Severity
High
Analysis Summary
According to recent discoveries, a high-severity vulnerability affecting specific Four-Faith industrial routers has been actively exploited in the wild. The vulnerability has been identified as an operating system (OS) command injection problem that affects router models F3x24 and F3x36. It is tracked as CVE-2024-12856 (CVSS score: 7.2).
The vulnerability is rated less severe because it can only be triggered by a remote attacker who is able to authenticate to the router. However, if the routers' default credentials have not been changed, it effectively becomes unauthenticated OS command execution. In the attack described by the researchers, the unknown threat actors authenticated with the router's default credentials, exploited CVE-2024-12856, and launched a reverse shell for persistent remote access.
The exploitation attempt originated from the IP address 178.215.238[.]91, which has also been linked to attacks attempting to weaponize CVE-2019-12168, another remote code execution vulnerability affecting Four-Faith routers. Attempts to exploit CVE-2019-12168 were observed as recently as December 19, 2024. At a minimum, the attack can be launched over HTTP against the /apply.cgi endpoint of the Four-Faith F3x24 and F3x36. When the device's system time is adjusted using submit_type=adjust_sys_time, the systems are susceptible to OS command injection through the adj_time_year argument.
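Defenders who front these routers with a proxy, WAF or syslog collector can hunt for the request pattern described above. The following detector is an added example and not part of the original advisory; it assumes common-log-format access lines that record the request parameters, and the log lines it scans are constructed samples, not real captures. It flags requests to /apply.cgi with submit_type=adjust_sys_time whose adj_time_year value is not a plain four-digit year, and any request from the advisory's IOC address.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Source IP published as an IOC in the advisory (defanged there, normalised here).
IOC_IPS = {"178.215.238.91"}

# Characters that have no place in a numeric year value and are typical of
# shell command injection attempts.
SHELL_META = set(";|&$`()\n")

# Constructed access-log lines in common log format (not real captures). This
# assumes a proxy or collector in front of the router that records the request
# parameters; on the device itself the form fields may travel in the POST body.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Dec/2024:10:01:02 +0000] "POST /apply.cgi?submit_type=adjust_sys_time&adj_time_year=2024&adj_time_month=12 HTTP/1.1" 200 512
178.215.238.91 - - [19/Dec/2024:10:02:17 +0000] "POST /apply.cgi?submit_type=adjust_sys_time&adj_time_year=2024%3Bid HTTP/1.1" 200 512
203.0.113.7 - - [19/Dec/2024:10:03:00 +0000] "POST /apply.cgi?submit_type=adjust_sys_time&adj_time_year=2024%24%28uname%29 HTTP/1.1" 200 512
203.0.113.8 - - [19/Dec/2024:10:04:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def analyze_line(line):
    """Return a finding dict for a suspicious request, or None."""
    m = CLF.match(line)
    if not m:
        return None
    src, method, target, status = m.groups()
    parts = urlsplit(target)
    params = parse_qs(parts.query)
    reasons = []
    if src in IOC_IPS:
        reasons.append("ioc_source_ip")
    if parts.path == "/apply.cgi" and params.get("submit_type") == ["adjust_sys_time"]:
        year = params.get("adj_time_year", [""])[0]
        if not re.fullmatch(r"\d{4}", year):  # a legitimate year is four digits
            reasons.append("non_numeric_adj_time_year")
        if SHELL_META & set(year):
            reasons.append("shell_metachar")
    if not reasons:
        return None
    return {"src": src, "method": method, "status": status, "reasons": reasons}


def scan_log(text):
    """Run analyze_line over every line and collect the findings."""
    return [f for f in (analyze_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The numeric check is the more durable signal: the IOC address can change, but adj_time_year should never contain anything other than digits.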
More than 15,000 such devices are exposed to the internet. Some evidence suggests that attacks exploiting the vulnerability may have been under way since at least early November 2024. The researchers state that the attacks are not widespread: a small number of attackers appear to be spraying the entire internet at a very low rate. The final payload downloaded was a Mirai-like binary. Patch availability is still unknown, although the researchers state that they responsibly disclosed the vulnerability to the Chinese company on December 20, 2024.
Impact
- Command Execution
- Unauthorized Access
Indicators of Compromise
IP
- 178.215.238.91
Remediation
- Regularly update firmware on all network devices, especially those identified as vulnerable.
- Enable antivirus and anti-malware software and update signature definitions on time. Using multi-layered protection is necessary to secure vulnerable assets.
- Immediately change default passwords on IoT devices to unique ones.
- Keep devices' firmware and software up to date to ensure that known vulnerabilities are patched.
- Implement firewalls and intrusion detection systems to monitor and control traffic to and from IoT devices.
- Employ tools that can identify unusual behavior or traffic patterns that might indicate a DDoS attack or a compromised device.
- Disable any unnecessary services or features on IoT devices to reduce their attack surface.
- Follow security best practices, such as disabling remote management if not needed and enabling security features provided by the device manufacturer.
- Deploy intrusion detection and prevention systems (IDS/IPS) to monitor for anomalous or malicious network activity.
- Set up alerts for unusual traffic patterns that might indicate a DDoS attack or a compromised device.
- Educate and inform users and administrators about the importance of timely updates and secure configurations.
- Implement robust firewall and intrusion prevention systems to filter malicious traffic.