Meet Linux.Mirai Trojan, a DDoS nightmare

https://www.hackread.com/linux-mirai-trojan-a-ddos-nightmare/

98 Comments

  1. Tomi Engdahl says:

    Three Plead Guilty in Mirai Botnet Attacks
    http://www.securityweek.com/three-plead-guilty-mirai-botnet-attacks

    US officials unveiled criminal charges Wednesday against a former university student and two others in the Mirai botnet attacks which shut down parts of the internet in several countries starting in mid-2016.

    The Justice Department announced plea agreements for Paras Jha, 21 — a former Rutgers University computer science student who acknowledged writing the malware code — and Josiah White, 20, and Dalton Norman, 21, who helped profit from the attacks.

    In documents unsealed Wednesday, Jha admitted writing the code for the botnet which harnessed more than 100,000 “internet of things” (IoT) devices such as cameras, light bulbs and appliances to launch the attacks.

    By commanding an army of bots — or computers under control of the attackers — the malware shut down networks and websites in the United States, Germany, Liberia and elsewhere.

    The malware was used to make money through “click fraud,” a scheme that makes it appear that a real user has clicked on an advertisement for the purpose of artificially generating revenue, according to officials.

    The three generated some $180,000 from the scheme in bitcoin, Justice officials added.

    Reply
  2. Tomi Engdahl says:

    Mirai-makers plead guilty, Hajime still lurks in shadows
    http://rethinkresearch.biz/articles/mirai-makers-plead-guilty-hajime-still-lurks-shadows/

    Riot doesn’t go in for New Year predictions much, but we think Hajime will be a name on most security reporters’ lips at some point in 2018 – a more potent version of the Mirai malware that threatens to run rampant across the Internet of Many Unsecured Things. Mirai itself has made the news this week, because its apparent author has now pleaded guilty to such accusations, leveled against him by the FBI. However, this isn’t the end for the now open-sourced Mirai.

    Reply
  3. Tomi Engdahl says:

    Mirai Variant “Satori” Targets Huawei Routers
    http://www.securityweek.com/mirai-variant-satori-targets-huawei-routers

    Hundreds of thousands of attempts to exploit a recently discovered vulnerability in Huawei HG532 home routers have been observed over the past month, Check Point security researchers warn.

    The attacks were trying to drop Satori, an updated variant of the notorious Mirai botnet that managed to wreak havoc in late 2016. Targeting port 37215 on Huawei HG532 devices, the assaults were observed all around the world, including the USA, Italy, Germany and Egypt, the researchers say.

    Common to these incidents was the attempt to exploit CVE-2017-17215, a zero-day vulnerability in the Huawei home router residing in the fact that the TR-064 technical report standard, which was designed and intended for local network configuration, was exposed to WAN through port 37215 (UPnP – Universal Plug and Play).

    Reply
  4. Tomi Engdahl says:

    From Mirai To Persirai — The Metamorphosis Of An Open Source Botnet
    https://www.incapsula.com/blog/from-mirai-to-persirai.html

    The Mirai malware has become particularly notorious for recruiting IoT devices to form botnets that have launched some of the largest DDoS attacks ever recorded. Mirai came onto the scene in late 2016 as the malware supporting very large DDoS attacks, including a 650 Mbps attack on the Krebs on Security site. It’s also purported to have been the basis of the attack in October 2016 that brought down sites including Twitter, Netflix, Airbnb and many others. Since then, Mirai has morphed into the most aggressive and effective botnet tool we’ve seen to date.

    The Rise of Persirai

    This brings us to Persirai, the newest version of Mirai that was also discovered last month by researchers at Trend Micro and comes equipped with even more advanced “features.” Previous versions of Mirai used to rely on guessing default passwords, so any IoT devices that had default passwords changed were considered protected. Researchers discovered that Persirai became even more aggressive by exploiting a zero-day vulnerability to steal the password file from an IP camera regardless of password strength. Persirai’s ability to leverage the previous features, plus its password stealing capability has led to a massive increase in the number of infected devices. By tracking thousands of infected IoT devices, Trend Micro discovered over half of those in the U.S. are infected, with almost two-thirds of the cameras in Japan infected.

    Persirai is on an aggressive recruitment push.

    How to Avoid Being part of a Botnet

    Additional measures to ensure IoT devices do not become unwitting members of a Persirai botnet include blocking internet access to admin ports and disabling universal plug and play (UPnP) on the router or firewall. Also consider isolating IoT devices on your network using segmentation or firewall policies and only let IoT devices communicate with IP addresses that are approved. Finally, scan your network with our Mirai vulnerability scanner to see if it hosts a device vulnerable to Mirai injection attacks.

    Mirai Vulnerability Scanner
    https://www.incapsula.com/mirai-scanner/

    Reply
  5. Tomi Engdahl says:

    Mirai Variant Targets ARC CPU-Based Devices
    http://www.securityweek.com/mirai-variant-targets-arc-cpu-based-devices

    A newly discovered variant of the Mirai Internet of Things (IoT) botnet is targeting devices with ARC (Argonaut RISC Core) embedded processors, researchers warn.

    Dubbed Okiru, the new malware variant appears to be different from the Satori botnet, although the latter was also called Okiru by its author. Security researchers analyzing the new threat have discovered multiple differences between the two Mirai versions, aside from the targeting of the ARC architecture.

    Originally designed by ARC International, the ARC processors are 32-bit CPUs widely used in system on chip (SOC) devices for storage, home, mobile, automotive, and IoT applications. Each year, over 1.5 billion devices are shipped with ARC processors inside.

    Mirai Okiru represents the very first known malware targeting ARC processors, independent security researcher Odisseus, who analyzed the threat, notes.

    One of the characteristics that sets them apart is the configuration, which in Okiru is encrypted in two parts with telnet bombardment password encrypted. Satori doesn’t split it in two and doesn’t encrypt brute default passwords either. Moreover, the new malware variant can use up to 114 credentials for telnet attack, while Satori uses a different and shorter database.

    The researcher also explains that Okiru seems to lack the “TSource Engine Query” common Distributed “Reflective” (DRDoS) attack function via random UDP that Satori has.

    Reply
  6. Tomi Engdahl says:

    Researchers Connect Lizard Squad to Mirai Botnet
    http://www.securityweek.com/researchers-connect-lizard-squad-mirai-botnet

    Lizard Squad and Mirai, which are responsible for a series of notorious distributed denial of service (DDoS) attacks, are connected to one another, a recent ZingBox report reveals.

    Lizard Squad is a hacking group known for some of the most highly publicized DDoS attacks in history, including the disruption of Sony PlayStation and Xbox Live networks. Over the past several years, multiple individuals suspected to have used Lizard Squad’s LizardStresser DDoS service have been arrested.

    While the hacking group has been operating for several years, Mirai has been around for only one year and a half, making headlines in late 2016 following massive DDoS attacks against Brian Krebs’ blog and Dyn’s DNS infrastructure. The malware’s source code was made public within weeks of these attacks and numerous variants have emerged since.

    Now, ZingBox researchers claim to have discovered evidence that links the Lizard Squad hackers and Mirai, including the common use of the same Ukraine hosting provider Blazingfast.

    The Mirai source code, the researchers point out, was released nine days after Lizard Squad founder Zachary Buchta was arrested. According to them, the DDoS attack on Brian Krebs’ blog in late 2016 appears the result of the journalist’s criticism against Lizard Squad, and there are also references to Mirai on a Lizard Squad website.

    Reply
  7. Tomi Engdahl says:

    Study: Attack on KrebsOnSecurity Cost IoT Device Owners $323K
    https://krebsonsecurity.com/2018/05/study-attack-on-krebsonsecurity-cost-iot-device-owners-323k/

    A monster distributed denial-of-service attack (DDoS) against KrebsOnSecurity.com in 2016 knocked this site offline for nearly four days. The attack was executed through a network of hacked “Internet of Things” (IoT) devices such as Internet routers, security cameras and digital video recorders. A new study that tries to measure the direct cost of that one attack for IoT device users whose machines were swept up in the assault found that it may have cost device owners a total of $323,973.75 in excess power and added bandwidth consumption.

    My bad.

    But really, none of it was my fault at all. It was mostly the fault of IoT makers for shipping cheap, poorly designed products (insecure by default), and the fault of customers who bought these IoT things and plugged them onto the Internet without changing the things’ factory settings (passwords at least.)

    The botnet that hit my site in Sept. 2016 was powered by the first version of Mirai

    Reply
  8. Tomi Engdahl says:

    Mirai botnet adds three new attacks to target IoT devices
    https://www.zdnet.com/article/mirai-botnet-adds-three-new-attacks-to-target-iot-devices/

    This new version of the botnet uses exploits instead of brute force attacks to gain control of unpatched devices.

    A new variant of the Mirai botnet has added at least three exploits to its arsenal, which enable it to target additional IoT devices, including routers and DVRs.

    The new version of Mirai – a powerful cyberattack tool which took down large swathes of the internet across the US and Europe in late-2016 – has been uncovered by researchers at security company Fortinet, who have dubbed it Wicked after lines in the code.

    The original version of Mirai was deployed to launch massive distributed denial-of-service (DDoS) attacks, but has also been modified for other means after its source code was published online, including to turn unpatched IoT devices into cryptocurrency miners and proxy servers for delivering malware.

    While the original Mirai uses traditional brute force attacks in an attempt to gain control of IoT devices, Wicked uses known and available exploits in order to do its work. Many of these are old, but the inability of many IoT devices to actually install updates means they haven’t been secured against known exploits.

    Vulnerabilities used by Wicked include a Netgear R7000 and R64000 Command Injection (CVE-2016-6277), a CCTV-DVR Remote Code Execution and an Invoker shell in compromised web servers.

    Reply
  9. Tomi Engdahl says:

    “Wicked” Variant of Mirai Botnet Emerges
    https://www.securityweek.com/wicked-variant-mirai-botnet-emerges

    A new variant of the Mirai Internet of Things (IoT) botnet has emerged, which features new exploits in its arsenal and is distributing a new bot, Fortinet researchers warn.

    Called Wicked, based on strings found in the code, the malware has added three new exploits compared to Mirai and appears to be the work of the same developer behind other Mirai variants.

    The Mirai botnet was first spotted in the third quarter of 2016, when it fueled some of the largest distributed denial of service (DDoS) attacks at the time. The malware’s source code was leaked online in October 2016, and numerous variants have been observed ever since: Masuta, Satori, Okiru, and others.

    Similar to other botnets based on Mirai, the newly discovered Wicked iteration contains three main modules: Attack, Killer, and Scanner. Unlike Mirai, however, which used brute force to gain access to vulnerable IoT devices, Wicked uses known and available exploits, many of which are already old, the security researchers discovered.

    Wicked would scan ports 8080, 8443, 80, and 81 by initiating a raw socket SYN connection to the target device. Upon establishing a connection, the malware attempts to exploit the device and upload a payload to it by writing the exploit strings to the socket.

    A Wicked Family of Bots
    https://www.fortinet.com/blog/threat-research/a-wicked-family-of-bots.html

    Reply
  10. Tomi Engdahl says:

    Something Wicked this way comes
    https://isc.sans.edu/forums/diary/Something+Wicked+this+way+comes/23681/

    The latest Mirai-based botnet is Wicked. Unlike previous Mirai variants and siblings, which compromised IoT devices with default credentials or by brute forcing credentials, Wicked is targeting vulnerabilities contained in certain IoT devices.

    Wicked scans ports 8080, 8443, 80, and 81. Specifically it is targeting the following devices/vulnerabilities:

    80 – Invoker Shell in compromised Web Servers
    81 – CCTV-DVR
    8443 – Netgear R7000 and R6400 (CVE-2016-6277)
    8080 – Netgear DGN1000 and DGN2200

    The Invoker Shell is interesting in that it does not exploit the device, but rather takes advantage of previously compromised web servers.

    After successful exploitation, it downloads what appears to be Omni Bot, the same code delivered by the attacks on the DASAN GPON home routers.

    Reply
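    A defender-side example, added here and not taken from the ISC diary, the Fortinet post or any other source quoted in this thread: it runs over constructed firewall log lines and flags sources showing the sweep pattern the two comments above attribute to Wicked (raw SYNs to TCP 80, 81, 8080 and 8443 across many hosts). The log format, the IP addresses and the thresholds are assumptions.

```python
"""Added example: detect a Wicked-style port sweep in firewall SYN logs.
Not code from the ISC diary or from Fortinet; the log format below is a
constructed syslog-like layout, not a real product's output."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Port -> target family, as listed in the ISC diary quoted above.
WICKED_PORTS = {
    80: "Invoker shell on compromised web servers",
    81: "CCTV-DVR",
    8080: "Netgear DGN1000/DGN2200",
    8443: "Netgear R7000/R6400 (CVE-2016-6277)",
}

# Assumed log format: "<ISO timestamp> SYN src=<ip> dst=<ip> dport=<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) SYN src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Return (timestamp, src, dst, dport), or None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"]))


def find_scanners(lines, window=timedelta(minutes=5), min_hosts=5):
    """Flag sources whose SYNs to the Wicked port set reach at least
    `min_hosts` distinct destinations inside any `window`-long span.
    Returns {src: {"hosts": n, "ports": [...], "targets": [...]}}."""
    events = defaultdict(list)  # src -> [(ts, dst, dport), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[3] not in WICKED_PORTS:
            continue  # unparseable line, or a port Wicked does not probe
        ts, src, dst, dport = rec
        events[src].append((ts, dst, dport))

    alerts = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window's left edge until the span fits in `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            hosts = {dst for _, dst, _ in span}
            if len(hosts) >= min_hosts:
                ports = sorted({dport for _, _, dport in span})
                alerts[src] = {
                    "hosts": len(hosts),
                    "ports": ports,
                    "targets": [WICKED_PORTS[p] for p in ports],
                }
                break  # one alert per source is enough
    return alerts


# Constructed sample: 203.0.113.7 sweeps six hosts on the Wicked port set
# within about a minute; 198.51.100.9 is an ordinary client on one host.
SAMPLE_LOG = """\
2018-05-20T10:00:01 SYN src=203.0.113.7 dst=192.0.2.10 dport=8080
2018-05-20T10:00:02 SYN src=203.0.113.7 dst=192.0.2.11 dport=81
2018-05-20T10:00:03 SYN src=203.0.113.7 dst=192.0.2.12 dport=8443
2018-05-20T10:00:04 SYN src=203.0.113.7 dst=192.0.2.13 dport=80
2018-05-20T10:00:05 SYN src=203.0.113.7 dst=192.0.2.14 dport=8080
2018-05-20T10:01:10 SYN src=203.0.113.7 dst=192.0.2.15 dport=8443
2018-05-20T10:00:07 SYN src=198.51.100.9 dst=192.0.2.10 dport=443
2018-05-20T10:00:08 SYN src=198.51.100.9 dst=192.0.2.10 dport=80
2018-05-20T10:00:09 SYN src=198.51.100.9 dst=192.0.2.10 dport=80
this line is garbage and is skipped
"""

if __name__ == "__main__":
    for src, info in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {info['hosts']} hosts, ports {info['ports']} -> {info['targets']}")
```

    A single source touching many hosts on exactly this port set is the signal worth alerting on; a legitimate client rarely fans out across destinations on 81 and 8443 in the same minute.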
  11. Tomi Engdahl says:

    IoT Botnets Target Apache Struts, SonicWall GMS
    https://www.securityweek.com/iot-botnets-target-apache-struts-sonicwall-gms

    The infamous Mirai and Gafgyt Internet of Things (IoT) botnets are targeting vulnerabilities in Apache Struts and the SonicWall Global Management System (GMS), Palo Alto Networks has discovered.

    Reply
  12. Tomi Engdahl says:

    Garrett M. Graff / Wired:
    Court filing: US government seeks to continue FBI work with Mirai botnet hackers, who pled guilty to creating the malware last Dec., as part of their sentencing
    https://www.wired.com/story/mirai-botnet-creators-fbi-sentencing/

    Reply
  13. Tomi Engdahl says:

    http://www.etn.fi/index.php/13-news/8458-fbi-palkkasi-mirai-bottinetin-kehittajat

    The main culprit was identified as Rutgers University student Paras Jha, who had uploaded the Mirai source code to GitHub. He was sentenced to 2,500 hours of community service. Jha’s place of service is the FBI, with the task of hunting hackers and identifying security holes.

    Most recently, last summer, as many as 19 different Mirai viruses were identified that attacked Linux-based IoT devices.

    Reply
  14. Tomi Engdahl says:

    Mirai Co-Author Gets 6 Months Confinement, $8.6M in Fines for Rutgers Attacks
    https://krebsonsecurity.com/2018/10/mirai-co-author-gets-6-months-confinement-8-6m-in-fines-for-rutgers-attacks/

    The convicted co-author of the highly disruptive Mirai botnet malware strain has been sentenced to 2,500 hours of community service, six months home confinement, and ordered to pay $8.6 million in restitution for repeatedly using Mirai to take down Internet services at Rutgers University, his former alma mater.

    Jha told investigators he carried out the attacks not for profit but purely for personal, juvenile reasons: “He reveled in the uproar caused by the first attack, which he launched to delay upper-classmen registration for an advanced computer science class he wanted to take,” the government’s sentencing memo stated. “The second attack was launched to delay his calculus exam. The last two attacks were motivated in part by the publicity and outrage” his previous attacks had generated. Jha would later drop out of Rutgers after struggling academically.

    Reply
  15. Tomi Engdahl says:

    Mirai Evolves From IoT Devices to Linux Servers
    https://www.darkreading.com/attacks-breaches/mirai-evolves-from-iot-devices-to-linux-servers/d/d-id/1333329

    Netscout says it has observed at least one dozen Mirai variants attempting to exploit a recently disclosed flaw in Hadoop YARN on Intel servers.

    Researchers from Netscout Alert have discovered what they believe are the first non-IoT versions of Mirai malware in the wild.

    Reply
  16. Tomi Engdahl says:

    New Mirai Variant Targets Enterprise IoT Devices
    https://www.securityweek.com/new-mirai-variant-targets-enterprise-iot-devices

    A recently discovered variant of the infamous Mirai botnet is targeting devices specifically intended for businesses, potentially signaling a focus toward enterprise.

    Best known for the massive attacks on OVH and Dyn in late 2016, Mirai is a Linux malware targeting Internet of Things (IoT) devices in an attempt to ensnare them into botnets capable of launching distributed denial of service (DDoS) attacks.

    Numerous variants of the malware have emerged ever since Mirai’s source code leaked in October 2016, including Wicked, Satori, Okiru, Masuta, and others. One variant observed last year was leveraging an open-source project to become cross-platform and target multiple architectures, including ARM, MIPS, PowerPC, and x86.

    Reply
  17. Tomi Engdahl says:

    New Mirai Variant Comes with 27 Exploits, Targets Enterprise Devices
    https://www.bleepingcomputer.com/news/security/new-mirai-variant-comes-with-27-exploits-targets-enterprise-devices/

    A new Mirai variant comes with eleven new exploits, the enterprise WePresent WiPG-1000 Wireless Presentation system and the LG Supersign TV being the most notable new devices being targeted.

    Reply
  18. Tomi Engdahl says:

    Mirai goes Enterprise
    https://www.kaspersky.com/blog/mirai-enterprise/26032/?utm_source=facebook&utm_medium=social&utm_campaign=gl_mirai-geo_ay0073_promo&utm_content=sm-post&utm_term=gl_facebook_promo_ay0073_sm-post_social_mirai-geo

    Given that Mirai’s code is very flexible and adaptable, it can easily be rearmed with new exploits to widen its range of targets. And that is exactly what happened this time. In addition to the new set of exploits for its usual prey, such as routers, access-points, ADSL modems, and network cameras, it can now infect enterprise devices such as high-capacity, enterprise-class wireless controllers, digital signage systems, and wireless presentation systems.

    Reply
  19. Tomi Engdahl says:

    New Mirai Variant Targets More Processor Architectures
    https://www.securityweek.com/new-mirai-variant-targets-more-processor-architectures

    Targeting IoT devices in an attempt to ensnare them into a botnet capable of launching distributed denial of service (DDoS) attacks, the malware has been around since late 2016, with numerous variants observed since (such as Wicked, Satori, Okiru, Masuta, and others).

    Mirai’s source code was publicly released in October 2016, and various threat actors built their own iterations of the malware in order to target additional device types. A version that emerged earlier this year aims at devices specifically intended for businesses.

    The newly observed Mirai samples, Palo Alto Networks reports, are compiled to run on Altera Nios II, OpenRISC, Tensilica Xtensa, and Xilinx MicroBlaze processors, which shows that the threat’s developers continue to innovate.

    Reply
  20. Tomi Engdahl says:

    New Mirai Variant Uses Multiple Exploits to Target Routers and Other Devices
    https://blog.trendmicro.com/trendlabs-security-intelligence/new-mirai-variant-uses-multiple-exploits-to-target-routers-and-other-devices/

    We discovered a new variant of Mirai (detected as Backdoor.Linux.MIRAI.VWIPT) that uses a total of 13 different exploits, almost all of which have been used in previous Mirai-related attacks. Typical of Mirai variants, it has backdoor and distributed denial-of-service (DDoS) capabilities. However, this case stands out as the first to have used all 13 exploits together in a single campaign.

    This attack comes just a few weeks after we last reported on Mirai activity, when it had targeted various routers.

    Reply
  21. Tomi Engdahl says:

    Mirai Botnet Activity
    https://isc.sans.edu/forums/diary/Mirai+Botnet+Activity/26234/
    This past week, I noticed new activity from the Mirai botnet in my honeypot. The sample log with the IP and file associated with the first log appears to have been taken down (96.30.193.26), which appeared multiple times this week including today. However, the last two logs from today are still active, using a Bash script to download multiple exploits targeting various device types (MIPS, ARM4-7, MPSL, x86, PPC, M68k). Something else of interest is the User-Agent: XTC and the name viktor, which appear to be linked to the XTC IRC Botnet, aka Hoaxcalls.

    Reply
  22. Tomi Engdahl says:

    Developer of Mirai, Qbot-based DDoS botnets jailed for 13 months
    https://www.bleepingcomputer.com/news/security/developer-of-mirai-qbot-based-ddos-botnets-jailed-for-13-months/
    A 22-year-old Washington man was sentenced to 13 months in prison for renting and developing Mirai and Qbot-based DDoS botnets used in DDoS attacks against targets from all over the world.

    Reply
  23. Tomi Engdahl says:

    Mirai Botnet Exploit Weaponized to Attack IoT Devices via CVE-2020-5902
    https://blog.trendmicro.com/trendlabs-security-intelligence/mirai-botnet-exploit-weaponized-to-attack-iot-devices-via-cve-2020-5902/?

    Following the initial disclosure of two F5 BIG-IP vulnerabilities on the first week of July, we continued monitoring and analyzing the vulnerabilities and other related activities to further understand their severities. Based on the workaround published for CVE-2020-5902, we found an internet of things (IoT) Mirai botnet downloader (detected by Trend Micro as Trojan.SH.MIRAI.BOI) that can be added to new malware variants to scan for exposed Big-IP boxes for intrusion and deliver the malicious payload.

    Reply
  24. Tomi Engdahl says:

    Ttint Botnet Targets Zero-Day Vulnerabilities in Tenda Routers
    https://www.securityweek.com/ttint-botnet-targets-zero-day-vulnerabilities-tenda-routers

    A new Mirai-based botnet is targeting zero-day vulnerabilities in Tenda routers, according to researchers at 360 Netlab, a unit of Chinese cybersecurity company Qihoo 360.

    Dubbed Ttint, the Remote Access Trojan (RAT) contains distributed denial of service capabilities, just as any Mirai offspring does, but also implements 12 remote access functions, including a Socket5 proxy, modifying router DNS and iptables, and running system commands.

    In order to circumvent detection of typical traffic generated by Mirai botnets, Ttint uses the WSS (WebSocket over TLS) protocol for communication with the command and control (C&C) server, and also uses encryption.

    Reply
  25. Tomi Engdahl says:

    New Mirai Variant Leverages 10 Vulnerabilities to Hijack IoT Devices
    https://www.securityweek.com/new-mirai-variant-leverages-10-vulnerabilities-hijack-iot-devices

    Over the past month, a variant of the Mirai botnet was observed targeting new security vulnerabilities within hours after they had been disclosed publicly, researchers with Palo Alto Networks reveal.

    Around since 2016, Mirai has had its source code leaked online, which resulted in tens of variants being released over the years, each with its own targeting capabilities.

    What makes the variant tracked by Palo Alto Networks stand out in the crowd is the fact that, within a four-week timeframe, it started exploiting several vulnerabilities that have been disclosed this year.

    On February 23, the Mirai variant was observed targeting CVE-2021-27561 and CVE-2021-27562, two vulnerabilities in the Yealink DM (Device Management) platform that had been disclosed the very same day.

    Impacting Yealink DM version 3.6.0.20 and older, the flaws (pre-auth SSRF and command injection, respectively) exist because user-provided data is not properly filtered and could be exploited to execute arbitrary commands as root, without authentication.

    On March 3, Palo Alto Networks’ security researchers noticed that the same samples were also using an exploit for CVE-2021-22502, a critical (CVSS score of 9.8) remote code execution vulnerability in Micro Focus Operations Bridge Reporter.

    Exploitable without authentication, the security bug exists because a user-supplied string isn’t properly validated when the Token parameter provided to the LogonResource endpoint is handled, allowing an attacker to execute code as root.

    Ten days later, on March 13, the samples also incorporated an exploit targeting CVE-2020-26919, a critical vulnerability (CVSS score 9.8) affecting NETGEAR JGS516PE business-grade gigabit switches. The bug is described as “lack of access control at the function level.”

    In September 2020, Netgear published an advisory for this vulnerability, advising customers to update the firmware on their devices.

    Other vulnerabilities being exploited in these attacks include a SonicWall SSL-VPN bug referred to as VisualDoor, CVE-2020-25506 (D-Link DNS-320 firewall), CVE-2020-26919 (Netgear ProSAFE Plus), and CVE-2019-19356 (Netis WF2419 wireless router). Three other security issues are also being exploited, but they haven’t been identified yet.

    Reply
  26. Tomi Engdahl says:

    The Ghosts of Mirai
    https://www.fortinet.com/blog/threat-research/the-ghosts-of-mirai
    It has been almost five years since the source code of the notorious MIRAI IoT malware was released to the public by its author in late 2016. This event led to the emergence of numerous copycats, creating their own flavors of IoT botnet armies. Although improvements have been constantly added since then by various threat actors, the structure and goal of the campaigns have remained the same.

    Reply
  27. Tomi Engdahl says:

    Mirai Botnet Starts Exploiting OMIGOD Flaw as Microsoft Issues More Guidance
    https://www.securityweek.com/mirai-botnet-starts-exploiting-omigod-flaw-microsoft-issues-more-guidance

    Microsoft on Thursday published additional guidance on addressing recently disclosed vulnerabilities in the Open Management Infrastructure (OMI) framework, along with new protections to resolve the bugs within affected Azure Virtual Machine (VM) management extensions.

    Microsoft’s guidance was published just as researchers noticed that one of the vulnerabilities is already being exploited in the wild. It appears that the Mirai botnet is attempting to compromise vulnerable systems and that it also closes port 5896 (OMI SSL port) to keep other attackers out.

    An open-source Web-Based Enterprise Management (WBEM) implementation, OMI allows for the management of Linux and UNIX systems and is used in various Azure services and Azure Virtual Machine (VM) management extensions.

    As part of the September 2021 patches, Microsoft addressed four issues in OMI, one critical bug leading to unauthenticated remote code execution and three high-severity flaws allowing an attacker to elevate privileges. The issues were identified by security researchers with Wiz, which named the RCE defect OMIGOD.

    The OMIGOD vulnerability, officially tracked as CVE-2021-38647, is the one reportedly exploited by the Mirai botnet.

    Reply
  28. Tomi Engdahl says:

    Mirai-based Botnet – Moobot Targets Hikvision Vulnerability
    https://www.fortinet.com/blog/threat-research/mirai-based-botnet-moobot-targets-hikvision-vulnerability

    Last September 18th, a threat researcher released a write-up about a remote code execution vulnerability that affects various products from Hikvision, one of the largest video surveillance brands in the world.
    Hikvision is a CVE CNA and quickly assigned the CVE number, CVE-2021-36260, and released a patch for the vulnerability on the same day as the threat researcher’s disclosure. During our analysis, we observed numerous payloads attempting to leverage this vulnerability to probe the status of devices or extract sensitive data from victims. One payload in particular caught our attention. It tries to drop a downloader that exhibits infection behavior and that also executes Moobot, which is a DDoS botnet based on Mirai. In this blog we explain how an attacker delivers this payload through the Hikvision vulnerability, along with details of the botnet.

    Reply
  29. Tomi Engdahl says:

    Beastmode botnet boosts DDoS power with new router exploits
    https://www.bleepingcomputer.com/news/security/beastmode-botnet-boosts-ddos-power-with-new-router-exploits/
    A Mirai-based distributed denial-of-service (DDoS) botnet tracked as Beastmode (aka B3astmode) has updated its list of exploits to include several new ones, three of them targeting various models of Totolink routers. Totolink is a popular electronics sub-brand belonging to Zioncom that recently released firmware updates to fix three critical-severity vulnerabilities.

    Reply
  30. Tomi Engdahl says:

    Mirai Malware Variants for Linux Double Down on Stronger Chips in Q1 2022
    https://www.crowdstrike.com/blog/linux-mirai-malware-double-on-stronger-chips/
    Popular for compromising internet-connected devices and conducting distributed denial of service (DDoS) attacks, Mirai malware variants have been known to compromise devices that run on Linux builds ranging from mobile and Internet of Things (IoT) devices to cloud infrastructures. According to internal and open-source data analyzed by the CrowdStrike malware research team, while the ARM CPU architecture (used in most mobile and IoT devices) remains the most prevalent among Mirai variants, the number of 32-bit x86 Mirai variants (used on Linux servers and networking equipment) increased by 120% in Q1 2022 compared to Q1 2021.

    Reply
  31. Tomi Engdahl says:

    New Linux malware brute-forces SSH servers to breach networks
    https://www.bleepingcomputer.com/news/security/new-linux-malware-brute-forces-ssh-servers-to-breach-networks/
    A new botnet called ‘RapperBot’ is being used in attacks since mid-June 2022, focusing on brute-forcing its way into Linux SSH servers to establish a foothold on the device.
    The researchers show that RapperBot is based on the Mirai trojan but deviates from the original malware’s normal behavior, which is uncontrolled propagation to as many devices as possible.
    Instead, RapperBot is more tightly controlled, has limited DDoS capabilities, and its operation appears geared towards initial server access, likely to be used as stepping stones for lateral movement within a network.
    Over the past 1.5 months since its discovery, the new botnet used over 3,500 unique IPs worldwide to scan and attempt brute-forcing Linux SSH servers.
    Mirai-based, but different
    RapperBot proved to be a Mirai fork, but with its own command and control (C2) protocol, unique features, and atypical (for a botnet) post-compromise activity.
    “Unlike the majority of Mirai variants, which natively brute force Telnet servers using default or weak passwords, RapperBot exclusively scans and attempts to brute force SSH servers configured to accept password authentication,” explains the Fortinet report.
    https://www.fortinet.com/blog/threat-research/rapperbot-malware-discovery

    Reply
  32. Tomi Engdahl says:

    So RapperBot, What Ya Bruting For?
    https://www.fortinet.com/blog/threat-research/rapperbot-malware-discovery
    FortiGuard Labs has been tracking a rapidly evolving IoT malware family known as RapperBot since mid-June 2022. This family borrows heavily from the original Mirai source code, but what separates it from other IoT malware families is its built-in capability to brute force credentials and gain access to SSH servers instead of Telnet as implemented in Mirai. In addition, recent samples show that its developers have started adding code to maintain persistence, which is rarely done in other Mirai variants. This provides threat actors with continued access to infected devices via SSH even after the device is rebooted or the malware has been removed.

    Reply
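    The two RapperBot items above describe a bot that brute-forces SSH servers that still accept password authentication. The following is an added defender-side example (not code from the original page, from Fortinet, or from the RapperBot reports): it parses OpenSSH "Failed password" auth-log lines, flags source addresses that exceed a failure threshold inside a sliding time window, and checks whether an sshd_config still leaves PasswordAuthentication enabled. The log lines, hostname "edge01", addresses and the two config snippets are constructed sample data; the threshold and window values are assumptions to tune for your environment.

```python
"""Flag SSH password brute-force sources in sshd auth logs and check whether
a host still accepts password authentication.

Added example, not code from the page or from Fortinet. Log lines follow
the syslog format OpenSSH emits on Debian/Ubuntu; other distributions
may differ (e.g. journald output), so adjust FAILED_RE accordingly.
"""
import re
from collections import defaultdict
from datetime import datetime

# OpenSSH "Failed password" line, syslog style (month/day/time, no year).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+ ssh2$"
)

# Constructed sample log: one source hammering several accounts within
# seconds, and one legitimate user who mistyped a password twice.
SAMPLE_LOG = """\
Jun 14 02:03:11 edge01 sshd[2231]: Failed password for root from 203.0.113.5 port 41812 ssh2
Jun 14 02:03:14 edge01 sshd[2233]: Failed password for invalid user admin from 203.0.113.5 port 41820 ssh2
Jun 14 02:03:18 edge01 sshd[2235]: Failed password for invalid user pi from 203.0.113.5 port 41826 ssh2
Jun 14 02:03:21 edge01 sshd[2237]: Failed password for invalid user ubuntu from 203.0.113.5 port 41830 ssh2
Jun 14 02:03:25 edge01 sshd[2239]: Failed password for root from 203.0.113.5 port 41836 ssh2
Jun 14 02:03:29 edge01 sshd[2241]: Failed password for invalid user admin from 203.0.113.5 port 41840 ssh2
Jun 14 02:10:02 edge01 sshd[2260]: Failed password for alice from 198.51.100.7 port 50122 ssh2
Jun 14 02:10:40 edge01 sshd[2262]: Accepted password for alice from 198.51.100.7 port 50124 ssh2
Jun 14 02:15:00 edge01 sshd[2270]: Failed password for alice from 198.51.100.7 port 50130 ssh2
""".splitlines()

# Constructed sshd_config fragments: the weak default and a hardened one.
WEAK_CONFIG = "Port 22\n#PasswordAuthentication yes\nPermitRootLogin yes\n"
HARDENED_CONFIG = "Port 22\nPasswordAuthentication no\nPermitRootLogin prohibit-password\n"


def parse_failures(lines, year=2022):
    """Yield (timestamp, source_ip, username) for each failed-password line.

    Syslog lines carry no year, so one is supplied (assumption: 2022)."""
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def find_bruteforcers(lines, threshold=5, window_seconds=60):
    """Return {ip: (max_failures_in_window, sorted usernames tried)} for
    every source that produced >= threshold failures within any window."""
    by_ip = defaultdict(list)
    for ts, ip, user in parse_failures(lines):
        by_ip[ip].append((ts, user))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        times = [t for t, _ in events]
        best, j = 0, 0
        # Sliding window: for each start i, advance j while still in window.
        for i in range(len(times)):
            while j < len(times) and (times[j] - times[i]).total_seconds() <= window_seconds:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            flagged[ip] = (best, sorted({u for _, u in events}))
    return flagged


def password_auth_enabled(config_text):
    """True if the effective global PasswordAuthentication is 'yes'.

    sshd uses the first occurrence of a keyword and defaults to yes when
    it is absent or commented out. Match blocks are ignored here
    (simplification; conditional overrides are not evaluated)."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "passwordauthentication":
            return parts[1].strip().lower() == "yes"
    return True


if __name__ == "__main__":
    for ip, (count, users) in find_bruteforcers(SAMPLE_LOG).items():
        print(f"brute-force source {ip}: {count} failures, accounts tried {users}")
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name} config accepts passwords: {password_auth_enabled(cfg)}")
```

    With the sample data the first source is reported with six failures across four account names, while the legitimate user's two mistakes five minutes apart stay below the threshold. The config check is the mitigation side of the same report: a host that returns False here is not a target for a password-only brute forcer, whatever the bot's wordlist contains.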
  33. Tomi Engdahl says:

    Mirai Botnet Launched 2.5 Tbps DDoS Attack Against Minecraft Server
    https://www.securityweek.com/mirai-botnet-launched-25-tbps-ddos-attack-against-minecraft-server

    A Mirai botnet variant has launched a distributed denial-of-service (DDoS) attack that peaked at 2.5 terabytes per second (Tbps), according to Cloudflare, which described it as the largest attack it has seen in terms of bitrate.

    The attack was aimed at a Minecraft server named Wynncraft and it involved UDP and TCP floods. However, the web security firm said it mitigated the attack, preventing it from causing any disruption to the game.

    While this may have been a record-breaking attack for Cloudflare, Microsoft last year observed an attack that peaked at 3.47 Tbps and another that reached 3.25 Tbps.

    Cloudflare this year also saw an attack reaching 26 million requests per second (RPS). The attack was noteworthy particularly for the fact that it was powered by a small botnet of only 5,000 devices. However, in terms of RPS, Google saw the biggest attack known to date, which peaked at 46 million RPS.

    “The entire 2.5 Tbps attack lasted about 2 minutes, and the peak of the 26M rps attack only 15 seconds,” Cloudflare explained. “This emphasizes the need for automated, always-on solutions. Security teams can’t respond quick enough. By the time the security engineer looks at the PagerDuty notification on their phone, the attack has subsided.”

    Reply
  34. Tomi Engdahl says:

    Mirai Botnet and Gafgyt DDoS Team Up Against SOHO Routers
    https://isc.sans.edu/diary/Mirai+Botnet+and+Gafgyt+DDoS+Team+Up+Against+SOHO+Routers/29304
    Since 2014, self-replicating variants of DDoS attacks against routers and Linux-based IoT devices have been rampant. Gafgyt botnets target vulnerable IoT devices and use them to launch large-scale distributed denial-of-service attacks. SOHO and IoT devices are ubiquitous, less likely to have secure configurations or routine patches, and more likely to be at the internet edge. Attacks against these devices are less likely to be identified by enterprise monitoring techniques, and compromise may go unnoticed. Unwitting users then become part of attack propagation.

    Reply
  35. Tomi Engdahl says:

    Mirai Variant V3G4 Targets IoT Devices
    https://unit42.paloaltonetworks.com/mirai-variant-v3g4/
    From July to December 2022, Unit 42 researchers observed a Mirai variant called V3G4, which was leveraging several vulnerabilities to spread itself. Once the vulnerable devices are compromised, they will be fully controlled by attackers and become a part of the botnet. The threat actor has the capability to utilize those devices to conduct further attacks, such as distributed denial-of-service (DDoS) attacks.
    The exploit attempts captured by Unit 42 researchers leverage the aforementioned vulnerabilities to spread V3G4, which targets exposed servers and networking devices running Linux.

    Reply
  36. Tomi Engdahl says:

    New Mirai Variant Employs Uncommon Tactics to Distribute Malware
    https://www.darkreading.com/remote-workforce/new-mirai-variant-employs-uncommon-tactics-to-distribute-malware
    A new version of a Mirai variant called RapperBot is the latest example of malware using relatively uncommon or previously unknown infection vectors to try and spread widely. RapperBot first surfaced last year as Internet of Things (IoT) malware containing large chunks of Mirai source code but with some substantially different functionality compared with other Mirai variants. The differences included the use of a new protocol for command-and-control (C2) communications and a built-in feature for brute-forcing SSH servers rather than Telnet services, as is common in Mirai variants.

    Reply
  37. Tomi Engdahl says:

    The Strange Story of the Teens Behind the Mirai Botnet
    https://spectrum.ieee.org/mirai-botnet

    Their DDoS malware threatened the entire Internet

    Reply
  38. Tomi Engdahl says:

    IoT Under Siege: The Anatomy of the Latest Mirai Campaign Leveraging Multiple IoT Exploits
    https://unit42.paloaltonetworks.com/mirai-variant-targets-iot-exploits/

    Since March 2023, Unit 42 researchers have observed threat actors leveraging several IoT vulnerabilities to spread a variant of the Mirai botnet.

    The threat actors have the ability to gain complete control over the compromised devices, integrating those devices into the botnet. These devices are then used to execute additional attacks, including distributed denial-of-service (DDoS) attacks.

    The widespread adoption of IoT devices has become a ubiquitous trend. However, the persistent security concerns surrounding these devices cannot be ignored.
    The Mirai botnet, discovered back in 2016, is still active today. A significant part of the reason for its popularity among threat actors lies in the security flaws of IoT devices.

    Reply
  39. Tomi Engdahl says:

    Mirai variant infects low-cost Android TV boxes for DDoS attacks
    https://www.bleepingcomputer.com/news/security/mirai-variant-infects-low-cost-android-tv-boxes-for-ddos-attacks/

    A new Mirai malware botnet variant has been spotted infecting inexpensive Android TV set-top boxes used by millions for media streaming. According to Dr. Web’s antivirus team, the current trojan is a new version of the ‘Pandora’ backdoor that first appeared in 2015.

    The primary targets of this campaign are low-cost Android TV boxes like Tanix TX6 TV Box, MX10 Pro 6K, and H96 MAX X3, which feature quad-core processors capable of launching powerful DDoS attacks even in small swarm sizes.

    Reply
  40. Tomi Engdahl says:

    Mirai Variant IZ1H9 Adds 13 Exploits to Arsenal
    https://www.securityweek.com/mirai-variant-iz1h9-adds-13-exploits-to-arsenal/

    A Mirai botnet variant tracked as IZ1H9 has updated its arsenal with 13 exploits targeting various routers, IP cameras, and other IoT devices.

    A variant of the Mirai botnet has recently updated its arsenal of tools with 13 exploits targeting vulnerabilities in IoT devices from D-Link, TP-Link, Zyxel, and various other manufacturers, Fortinet reports.

    Tracked as IZ1H9 and first discovered in August 2018, this Mirai variant is one of the most active, exploiting unpatched vulnerabilities in IoT devices to ensnare them and abuse them in distributed denial-of-service (DDoS) attacks.

    Following the addition of exploits for several new security bugs earlier this year, IZ1H9 has recently expanded its arsenal once again, now packing approximately 30 exploits for D-Link, Geutebruck, Korenix, Netis, Sunhillo, Totolink, TP-Link, Yealink, and Zyxel flaws.

    Exploitation of these vulnerabilities peaked on September 6, when Fortinet saw thousands of attack attempts.

    Of the newly added exploits, four target D-Link issues tracked as CVE-2015-1187, CVE-2016-20017, CVE-2020-25506, and CVE-2021-45382. These critical-severity flaws allow remote attackers to execute arbitrary code on affected devices.

    According to Fortinet, eight other exploits target arbitrary command execution bugs impacting the firmware that UDP Technology supplies to Geutebruck and other OEMs for their IP cameras.

    Reply