The Mirai botnets are far from having bowed out

Botnets built from the Mirai codebase continue to wreak havoc, with attackers taking advantage of lax IoT and device security in widespread attacks.

Computers and other connected devices, including IoT and NAS storage, are compromised through weak credentials, vulnerabilities, exploit kits, and other security weaknesses.

These systems join a network of devices that can be commanded to perform malicious activities.

Types of attacks commonly associated with botnets are the launching of Distributed Denial of Service (DDoS) attacks, brute force attacks leading to information theft and the deployment of ransomware, and the installation of cryptocurrency-mining malware on vulnerable servers exposed on the internet.

Mirai’s Legacy

Arguably the best-known of these botnets is Mirai, which debuted with catastrophic DDoS attacks in 2016 against DNS provider Dyn and the website of cybersecurity expert and journalist Brian Krebs.

Mirai’s source code was later released online, paving the way for the creation of variants including Okiru, Satori, and Masuta.

Despite the age of the original botnet, the use of its code in mutated versions means that Mirai still poses a risk to organizations.

On Tuesday, Intel 471 released a new report on the forking of Mirai into new forms and reports an upsurge in attacks against connected devices by variants of this botnet in 2020 and 2021.

“Malicious actors have seized the opportunity to not only create large botnets, but also to steal confidential data from connected devices linked to compromised organizations, and potentially sell it in underground markets,” the researchers say.

As the number of connected objects is expected to reach around 30.9 billion by 2025, the team expects the threat – and overall power – of these botnets to only grow.

Currently, Gafgyt and Mirai, as well as multiple botnets based on Mirai’s code, such as BotenaGo, Echobot, Loli, Moonet, and Mozi, are used to target devices primarily based in Europe and North America.

Malicious actors commonly use the vulnerabilities below in exploit kits to compromise IoT devices and increase the power of their networks:

  • CVE-2018-4068, CVE-2018-4070 and CVE-2018-4071: Information leaks in Sierra Wireless AirLink (ES450 FW version 4.9.3).
  • CVE-2019-12258, CVE-2019-12259, CVE-2019-12262, and CVE-2019-12264: DoS vulnerabilities in Wind River Systems VxWorks RTOS.
  • CVE-2019-12255, CVE-2019-12260, CVE-2019-12261 and CVE-2019-12263: Memory corruption faults in the VxWorks RTOS.
  • CVE-2021-28372: Authentication bypass bug in ThroughTek Kalay P2P SDK (versions 3.1.5 and earlier).
  • CVE-2021-31251: Improper authentication issue in Chiyu Technology firmware.

Log4Shell in the arsenal

An Akamai researcher has discovered an attempt to use Log4J vulnerabilities targeting ZyXEL network equipment to “infect and aid in the proliferation of malware used by the Mirai botnet”.

Larry Cashdollar, a member of Akamai Technologies’ security incident response team, explains that Zyxel may have been specifically targeted because the company published a blog post indicating that it was affected by the Log4J vulnerability.

“The first sample I looked at contained functions to scan for other vulnerable devices. All devices or software frameworks listed in the features below are vulnerable to remote code execution,” he wrote.

“The second sample […] no longer contained the above exploit functions, but contained Mirai’s standard attack functions. It appears that the above attack vectors have been removed in favor of Log4j exploitation. Based on the names of the attack functions and their instructions, I believe this sample is part of the Mirai malware family.”

One of the interesting things about this malware is that “if you have automatic string extraction utilities for malware samples that connect to a vulnerable Log4j instance, this payload could run.”

“By doing so, you could possibly, depending on your configuration, infect your malware scanning system. Again, patching your vulnerable systems is key to protecting your servers from compromise,” says Larry Cashdollar.

Zyxel has released a security advisory on the issue. The company is aware of the vulnerability and says it only affects the NetAtlas Element Management System product line.

“After further investigation, we have identified a single vulnerable product that is within its warranty and support period, and we will release a patch to resolve the issue, as listed in the table below,” they wrote.

Zyxel says a temporary protection method was released on December 20 and urged people who need it to contact them for the file. A fix will be available by the end of February.
