October 10, 2023 at 04:36PM
The Mirai-based DDoS malware botnet known as IZ1H9 has expanded its targets to include Linux-based routers and IoT devices from brands such as D-Link, Zyxel, TP-Link, and TOTOLINK. Fortinet researchers observed high exploitation rates in September, with tens of thousands of attempts against vulnerable devices. IZ1H9 compromises devices, enlists them in its DDoS swarm, and launches attacks on specified targets. The botnet exploits various known vulnerabilities in the targeted devices and also carries hardcoded credentials for brute-force attacks. Users are advised to use strong admin credentials, update firmware, and limit exposure to the public internet.
From the meeting notes, here are the key takeaways:
1. A Mirai-based DDoS malware botnet called IZ1H9 has recently added thirteen new payloads to target Linux-based routers and IoT devices from D-Link, Zyxel, TP-Link, TOTOLINK, and others.
2. Fortinet researchers have observed a significant increase in exploitation rates around the first week of September, with tens of thousands of exploitation attempts against vulnerable devices.
3. IZ1H9 compromises devices and enlists them to its DDoS swarm, launching attacks on specified targets, likely on behalf of clients who rent its firepower.
4. The more devices and vulnerabilities targeted by a DDoS malware like IZ1H9, the greater its potential to build a large and powerful botnet capable of delivering massive blows against websites.
5. IZ1H9 exploits several known vulnerabilities in devices from different manufacturers, including D-Link, Netis, Sunhillo, Geutebruck, Yealink, Zyxel, TP-Link, Korenix, TOTOLINK, and Prolink.
6. After exploiting a vulnerability, IZ1H9 injects a payload into the compromised device that fetches a shell script downloader named “l.sh” from a specified URL. The script hides its malicious activity by deleting logs, fetches bot clients suitable for different system architectures, and modifies the device’s iptables rules to obstruct connections and make malware removal difficult.
7. Once set up, the bot communicates with a command and control (C2) server and waits for instructions. It supports various DDoS attack types, including UDP, UDP Plain, HTTP Flood, and TCP SYN.
8. IZ1H9 also contains hardcoded credentials that can be used for brute-force attacks. These credentials may aid in propagating to adjacent devices or authenticating to IoT devices without a working exploit.
9. To protect against such attacks, owners of IoT devices are advised to use strong admin user credentials, update to the latest firmware, and minimize exposure to the public internet.
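A defender-side check for the iptables tampering described in point 6, added here as an example and not taken from the original article or Fortinet's report: it parses an `iptables -S INPUT` dump from a Linux router and flags rules that would lock an administrator out of the management ports. The sample dump is constructed, and the assumption that the tampering takes the form of DROP/REJECT rules on those ports is mine; the summary says only that the script modifies iptables rules to obstruct connections.

```python
import re

# Constructed sample of `iptables -S INPUT` output from a hypothetical
# compromised router. Assumption: the dropper locks admins out with
# DROP rules on management ports; the summary only says it "modifies
# the device's iptables rules to obstruct connections".
SAMPLE_DUMP = """\
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j DROP
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
"""

# Ports an operator normally needs to reach a router: telnet, ssh,
# http(s), TR-069 (CWMP). Extend the set for the device in question.
MGMT_PORTS = {22, 23, 80, 443, 7547}

RULE_RE = re.compile(r"^-A INPUT\b(?P<opts>.*?)\s-j\s+(?P<target>DROP|REJECT)\b")
DPORT_RE = re.compile(r"--dport\s+(\d+)")


def find_lockout_rules(dump):
    """Return (port, target) for INPUT rules that drop or reject traffic
    to a management port, in rule order."""
    findings = []
    for line in dump.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        dp = DPORT_RE.search(m.group("opts"))
        if dp and int(dp.group(1)) in MGMT_PORTS:
            findings.append((int(dp.group(1)), m.group("target")))
    return findings


def input_policy(dump):
    """Return the INPUT chain default policy, or None if it is absent."""
    m = re.search(r"^-P INPUT\s+(\w+)", dump, re.M)
    return m.group(1) if m else None


def assess(dump):
    """Summarise locked-out ports and whether the default policy alone
    would already cut off management access."""
    locked = sorted({port for port, _ in find_lockout_rules(dump)})
    policy = input_policy(dump)
    return {"locked_ports": locked, "policy": policy,
            "suspicious": bool(locked) or policy == "DROP"}


if __name__ == "__main__":
    print(assess(SAMPLE_DUMP))
```

Run it against `iptables -S INPUT` captured from a device whose web or SSH interface has suddenly become unreachable; a clean router reports an empty `locked_ports` list.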