A newly discovered botnet, dubbed RondoDox, is raising alarms across the cybersecurity community due to its sophisticated exploitation of vulnerabilities in TBK digital video recorders (DVRs) and Four-Faith routers. By targeting these often-overlooked devices, RondoDox is able to conscript large numbers of endpoints into its network, using them to launch powerful distributed denial-of-service (DDoS) attacks. Researchers say the botnet’s advanced evasion techniques and destructive persistence mechanisms mark a significant escalation in the threat landscape for IoT and networked device security.
Technical Details
Targeted Vulnerabilities
RondoDox leverages two critical vulnerabilities:
- CVE-2024-3721 (TBK DVRs): This command injection vulnerability affects TBK DVR-4104 and DVR-4216 models, allowing unauthenticated attackers to execute arbitrary commands via crafted HTTP requests.
- CVE-2024-12856 (Four-Faith Routers): This OS command injection flaw in the apply.cgi interface impacts Four-Faith F3x24 and F3x36 routers, enabling remote code execution.
These vulnerabilities are prevalent in devices deployed across retail, warehousing, and small office environments (places where security updates are often neglected).
Attack Chain
The RondoDox infection process is both thorough and stealthy:
- Initial Access: Attackers exploit the aforementioned vulnerabilities to gain remote access.
- Payload Deployment: The botnet uses shell scripts to download its payload, carefully selecting writable directories and erasing system logs to evade detection.
- Persistence: RondoDox modifies startup files (such as
/etc/rcSand crontab) and creates symbolic links, ensuring it survives device reboots. Configuration files are obfuscated using XOR encoding. - Destructive Actions: The malware renames essential system binaries (e.g.,
iptables,passwd,shutdown) to random strings, severely hindering recovery efforts. - Anti-Forensics: It scans for and terminates processes associated with forensic analysis or competing malware, such as Wireshark, gdb, tcpdump, and xmrig.
- Command and Control: Infected devices connect to a remote command-and-control server to receive instructions and participate in coordinated attacks.
DDoS and Evasion Capabilities
RondoDox is equipped to launch DDoS attacks using HTTP, UDP, and TCP protocols. To avoid detection, it disguises its malicious traffic as legitimate gaming or VPN traffic, mimicking patterns from services like Minecraft, Discord, Valve, Fortnite, and OpenVPN. The malware supports a wide range of Linux architectures, including ARM, MIPS, x86-64, and PowerPC, maximizing its potential reach.
Impact
The destructive nature of RondoDox poses significant risks:
- Device Disruption: By disabling or renaming critical system binaries, the malware can render devices nearly unrecoverable without a full system reimage.
- Network Security: Its ability to mimic legitimate traffic complicates detection and mitigation, increasing the likelihood of successful DDoS attacks.
- Critical Infrastructure: Many affected devices are used in surveillance and industrial control systems, meaning their compromise can disrupt operations in sectors such as energy, water, transportation, and telecommunications.
Mitigation Strategies
To defend against RondoDox, organizations should:
- Apply Firmware Updates: Immediately patch TBK DVRs and Four-Faith routers with the latest security updates.
- Restrict Remote Access: Limit or disable remote access to vulnerable devices, especially if patches are unavailable.
- Monitor for Anomalies: Deploy file integrity monitoring, endpoint detection and response (EDR), and behavior-based security tools.
- Implement Network Segmentation: Isolate at-risk devices from critical network segments to minimize potential damage.
