Cybersecurity researchers on Monday disclosed a new wave of ongoing attacks exploiting multiple vulnerabilities to deploy new Mirai variants on internet connected devices.
"Upon successful exploitation, the attackers try to download a malicious shell script, which contains further infection behaviors such as downloading and executing Mirai variants and brute-forcers," Palo Alto Networks' Unit 42 Threat Intelligence Team said in a write-up.
The rash of vulnerabilities being exploited include:
- VisualDoor - a SonicWall SSL-VPN remote command injection vulnerability that came to light earlier this January
- CVE-2020-25506 - a D-Link DNS-320 firewall remote code execution (RCE) vulnerability
- CVE-2021-27561 and CVE-2021-27562 - Two vulnerabilities in Yealink Device Management that allow an unauthenticated attacker to run arbitrary commands on the server with root privileges
- CVE-2021-22502 - an RCE flaw in Micro Focus Operation Bridge Reporter (OBR), affecting version 10.40
- CVE-2019-19356 - a Netis WF2419 wireless router RCE exploit, and
- CVE-2020-26919 - a Netgear ProSAFE Plus RCE vulnerability
"The VisualDoor exploit in question targets an old SSL-VPN firmware vulnerability that was patched on legacy products in 2015 with 18.104.22.168-43sv and 22.214.171.124-25sv releases," SonicWall said in a statement to The Hacker News. "It is not viable against any properly patched SonicWall appliances."
Also included in the mix are three previously undisclosed command injection vulnerabilities that were deployed against unknown targets, one of which, according to the researchers, has been observed in conjunction with a separate botnet by the name of MooBot.
The attacks are said to have been detected over a month-long period starting from February 16 to as recent as March 13.
Regardless of the flaws used to achieve successful exploitation, the attack chain involves the use of wget utility to download a shell script from the malware infrastructure that's then used to fetch Mirai binaries, a notorious malware that turns networked IoT devices running Linux into remotely controlled bots that can be used as part of a botnet in large-scale network attacks.
Besides downloading Mirai, additional shell scripts have been spotted retrieving executables to facilitate brute-force attacks to break into vulnerable devices with weak passwords.
"The IoT realm remains an easily accessible target for attackers. Many vulnerabilities are very easy to exploit and could, in some cases, have catastrophic consequences," the researcher said.
New ZHtrap Botnet Traps Victims Using a Honeypot
In a related development, researchers from Chinese security firm Netlab 360 discovered a new Mirai-based botnet called ZHtrap that makes use of a honeypot to harvest additional victims, while borrowing some features from a DDoS botnet known as Matryosh.
While honeypots typically mimic a target for cyber criminals so as to take advantage of their intrusion attempts to glean more information about their modus operandi, the ZHtrap botnet uses a similar technique by integrating a scanning IP collection module for gathering IP addresses that are used as targets for further worm-like propagation.
It achieves this by listening on 23 designated ports and identifying IP addresses that connect to these ports, then using the amassed IP addresses to inspect them for four vulnerabilities to inject the payload -
- MVPower DVR Shell unauthenticated RCE
- Netgear DGN1000 Setup.cgi unauthenticated RCE
- CCTV DVR RCE affecting multiple vendors, and
- Realtek SDK miniigd SOAP command execution (CVE-2014-8361)
"ZHtrap's propagation uses four N-day vulnerabilities, the main function is DDoS and scanning, while integrating some backdoor features," the researchers said. "Zhtrap sets up a honeypot on the infected device, [and] takes snapshots for the victim devices, and disables the running of new commands based on the snapshot, thus achieving exclusivity over the device."
Once it has taken over the devices, ZHtrap takes a cue from the Matryosh botnet by using Tor for communications with a command-and-control server to download and execute additional payloads.
Noting that the attacks began from February 28, 2021, the researchers said ZHtrap's ability to turn infected devices into honeypots marks an "interesting" evolution of botnets to facilitate finding more targets.
These Mirai-based botnets are the latest to spring up on the threat landscape, in part fanned by the availability of Mirai's source code on the Internet since 2016, opening the field wide open for other attackers to build their own variants.
Last March, researchers discovered a Mirai variant called "Mukashi," which was found targeting Zyxel network-attached storage (NAS) devices to conscript them into a botnet. Then in October 2020, Avira's IoT research team identified another variant of the Mirai botnet named "Katana," which exploited remote code execution vulnerabilities to infect D-Link DSL-7740C routers, DOCSIS 3.1 wireless gateway devices, and Dell PowerConnect 6224 Switches.