CyberSecurity news

FlagThis - #iot

Kirsten Doyle@informationsecuritybuzz.com //
Millions of RSA encryption keys are vulnerable to attack due to a significant security flaw. New research indicates that roughly 1 in 172 online certificates are susceptible to compromise via a mathematical attack. This vulnerability primarily affects Internet of Things (IoT) devices, but it can pose a risk to any system utilizing improperly generated RSA keys. The root cause lies in poor random number generation during the key creation process.

The flaw occurs because keys sometimes share prime factors with other keys. If two keys share a prime factor, both can be broken by computing the Greatest Common Divisor (GCD) of their moduli, which yields the shared prime and with it the full factorization of each key. According to researchers, with modest resources, hundreds of millions of RSA keys used to protect real-world internet traffic can be obtained. Using a single cloud-hosted virtual machine and a well-studied algorithm, over one in 200 certificates can be compromised within days.
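The check a defender would run over their own certificate inventory is the same computation the researchers describe: test every modulus against all the others for a shared prime. The script below is an added worked example, not code from the article or from the research it summarizes. It implements the product-tree / remainder-tree batch GCD (the well-studied quasi-linear algorithm behind this class of attack) and then splits any modulus it finds. The primes, the five toy moduli and the function names are constructed for the demonstration; real 2048-bit moduli are handled by the same code.

```python
"""Audit a set of RSA moduli for shared prime factors with a batch GCD.

Illustrative example added here; it is not code from the article or from the
research it summarizes. It implements the product-tree / remainder-tree batch
GCD so every modulus is tested against the product of all the others in
quasi-linear time instead of quadratic pairwise GCDs. The primes and moduli
below are constructed toy values so the script runs instantly.
"""
from math import gcd


def product_tree(xs):
    """Return the levels of a product tree; level 0 is the input list."""
    levels = [list(xs)]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        nxt = [prev[i] * prev[i + 1] for i in range(0, len(prev) - 1, 2)]
        if len(prev) % 2:          # odd leftover is carried up unchanged
            nxt.append(prev[-1])
        levels.append(nxt)
    return levels


def batch_gcd(moduli):
    """Return, for each N_i, gcd(N_i, product of all N_j with j != i).

    1 means no shared factor; a proper divisor is a leaked prime; the value
    N_i itself means both of its primes appear in other keys.
    """
    levels = product_tree(moduli)
    rems = [levels[-1][0]]                          # the root: product of all
    for level in reversed(levels[:-1]):             # remainder tree descent
        rems = [rems[i // 2] % (x * x) for i, x in enumerate(level)]
    # rems[i] == P mod N_i^2 == N_i * (Q_i mod N_i) where Q_i = P / N_i,
    # so rems[i] // N_i is Q_i mod N_i and its gcd with N_i is gcd(N_i, Q_i).
    return [gcd(r // n, n) for r, n in zip(rems, moduli)]


def find_weak_keys(moduli):
    """Return {index: (p, q)} for every modulus that shares a prime."""
    weak = {}
    for i, g in enumerate(batch_gcd(moduli)):
        if g == 1:
            continue
        if g == moduli[i]:
            # Edge case: both primes are shared with different keys, so the
            # batch GCD returns the whole modulus. One pairwise GCD splits it.
            for j, m in enumerate(moduli):
                if j != i and 1 < gcd(moduli[i], m) < moduli[i]:
                    g = gcd(moduli[i], m)
                    break
        weak[i] = (g, moduli[i] // g)
    return weak


# Constructed toy key material: five "certificates" built from small primes.
P = [10007, 10009, 10037, 10039, 10061, 10067, 10069, 10079]
TOY_MODULI = [
    P[0] * P[1],   # healthy
    P[2] * P[3],   # shares P[2] with modulus 4
    P[4] * P[5],   # shares P[4] with modulus 4
    P[6] * P[7],   # healthy
    P[2] * P[4],   # shares both of its primes
]

if __name__ == "__main__":
    for idx, (p, q) in find_weak_keys(TOY_MODULI).items():
        print(f"modulus {idx} factored: {p} * {q}")
```

To audit real certificates, feed `find_weak_keys` the modulus integers (with the `cryptography` library, `cert.public_key().public_numbers().n` for each RSA certificate). A modulus that comes back as its own GCD is the edge case worth knowing about: it shares both primes with other keys, so the batch result does not identify a factor on its own and the pairwise fallback is needed.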

Recommended read:
References :

@borncity.com //
A series of security vulnerabilities has been uncovered in the widely used ESP32 microchip, a product of Chinese company Espressif Systems. This chip, found in over a billion devices as of 2023, is commonly utilized for Wi-Fi and Bluetooth connectivity in numerous IoT devices. Researchers at Tarlogic Security have detected undocumented commands within the ESP32's Bluetooth firmware, potentially creating a backdoor that could be exploited for cyberattacks. These hidden manufacturer-specific commands, identified as opcode 0x3F, enable low-level control over Bluetooth functions.

These vulnerabilities pose significant risks, potentially allowing malicious actors to impersonate known devices, even in offline mode. This could lead to the infection of sensitive devices like cell phones, computers, smart locks, and medical equipment, bypassing existing code audit controls. By exploiting these undocumented commands, attackers could gain unauthorized access to confidential information stored on these devices, enabling spying on personal and business conversations. The potential for remote code execution via wireless interfaces makes this a high-severity issue.

Recommended read:
References :
  • gbhackers.com: Espressif Systems Flaws Allow Hackers to Execute Arbitrary Code
  • www.cysecurity.news: Undocumented ESP32 Commands Pose Security Risks, Researchers Warn
  • borncity.com: Tarlogic Security detects unknown commands in ESP32 chip (BlueTooth, WiFi)
  • DAY[0]: Discussion on the ESP32 "backdoor" drama

MSSP Alert@MSSP feed for Latest //
Multiple Mirai-based botnets have been actively exploiting a zero-day vulnerability, tracked as CVE-2025-1316, in Edimax IP cameras for nearly a year. Security researchers observed the first intrusions against these vulnerable cameras around May of last year. After that initial exploitation there was a pause, followed by a resurgence in activity in September and again from January to February.

The attackers are leveraging default credentials on the Edimax devices to deploy the Mirai malware. A proof-of-concept exploit has been available since June 2023, suggesting possible earlier attack attempts. Edimax disclosed that a patch for the zero-day is not possible because the affected IP cameras reached end-of-life over 10 years ago and the source code and development environment are no longer available. Organizations are therefore urged to ensure they are using up-to-date software and firmware on their devices to prevent botnet compromise.

Recommended read:
References :
  • bsky.app: Two botnets have exploited a zero-day vulnerability in Edimax security cameras for months. The earliest evidence of exploitation was traced back to October of last year, although public proof-of-concept had been available for over a year before that
  • gbhackers.com: Edimax Camera RCE Vulnerability Exploited to Spread Mirai Malware
  • MSSP feed for Latest: Botnet Attacks Exploiting Edimax IP Camera Zero-Day Ongoing For Nearly One Year
  • www.scworld.com: Attacks exploiting Edimax IP camera zero-day ongoing for nearly a year

Pierluigi Paganini@Security Affairs //
A critical command injection vulnerability, CVE-2025-1316, affecting Edimax Internet of Things (IoT) devices is being exploited to spread Mirai malware. According to reports, multiple botnets are actively targeting Edimax IP cameras, exploiting the flaw to compromise devices and incorporate them into their networks. The attacks involve leveraging default credentials to facilitate the deployment of Mirai, known for orchestrating distributed denial-of-service (DDoS) attacks.

Initial exploitation attempts were observed as early as May 2024, with increased activity in September and again from January to February 2025. Although a proof-of-concept exploit has been available since June 2023, the intrusions highlight the ongoing risk posed by unpatched vulnerabilities in IoT devices. Edimax has stated that the affected IP cameras have been end-of-life for over 10 years and that it is unable to provide patches. Organizations are urged to update software and firmware.

Recommended read:
References :
  • gbhackers.com: Edimax Camera RCE Vulnerability Exploited to Spread Mirai Malware
  • MSSP feed for Latest: Botnet Attacks Exploiting Edimax IP Camera Zero-Day Ongoing For Nearly One Year
  • www.scworld.com: Attacks exploiting Edimax IP camera zero-day ongoing for nearly a year
  • cyble.com: One of the most concerning vulnerabilities in the new CISA catalog is , which affects the Edimax IC-7100 IP Camera. This vulnerability, identified on March 4, 2025, is an OS Command Injection Vulnerability that allows attackers to execute arbitrary commands on the device remotely.
  • chemical-facility-security-news.blogspot.com: CISA Adds Edimax Vulnerability to KEV Catalog
  • securityaffairs.com: U.S. CISA adds Edimax IC-7100 IP Camera, NAKIVO, and SAP NetWeaver AS Java flaws to its Known Exploited Vulnerabilities catalog

Matan Mittelman@Cato Networks //
The Ballista botnet is actively exploiting CVE-2023-1389, a remote code execution vulnerability in TP-Link Archer routers, to spread across the internet. Cato Networks' Cato CTRL researchers have uncovered this new IoT threat, linking it to an Italian threat actor due to IP addresses and Italian language strings found in the malware binaries. Since its detection in January 2025, Ballista has targeted organizations in the U.S., Australia, China, and Mexico, impacting sectors like manufacturing, healthcare, technology, and services.

This botnet leverages a vulnerability in TP-Link Archer AX-21 routers that allows unauthorized command execution through manipulated country parameters in router APIs. Despite patches being available, over 6,000 internet-exposed devices remain vulnerable, according to Censys. Once installed, the malware establishes a TLS-encrypted command-and-control (C2) channel on port 82, enabling full device control, DDoS attack execution, and shell command execution. The threat actor is also transitioning to Tor-based C2 domains to complicate tracking and takedowns.
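The one network-level indicator the write-up gives for Ballista is a TLS-encrypted C2 channel on TCP port 82. As an added example (not code from Cato Networks or from any of the cited reports), the script below turns that indicator into a triage check over flow records: it flags hosts in a router segment that open outbound TLS sessions on port 82 to external addresses, and lists the destinations per host. The record format, the segment 192.168.50.0/24, the RFC 1918 internal ranges and every address in the sample are constructed assumptions.

```python
"""Flag router/IoT hosts opening outbound TLS sessions on TCP/82.

Added detection example; not code from Cato Networks' report. It applies the
single network indicator the article gives for Ballista (a TLS-encrypted C2
channel on port 82) to flow records. The record format, the IoT segment,
the internal ranges and all addresses below are constructed for the demo.
"""
import ipaddress
from collections import defaultdict

# Assumption: the segment where the organisation's routers and IoT gear live.
IOT_SEGMENT = ipaddress.ip_network("192.168.50.0/24")
# Assumption: everything in RFC 1918 space is internal; anything else is external.
INTERNAL = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
SUSPECT_PORT = 82          # C2 port named in the article
SUSPECT_SERVICE = "tls"    # the channel is TLS-encrypted

# Constructed flow records: ts src dst dport proto service
SAMPLE_FLOWS = """\
1741600001 192.168.50.10 203.0.113.5 443 tcp tls
1741600002 192.168.50.10 203.0.113.9 82 tcp tls
1741600003 192.168.50.11 192.168.50.1 82 tcp http
1741600004 192.168.50.12 198.51.100.7 82 tcp tls
1741600005 192.168.50.10 203.0.113.9 82 tcp tls
1741600006 10.0.5.4 203.0.113.9 82 tcp tls
1741600007 192.168.50.13 198.51.100.8 82 tcp http
"""


def parse_flows(text):
    """Yield one dict per non-empty record line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto, service = line.split()
        yield {
            "ts": int(ts),
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
            "proto": proto,
            "service": service,
        }


def is_external(addr):
    return not any(addr in net for net in INTERNAL)


def is_suspect(flow):
    """Outbound TLS on TCP/82 from the IoT segment to an external address."""
    return (
        flow["src"] in IOT_SEGMENT
        and is_external(flow["dst"])
        and flow["proto"] == "tcp"
        and flow["dport"] == SUSPECT_PORT
        and flow["service"] == SUSPECT_SERVICE
    )


def suspect_hosts(text):
    """Return {source_ip: sorted distinct external destinations} for hits."""
    hits = defaultdict(set)
    for flow in parse_flows(text):
        if is_suspect(flow):
            hits[str(flow["src"])].add(str(flow["dst"]))
    return {src: sorted(dsts) for src, dsts in hits.items()}


if __name__ == "__main__":
    for src, dsts in suspect_hosts(SAMPLE_FLOWS).items():
        print(f"{src} -> TLS on tcp/82 to {', '.join(dsts)}")
```

Port 82 on its own is a weak signal: a legitimate service could run there, and the Tor-based C2 the article says the actor is moving to will not match this rule at all. Treat hits as leads to corroborate against the device's firmware version and CVE-2023-1389 patch status rather than as confirmed infections.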

Recommended read:
References :
  • bsky.app: New Ballista botnet found -Author seems to be from Italy -Targets TP-Link Archer routers -Used for DDoS accounts -Unique code, not based on Mirai or Mozi
  • Secure Bulletin: The Ballista Botnet: a new IoT threat with italian roots
  • securityaffairs.com: New Ballista Botnet spreads using TP-Link flaw. Is it an Italian job?
  • Cato Networks: Cato CTRL™ Threat Research: Ballista – New IoT Botnet Targeting Thousands of TP-Link Archer Routers
  • The Hacker News: Ballista Botnet Exploits Unpatched TP-Link Vulnerability, Infects Over 6,000 Devices
  • CyberInsider: TP-Link Archer Routers Under Attack by New IoT Botnet ‘Ballista’
  • Blog: New Ballista botnet targets vulnerabilities in popular TP-Link routers
  • www.cybersecuritydive.com: Emerging botnet exploits TP-Link router flaw posing risk to US organizations
  • www.cybersecurity-insiders.com: Cato CTRL researchers observed a new botnet, called Ballista botnet, which is exploiting a remote code execution (RCE) vulnerability, tracked as CVE-2023-1389 (CVSS score 8.8), in TP-Link Archer routers. The CVE-2023-1389 flaw is an unauthenticated command injection […]
  • community.emergingthreats.net: The Ballista Botnet: a new IoT threat with italian roots
  • www.techradar.com: This worrying botnet targets unsecure TP-Link routers - thousands of devices already hacked
  • Schneier on Security: TP-Link Router Botnet

Pierluigi Paganini@Security Affairs //
A critical command injection vulnerability, identified as CVE-2025-1316, impacting the Edimax IC-7100 IP camera is currently being exploited by botnet malware to compromise devices. This flaw allows attackers to achieve remote command execution, potentially leading to denial-of-service. Mirai-based botnets are actively exploiting this zero-day vulnerability.

Unpatched Edimax IP cameras are now prime targets in ongoing botnet attacks. Security researchers at Akamai discovered the flaw and reported it to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which attempted to contact the Taiwanese vendor. Users are strongly advised to apply any available patches to prevent their devices from being compromised and enlisted into these botnets.

Recommended read:
References :
  • securityaffairs.com: US CISA warns that multiple botnets are exploiting a recently disclosed vulnerability, tracked as CVE-2025-1316 (CVSS score of 9.8), in Edimax IC-7100 IP cameras.
  • www.bleepingcomputer.com: A critical command injection vulnerability impacting the Edimax IC-7100 IP camera is currently being exploited by botnet malware to compromise devices.
  • bsky.app: A critical command injection vulnerability impacting the Edimax IC-7100 IP camera is currently being exploited by botnet malware to compromise devices.
  • securityonline.info: CISA Warns of Critical Edimax IP Camera Flaw (CVE-2025-1316) with Public Exploits and No Vendor Fix
  • The DefendOps Diaries: Understanding and Mitigating the Edimax IP Camera Vulnerability
  • www.techradar.com: Edimax IC-7100 camera was found vulnerable to a command injection flaw currently being used in remote code execution attacks.
  • www.scworld.com: Edimax IP camera zero-day
  • gbhackers.com: Edimax Camera RCE Vulnerability Exploited to Spread Mirai Malware
  • MSSP feed for Latest: Botnet Attacks Exploiting Edimax IP Camera Zero-Day Ongoing For Nearly One Year
  • www.scworld.com: Attacks exploiting Edimax IP camera zero-day ongoing for nearly a year
  • bsky.app: Two botnets have exploited a zero-day vulnerability in Edimax security cameras for months.

CISO2CISO Editor 2@ciso2ciso.com //
Cloudflare successfully mitigated a record-breaking 5.6 Tbps Distributed Denial of Service (DDoS) attack on October 29, 2024. The attack, launched by a Mirai-variant botnet, targeted an internet service provider (ISP) in East Asia. The botnet comprised 13,000 compromised IoT devices flooding the target with malicious data, aiming to cripple the ISP's operations.

The attack lasted only 80 seconds, but Cloudflare's autonomous defense systems promptly identified and mitigated the anomalous traffic without human intervention, intercepting and neutralizing the malicious data at Cloudflare's edge nodes. Each IP address within the botnet generated an average traffic of approximately 4 Gbps. The successful defense highlights the escalating sophistication and scale of DDoS threats, with hyper-volumetric attacks exceeding 1 Tbps increasing dramatically. This incident underscores the importance of robust DDoS mitigation strategies and the need for continuous evolution in network security.

Recommended read:
References :
  • ciso2ciso.com: New Mirai Malware Variant Targets AVTECH Cameras, Huawei Routers – Source: www.infosecurity-magazine.com
  • securityaffairs.com: New Mirai botnet variant Murdoc Botnet targets AVTECH IP cameras and Huawei HG532 routers
  • The Hacker News: Mirai Variant Murdoc Botnet Exploits AVTECH IP Cameras and Huawei Routers
  • Techzine Global: Mirai variant Murdoc_Botnet targets cameras and routers
  • discuss.privacyguides.net: New botnet network targets Avtech cameras and Hauwei HG532 routers
  • hackread.com: New Mirai Variant Murdoc_Botnet Launches DDoS Attacks via IoT Exploits
  • bsky.app: Interesting research from Qualys here where they found a botnet that’s infected vulnerable AVTECH cameras and Huawei routers.
  • cyberpress.org: New IoT Botnet Launching large-scale DDoS attacks Hijacking IoT Devices
  • gbhackers.com: New IoT Botnet Launching Large-Scale DDoS attacks Hijacking IoT Devices
  • securityonline.info: IoT Botnet Fuels Large-Scale DDoS Attacks Targeting Global Organizations
  • ciso2ciso.com: Mirai Variant Murdoc Botnet Exploits AVTECH IP Cameras and Huawei Routers – Source:thehackernews.com
  • ciso2ciso.com: New Mirai Variant Murdoc_Botnet Launches DDoS Attacks via IoT Exploits
  • Pyrzout :vm:: Mirai Variant Murdoc Botnet Exploits AVTECH IP Cameras and Huawei Routers
  • ciso2ciso.com: Mirai Botnet Launches Record 5.6 Tbps DDoS Attack with 13,000+ IoT Devices.
  • ciso2ciso.com: Details about the mitigation of the DDoS attack.
  • gbhackers.com: Record Breaking 5.6 Tbps DDoS attack Launched by Mirai Botnet
  • ciso2ciso.com: Cloudflare Mitigates Massive 5.6 Tbps Mirai-Variant DDoS Attack – Source:hackread.com
  • securityonline.info: Mirai Botnet Unleashes Record-Breaking DDoS Attack, Cloudflare Thwarts Threat
  • hackread.com: Cloudflare mitigated a record-breaking 5.6 Tbps DDoS attack
  • gbhackers.com: Researchers have identified an active malware campaign involving a Mirai botnet variant, dubbed Murdoc, which has been targeting AVTECH cameras and Huawei HG532 routers since at least July 2024.
  • BleepingComputer: The largest distributed denial-of-service (DDoS) attack to date peaked at 5.6 terabits per second and came from a Mirai-based botnet with 13,000 compromised devices.
  • securityonline.info: On October 29, 2024, Cloudflare revealed details of a DDoS attack orchestrated using a Mirai botnet comprising 13,000
  • Pyrzout :vm:: Cloudflare Mitigates Massive 5.6 Tbps Mirai-Variant DDoS Attack – Source:hackread.com
  • blog.cloudflare.com: In 2024, Cloudflare's autonomous DDoS defense systems blocked 21.3M DDoS attacks, up 53% YoY, and 420 DDoS attacks in Q4 2024 exceeded 1 Tbps, up 1,885% QoQ (The Cloudflare Blog)
  • Pyrzout :vm:: Cloudflare thwarts a massive 5.6 Tbps Mirai-variant DDoS attack targeting one of its customers