
Sunhillo SureLine Command Injection Attack

Released: Apr 09, 2024

Updated: Apr 10, 2024


High Severity

OT/ICS Type


Surveillance application actively targeted

The attack on Sunhillo SureLine, tracked as CVE-2021-36380, lets a malicious actor exploit an unauthenticated OS command injection vulnerability. Once the injection succeeds, the attacker can execute commands on the targeted system and potentially achieve full system compromise.

Common Vulnerabilities and Exposures

CVE-2021-36380

Background

Sunhillo products handle surveillance data distribution for the Federal Aviation Administration, the US military, civil aviation authorities, and national defense organizations.

Latest Development

Recent news and incidents related to cybersecurity threats encompassing various events such as data breaches, cyber-attacks, security incidents, and vulnerabilities discovered.


The vulnerability exists in the SureLine software due to improper input validation of the "ipAddr" and "dnsAddr" parameters. Because these values are passed into an OS command without sanitization, an attacker can manipulate the resulting command by injecting shell metacharacters followed by OS commands of their choosing, which allows the establishment of an interactive remote shell session.
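As an added illustration (not SureLine's code: the parameter names come from this advisory, while the nslookup diagnostic, the handler and the function names are assumptions), the weak concatenation pattern is shown next to a hardened version that accepts only an IP address or a plain hostname and hands it to the program as an argv element instead of through a shell:

```python
import ipaddress
import re
import subprocess
from typing import List

# Hostname grammar (RFC 1123 labels); used only if a DNS server is given by name.
_HOSTNAME_RE = re.compile(
    r"(?=.{1,253}$)([A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
)


def vulnerable_command(ip_addr: str, dns_addr: str) -> str:
    """The weak pattern (assumed shape, not the vendor's code): raw request
    parameters concatenated into a string meant for `sh -c`. Anything after a
    shell metacharacter in ipAddr/dnsAddr becomes a second command. The string
    is returned, never executed, so the effect can be inspected safely."""
    return f"nslookup {ip_addr} {dns_addr}"


def validate_ip(value: str) -> str:
    """Accept only a syntactically valid IPv4/IPv6 address; return its canonical form."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError as exc:
        raise ValueError(f"ipAddr rejected: {value!r}") from exc


def validate_dns(value: str) -> str:
    """Accept an IP address or a plain hostname for dnsAddr; reject everything else."""
    candidate = value.strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        pass
    if _HOSTNAME_RE.fullmatch(candidate):
        return candidate
    raise ValueError(f"dnsAddr rejected: {value!r}")


def hardened_command(ip_addr: str, dns_addr: str) -> List[str]:
    """Validated values placed in an argv list: no shell parses them, so
    metacharacters stay inert even if validation were ever loosened."""
    return ["nslookup", validate_ip(ip_addr), validate_dns(dns_addr)]


def run_diagnostic(ip_addr: str, dns_addr: str) -> str:
    """Execute the hardened command without a shell and return its stdout."""
    result = subprocess.run(hardened_command(ip_addr, dns_addr),
                            capture_output=True, text=True, timeout=10, check=False)
    return result.stdout
```

Rejecting the request at validation time is the primary control; the argv list is defence in depth, since the shell is what turns a `;` in the parameter into a second command.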

FortiGuard has had protection coverage for this vulnerability since October 2023, and its sensors have been intercepting exploitation attempts averaging about a thousand per day. Mirai malware is used as the payload for further infiltration. It is recommended to apply the firmware patch provided by the vendor to fully mitigate the risk.


Apr 10, 2024: A video walkthrough has been added to the Outbreak Alert.

Apr 9, 2024: FortiGuard published an Outbreak Alert for the Sunhillo SureLine Command Injection Attack.

Mar 5, 2024: CISA has added CVE-2021-36380 to the Known Exploited Vulnerabilities catalog.
https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Oct 30, 2023: Fortinet published an IPS signature to protect its customers from attack attempts.

Oct 09, 2023: The FortiGuard Labs team observed the IZ1H9 Mirai-based DDoS campaign targeting Sunhillo SureLine and released a detailed analysis.
https://www.fortinet.com/blog/threat-research/Iz1h9-campaign-enhances-arsenal-with-scores-of-exploits

July 22, 2021: Sunhillo published the security bulletin and a patch notice. https://www.sunhillo.com/fb011/

FortiGuard Cybersecurity Framework

Mitigate security threats and vulnerabilities by leveraging the range of FortiGuard Services.


PROTECT
  • AV

  • AV (Pre-filter)

  • IPS

  • Web App Security

DETECT
  • Outbreak Detection

  • Threat Hunting

  • Playbook

RESPOND
  • Assisted Response Services

  • Automated Response

RECOVER
  • NOC/SOC Training

  • End-User Training

IDENTIFY
  • Attack Surface Hardening

Threat Intelligence

Information gathered from analyzing ongoing cybersecurity events including threat actors, their tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), malware and related vulnerabilities.



Indicators of compromise

IOC Indicator List

References

Sources of information relating to this outbreak and to the vendor.