Cybersecurity researchers have recently revealed a new round of attacks that target a number of vulnerabilities and deliver Mirai versions inside the compromised systems.
The malicious actors behind these attacks attempt to download a malicious shell script that includes further infections like brute-forces and Mirai variants which get incorporated into the system as soon as it gets compromised.
Here is a list of some of the vulnerabilities that are being actively exploited in the ongoing attacks:
- VisualDoor — a remote injection flaw in SonicWall SSL-VPN
- CVE-2020-25506 – a D-Link DNS-320 firewall remote code execution (RCE) flaw.
- CVE-2021-27561 and CVE-2021-27562 – Yealink Device Management vulnerabilities that enable non-authenticated attackers to execute arbiter-like server commands with root privileges.
- CVE-2021-22502 – an RCE vulnerability in Micro Focus Operation Bridge Reporter (OBR), impacting version 10.40.
- CVE-2019-19356 – an exploit in Netis WF2419 wireless router RCE.
- CVE-2020-26919 – a vulnerability in Netgear ProSAFE Plus RCE.
The attacks on the above-described vulnerabilities have been recorded in the period between 16th of February and 13th of March.
Regardless of which vulnerability exactly is exploited, all the attacks follow a specific agenda. First, a wget utility downloads a shell script from the malware infrastructure. That shell script then fetches Mirai binaries – a well-known malware that transforms networked IoT Linux devices into remote bots, which can be used as part of a large-scale botnet attack. In addition to installing Mirai, additional shell scripts that allow brute force attacks are detected in the systems after the compromise.
The IoT field remains an easy target for attackers since there are many flaws that could be readily exploited and may have disastrous effects in certain situations.
In related research, security experts have detected a new Mirai-based botnet, named ZHtrap, that uses a honeypot to attack more victims. According to the information that is available, this new botnet seems to have similar features to a DDoS botnet named Matryosh.
The ZHtrap botnet incorporates a scanning IP collection module for collecting IP addresses which are later used as targets for more malware distribution. It does this by listening to 23 ports and recording IPs connecting to these ports, and then inspecting them for the weaknesses listed below in order to inject a malicious payload:
- MVPower DVR Shell unauthenticated RCE
- Netgear DGN1000 Setup.cgi unauthenticated RCE
- CCTV DVR RCEaffecting multiple vendors, and
- Realtek SDK miniigd SOAP command execution(CVE-2014-8361)
Researchers explain that the ability of ZHtrap to transform compromised computers into honeypots is a “interesting” advancement in botnets that helps them find more targets. Attacks of this threat have been recorded since 28th of February this year.