One Article Review

Home - The article:
Source RiskIQ
Identifier 8632164
Publication date 2024-12-31 20:19:48 (viewed: 2024-12-31 21:08:17)
Title Four-Faith Industrial Routers Vulnerability Exploited in the Wild to Gain Remote Access
Text

## Snapshot

A post-authentication vulnerability in Chinese-manufactured Four-Faith industrial routers, identified as [CVE-2024-12856](https://security.microsoft.com/intel-explorer/cves/CVE-2024-12856/), is being exploited in the wild to execute unauthenticated remote command injections.

## Description

This flaw is being leveraged by attackers using the router's default credentials to gain remote access, possibly affecting Four-Faith customers in various sectors, including industrial automation, factories and manufacturing plants, power grids, renewable energy plants, water utilities, and transportation and logistics (fleet management and vehicle tracking with real-time data transmission). The vulnerability, which affects at least two router models (F3x24 and F3x36), involves the exploitation of the /apply.cgi endpoint over HTTP. Furthermore, a Censys scan indicated that approximately 15,000 internet-facing devices were vulnerable to the attack.

Attackers manipulate the adj_time_year parameter during system time modifications with the submit_type=adjust_sys_time action to inject OS commands, which can be used to gain unauthorized remote access or launch reverse shells. For instance, GB Hackers documented an example of a malicious payload sent through a POST request, where the running process on the vulnerable device showed the execution of the injected commands. VulnCheck has observed malicious activity from the IP address 178.215.238[.]91 attempting to exploit this vulnerability with a payload matching earlier patterns. DucklingStudio's blog post from November 2024 also confirmed the active exploitation of this vulnerability, though with a different payload than the one GB Hackers saw. VulnCheck informed Four-Faith about the vulnerability on December 20.

## Recommendations

GB Hackers reports that organizations using Four-Faith routers are strongly encouraged to:

1. **Change Default Credentials**: Immediately update the default login credentials to secure values.
2. **Patch Systems**: Consult Four-Faith for available firmware updates or patches targeting CVE-2024-12856.
3. **Monitor Network Traffic**: Deploy the Suricata rule provided to detect ongoing exploit attempts.
4. **Segregate Networks**: Isolate industrial control systems (ICS) from external networks to reduce attack vectors.

The VulnCheck Initial Access team wrote the following Suricata rule to detect CVE-2024-12856 on the wire:

```
alert http any any -> any any ( \
    msg:"VULNCHECK Four-Faith CVE-2024-12856 Exploit Attempt"; \
    flow:to_server; \
    http.method; content:"POST"; \
    http.uri; content:"/apply.cgi"; startswith; \
    http.header_names; content:"Authorization"; \
    http.request_body; content:"change_action="; \
    content:"adjust_sys_time"; \
    pcre:"/adj_time_[^=]+=[a-zA-Z0-9]*[^a-zA-Z0-9=]/"; \
    classtype:web-application-attack; \
    reference:cve,CVE-2024-12856; \
    sid:12700438; rev:1;)
```

Microsoft recommends detecting critical data security risks before they evolve into real incidents, through reconnaissance and vulnerability scanning to identify security weaknesses that could be used in a cyberattack.

- Regularly update and patch software to protect against known vulnerabilities, using the [Microsoft Defender vulnerability management dashboard](https://learn.microsoft.com/en-us/defender-vulnerability-management/tvm-dashboard-insights). Read more about how [vulnerability management](https://www.microsoft.com/en-us/security/business/security-101/what-is-vulnerability-management) works. Additionally, [integrate your Security Inform
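To make the Suricata rule's conditions concrete, here is an added Python example (written for this review; it is not VulnCheck's, GB Hackers' or Microsoft's code) that applies each condition of the rule, in the rule's order, to constructed raw HTTP requests. The minimal parser, the request builder, the host name, the Authorization token and every request body are constructed for the example; the regular expression is the one from the rule's pcre option, and the body keywords follow the rule (change_action=) rather than the submit_type wording used in the prose.

```python
import re
from dataclasses import dataclass, field

# Regex taken verbatim from the pcre option of the Suricata rule quoted in the article.
ADJ_TIME_RE = re.compile(r"adj_time_[^=]+=[a-zA-Z0-9]*[^a-zA-Z0-9=]")


@dataclass
class HttpRequest:
    method: str
    uri: str
    headers: dict = field(default_factory=dict)  # header names lower-cased
    body: str = ""


def parse_http_request(raw: str) -> HttpRequest:
    """Minimal HTTP/1.1 request parser, sufficient for the constructed samples below.

    Not a general parser: no folded headers, chunked bodies or pipelining.
    """
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, uri, headers, body)


def matches_rule(req: HttpRequest) -> bool:
    """Apply the rule's conditions in the order the rule lists them."""
    if req.method != "POST":                        # http.method; content:"POST"
        return False
    if not req.uri.startswith("/apply.cgi"):        # http.uri; content:"/apply.cgi"; startswith
        return False
    if "authorization" not in req.headers:          # http.header_names; content:"Authorization"
        return False
    # http.request_body; content:"change_action="; content:"adjust_sys_time"
    if "change_action=" not in req.body or "adjust_sys_time" not in req.body:
        return False
    # pcre:"/adj_time_[^=]+=[a-zA-Z0-9]*[^a-zA-Z0-9=]/"
    return ADJ_TIME_RE.search(req.body) is not None


def build_request(method: str, uri: str, body: str, with_authorization: bool = True) -> str:
    """Assemble a raw request for the samples (host name and token are placeholders)."""
    headers = [
        "Host: router.example.invalid",
        "Content-Type: application/x-www-form-urlencoded",
        f"Content-Length: {len(body)}",
    ]
    if with_authorization:
        headers.append("Authorization: Basic PLACEHOLDER-TOKEN")
    return f"{method} {uri} HTTP/1.1\r\n" + "\r\n".join(headers) + "\r\n\r\n" + body


# Constructed request bodies; none of these is a captured payload.
SAMPLES = {
    # A plain time change with a purely numeric year: should not fire.
    "benign_single_field": build_request(
        "POST", "/apply.cgi", "change_action=adjust_sys_time&adj_time_year=2024"),
    # A non-alphanumeric character right after the value: should fire.
    "metachar_after_value": build_request(
        "POST", "/apply.cgi", "change_action=adjust_sys_time&adj_time_year=2024;placeholder"),
    # Same body but no Authorization header: the rule requires one, so it does not fire.
    "metachar_no_authorization": build_request(
        "POST", "/apply.cgi", "change_action=adjust_sys_time&adj_time_year=2024;placeholder",
        with_authorization=False),
    # Two adj_time_ fields: '&' is outside [a-zA-Z0-9=], so the pcre matches the separator.
    "benign_two_fields": build_request(
        "POST", "/apply.cgi",
        "change_action=adjust_sys_time&adj_time_year=2024&adj_time_month=12"),
    # Same suspicious body on a different endpoint: the uri condition fails.
    "metachar_other_uri": build_request(
        "POST", "/other.cgi", "change_action=adjust_sys_time&adj_time_year=2024;placeholder"),
}


def evaluate_samples() -> dict:
    """Return sample name -> whether all of the rule's conditions hold."""
    return {name: matches_rule(parse_http_request(raw)) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, fired in evaluate_samples().items():
        print(f"{name:28s} {'ALERT' if fired else 'no match'}")
```

Two points worth noting when tuning this rule. The Authorization condition scopes it to authenticated requests, which matches the article's description of a post-authentication flaw abused through default credentials, so an unauthenticated probe of /apply.cgi is out of scope. And the pcre's trailing class `[^a-zA-Z0-9=]` does not exclude `&`, so a request carrying several adj_time_ fields separated by `&` matches even when every value is numeric (the `benign_two_fields` sample); whether the device's own form posts more than one such field per request is not something the article states, so check that against real traffic before treating each alert as confirmed exploitation.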
Rating ★★★
Sent Yes
Tags Tool Vulnerability Threat Industrial


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.