{"id":45898,"date":"2025-04-24T10:19:53","date_gmt":"2025-04-24T03:19:53","guid":{"rendered":"https:\/\/antoanthongtinhaiphong.gov.vn\/?p=45898"},"modified":"2025-04-24T10:20:14","modified_gmt":"2025-04-24T03:20:14","slug":"canh-bao-viet-nam-nam-trong-tam-ngam-cua-ma-doc-rustobot","status":"publish","type":"post","link":"https:\/\/antoanthongtinhaiphong.gov.vn\/canh-bao-viet-nam-nam-trong-tam-ngam-cua-ma-doc-rustobot\/",
"title":{"rendered":"Warning: Vietnam is in the crosshairs of the RustoBot malware"},
"content":{"rendered":"<p><b>The RustoBot malware is exploiting vulnerabilities in TOTOLINK and DrayTek routers in Vietnam, Japan, Taiwan and Mexico to launch DDoS attacks and take control of devices.<\/b><br \/>\n<img class=\"bbImage alignleft\" title=\"1745304897279.png\" src=\"https:\/\/whitehat.vn\/attachments\/1745304897279-png.16934\/\" alt=\"1745304897279.png\" width=\"808\" height=\"502\" \/><\/p>\n<h2>New dangerous malware attacks TOTOLINK and DrayTek routers in Vietnam<\/h2>\n<p>FortiGuard Labs has just announced the discovery of a large-scale cyberattack campaign using the RustoBot botnet, a new kind of malware written in Rust, a language known for its memory safety and high performance. RustoBot is currently exploiting security vulnerabilities in TOTOLINK and DrayTek routers, affecting networks in Vietnam, Japan, Taiwan and Mexico.<\/p>\n<p><b>Critical vulnerabilities being exploited<\/b><\/p>\n<p>RustoBot attacks long-standing vulnerabilities in these routers, including:<\/p>\n<ul>\n<li data-xf-list-type=\"ul\">CVE-2022-26210 (via TOTOLINK's setUpgradeFW function)<\/li>\n<li data-xf-list-type=\"ul\">CVE-2022-26187 (via TOTOLINK's pingCheck function)<\/li>\n<li data-xf-list-type=\"ul\">CVE-2024-12987 (on DrayTek devices, via the path \/cgi-bin\/mainfunction.cgi\/apmcfgupload)<\/li>\n<\/ul>\n<p>These vulnerabilities allow remote code execution, which lets the RustoBot malware be downloaded onto the device with tools such as wget or tftp.<\/p>\n<h2>How the RustoBot malware works<\/h2>\n<p>RustoBot supports many common device architectures, such as arm5, arm6, arm7, mips, mpsl and x86, with payloads aimed mainly at TOTOLINK devices built on the mpsl architecture.<\/p>\n<p>A notable feature of RustoBot is its ability to hide its malicious code through XOR encoding and manipulation of the Global Offset Table (GOT), which makes reverse engineering very difficult.<\/p>\n<p>Once it has successfully compromised a device, RustoBot performs two main actions:<\/p>\n<ul>\n<li data-xf-list-type=\"ul\">Communicating with the command-and-control (C2) server over DNS-over-HTTPS (DoH)<\/li>\n<li data-xf-list-type=\"ul\">Carrying out denial-of-service (DDoS) attacks on command using the following protocols: Raw IP, TCP and UDP<\/li>\n<\/ul>\n<p>The decrypted configuration shows that the malware uses domains such as dvrhelper.anondns.net, which resolve to the control IP address 5.255.125.150, to receive attack commands.<\/p>\n<h2>Affected router devices<\/h2>\n<p>List of devices identified as vulnerable:<\/p>\n<ul>\n<li data-xf-list-type=\"ul\">TOTOLINK: N600R, A830R, A3100R, A950RG, A800R, A3000RU, A810R<\/li>\n<li data-xf-list-type=\"ul\">DrayTek: Vigor2960, Vigor300B<\/li>\n<\/ul>\n<h2>Recommendations<\/h2>\n<p>Given the complex developments in attack campaigns targeting network devices, and in particular the emergence of the RustoBot malware, organizations need to strengthen the measures protecting their network infrastructure. WhiteHat recommends:<\/p>\n<ul>\n<li data-xf-list-type=\"ul\">Urgently patch known vulnerabilities in network devices, especially those with published CVE identifiers for which the manufacturer has released a fix.<\/li>\n<li data-xf-list-type=\"ul\">Inspect all Internet-connected devices and review any that may be exposed or are running outdated firmware that has not been properly updated.<\/li>\n<li data-xf-list-type=\"ul\">Closely monitor outbound traffic, focusing on connections that use DNS-over-HTTPS (DoH) and on unusual firmware update activity outside the approved change process; either may be a sign of malware implantation or device takeover.<\/li>\n<\/ul>\n<p>Combining technical measures with a clear change-control process will reduce the risk of exploitation and improve the early detection of modern cyberattacks.<\/p>\n<div><b><i>Source: Security Online<\/i><\/b><\/div>\n","protected":false},
"excerpt":{"rendered":"<p>The RustoBot malware is exploiting vulnerabilities in TOTOLINK and DrayTek routers in Vietnam, Japan, Taiwan and Mexico to launch DDoS attacks and take control of devices. New dangerous malware attacks TOTOLINK and DrayTek routers in Vietnam FortiGuard Labs has just announced the discovery of a [&hellip;]<\/p>\n","protected":false},
"author":20,"featured_media":45901,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"tdm_status":"","tdm_grid_status":"","footnotes":""},"categories":[3],"tags":[],"class_list":["post-45898","post","type-post","status-publish","format-standard","has-post-thumbnail","category-canh-bao-khuyen-nghi"],"amp_enabled":true,
"_links":{"self":[{"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/posts\/45898","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/users\/20"}],"replies":[{"embeddable":true,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/comments?post=45898"}],"version-history":[{"count":1,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/posts\/45898\/revisions"}],"predecessor-version":[{"id":45902,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/posts\/45898\/revisions\/45902"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/media\/45901"}],"wp:attachment":[{"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/media?parent=45898"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/categories?post=45898"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/tags?post=45898"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}