SonicWall specialists have warned about a wave of attacks on smart building access control systems, which the attackers then use to launch DDoS attacks.
Researchers explain that the attacks target Linear eMerge E3 devices manufactured by Nortek Security & Control. These are so-called "hardware access controllers" installed in offices, factories and similar facilities. Their main purpose is to control which doors and rooms employees and visitors can enter, based on their credentials (access codes) and smart cards.
Back in May last year, experts from Applied Risk disclosed details of ten vulnerabilities affecting Linear eMerge E3 devices. Although six of the ten issues were rated 9.8 out of a maximum 10 on the CVSS3 scale, the developers did not release fixes for these bugs. As a result, after waiting long enough, Applied Risk specialists published PoC exploits publicly in November 2019.
Now SonicWall researchers have warned that hackers are scanning for vulnerable Linear eMerge E3 devices and exploiting one of the ten previously discovered vulnerabilities against them: CVE-2019-7256. This issue is described as a command injection bug, and it was one of the two vulnerabilities that received 10 out of 10 points on the CVSS3 scale. This means the bug can be exploited remotely, even by low-skilled attackers without deep technical knowledge.
SonicWall explains that an unauthenticated remote attacker can use the flaw to execute arbitrary commands in the application's context via a specially crafted HTTP request. Hackers are currently using the bug to take control of devices, download and install malware, and then launch DDoS attacks. According to SonicWall, based on Shodan statistics, about 2,375 vulnerable devices are reachable on the Internet.
The first attacks were recorded by Bad Packets on January 9, 2020, and they have continued since then.
CVE-2019-7256 is actively being exploited by DDoS botnet operators.
– Bad Packets Report (@bad_packets) January 10, 2020
Researchers also warn that, in addition to DDoS attacks, compromised devices can be used as entry points into organizations' internal networks. System administrators are strongly advised to disconnect vulnerable devices from the Internet, or to restrict access to them using a firewall and a VPN.