New Mirai botnet variant

A new variant of Mirai, the botnet malware used to launch massive DDoS attacks, has been targeting IoT devices connected to Linux servers, according to researchers from Palo Alto Networks' Unit 42 cybersecurity team. The variant exploits 13 vulnerabilities.

Once vulnerable devices are compromised by the variant known as V3G4, they can be fully controlled by the attacker and become part of a botnet that can be used to conduct further activities, including DDoS attacks.

“The attack complexity of these vulnerabilities is lower than previously observed variants, but they still have serious security implications that could lead to remote code execution,” Unit 42 said in its report on the new variant.


Unit 42 said V3G4 activity was observed at three events between July and December last year.


According to the researchers, all three campaigns appear to be tied to the same variant and Mirai botnet for multiple reasons. They noted that domains with hard-coded command and control (C2) infrastructure used to maintain communications with infected devices contain the same string format. Additionally, the shell scripts are downloaded in a similar manner and all attacks use the same botnet functionality.

Unit 42 said the threat actors deploying V3G4 exploited vulnerabilities that could lead to remote code execution. Once executed, the malware checks whether the host device has already been infected; if it has, the malware exits. It also attempts to terminate a set of processes named in a hardcoded list, which includes processes belonging to competing botnet malware families.

How the V3G4 Mirai variant works

The researchers noted that while most Mirai variants use the same key for string encryption, the V3G4 variant uses different XOR encryption keys for different scenarios (XOR is a Boolean logic operation often used in encryption). V3G4 carries a set of default or weak login credentials that it uses to brute-force Telnet and SSH logins and propagate to other machines. Unit 42 said that after this, it establishes contact with the C2 server and waits to receive commands to launch a DDoS attack on the target.

V3G4 has exploited vulnerabilities including those in the FreePBX management tool of the Asterisk Communications Server (CVE-2012-4869); Atlassian Confluence (CVE-2022-26134); the Webmin system management tool (CVE-2019-15107); DrayTek Vigor routers (CVE-2020-8515 and CVE-2020-15415); and the C-Data Web Management System (CVE-2022-4257).

For a complete list of exploited vulnerabilities observed to date, recommendations for cybersecurity software that can detect and prevent infections, and code snippets used as indicators of compromise, see Palo Alto’s advisory. The Unit 42 team also recommends applying patches and updates to fix vulnerabilities whenever possible.

How the Mirai botnet developed

Over the past few years, Mirai has tried to expand its reach into SD-WAN, targeting enterprise video conferencing systems, and using Original Linux to infect multiple platforms.

The Mirai botnet is an iteration of a series of malware packages developed by Rutgers University undergraduate Paras Jha. Jha posted it online under the name “Anna-Senpai” and named it Mirai (Japanese for “future”). The botnet encapsulates some clever techniques, including a series of hardcoded passwords.

In December 2016, Jha and his associates pleaded guilty to crimes related to the Mirai attacks. But by then, the code was already out in the wild and being used as a building block for further botnet controllers.

This means anyone can use it to try to infect IoT devices and launch DDoS attacks, or sell the capability to the highest bidder. Many cybercriminals are already doing this, or are tweaking and improving their code to make it harder to hit.

The first wave of Mirai attacks appeared on September 19, 2016, targeting the French hosting provider OVH. Mirai was also responsible for a 2016 DDoS attack on DNS provider Dyn, which involved approximately 100,000 infected devices. As a result, major internet platforms and services were unavailable to users in Europe and North America.
