New Ttint IoT botnet caught exploiting two zero-days in Tenda routers



Image via Tenda website

For almost a year, a threat actor has been using zero-day vulnerabilities to install malware on Tenda routers and build a so-called IoT (Internet of Things) botnet.

Named Ttint, this botnet was first detailed in a report published on Friday by Netlab, the network security division of Chinese tech giant Qihoo 360.

But unlike the myriad IoT botnets of its kind spotted in the past, Netlab researchers said Ttint was different on several levels.

It didn’t just infect devices to launch DDoS attacks: it also implemented 12 different remote-access functions for the infected routers, used the routers as proxies to relay traffic, tampered with the routers’ firewall and DNS settings, and gave attackers the ability to execute remote commands on the infected devices.

“Two zero-days, 12 remote access functions for the router, encrypted traffic protocol, and infrastructure […] that moves around. This botnet does not seem to be a very typical player,” Netlab said on Friday.

Two zero-days, neither patched

According to the company’s report, the botnet has been active since November 2019, when Netlab says it first detected Ttint abusing a Tenda zero-day to take over vulnerable routers.

The botnet continued to exploit this zero-day (tracked as CVE-2020-10987) until July 2020, when Sanjana Sarda, a Junior Security Analyst at Independent Security Evaluators, published a detailed report on the vulnerability and four others.

Tenda did not release a firmware patch to address Sarda’s findings, and Ttint’s operators did not wait around to see whether the vendor would eventually fix the bug.

Just a few weeks later, Netlab said it detected Ttint abusing a second zero-day in the same Tenda routers.


Image: Netlab

Netlab didn’t publish details about this zero-day, fearing that other botnets would start