ACSC Cyber Information update
Summary
The Federal Bureau of Investigation (FBI), Cyber National Mission Force (CNMF), and National Security Agency (NSA) assess that People’s Republic of China (PRC)-linked cyber actors have compromised thousands of Internet-connected devices, including small office/home office (SOHO) routers, firewalls, network-attached storage (NAS) and Internet of Things (IoT) devices with the goal of creating a network of compromised nodes (a “botnet”) positioned for malicious activity. The actors may then use the botnet as a proxy to conceal their identities while deploying distributed denial of service (DDoS) attacks or compromising targeted U.S. networks.
Integrity Technology Group, a PRC-based company, has controlled and managed a botnet active since mid-2021. The botnet has regularly maintained between tens to hundreds of thousands of compromised devices. As of June 2024, the botnet consisted of over 260,000 devices. Victim devices part in the botnet have been observed in North America, South America, Europe, Africa, Southeast Asia and Australia.
While devices aged beyond their end-of-life dates are known to be more vulnerable to intrusion, many of the compromised devices in the Integrity Tech controlled botnet are likely still supported by their respective vendors.
FBI, CNMF, NSA, and allied partners are releasing this Joint Cyber Security Advisory to highlight the threat posed by these actors and their botnet activity and to encourage exposed device vendors, owners, and operators to update and secure their devices from being compromised and joining the botnet. Network defenders are advised to follow the guidance in the mitigations section to protect against the PRC-linked cyber actors’ botnet activity. Cyber security companies can also leverage the information in this advisory to assist with identifying malicious activity and reducing the number of devices present in botnets worldwide.
More information
Any of the devices mentioned below may be affected. Ensure that the software of these products are up to date. If a product is deemed end-of-life by the vendor, replace it with a new one.
For Australia please pay specific attention to the home routers from Telstra, D-link, Netgate and Netgear. Also for small/medium businesses who have adopted the Cisco Small Business routers, ensure these are running the latest firmware.
| CVE | Vendor | Product | Versions affected | Vulnerability type |
|---|---|---|---|---|
| CVE-2024-5217 | ServiceNow | Now Platform | Washington DC, Vancouver, and earlier Now Platform releases | RCE |
| CVE-2024-4577 | PHP Group | PHP | PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows | OS command injection |
| CVE-2024-29973 | Zyxel | NAS326NAS542 | NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions before V5.21(ABAG.14)C0 | OS command injection |
| CVE-2024-29269 | Telesquare | TLR-2005Ksh | 1.0.0 and 1.1.4 | Arbitrary system commands |
| CVE-2024-21762 | Fortinet | FortiOS | FortiOS 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, 6.0.0 through 6.0.17, | RCE |
| FortiProxy | FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14, 2.0.0 through 2.0.13, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, 1.0.0 through 1.0.7 | |||
| CVE-2023-50386 | Apache | Solr | 6.0.0 through 8.11.2, 9.0.0 before 9.4.1 | Unrestricted file upload |
| CVE-2023-47218 | QNAP | QTS QuTS hero QuTScloud | QTS 5.1.x before 5.1.5.2645 build 20240116, QuTS hero h5.1.x before h5.1.5.2647 build 20240118, QuTScloud c5.x before c5.1.5.2651 | OS command injection |
| CVE-2023-46747 | F5 | F5 Big-IP | Big-IP (all modules) 17.1.0-17.1., 16.1.0-16.1.4, 15.1.0-15.1.10, 14.1.0-14.1.5,13.1.0-13.1.5 | Authentication bypass |
| CVE-2023-46604 | Apache | Apache ActiveMQ | before 5.15.16, 5.16.7, 5.17.6, or 5.18.3 | RCE |
| CVE-2023-43478 | Telstra | Smart Modem Gen 2 | Firmware versions before 0.18.15r | Code execution as root |
| CVE-2023-4166 | Tongda OA | Tongda2000 | 11.10 | SQL injection |
| CVE-2023-38646 | Metabase | Metabase and Metabase Enterprise | Metabase before 0.46.6.1, Metabase Enterprise before 1.46.6.1 | Arbitrary command execution |
| CVE-2023-3852 | OpenRapid | Yuque RapidCMS | Up to version 1.3.1 | Arbitrary file upload |
| CVE-2023-38035 | Ivanti | MobileIron Sentry (MICS Admin Portal) | 9.18.0 and below | Authentication bypass |
| CVE-2023-37582 | Apache | RocketMQ | 5.1.1 | Remote command execution |
| CVE-2023-36844 | Juniper | Juniper Junos | 20.4, 21.1, 21.2, 21.3, 21.4, 22.1, 22.2, 22.3, 22.4 | PHP external variable modification |
| CVE-2023-36542 | Apache | Apache NiFi | 0.0.2 through 1.22.0 | Code injection |
| CVE-2023-35885 | CloudPanel | CloudPanel 2 | before 2.3.1 | Insecure file-manager cookie authentication |
| CVE-2023-35843 | NocoDB | NocoDB | Through 0.106.0 (or 0.109.1) | Path traversal |
| CVE-2023-3519 | Citrix | Netscaler Gateway, Application Delivery Controller (ADC) | 12.1-NDcPP before 55.297, 12.1-FIPS before 55.297, 13.1-FIPS before 37.159, 13.0 before 91.13, 13.1 before 49.13 | Unauthenticated remote code execution |
| CVE-2023-35081 | Ivanti | Endpoint Manager Mobile (EPMM) | 11.10x<11.10.0.3, 11.9x<11.91.2, and 11.8<11.8.12 | Path traversal |
| CVE-2023-34960 | Chamilo | Chamilo | v1.11.* up to v1.11.18 | Command injection |
| CVE-2023-34598 | Gibbonedu | Gibbon | 25.0.00 | Local File Inclusion (LFI) vulnerability |
| CVE-2023-3368 | Chamilo | Chamilo LMS | <= v1.11.20 | Command injection leading to remote code execution (RCE) Bypass of CVE-2023-34960 |
| CVE-2023-33510 | WordPress | Jeecg P3 Bix Chat | Jeecg P3 Biz Chat Project Jeecg P3 Biz Chat 1.0.5 | Allows remote attackers to read arbitrary files |
| CVE-2023-30799 | MikroTik | MikroTik RouterOS | Stable before 6.49.7 and long-term through 6.48.6 | Privilege escalation |
| CVE-2023-28771 | Zyxel | ZyWALL/USG series | ZyWALL/USG ZLD 4.60 to 4.73, VPN ZLD 4.60 to 5.35, USG FLEX ZLD 4.60 to 5.35, ATP ZLD 4.60 to 5.35 | OS command injection |
| CVE-2023-28365 | Ubiquiti | UI UniFi | 7.3.83 and earlier | Backup file vulnerability |
| CVE-2023-27997 | Fortinet | FortiOS | FortiOS version 7.2.4 and below, version 7.0.11 and below, version 6.4.12 and below, version 6.0.16 and below | Buffer overflow |
| FortiProxy | FortiProxy 7.2.3 and below, 7.0.9 and below, 2.0.12 and below, 1.2 all versions, 1.1 all versions | |||
| CVE-2023-27524 | Apache | Apache Superset | Versions up to and including 2.0.1. | Authenticate and access unauthorized resources |
| CVE-2023-26469 | Jorani | Jorani | 1.0.0 | Path traversal to RCE |
| CVE-2023-25690 | Apache | Apache HTTP Server | 2.4.0 through 2.4.55 | HTTP request smuggling |
| CVE-2023-24229 | DrayTek | Vigor2960 | Firmware v1.5.1.4 No longer supported by maintainer | Command injection |
| CVE-2023-23333 | Contec | SolarView Compact | Firmware through 6.00 | Command injection |
| CVE-2023-22527 | Confluence | Data Center and Server | < 8.5.5 (LTS) < 8.7.2 (Data Center Only) | Template injection leading to RCE |
| CVE-2023-22515 | Confluence | Data Center and Server | >=8.0.0, >= 8.1.0, >=8.2.0, >=8.30 to <8.3.3, >=8.4.0 to <8.4.3, >=8.5.0 to <8.5.2 | Privilege escalation |
| CVE-2022-42475 | Fortinet | FortiOS | FortiOS SSL-VPN 7.2.0 through 7.22, 7.00 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.211, 6.0.15 and earlier | Buffer overflow |
| FortiProxy | FortiProxy SSL VPN 7.2.0 through 7.2.1, 7.0.7 and earlier. | |||
| CVE-2022-40881 | Contec | SolarView Compact | Firmware 6.00 | Command injection |
| CVE-2022-3590 | WordPress | WordPress | WordPress 4.1 | Unauthenticated blind SSRF in the pingback feature |
| CVE-2022-31814 | Netgate | pfSense pfBlockerNG | Through 2.1.4_26 | OS command injection |
| CVE-2022-30525 | Zyxel | USG FLEX, ATP, and VPN series firmware | USG FLEX 100(W)/200/500/700 ZLD 5.00 through 5.21 Patch 1, USG FLEX 50(W)/USG20(W)-VPN ZLD 5.10 through 5.21 Patch 1, ATP series ZLD 5.10 through 5.21 Patch 1, VPN series ZLD 4.60 through 5.21 Patch 1 | OS command injection |
| CVE-2022-26134 | Atlassian | Confluence Data Center | 7.18.0 | OGNL Injection |
| Confluence server | ||||
| CVE-2022-20707 | Cisco | Small Business Series Routers | RV160, RV260, RV340, and RV345 | RCE |
| CVE-2022-1388 | F5 | BIG-IP | 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, all 12.1.x and 11.6.x versions | Authentication bypass |
| CVE-2021-46422 | Telesquare | SDT-CW3B1 | 1.1.0 | OS command injection |
| CVE-2021-45511 | NETGEAR | NETGEAR | AC2100 before 2021-08-27, AC2400 before 2021-08-27, AC2600 before 2021-08-27, D7000 before 2021-08-27, R6220 before 2021-08-27, R6230 before 2021-08-27, R6260 before 2021-08-27, R6330 before 2021-08-27, R6350 before 2021-08-27, R6700v2 before 2021-08-27, R6800 before 2021-08-27, R6850 before 2021-08-27, R6900v2 before 2021-08-27, R7200 before 2021-08-27, R7350 before 2021-08-27, R7400 before 2021-08-27, R7450 before 2021-08-27 | Authentication bypass |
| CVE-2021-44228 | Apache | Log4j2 | 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) | Input validation code execution |
| CVE-2021-36260 | Hikvision | Web servers firmware | Various DS-2CD, DS-2X, DS-2DY, PTZ-N, DS-2DF, DS-2TD, IDS, DS-76, DS-71 | Command injection |
| CVE-2021-28799 | QNAP Systems Inc. | Hybrid Backup Sync (HBS) 3 | versions prior to v16.0.0415 on QTS 4.5.2; versions prior to v3.0.210412 on QTS 4.3.6; versions prior to v3.0.210411 on QTS 4.3.4; versions prior to v3.0.210411 on QTS 4.3.3; versions prior to v16.0.0419 on QuTS hero h4.5.1; versions prior to v16.0.0419 on QuTScloud c4.5.1~c4.5.4 | Improper authorization |
| CVE-2021-20090 | Buffalo Arcadyan | Buffalo WSRArcadyan firmware | WSR-2533DHPL2 firmware version <= 1.02, WSR-2533DHP3 firmware version <= 1.24 | Path traversal |
| CVE-2021-1473 | Cisco | Small Business RV Series Routers | RV340/RV340W, RV345/RV345P before 1.0.03.21 | OS command injection |
| CVE-2021-1472 | Cisco | Small Business Series Routers firmware | RV160, RV160W, RV260, RV260P, RV260W, RV340, RV340W, RV345, RV345P | Arbitrary code execution |
| CVE-2020-8515 | DrayTek | Vigor | Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, 1.4.4_Beta | RCE |
| CVE-2020-4450 | IBM | WebSphere Application Server | 8.5 and 9.0 traditional | Arbitrary code execution |
| CVE-2020-35391 | Tenda | Tenda F3 Firmware | Tenda F3 Firmware 12.01.01.48 | Forced browsing |
| CVE-2020-3452 | Cisco | Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) Software | ASA <9.6.4.42, <9.8.4.20, <9.9.2.74, <9.10.1.42, <9.12.3.12, <9.13.1.10, <9.14.1.10 FTD <6.2.3.16, <6.3.0.6, <6.4.0.10, <6.5.05, <6.6.0.1 | Path traversal |
| CVE-2020-3451 | Cisco | Small Business Series Routers Firmware | RV340W, RV340, RV345, RV345P | Multiple Security Vulnerabilities – like Buffer overflow via environment variables, server side include (SSI) injection |
| CVE-2020-15415 | DrayTek | Vigor Firmware | 3900, 2960, and 300b | Command injection |
| CVE-2019-7256 | Linear eMerge | E3-Series | Nortekcontrol Linear Emerge Essential Firmware Nortekcontrol Linear Emerge Elite Firmware | Command injection |
| CVE-2019-19824 | TOTOLINK Realtek | SDK based routers | A3002Ru through 2.0.0, A702R through 2.1.3, N301Rt through 2.16, N302R through 3.4.0, N300Rt through 3.4.0, N200Re through 4.0.0, N150Rt through 3.4.0, N100Re through 3.4.0, N302RE through 2.0.2 | OS command injection |
| CVE-2019-17621 | D-Link | DIR-859 Wi-Fi router 1.05 and 1.06B01 Beta01 | DIR-818Lx Bx <=v2.05b03_Beta08, DIR-822 Bx <=v2.03b01, DIR-822 Cx <=v3.12b04, DIR-823 Ax <=v1.00b06_Beta, DIR-859 Ax <=v1.06b01Beta01, DIR-868L Ax <=v1.12b04, DIR-868L Bx <=v2.05b02, DIR-869 Ax <=v1.03b02Beta02, DIR-880L Ax <=v1.08b04, DIR-890L/R Ax <=v1.11b01_Beta01, DIR-885L/R Ax <=v1.12b05, DIR-895L/R Ax <=v1.12b10 | OS command injection related to UPnP service |
| CVE-2019-12168 | Four-Faith | Four-Faith Wireless Mobile Router F3x24 | Firmware 1.0 | RCE via command shell |
| CVE-2019-11829 | Microsoft | Windows 10 Server 2016 | Server 2016 1607 1703 | OS command injection |
| CVE-2018-18852 | Cerio | Cerio Dt-300N FirmwareCerio Dt-300n | DT-300N 1.1.6 through 1.1.12 devices | OS command injection |
| CVE-2017-7876 | QNAP | QTS | QTS 4.2.6 before build 20170517, QTS 4.3.3.0174 before build 20170503 | Command injection |
| CVE-2015-7450 | IBM | Tivoli Common Reporting | 3.1.0.2, 3.1, 3.1.2, 3.1.2.1, 2.1, 2.1.1.2, 3.1.0.1, 2.1.1, | Code injection |
See the ACSC page for more information over here.