Lian granot & Dean Zavadski
February 6, 2022
In this blog post you will find a demo of Sternum's runtime protection deployed with a single click on a device vulnerable to BotenaGo (CVE-2020-9054), the Zyxel NAS326, and acting as an active mitigation against the exploitation.
The BotenaGo malware exploits different vulnerabilities in leading routers and IoT devices.
Many of the vulnerabilities exploited by BotenaGo are command injection vulnerabilities, a weakness class that is part of the 2021 CWE Top 25 Most Dangerous Software Weaknesses, and here it strikes again.
Complete analysis of the vulnerabilities can be found here.
On January 27, it was published that the malware's source code is publicly available on GitHub, enabling anyone to exploit devices in the wild, since many of them remain unpatched and vulnerable.
In fact, in some cases even patching didn’t help. Zyxel devices, for example, remained vulnerable even after an official patch release.
It seems that staying up to date is a difficult, time-consuming and costly task for IoT devices, which leaves them vulnerable not only to zero-day attacks, but also to very well known and old 1-day vulnerabilities. But what if, instead of continuously chasing vulnerabilities and manually patching them, we simply prevented the ability to exploit them? In the following blog post, we will explore this concept via the BotenaGo command injection vulnerabilities.
Sternum's unique, patented Exploitation Fingerprints technology targets the distinctive characteristics of vulnerability exploitation, including but not limited to command injection vulnerabilities, and prevents it in real time. Exploitation Fingerprints enable Sternum to disarm even the most sophisticated attackers at the moment they strike and make your device immune to both known and unknown threats.
We took a stab at demonstrating Sternum Exploitation Fingerprint™ in action against the BotenaGo malware.
BotenaGo Protection Demonstration:
We performed the following steps:
- Downloaded a vulnerable firmware for the Zyxel NAS326.
- Downloaded BotenaGo's publicly available source code and used one of the exploits published as part of the source code against the Zyxel device.
Public exploit used:
- Quickly applied Sternum’s protection into the device, without patching the vulnerabilities, and tried to exploit the device again using the same vulnerability and exploitation. Sternum’s protection prevents command injection exploitations in a generic way, rather than applying a patch or protection for each one.
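As an added illustration of the idea above (blocking the exploitation technique generically instead of patching each vulnerable handler), here is a small wrapper around `system()` that only forwards commands matching the firmware's own allow-listed command templates and whose untrusted tail carries no shell metacharacters. This is example code written for this post, not Sternum's product code and not anything from the BotenaGo source; the command templates, the `build_ping_cmd` handler and the hostnames are constructed for the demo.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed allow-list: the fixed command templates this (hypothetical)
 * NAS firmware legitimately runs from its web handlers. */
static const char *const ALLOWED_PREFIXES[] = {
    "/bin/ping -c 3 ",
    "/bin/ls /mnt/share/",
};

/* Characters that let input break out of the argument position in a shell. */
static const char SHELL_META[] = ";|&`$()<>\n\r";

/* A typical vulnerable firmware code path: a request parameter (host) is
 * pasted into a shell command string. Returns false if it does not fit. */
bool build_ping_cmd(const char *host, char *out, size_t out_len) {
    int n = snprintf(out, out_len, "/bin/ping -c 3 %s", host);
    return n >= 0 && (size_t)n < out_len;
}

/* Generic check: the command must start with an allowed template and the
 * variable remainder must not contain any shell metacharacter. Returns true
 * when it is safe to hand to the shell. */
bool guarded_system_ok(const char *cmd) {
    size_t count = sizeof ALLOWED_PREFIXES / sizeof ALLOWED_PREFIXES[0];
    for (size_t i = 0; i < count; i++) {
        size_t n = strlen(ALLOWED_PREFIXES[i]);
        if (strncmp(cmd, ALLOWED_PREFIXES[i], n) == 0)
            return strpbrk(cmd + n, SHELL_META) == NULL;
    }
    return false;  /* unknown template: never reached the shell before */
}

/* Drop-in replacement for system(): logs and refuses instead of executing
 * anything that fails the check, so an unpatched handler is still covered. */
int guarded_system(const char *cmd) {
    if (!guarded_system_ok(cmd)) {
        fprintf(stderr, "guarded_system: blocked command: %s\n", cmd);
        return -1;
    }
    return system(cmd);
}
```

The check is template-based, so a handler that legitimately needs quoting or redirection would need its own template and a stricter validator for the tail rather than a blanket metacharacter ban.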
What happens next on Sternum’s cloud platform is waiting for you in the video.
Sternum provides your IoT device holistic long-term protection, keeping it safe from coding mistakes, third-party bugs, and top known and unknown vulnerabilities in advance. After successfully preventing top recent IoT attacks such as Ripple20, BrakTooth, Amnesia:33 and more, we're proud once again to be able to provide peace of mind to our customers against BotenaGo.