s new Littoral Combat Ship, which is designed to patrol waters close to shore.

Also on the list is the most expensive weapons system ever built — the F-35 Joint Strike Fighter, which is on track to cost about $1.4 trillion. The 2007 hack of that project was reported previously.

China, which is pursuing a comprehensive long-term strategy to modernize its military, is investing in ways to overcome the U.S. military advantage — and cyber-espionage is seen as a key tool in that effort, the Pentagon noted this month in a report to Congress on China. For the first time, the Pentagon specifically named the Chinese government and military as the culprit behind intrusions into government and other computer systems.


6 posted on 10/24/2016 12:39:53 PM PDT by MarchonDC09122009 (When is our next march on DC? When have we had enough?)

To: MarchonDC09122009; All

China is DELIBERATELY doing everything it can to compromise our security.
Our reliance on their manufacturing is insane!

Proof That Military Chips From China Are Infected? - Defensetech

http://www.defensetech.org/2012/05/30/smoking-gun-proof-that-military-chips-from-china-are-infected/?mobile=1

Proof That Military Chips From China Are Infected?

Posted By: John Reed May 30, 2012

For years, everyone has warned that counterfeit microchips made in China and installed on American military hardware could contain viruses or secret backdoors granting the Chinese military cyber access to U.S. weapons systems. These warnings/predictions recently expanded beyond counterfeit parts; now we’re worried that any Chinese-made components could be infected. The problem was that until this week, these warnings were educated guesses and theories. Well, a scientist at Cambridge University in the United Kingdom claims to have developed a software program proving that China — and anyone else — can, and is, installing cyber backdoors on some of the world’s most secure, “military grade” microchips.

Specifically, the American-designed, Chinese-made Actel/Microsemi ProASIC3 A3P250 — commonly known as the PA3 — chip was found by Cambridge researcher, Sergei Skorobogatov, to have a backdoor, or trojan, deliberately built into it. The PA3 is what’s called a Field Reprogrammable Gate Array (FRGA); an almost blank slate of a microchip that can be programmed by its owner to perform a variety of tasks.

Most alarming is that the PA3 is considered to be one of the “most impenetrable” designs on the market. The chip is used in military “weapons, guidance, flight control, networking and communications” hardware, according to Skorobogatov’s report on his findings that was published last weekend. The PA3 is also used in civilian “nuclear power plants, power distribution, aerospace, aviation, public transport and automotive products,” according to Skorobogatov.

(In an example of just how military-grade these chips are supposed to be, the image above is actually taken from Actel/Microsemi’s promotional material for the PA3)

Basically, Chinese cyber spies can use the chip’s built-in malware to decipher military passcodes and gain remote access to the chip and reprogram it to do their bidding; “permitting a new and disturbing possibility of a large-scale Stuxnet-type attack via a network or the Internet on the silicon itself,” reads his report.

The worst part, this backdoor, installed on chips used on critical weapons systems and public infrastructure around the world, is almost impossible to remove from the chip since, well, it was built into the device during manufacturing. That means you can’t just issue a software patch to repair the vulnerability.

    The backdoor is close to impossible to fix on chips already deployed because, unlike software bugs in a PC Operating System, you cannot issue a patch to fix this. Instead one has to replace all the hardware which could be extremely expensive. It may simply be a matter of time before this backdoor opportunity, which has the potential to impact on many critical systems, is exploited. Having a security related backdoor on a silicon chip jeopardises any efforts of adding software level protection. This is because an attacker can use the underlying hardware to circumvent the software countermeasures.

So uh yeah, this stuff is everywhere. When people warn of the potential for widespread disruption from cyber espionage and warfare, they’re not just crying wolf. Makes you feel safe, huh?

Here’s Skorobogatov’s full report where you’ll learn how the backdoors are installed and activated.

Backdoors Embedded in DoD Microchips From China


7 posted on 10/24/2016 12:45:49 PM PDT by MarchonDC09122009 (When is our next march on DC? When have we had enough?)

To: MarchonDC09122009

No! It was the Russians! 17 intel agencies insisted it was the Russians!! Noooooooo!!

We are being played so bad, it’s embarrassing. Of course, China has been into hacking US systems since 1995. 20 years of this crap and finally someone in the intel universe gets a freaking clue.


8 posted on 10/24/2016 12:46:55 PM PDT by Attention Surplus Disorder (I had a cool idea for a new tagline and I forgot it!)

To: DannyTN

To be fair, this type of vulnerability is pervasive in the industry. It is minimum wage, minimum experience, minimum quality code that is the problem.


9 posted on 10/24/2016 12:47:40 PM PDT by John Robinson (I am a twit @_John_Robinson)

To: DannyTN

They were creating a Hillary polling engine and it got out of hand and she still did not get over 50%


10 posted on 10/24/2016 12:49:31 PM PDT by Jimmy The Snake

To: MarchonDC09122009

At the time, most of the stories blamed Russia....
I wonder if they will all apologize?


11 posted on 10/24/2016 1:10:11 PM PDT by stylin19a (que)

To: MarchonDC09122009

It’s time for details. Exactly what models of DVRs and other IoT devices answered the call of the Chicoms? What did they have in common? Can we blame Apple?


12 posted on 10/24/2016 1:22:57 PM PDT by ImJustAnotherOkie (M)

To: MarchonDC09122009

Bkmrk.


13 posted on 10/24/2016 1:28:00 PM PDT by RushIsMyTeddyBear (<<<<< he no longer IS my 'teddy bear'.)

To: MarchonDC09122009

OMG, I just ordered a Samsung Smart TV. What should I do? Am I safe? Will they be able to see me looking.p at the tv? Is the sky falling?


14 posted on 10/24/2016 1:38:52 PM PDT by TonyM

To: John Robinson

Zactly. I was considering a Simplisafe alarm system till I learned it can be hacked into by a crook with even rudimentary electronics skills. And there’s no way to update the software. It’s a one time deal. What you buy is what you get.


15 posted on 10/24/2016 1:51:55 PM PDT by LouAvul (The most High ruleth in the kingdom of men, and giveth it to whomsoever he will.)

To: MarchonDC09122009

My IT friend was still doing damage control Sunday


16 posted on 10/24/2016 2:06:02 PM PDT by Zathras
