The Cereals Botnet

Botconf 2019
2023-04-24 | 11:15 – 11:55

Robert Neumann 🗣 | Gergely Eberhardt 🗣

A new under-the-radar botnet targeting Network Attached Storage (NAS) and Network Video Recorder (NVR) devices has been discovered. The botnet dates back to 2013, uses a known vulnerability for infection, and is still active as of today. Our research shows that it is infecting a range of devices from a well-known vendor in the consumer software space; however, these devices are so popular that compromised examples can be found in small businesses and governments alike. What makes this botnet unique is the way that it was built from stock components with only very few custom-built binaries; the separation of its subnets; and the way host nodes communicate with the C2. Years later the vendor fixed the targeted vulnerability; however, a large chunk of infected nodes' firmware has never been updated, or the devices have not been restarted in years.

