An active malware campaign is leveraging two zero-day vulnerabilities with remote code execution (RCE) functionality to rope routers and video recorders into a Mirai-based distributed denial-of-service (DDoS) botnet.
"The payload targets routers and network video recorder (NVR) devices with default admin credentials and installs Mirai variants when successful," Akamai said in an advisory published this week.
Details of the flaws are currently under wraps to allow the two vendors to publish patches and prevent other threat actors from abusing them. The fixes for one of the vulnerabilities are expected to be shipped next month.
The attacks were first discovered by the web infrastructure and security company against its honeypots in late October 2023. The perpetrators of the attacks have not been identified as yet.
The botnet, which has been codenamed InfectedSlurs due to the use of racial and offensive language in the command-and-control (C2) servers and hard-coded strings, is a JenX Mirai malware variant that came to light in January 2018.
Akamai said it also identified additional malware samples that appeared to be linked to the hailBot Mirai variant, the latter of which emerged in September 2023, according to a recent analysis from NSFOCUS.
"The hailBot is developed based on Mirai source code, and its name is derived from the string information 'hail china mainland' output after running," the Beijing-headquartered cybersecurity firm noted, detailing its ability to propagate via vulnerability exploitation and weak passwords.
The development comes as Akamai detailed a web shell called wso-ng, an "advanced iteration" of WSO (short for "web shell by oRb") that integrates with legitimate tools like VirusTotal and SecurityTrails while stealthily concealing its login interface behind a 404 error page upon attempting to access it.
One of the notable reconnaissance capabilities of the web shell involves retrieving AWS metadata for subsequent lateral movement as well as searching for potential Redis database connections so as to obtain unauthorized access to sensitive application data.
"Web shells allow attackers to run commands on servers to steal data or use the server as a launch pad for other activities like credential theft, lateral movement, deployment of additional payloads, or hands-on-keyboard activity, while allowing attackers to persist in an affected organization," Microsoft said back in 2021.
The use of off-the-shelf web shells is also seen as an attempt by threat actors to challenge attribution efforts and fly under the radar, a key hallmark of cyber espionage groups that specialize in intelligence gathering.
Another common tactic adopted by attackers is the use of compromised-but-legitimate domains for C2 purposes and malware distribution.
In August 2023, Infoblox disclosed a widespread attack involving compromised WordPress websites that conditionally redirect visitors to intermediary C2 and dictionary domain generation algorithm (DDGA) domains. The activity has been attributed to a threat actor named VexTrio.
Update
Akamai is warning that the threat actors behind the InfectedSlurs botnet are actively exploiting security flaws in Future X Communications (FXC) AE1021 and AE1021PE outlet wall routers (CVE-2023-49897, CVSS score: 8.8) and QNAP VioStor NVR appliances (CVE-2023-47565, CVSS score: 8.8) to marshall the devices to the DDoS attack swarm.
Both the vulnerabilities are operating system command injection bugs that could allow an authenticated attacker to achieve code execution.
"Internet of Things (IoT)-targeted campaigns result in countless instances in which everyday consumer devices are unwittingly enlisted in a number of malicious efforts," Akamai researchers said, urging users to change default passwords on devices during initial setup.
"DDoS botnets and cryptomining schemes are just some of the potential outcomes that can happen completely unbeknownst to the consumer whose device is affected. In some cases, the user may not even know the credentials could be changed on these devices at all."
